undefined | Better HN

0 pointsrewmie2y ago0 comments

> I also miss the simplicity of compose, but for me running rootless is worth the tradeoff.

To setup/tear down software dev environments deployed locally, the root/rootless discussion isn't really relevant. Ease of deployment and ease of use are critical though, and Docker is above all a development experience victory.

0 comments

worksonmine2y ago

Relevant to who? The damage done with container escape is bigger on my machine than any production server I have access to. And there are a lot more packages running in my dev environment than on production servers. When it comes to security or convenience I always choose the first but I know most people wont.

Podman-compose isn't as good as docker but it exists, and you can run docker-compose with podman as the runtime. I don't need it as my environments are simple and even wrapping the commands in shell scripts would be overkill. But the option is there.

yrro2y ago

> The damage done with container escape is bigger on my machine than any production server I have access to.

It's worth pointing out that if you're running on Fedora/RHEL then containers are confined to the container_t domain, with a unit per-container MCS label. SELinux policy will prevent a process that has broken out of its namespaces from being able to read/write files from the host or from other containers, or being able to kill or read the memory of or (I'm assuming, haven't checked) ptrace processes from the host or other containers.

rewmieOP2y ago

> Relevant to who? The damage done with container escape is bigger on my machine than any production server I have access to.

If you are concerned that your dev machine is vulnerable but for any reason you decided to not do anything about it, them you might be happy to learn that it's possible to configure Docker to not run as root.

https://docs.docker.com/engine/security/rootless/

worksonmine2y ago

> If you are concerned that your dev machine is vulnerable but for any reason you decided to not do anything about it

Why would you assume I'm not doing anything about it? Podman is one piece in my hygiene, not allowing npm scripts is another. It does make some things harder and most devs I work with don't even know it's possible and should be done. Assuming you aren't vulnerable and waiting for a problem to appear before solving it is doing it backwards if you ask me. Your kind of self-confidence is what usually gets people.

I could also point docker-compose to the podman socket (it's the default for the podman compose command), if that was something I needed. Pods do it for me these days, which was my initial point. Even though compose is cool it's not really needed and wouldn't add that much for me these days. I've been using podman so long that I don't see the point in going back to docker, changing the default when what I'm using was built to fix that issue to begin with.

What point are you trying to make? I can live without docker.

j / k navigate · click thread line to collapse

0 comments

worksonmine2y ago

yrro2y ago

> The damage done with container escape is bigger on my machine than any production server I have access to.

rewmieOP2y ago

> Relevant to who? The damage done with container escape is bigger on my machine than any production server I have access to.

https://docs.docker.com/engine/security/rootless/

worksonmine2y ago

> If you are concerned that your dev machine is vulnerable but for any reason you decided to not do anything about it

What point are you trying to make? I can live without docker.

j / k navigate · click thread line to collapse