Submitted via IRC for TheMightyBuzzard
Docker is a great tool. But Docker containers are not a cure-all. If you really want to understand how Docker is impacting the channel, you have to understand its limitations.
Docker containers have become massively popular over the past several years because they start faster, scale more easily and consume fewer resources than virtual machines.
But that doesn't mean that Docker containers are the perfect solution for every type of workload. Here are examples of things Docker can't do or can't do well:
- Run applications as fast as a bare-metal server.
- Provide cross-platform compatibility.
- Run applications with graphical interfaces.
- Solve all your security problems.
I kinda miss just running services directly on physical servers. Guess I'm getting old.
Source: http://thevarguy.com/open-source/when-not-use-docker-understanding-limitations-containers
(Score: 2, Interesting) by higuita on Saturday August 26 2017, @04:24PM
That is only half true... in recent kernels and dockers, the root inside the docker is a normal user in the host machine... but many people use older dockers, old kernels or both... and then complain. For docker, you MUST use the most recent kernel and docker version you can get.
But even for a recent kernel and docker, most people still run the docker with the "fake root" user, because they do not care or do not know how to change it.
You can define what user the app will run as via the "User" config in the dockerfile or the "docker run --user" option when starting it up.
If you do not specify it, it will run as root, so you should ALWAYS set it up to some other user.
Sometimes the dockerfile needs to be updated to change the permissions of some folders for that user, as you are not using root anymore, so you may not be able to write to some folders.
You should also drop all the docker capabilities in all containers and add them back only when they are really needed. Again, much software does not need any capability, and many of those that might need one can have it removed after fine-tuning the dockerfile (to create empty files and directories, change permissions and ownership, change the port, disable change-user as you are already running as that user). Only a few more complex or special programs really need capabilities.
So with a bad, outdated setup for docker, you have a special chroot with namespaces, running as root with all the power.
With a bad, updated setup for docker, you have a special chroot with namespaces, running as "fake root" with much power, via the capabilities.
With a good setup for an updated docker, you get a special chroot with namespaces, running as a normal user, without any power.
With this last setup, your security is very good already. You can even improve it more using AppArmor, SELinux and the like, but updating the kernel and docker and fine-tuning the dockerfile / docker run are simple enough tasks that you can apply to all your containers.
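The setup described in the comment above (switch to an unprivileged user in the Dockerfile, fix folder ownership, drop all capabilities and add back only what is needed), as an added example that is not from the thread or from Docker itself; the image name, user name and UID are constructed placeholders, and the Dockerfile is written to /tmp only so the check can be run offline.

```shell
#!/bin/sh
# Added example: a Dockerfile that creates an unprivileged user and fixes
# ownership, a check for Dockerfiles that still run as (fake) root, and a
# helper that builds the hardened "docker run" argument list.
# Image/user names and the UID are constructed placeholders.

# Constructed Dockerfile content showing the useradd + chown + USER pattern.
HARDENED_DOCKERFILE='FROM debian:bookworm-slim
RUN useradd --system --uid 10001 --no-create-home app \
 && mkdir -p /var/lib/app /run/app \
 && chown -R app:app /var/lib/app /run/app
COPY --chown=app:app app /opt/app
USER app
EXPOSE 8080
ENTRYPOINT ["/opt/app/server"]'

# dockerfile_runs_as_root FILE: returns 0 (true) when the last USER line is
# missing or names root, i.e. the container would start as root.
dockerfile_runs_as_root() {
    last=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    case "$last" in
        ""|root|0|root:*|0:*) return 0 ;;
        *) return 1 ;;
    esac
}

# hardened_run_args IMAGE [CAP ...]: prints docker run arguments that drop
# every capability, forbid privilege escalation, force the unprivileged UID,
# and re-add only the capabilities listed (e.g. NET_BIND_SERVICE for a port
# below 1024).
hardened_run_args() {
    image=$1; shift
    args="--cap-drop=ALL --security-opt=no-new-privileges --user=10001:10001"
    for cap in "$@"; do
        args="$args --cap-add=$cap"
    done
    printf '%s %s\n' "$args" "$image"
}

# Demo: write the constructed Dockerfile and run both helpers.
printf '%s\n' "$HARDENED_DOCKERFILE" > /tmp/Dockerfile.hardened
if dockerfile_runs_as_root /tmp/Dockerfile.hardened; then
    echo "WARNING: container would run as root"
else
    echo "OK: Dockerfile switches to an unprivileged user"
fi
echo "docker run $(hardened_run_args example/app:1.0 NET_BIND_SERVICE)"
```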