• MoonlightFox@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    8 days ago

    There are another important reason than most of the issues pointer out here that docker solves.

    Security.

    By using containerization Docker effectively creates another important barrier which is incredibly hard to escape, which is the OS (container)

    If one server is running multiple Docker containers, a vulnerability in one system does not expose the others. This is a huge security improvement. Now the attacker needs to breach both the application and then break out of a container in order to directly access other parts of the host.

    Also if the Docker images are big then the dev needs to select another image. You can easily have around 100MB containers now. With the “distroless” containers it is maybe down to like 30 MB if I recall correctly. Far from 1GB.

    Reproducability is also huge efficiency booster. “Here run these this command and it will work perfecty on your machine” And it actually does.

    It also reliably allows the opportunity to have self-healing servers, which means businesses can actually not have people available 24/7.

    The use of containerization is maybe one of the greatest marvels in software dev in recent (10+) years.

    • MajorHavoc@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      8 days ago

      Oof. I’m anxious that folks are going to get the wrong idea here.

      While OCI does provide security benefits, it is not a part of a healthly security architecture.

      If you see containers advertised on a security architecture diagram, be alarmed.

      If a malicious user gets terminal access inside a container, it is nice that there’s a decent chance that they won’t get further.

      But OCI was not designed to prevent malicious actors from escaping containers.

      It is not safe to assume that a malicious actor inside a container will be unable to break out.

      Don’t get me wrong, your point stands: Security loves it when we use containers.

      I just wish folks would stop treating containers as “load bearing” in their security plans.

      • hemko@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        Not only that but containers in general run on the host system’s kernel, the actual isolation of the containers is pretty minimal compared to virtual machines for example.

        • Clent@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          What exactly do you think the vm is running on if not the system kernel with potentially more layers.

          • hemko@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            0
            arrow-down
            1
            ·
            edit-2
            8 days ago

            Virtual machines do not use host kernel, they run full OS with kernel, cock and balls on virtualized hardware on top of the host OS.

            Containers are using the host kernel and hardware without any layer of virtualization