this post was submitted on 03 Aug 2024
75 points (91.2% liked)

Technology
[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Cleaner how? Systemd services can already provide basically all of the isolation features you could want if that's what you're talking about. It's got namespaces, chroot+bind mounts, per-service dynamically allocated users, syscall filter, capability filter, and so on.

Docker adds a lot of complexity that is unnecessary for most uses (a huge part of which is the networking). This also sometimes causes problems; for example, it messes with the netfilter tables, which works fine most of the time but can actually do unwanted things like, IIRC, opening ports you didn't expect to be open because you didn't open them in your firewall. There's also the fact that if you use prebuilt images (which you probably do), you're at the mercy of everyone whose containers you're using to provide security updates in time.

Of course there are cases where you actually want something like Docker (multi-machine orchestration, spinning up multiple instances of the same container dynamically depending on load, and running people's arbitrary build environments as in GitHub Actions are a few examples), but a lot of the time when people are pushing it, it really seems like cargo cult mentality.
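As an added illustration of the systemd features the comment above lists (not code from the commenter or the thread), here is a hardened unit file that uses each of them: a dynamically allocated user, a chroot with bind mounts, mount/network/kernel namespaces, a capability filter and a syscall filter. The service path `/opt/app/bin/app`, the root directory `/srv/app-root`, the bind-mounted data path and the listen address are assumptions for the example; adjust them to the real service.

```ini
# /etc/systemd/system/app.service (example unit, paths are assumptions)
[Unit]
Description=Example hardened service using systemd sandboxing
After=network.target

[Service]
# Binary inside the chroot below; 127.0.0.1:8080 is an assumed listen address
ExecStart=/opt/app/bin/app --listen 127.0.0.1:8080
Restart=on-failure

# Per-service dynamically allocated user: no static UID in /etc/passwd
DynamicUser=yes

# chroot + bind mounts: the service sees only /srv/app-root plus what we mount in.
# /usr is bind-mounted read-only so shared libraries resolve inside the chroot;
# MountAPIVFS provides /proc, /sys and /dev inside the new root.
RootDirectory=/srv/app-root
MountAPIVFS=yes
BindReadOnlyPaths=/usr /etc/ssl/certs /etc/resolv.conf
# Persistent state lives on the host under /var/lib/app and is bind-mounted in
StateDirectory=app
BindPaths=/var/lib/app:/var/lib/app

# Mount and device namespaces: private /tmp and /dev, read-only system paths
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Forbid the service from creating its own namespaces (e.g. to escape the sandbox)
RestrictNamespaces=yes
# Only the address families the service actually needs
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Capability filter: empty bounding set, and no way to regain privileges
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes

# Syscall filter: allow the @system-service group, then remove the
# privileged and resource-limit groups from it; refuse non-native ABIs
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security app.service` scores each of these settings and lists which sandboxing directives are still missing, which is the quickest way to check that the filters actually took effect. The usual caveat is that `SystemCallFilter=` and an empty `CapabilityBoundingSet=` are only as good as your knowledge of what the binary needs: test the service under load with these settings on, and watch the journal for EPERM failures before relying on the unit in production.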