272 points twelvenmonkeys | 6 comments
xer0x No.42139358
What took them so long?
replies(2): >>42139403 #>>42139529 #
1. nijave No.42139529
My take was they sort of dug in and said "Docker isn't made right for Linux, we're reinventing it."

On Fedora w/ SELinux that led to quite a few compatibility issues for a while, with lots of quirky things that didn't behave the same.

I think their implementations have gotten pretty stable and improved in compatibility since then.

replies(1): >>42139632 #
2. 2OEH8eoCRo0 No.42139632
That's my take as well. Red Hat's design choices fit into Linux much more neatly. Docker has always been rubbish with late cgroups v2 support, punching holes in my firewall, no rootless, etc.
replies(1): >>42139891 #
3. mmh0000 No.42139891
> punching holes in my firewall

I teach various Linux training courses, one of which is Containers. It always shocks several people per class how Docker just blatantly ignores and rewrites existing firewall rules. And there's no real option to prevent that unless you want to manually configure ALL network routing.

For me personally, that was one of the big issues that pushed me over to Podman.

Also, Docker's insistence on "forcing" the use of the malware-ridden Docker Hub, and preventing it from being disabled, didn't help me appreciate their security practices. [links below]

https://jfrog.com/blog/attacks-on-docker-with-millions-of-ma...

https://www.infosecurity-magazine.com/news/malicious-contain...

https://www.bleepingcomputer.com/news/security/millions-of-d...

https://www.bleepingcomputer.com/news/security/docker-hub-re...

https://sysdig.com/blog/analysis-of-supply-chain-attacks-thr...

... ETC ...

replies(3): >>42140120 #>>42141051 #>>42143434 #
4. hughesjj No.42140120
I want to switch to Podman. What are the general gotchas and difficulties you could see in doing that for multi-architecture + multi-OS builds/deployments?
5. xelamonster No.42141051
You might just be convincing me to switch. I generally love Docker and Compose, but the firewall thing still blows my mind, and that there still just is not a solution.

My workaround has been to bind all Docker port forwards to localhost and only ever expose them externally via a reverse proxy. Which is annoying, because that means I can't run the reverse proxy itself in Docker.
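The two complaints above (Docker rewriting firewall rules for published ports, and the localhost-binding workaround) come down to one question for a practitioner: which of my published ports are actually reachable from off the host? The script below is an added example, not code from the thread or from Docker. It parses the text that `docker ps --format '{{.Names}}\t{{.Ports}}'` prints (a real Docker CLI option), flags every host-side binding that is not a loopback address, and prints the `-p` argument that would confine it to localhost, which is exactly the workaround described. The sample input is constructed for the example, not captured from a real host; the bracketed IPv6 `-p` form is assumed from the syntax Docker prints and should be checked against your Docker version.

```python
"""Audit which Docker-published ports are reachable from other hosts.

Added example, not code from the thread or from Docker. Input is the text
`docker ps --format '{{.Names}}\t{{.Ports}}'` prints. Docker adds its own
iptables rules for every published port, so a binding on 0.0.0.0 or ::
is exposed regardless of what the operator's firewall rules say.
"""
import ipaddress
from typing import Dict, List

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE_PS = (
    "web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n"
    "db\t127.0.0.1:5432->5432/tcp\n"
    "cache\t6379/tcp\n"                      # EXPOSE-only, never published
    "proxy\t0.0.0.0:443->443/tcp, [::]:443->443/tcp\n"
)


def parse_ports(field: str) -> List[Dict[str, str]]:
    """Split one Ports column into published bindings.

    Entries without '->' are EXPOSE-only (no host port) and are skipped.
    The host side is 'addr:port'; IPv6 may appear bare (':::8080') or
    bracketed ('[::1]:8080'), so split on the last ':' and strip brackets.
    """
    bindings = []
    for item in field.split(","):
        item = item.strip()
        if "->" not in item:
            continue
        host_side, container_side = item.split("->", 1)
        addr, host_port = host_side.rsplit(":", 1)
        cport, proto = container_side.split("/", 1)
        bindings.append({
            "addr": addr.strip("[]"),
            "host_port": host_port,
            "container_port": cport,
            "proto": proto,
        })
    return bindings


def is_external(addr: str) -> bool:
    """True if the binding address accepts connections from other hosts.

    0.0.0.0 and :: (unspecified) bind every interface. Anything that is
    not loopback is treated as external; a non-IP string is treated as
    external too, because we cannot prove it is local.
    """
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def audit(ps_output: str) -> List[Dict[str, str]]:
    """Return one finding per externally reachable published port."""
    findings = []
    for line in ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for b in parse_ports(ports):
            if is_external(b["addr"]):
                findings.append({"container": name, **b})
    return findings


def loopback_flag(finding: Dict[str, str]) -> str:
    """The `-p` argument that would confine this binding to localhost.

    This is the thread's workaround: publish on loopback only and put a
    reverse proxy in front. The bracketed IPv6 form is an assumption
    based on the syntax Docker prints; verify it for your Docker version.
    """
    local = "[::1]" if ":" in finding["addr"] else "127.0.0.1"
    return "-p {}:{}:{}/{}".format(
        local, finding["host_port"], finding["container_port"], finding["proto"]
    )


if __name__ == "__main__":
    for f in audit(SAMPLE_PS):
        print("{container}: {addr}:{host_port} -> {container_port}/{proto} "
              "is reachable off-host; use {fix}".format(fix=loopback_flag(f), **f))
```

On a real host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `audit()` instead of the constructed sample. The check only covers per-port exposure; Docker's own iptables chains (the DOCKER chain it manages, and the DOCKER-USER chain it documents as the place for operator rules) are a separate matter that the script does not inspect, and a loopback binding does nothing to protect the reverse proxy that then has to sit outside Docker.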

6. justinclift No.42143434
> It always shocks several people per-class how Docker just blatantly ignores and rewrites existing firewall rules.

Yeah. Many times I've mentioned that to people, and they just don't believe it's a thing which Docker does. Including here on HN. :/