this post was submitted on 09 Jan 2025
1130 points (98.3% liked)

Programmer Humor

[–] alsaaas@lemmy.dbzer0.com 22 points 1 week ago (3 children)

Isn't Docker massively insecure when compared to the likes of Podman, since Docker has to run as a root daemon?

[–] MoonlightFox@lemmy.world 18 points 1 week ago* (last edited 1 week ago) (2 children)

I don't have in-depth knowledge of the differences and how big that is. So take the following with a grain of salt.

My main point is that using containerization is a huge security improvement. Podman seems to be even more secure. Calling Docker massively insecure makes it seem like something we should avoid, which takes focus away from the enormous security benefit containerization gives. I believe Docker is fine, but I do use Podman myself, though that is only because Podman Desktop is free, and Dockerfiles seem to run fine with Podman.

Edit: After reading a bit I am more convinced that the Podman way of handling it is superior, and that the improvement is big enough to recommend it over Docker in most cases.

[–] alsaaas@lemmy.dbzer0.com 2 points 1 week ago* (last edited 1 week ago)

ofc containerisation is still better than running it natively in terms of security (which is why I said "compared to Podman"), but that's kind of mostly a side effect of its main thing: reproducible runtime environments. It's not rly good security tho afaik and shouldn't be relied upon in that regard at all, but I don't know too much about it

[–] chunkystyles@sopuli.xyz 14 points 1 week ago (1 children)

I prefer Podman. But Docker can run rootless. It does run under root by default, though.

[–] alsaaas@lemmy.dbzer0.com 2 points 1 week ago* (last edited 1 week ago)

afaik it's still using a daemon, compared to Podman being daemonless, right? ofc it's better to run it in userspace, tho I can't recall if it limited some of the features or not and whether it was easy to set up
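A defender's check for the point raised in this sub-thread (rootful daemon by default, rootless as an option): the added script below is not from any commenter and assumes that `docker info --format '{{.SecurityOptions}}'` prints a bracketed list containing `name=rootless` on a rootless engine, and that the engine socket is `/var/run/docker.sock` for rootful installs or the path in `DOCKER_HOST` otherwise. It classifies the engine mode from that output plus the socket owner, and reports how widely the socket is writable, since write access to a rootful daemon's socket is root-equivalent on the host.

```shell
#!/bin/sh
# Added example: classify how a Docker engine is running and who can reach its socket.
# Assumption: rootless engines advertise "name=rootless" in SecurityOptions.

# classify_docker_mode SECURITY_OPTIONS SOCKET_OWNER_UID
# Prints "rootless" when the daemon advertises rootless mode or its socket is owned
# by an unprivileged user, "rootful" otherwise.
classify_docker_mode() {
    secopts=$1
    sock_uid=$2
    case "$secopts" in
        *name=rootless*) echo rootless; return 0 ;;
    esac
    if [ "$sock_uid" -ne 0 ] 2>/dev/null; then
        echo rootless; return 0
    fi
    echo rootful
}

# socket_exposure MODE_OCTAL (e.g. 660) -> prints "private", "group" or "world"
# depending on who holds write permission on the socket.
socket_exposure() {
    mode=$1
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ]; then echo world
    elif [ $(( group & 2 )) -ne 0 ]; then echo group
    else echo private
    fi
}

# Live check, only when a docker CLI and a reachable engine are present.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    opts=$(docker info --format '{{.SecurityOptions}}')
    sock=${DOCKER_HOST#unix://}
    [ -S "$sock" ] || sock=/var/run/docker.sock
    uid=$(stat -c %u "$sock" 2>/dev/null || echo 0)
    mode=$(stat -c %a "$sock" 2>/dev/null || echo 660)
    echo "engine mode: $(classify_docker_mode "$opts" "$uid")"
    echo "socket exposure: $(socket_exposure "$mode")"
fi
```

On a rootful engine, a "group" result usually means the `docker` group, whose members should be reviewed as if they had sudo.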

[–] hemko@lemmy.dbzer0.com 9 points 1 week ago (3 children)

Not only that but containers in general run on the host system's kernel, the actual isolation of the containers is pretty minimal compared to virtual machines for example.

[–] stetech@lemmy.world 6 points 1 week ago

… With the tradeoff being containers much more lightweight and having much less overhead than VMs…

[–] MajorHavoc@programming.dev 4 points 1 week ago* (last edited 1 week ago) (1 children)

It amused me that the votes on your comment (a simple factual statement) reflect how many people here vote without knowing what the fuck they're talking about.

[–] hemko@lemmy.dbzer0.com 4 points 1 week ago* (last edited 1 week ago)

I think many of the people don't understand the difference between containers vs VMs

[–] Clent@lemmy.dbzer0.com -3 points 1 week ago (1 children)

What exactly do you think the vm is running on if not the system kernel with potentially more layers.

[–] hemko@lemmy.dbzer0.com 19 points 1 week ago* (last edited 1 week ago)

Virtual machines do not use the host kernel, they run a full OS with kernel, cock and balls on virtualized hardware on top of the host OS.

Containers are using the host kernel and hardware without any layer of virtualization