• fin@sh.itjust.works · 8 upvotes · 5 months ago

        Why do you avoid docker? It’s cleaner than installing on your machine directly.

        • 2xsaiko@discuss.tchncs.de · 2 upvotes · 5 months ago (edited)

          Cleaner how? Systemd services can already provide basically all of the isolation features you could want if that’s what you’re talking about. It’s got namespaces, chroot+bind mounts, per-service dynamically allocated users, syscall filter, capability filter, and so on.

          Docker adds a lot of complexity that is unnecessary for most uses (a huge part of which is the networking). This also sometimes causes problems; for example, it messes with netfilter tables, which works fine most of the time but can actually do unwanted things like, IIRC, open ports you didn’t expect to be open because you didn’t open them in your firewall. There’s also how, if you use prebuilt images (which you probably do), you’re at the mercy of everyone whose containers you’re using to provide security updates in time.

          Of course there are cases where you actually want something like Docker (multi-machine orchestration, spinning up multiple copies of the same container dynamically depending on load, running people’s arbitrary build environments like in GitHub Actions are a few examples), but a lot of the time when people are pushing it, it really seems like cargo cult mentality.
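As an added illustration of the systemd sandboxing features listed in the comment above (not code from the thread or any commenter): a unit that uses a dynamically allocated user, a chroot-style root with bind mounts, namespace protections, a capability filter and a syscall filter. The service name `myapp`, its paths and the bind-mounted photo directory are placeholders.

```ini
# Added example, not from the thread. "myapp" and all paths are placeholders.
[Unit]
Description=Self-hosted service sandboxed with systemd (example)

[Service]
ExecStart=/opt/myapp/bin/myapp --listen 127.0.0.1:8080
# Per-service dynamically allocated user; nothing to add to /etc/passwd
DynamicUser=yes
# Persistent state under /var/lib/myapp, owned by the dynamic user
StateDirectory=myapp
# chroot-style root plus bind mounts of only what the service needs.
# The tree at /srv/myapp-root must contain the binary's runtime libraries.
RootDirectory=/srv/myapp-root
MountAPIVFS=yes
BindReadOnlyPaths=/opt/myapp /etc/ssl/certs
BindPaths=/mnt/photos:/data/photos
# Namespace-based isolation: private /tmp and /dev, read-only OS, no $HOME
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
# Capability filter: drop everything; the service binds an unprivileged port
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
# Syscall filter: allow the usual service set, deny privileged/resource calls
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security myapp.service` scores the unit and lists which of these protections are still missing; a service that needs to write outside its state directory or execute JIT-compiled code will need the corresponding line relaxed.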

            • Kairos@lemmy.today · 7 upvotes, 14 downvotes · 5 months ago (edited)

              Docker is probably nice to use, but its UI is just so goddamn awful for something that other people think everyone is instantly able to pick up. The massive disconnect between containers, images, instances, or whatever near-synonym the UI expects you to know, and what they actually do is astounding.

              I still have ZERO goddamn idea which port is internal or external in the -p 80:80 option, because every single fucking guide just has it there and expects you to just magically know which one is what, and EVERY LAST ONE just uses the same internal and external port. And good fucking luck looking it up and getting even vaguely relevant results (I’ve tried).

              So when something says “oh just use docker-compose …” I groan, because I have not one fucking idea what actually happens. Does that create a container? Or an image? Or an instance? Which one of those is the template, and which one of those is the running code that is identified by a completely meaningless hexadecimal string?

              Also how do I back them up? Do I also have to back up EVERYTHING in the container? What if I just want to back up the database? How would I pass through a folder on an external drive? Or do I have to duplicate the hundreds of gigabytes of photos I have for just this container? Are those included in backups if backups are even a thing? What if I can’t store all that on my boot drive? Am I able to move JUST that single container or image or whatever the fuck?

              There’s a reason I like running things on bare metal. It’s plenty secure if it’s just for you, behind additional authentication, and put in its own user like I do. It just fucking works.