by shamsalmon 3366 days ago
Have you considered a solution like graylog for centralized logging with both the VMs and containers? That's what my company tends to do with clients, and we frequently choose containers and multiple VMs together running something like docker stack. As long as you do proper security practices on the container itself, such as not running the application as root, I don't see any downside to running things in containers over VMs as long as you have proper logging. Combined with something like ansible or another config management tool you can automate this whole process, and it works really well for us.

Yeah, I use graylog and the ELK stack and ansible already; there is still an isolation level with full VMs you don't get with containers (namespace sharing issues, kernel-level system call attack issues, etc.). Of course VMs have the same issues with the host OS, but there is one more layer for an attacker to penetrate, and as we know, security is all about layers.

On that note, a FOSS ansible tower alternative popped up on my radar recently that looks interesting.

https://github.com/ansible-semaphore/semaphore

Thanks for sharing! Currently only using jenkins for our ansible deployments but this looks like a great WIP for an eventual replacement.
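The two points the thread turns on, "don't run the application as root" on one side and "containers share the host kernel and can share its namespaces" on the other, are both visible in `docker inspect` output, so they can be checked mechanically before a container is accepted into the fleet. The script below is an added example, not code from either commenter or from the graylog, ansible or semaphore projects. It reads the JSON shape `docker inspect` prints (the sample is constructed inline with fields trimmed) and flags root users, `--privileged`, host PID/network/IPC/UTS/user namespaces, added capabilities, an unconfined seccomp profile, a mounted Docker socket, and a log driver that never ships logs off the host (gelf is the driver Graylog speaks). The `audit_container` and `audit` function names, the `SAMPLE` data and the remote-driver list are this example's own assumptions.

```python
import json

# Log drivers that ship container output off the box; gelf is what Graylog ingests.
REMOTE_LOG_DRIVERS = {"gelf", "syslog", "fluentd", "splunk", "awslogs", "gcplogs"}
# HostConfig keys whose value "host" means the container shares that host namespace.
NAMESPACE_KEYS = ("PidMode", "NetworkMode", "IpcMode", "UTSMode", "UsernsMode")


def audit_container(container):
    """Return (name, [findings]) for one entry of `docker inspect` output."""
    name = container.get("Name", "?").lstrip("/")
    cfg = container.get("Config") or {}
    hc = container.get("HostConfig") or {}
    findings = []

    # An empty Config.User means "whatever the image's USER is"; without a USER
    # instruction that is root, so treat empty the same as an explicit root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("process runs as root (Config.User=%r)" % cfg.get("User", ""))

    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities, default seccomp/AppArmor off")

    for key in NAMESPACE_KEYS:
        if hc.get(key) == "host":
            findings.append("shares host namespace via HostConfig.%s=host" % key)

    for cap in hc.get("CapAdd") or []:
        findings.append("extra capability %s" % cap)

    for opt in hc.get("SecurityOpt") or []:
        if opt.replace(":", "=") == "seccomp=unconfined":
            findings.append("seccomp unconfined: every kernel syscall reachable")

    for mount in container.get("Mounts") or []:
        if mount.get("Source") == "/var/run/docker.sock":
            findings.append("docker.sock mounted: root on the host for anyone in the container")

    log_type = ((hc.get("LogConfig") or {}).get("Type")) or "json-file"
    if log_type not in REMOTE_LOG_DRIVERS:
        findings.append("log driver %s keeps logs on the host only" % log_type)

    return name, findings


def audit(containers):
    """Map container name -> list of findings; an empty list means clean."""
    return dict(audit_container(c) for c in containers)


# Constructed sample in the shape `docker inspect` prints (fields trimmed).
SAMPLE = [
    {
        "Name": "/web",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "host",
            "PidMode": "",
            "CapAdd": ["NET_ADMIN"],
            "SecurityOpt": None,
            "LogConfig": {"Type": "json-file", "Config": {}},
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/api",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "bridge",
            "PidMode": "",
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges"],
            "ReadonlyRootfs": True,
            "LogConfig": {"Type": "gelf", "Config": {"gelf-address": "udp://graylog:12201"}},
        },
        "Mounts": [],
    },
]


def main(path=None):
    # Usage: docker inspect $(docker ps -q) > containers.json && python audit.py containers.json
    data = json.load(open(path)) if path else SAMPLE
    for name, findings in audit(data).items():
        print("%s: %s" % (name, "; ".join(findings) or "ok"))


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run without arguments it audits the embedded sample: `web` collects five findings (root user, host network namespace, added `NET_ADMIN`, mounted Docker socket, local-only logs) while `api` comes back clean. The same check fits naturally into an ansible play or a CI step, which is where the thread's "automate the whole process" advice would put it.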