Egregoros · Phoenix Framework

Post

Remote status

Context

Blurry Moon

I literally spent all day trying to get this fucking application installed and working and now it's literally impossible.

This is why Docker exists, people smugly shitting on Docker is annoying as fuck

woodland creature

@meowski@fluf.club remote

@sun skill issue

Blurry Moon

@sun@shitposter.world remote

@meowski someone else's code not mine

woodland creature

@meowski@fluf.club remote

@sun i will never install docker. or kubernetes for that matter

Blurry Moon

@sun@shitposter.world remote

@meowski I ended up just biting the bullet and rewriting some of the code I didn't have permission to touch

woodland creature

@meowski@fluf.club remote

@sun actually i have installed docker before i just usually try to run any needed libraries before reaching for docker. containers are mostly used out of laziness imo

Blurry Moon

@sun@shitposter.world remote

@meowski my position is that the default permission model on operating systems is so bad that it’s beter to just run things n containers

Phantasm

@phnt@fluffytail.org remote

@sun @meowski Containers provide little isolation anyway. It's more of a "feel better" security than anything else. If you fear bad code might go sideways, your only solution is a VM really, unless you want to make a compromise and jump into the rabbit hole called SELinux.

Blurry Moon

@sun@shitposter.world remote

@phnt @meowski containers are good enough to be a security layer now

Phantasm

@phnt@fluffytail.org remote

@sun @meowski Container escapes are like a yearly thing both for Docker and Podman. And with Docker it's even more dangerous as everything runs usually under root. Few months ago three different container escapes for podman dropped from how it handled bind-mounting files, which also included an LSM bypass.

Replying to @phnt@fluffytail.org

Vinnewed Goblin

@mirq@tsogol.tsiran.org remote

@phnt @meowski @sun
Docker doing root by default is so annoying and baffling
I've had "de-root containers" on my to-do list for months now

Replies

Replying to @mirq@tsogol.tsiran.org

Phantasm

@phnt@fluffytail.org remote

@mirq @meowski @sun If your distro has podman packaged, just use that. No stupid daemon required and rootless by default. If you create a new user account and start the container in it, it can also generate you a systemd user service file, which you can then enable and systemd will handle it for you (lingering enabled for the user account is required).

Replying to @phnt@fluffytail.org

@mint@ryona.agency remote

@phnt @meowski @sun @mirq Does it shit pu your iptables rules like d*cker?

Replying to @mint@ryona.agency

Phantasm

@phnt@fluffytail.org remote

@mint @meowski @sun @mirq It probably does, but in a different way. Instead of network interfaces, it uses network namespaces and if you don't tell it to export a port only to localhost, it will happily punch a hole through your firewall to the outside world (at least with firewalld).

Replying to @phnt@fluffytail.org

Phantasm

@phnt@fluffytail.org remote

@mint @meowski @mirq @sun It also creates a firewalld zone only for itself.