Each Docker image runs its own stack, and each stack has the potential to contain vulnerabilities. Even with services such as Watchtower (https://hub.docker.com/r/v2tec/watchtower/), you're still not safe. Some images are abandoned for years, others are only updated once their "final" product is updated, meaning you could be hosting a handful of vulnerable services without even knowing it.
I host all my internet-facing stuff on FreeBSD in jails, though Linux with LXC would do just as well. I have one stack to update, and once that's updated, everything else is updated as well.