this post was submitted on 09 Jan 2025
990 points (98.1% liked)

Programmer Humor

[–] MoonlightFox@lemmy.world 70 points 2 weeks ago* (last edited 2 weeks ago) (8 children)

There is another important reason, beyond most of the issues pointed out here, that Docker solves.

Security.

By using containerization, Docker effectively creates another important barrier that is incredibly hard to escape: the OS (container).

If one server is running multiple Docker containers, a vulnerability in one system does not expose the others. This is a huge security improvement. Now the attacker needs to breach both the application and then break out of a container in order to directly access other parts of the host.

Also if the Docker images are big then the dev needs to select another image. You can easily have around 100MB containers now. With the "distroless" containers it is maybe down to like 30 MB if I recall correctly. Far from 1GB.

Reproducibility is also a huge efficiency booster. "Here, run this command and it will work perfectly on your machine." And it actually does.

It also reliably allows the opportunity to have self-healing servers, which means businesses can actually not have people available 24/7.

The use of containerization is maybe one of the greatest marvels in software dev in recent (10+) years.

[–] Landless2029@lemmy.world 39 points 2 weeks ago (3 children)
[–] mugdad1@lemm.ee 1 points 5 days ago (1 children)

I said the same thing, and in 2 days I deployed 4 containers that fixed problems in my life, so that's good.

[–] Landless2029@lemmy.world 2 points 4 days ago (1 children)

What did you deploy?

I'm messing with self-hosting an LLM with a web front end right now.

[–] mugdad1@lemm.ee 1 points 4 days ago (1 children)

Actually I started with it 2 days ago, so I have on my device something called adguardhome (it's for blocking ads and a DNS), and I have metube, which is a web UI for ytdlp, and memos and photoprism. I'm still messing with them. I started knowing how to see the processes, stop and run them, and see logs, so I gained some knowledge.

[–] Landless2029@lemmy.world 2 points 4 days ago (1 children)

Oh, I'm totally getting metube. I use ytdlp with a script.

[–] mugdad1@lemm.ee 1 points 4 days ago

Btw, it doesn't have advanced configs, so give it a try. Also there are some others you can try. I have metube because my dad wants something easy for him, just to put in a YouTube link and download; this is why I used it for him.

[–] scrubbles@poptalk.scrubbles.tech 11 points 2 weeks ago

Yes, yes you really should

[–] OmegaLemmy@discuss.online 8 points 2 weeks ago (2 children)

I said this a year and a half ago and I still haven't. Awful decision. I now own servers too, so I should really learn them.

[–] Landless2029@lemmy.world 3 points 2 weeks ago (2 children)

The worst part is having the gear and STILL not learning/playing with it.

I got stuff to start !selfhosted@kbin.social, like an old i5 mini PC and even a 64 GB i7 pro series laptop...

They're just sitting unplugged with Mint on them.

[–] mynameisigglepiggle@lemmy.world 2 points 2 weeks ago (1 children)

You would be using them if you installed arch

/s

[–] Aceticon@lemmy.dbzer0.com 1 points 2 weeks ago

Well, mucking about with configuration on a computer is a form of entertainment hence its "use" in a broader sense...

[–] muntedcrocodile@lemm.ee 0 points 2 weeks ago (1 children)

What a waste of potential compute. At least have it mining crypto in the background.

[–] OmegaLemmy@discuss.online 2 points 2 weeks ago

Isn't Crypto unprofitable in countries with high energy cost?

[–] BlackPenguins@lemmy.world 1 points 2 weeks ago

There's a udemy course by Max that is only $20 that helped me immensely.

[–] alsaaas@lemmy.dbzer0.com 16 points 2 weeks ago (3 children)

Isn't Docker massively insecure when compared to the likes of Podman, since Docker has to run as a root daemon?

[–] MoonlightFox@lemmy.world 12 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I don't have in-depth knowledge of the differences and how big that is. So take the following with a grain of salt.

My main point is that using containerization is a huge security improvement. Podman seems to be even more secure. Calling Docker massively insecure makes it seem like something we should avoid, which takes focus away from the enormous security benefit containerization gives. I believe Docker is fine, but I do use Podman myself; that is only because Podman Desktop is free, and Dockerfiles seem to run fine with Podman.

Edit: After reading a bit I am more convinced that the Podman way of handling it is superior, and that the improvement is big enough to recommend it over Docker in most cases.

[–] alsaaas@lemmy.dbzer0.com 1 points 2 weeks ago* (last edited 2 weeks ago)

Ofc containerisation is still better than running it natively in terms of security (which is why I said "compared to Podman"), but that's kind of mostly a side effect of its main thing: reproducible runtime environments. It's not rly good security tho afaik, and shouldn't be relied upon in that regard at all, but I don't know too much about it.

[–] chunkystyles@sopuli.xyz 10 points 2 weeks ago (1 children)

I prefer Podman. But Docker can run rootless. It does run under root by default, though.

[–] alsaaas@lemmy.dbzer0.com 1 points 2 weeks ago* (last edited 2 weeks ago)

Afaik it's still using a daemon, compared to Podman being daemonless, right? Ofc it's better to run it in userspace, tho I can't recall if it limited some of the features or not and whether it was easy to set up.

[–] hemko@lemmy.dbzer0.com 9 points 2 weeks ago (3 children)

Not only that, but containers in general run on the host system's kernel; the actual isolation of the containers is pretty minimal compared to virtual machines, for example.

[–] stetech@lemmy.world 5 points 2 weeks ago

… With the tradeoff being containers much more lightweight and having much less overhead than VMs…

[–] MajorHavoc@programming.dev 4 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

It amused me that the votes on your comment (a simple factual statement) reflect how many people here vote without knowing what the fuck they're talking about.

[–] hemko@lemmy.dbzer0.com 4 points 2 weeks ago* (last edited 2 weeks ago)

I think many of the people don't understand the difference between containers vs VMs

[–] Clent@lemmy.dbzer0.com -3 points 2 weeks ago (1 children)

What exactly do you think the VM is running on, if not the system kernel, with potentially more layers?

[–] hemko@lemmy.dbzer0.com 11 points 2 weeks ago* (last edited 2 weeks ago)

Virtual machines do not use the host kernel; they run a full OS with kernel, cock and balls on virtualized hardware on top of the host OS.

Containers are using the host kernel and hardware without any layer of virtualization.

[–] MajorHavoc@programming.dev 11 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Oof. I'm anxious that folks are going to get the wrong idea here.

While OCI does provide security benefits, it is not a part of a healthy security architecture.

If you see containers advertised on a security architecture diagram, be alarmed.

If a malicious user gets terminal access inside a container, it is nice that there's a decent chance that they won't get further.

But OCI was not designed to prevent malicious actors from escaping containers.

It is not safe to assume that a malicious actor inside a container will be unable to break out.

Don't get me wrong, your point stands: Security loves it when we use containers.

I just wish folks would stop treating containers as "load bearing" in their security plans.
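The practical consequence of the points above (shared host kernel, a root daemon by default, no guarantee against escapes) is that the settings around a container have to carry the weight the container itself cannot. The audit below is an added example, not code from this thread or from Docker; it reads the JSON array that `docker inspect` prints (field names as Docker exposes them, the two sample containers constructed inline) and reports the configuration gaps a defender would want closed before treating the container as any kind of boundary.

```python
import json

# Constructed samples shaped like `docker inspect` output (not real captures):
# one container with common weak settings, one hardened the way the audit expects.
WEAK_INSPECT = json.dumps([{
    "Name": "/web", "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                   "SecurityOpt": None, "ReadonlyRootfs": False, "NetworkMode": "host",
                   "PidMode": "", "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]}}])
HARDENED_INSPECT = json.dumps([{
    "Name": "/api", "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "CapAdd": [], "CapDrop": ["ALL"],
                   "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
                   "NetworkMode": "bridge", "PidMode": "", "Binds": []}}])

RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

def audit_containers(inspect_json: str) -> dict:
    """Map container name -> list of hardening findings for a `docker inspect` JSON array."""
    report = {}
    for c in json.loads(inspect_json):
        hc, cfg, issues = c.get("HostConfig", {}), c.get("Config", {}), []
        if hc.get("Privileged"):
            issues.append("privileged: all capabilities and host devices, isolation largely off")
        if not cfg.get("User"):
            issues.append("process runs as root in the container; set USER or --user")
        if hc.get("NetworkMode") == "host":
            issues.append("shares the host network namespace")
        if hc.get("PidMode") == "host":
            issues.append("shares the host PID namespace")
        added = {x.upper().removeprefix("CAP_") for x in hc.get("CapAdd") or []}
        issues += [f"adds capability {cap}" for cap in sorted(added & RISKY_CAPS)]
        if "ALL" not in {x.upper() for x in hc.get("CapDrop") or []}:
            issues.append("keeps the default capability set; use --cap-drop=ALL and add back only what is needed")
        if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in hc.get("SecurityOpt") or []):
            issues.append("no-new-privileges unset; setuid binaries inside can regain privileges")
        if not hc.get("ReadonlyRootfs"):
            issues.append("writable root filesystem; use --read-only with tmpfs for scratch paths")
        if any(b.split(":")[0] == "/var/run/docker.sock" for b in hc.get("Binds") or []):
            issues.append("Docker socket mounted; that is root on the host, not a container boundary")
        report[c.get("Name", "?").lstrip("/")] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_containers(WEAK_INSPECT).items():
        print(name + ":", *issues, sep="\n  - ")
```

On a live host the same function takes the output of `docker inspect $(docker ps -q)` in place of the constructed samples.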

[–] vin@lemmynsfw.com 6 points 2 weeks ago

Sounds like an ugly retrofit of bsd jail

[–] Ajen@sh.itjust.works 5 points 2 weeks ago

You don't have to ship a second OS just to containerize your app.

[–] AnarchistArtificer@slrpnk.net 3 points 2 weeks ago

Containerized software is huge in the sciences for reproducible research. Or at least it will/should be (speaking as someone adjacent to bioinformatics and genomics)

[–] NocturnalMorning@lemmy.world 2 points 2 weeks ago (2 children)

Always someone who needs to explain and ruin the joke..

[–] Tricky@lemmy.world 10 points 2 weeks ago

Not everyone is experienced in the space. I appreciate the reader notes.

[–] Clent@lemmy.dbzer0.com 6 points 2 weeks ago

Based on many of the other comments, I don't think most people understood the joke.