by onebike 1818 days ago
This (Docker opening a hole in my firewall) is why I moved my dev server from Linode to Digital Ocean. DO provides a “cloud firewall” that provides something akin to AWS security groups and therefore can’t be messed with by Docker. Linode doesn’t have anything like that (last time I checked at least).
4 comments

This is perhaps the best argument I’ve seen for a separate firewall device even if it’s in the cloud (and just software) - something on your box running as root may bypass your rules just to help you.
Alternatively, running all your services as VMs also helps.
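
The "hole" the thread is talking about is concrete enough to check for. When you publish a container port (`-p 27017:27017`), dockerd inserts a DNAT rule into its own DOCKER chain in the nat table, so the traffic is redirected in PREROUTING and passes through FORWARD rather than INPUT; host-level INPUT rules never see it. The script below is an added example, not something from the thread or from Docker: it runs over a constructed `iptables-save -t nat` snippet (the `SAMPLE_NAT` string, modelled on the rule layout dockerd writes) and lists every published port that is not pinned to a loopback destination, then prints the DOCKER-USER rule that would restrict such a port to one source network. DOCKER-USER is the chain Docker documents for operator rules that must run before its own FORWARD rules and survive daemon restarts. The allow-from network (10.0.0.0/8) is an assumption for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (assumption: a host
# running dockerd with two published ports, one bound to 127.0.0.1).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT'

# Print "hostport container:port" for every DNAT rule in the DOCKER chain that
# is not limited to a 127.x destination, i.e. a container reachable from any
# interface no matter what the INPUT chain says.
exposed_docker_ports() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j DNAT/ && !/-d 127\./ {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (port != "") print port, dest
        }'
}

# Emit the DOCKER-USER rule that drops traffic to a published port unless it
# comes from the allowed network. By the time a packet reaches FORWARD the
# destination port has already been rewritten by DNAT, so match on the
# original destination port via conntrack rather than on --dport.
# Only prints the command; review it before running it as root.
docker_user_rule() {
    port="$1"; allow_from="$2"
    printf 'iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL ! -s %s -j DROP\n' \
        "$port" "$allow_from"
}

# Stand-alone run: on a live host replace SAMPLE_NAT with "$(iptables-save -t nat)".
exposed_docker_ports "$SAMPLE_NAT"
exposed_docker_ports "$SAMPLE_NAT" | while read -r port dest; do
    docker_user_rule "$port" 10.0.0.0/8
done
```

Against the sample this reports only 27017 (the 5432 rule is already loopback-only). The other fix is to stop creating the hole in the first place: bind published ports explicitly (`-p 127.0.0.1:27017:27017`) or set `"ip": "127.0.0.1"` in `/etc/docker/daemon.json` so that is the default, and put anything that must be reachable behind a reverse proxy or the provider-side firewall the thread recommends.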

Having root in a VM doesn't typically give you any rights on the hypervisor (at least not on eg Xen).

Well, if they get root on your mongo vm they can still drop all your tables (or ransomware you) right? So would it make a difference in this particular case? Outside the VM tooling probably not being so insane as to bypass the firewall?
Well, in this case docker was trying to be helpful.

On a hypervisor, it's much harder for VMs to influence each other.

Linux containers (and docker amongst them) started out as convenient and reasonably performant, and added security later. One patch at a time.

Historically, hypervisors typically started secure and added performance and convenience over time.

(Very simplified. But I used to work for XenSource back in the day.)

They recently added one. In fact I had to move many of my VMs to new hypervisors because the ones that didn't support the cloud firewall were deprecated. I don't even use their cloud firewall.
I recently started hosting something on Linode, thanks for calling this feature out. It looks like they started launching Cloud Firewalls back in November. Full rollout was maybe April?

https://www.linode.com/blog/linode/cloud-firewall-beta-open/

Make sure to flip on the feature though, it's not on by default last I saw spinning up some droplets a few months ago.