[macns]

Why do I need Docker for such a simple task? From their blog:

> The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. Here’s how to make it work:

    SSH into the server.
    Install Docker, Docker Compose, and git:

I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.

[tecleandor]

It's a simple way of running something quickly and without touching the rest of your system (if you already have Docker installed)

Anyway, the proxy is just an nginx with a custom config file. You can check that file and just add it yourself to an nginx you manage, probably with little changes.

https://github.com/signalapp/Signal-TLS-Proxy/blob/main/data...

[e12e]

It's a bit odd to use a custom docker image, rather than the one maintained by nginx Inc though:

https://github.com/signalapp/Signal-TLS-Proxy/blob/main/ngin...

Vs

https://github.com/nginxinc/docker-nginx

For one, this is 5 versions behind (1.18 vs 1.23).

In general seems caddy or haproxy might be a better fit - but nginx is a perfectly fine choice I suppose.

[sooyoo]

> It's a simple way of running something quickly and without touching the rest of your system

Providing a statically linked binary is even simpler, without all that extra complexity that comes with docker.

[jSherz]

This project wraps existing software (e.g. nginx) to function. It's not as simple as providing a binary.

[Caligatio]

I'm also confused about the Docker hate here. The daemon itself is lightweight and the Docker-ized process(es), once running, have negligible overhead compared to running them natively.

I didn't look at the image size but you might be paying a ~100 MB storage penalty to bundle dependencies.

[pooper]

For my fedora people,I just want to remind them that whenever anyone says docker, you can safely use podman (or at least that is the goal).

It won't be rootless in this case as far as I know because you will need privileged ports 80 and 443 but good habit in general.

[jacooper]

You can allow unprivileged apps to use privileged ports, its just a simple sysctl edit.

[metadat]

It's actually more than negligible, docker containerization tends to impose limits, tracking, and network overhead on processes, which all have some overhead and penalty on performance.

On beefcake supreme machines it's just usually not significant enough to worry about, because the perceived benefits outweigh the downsides.

[killingtime74]

Docker images are just tarballs no? There’s almost no overhead at runtime. Of course you could fork it

[masklinn]

There is some performance overhead from the configuration Docker uses for the containers, as well as some of the historical behaviour (not sure if they still apply)

- if you use docker nat, it about doubles connection time, if you only have extremely short connections this can be quite visible.

- If you need FS access, this can come at a high cost depending on your usage pattern, docker’s layered FS is not cheap.

- Finally Docker enables features which don’t come for free and which you may not be enabling separately e.g. seccomp (this can result in a 15+% performance hit in the worst case)

[kitd]

I've put Docker onto small VPSes. It's no hassle. The heavy part is Nginx. Adding the container on top won't be making much difference to the size.

[tsujamin]

pretty sure you can run docker on a $5 vps with plenty of headroom left

could it be done leaner? sure

is it worth it if it raises the barrier of entry of getting people to run the proxy? doubtful

[hosteur]

A single statically linked binary would not raise the barrier of entry. Quite the opposite.

[franga2000]

What if you're running on an ARM VPS? Now there are 2 binaries. What if you're running e.g. Alpine? Now you need 4. Which init system do you provide startup scripts for? You need an install script too. And what if you just want to try it on your Windows/Mac computer? Need to manually set up a VM.

Meanwhile, you can just install Docker, which you might already have if you do self-hosting often, and run one command. The overhead of containers is tiny, so you really won't notice it. Bonus points for using Podman, which doesn't even have a daemon.

[sofixa]

But you also need to provide a systemd service for it. And statically linked against glibc or musl?

[monocasa]

you need to provide a systemd service for a docker image as well, the restrt policies leave a lot to be desired for a host that itself can restart.

glibc doesn't support static linking, so it's probably going to be musl. Running a musl binary on an otherwise glibc system isn't an issue.

[Bayart]

> Why do I need Docker for such a simple task?

Containers are more consistent and have less side effects than packages.

> I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.

There's very little overhead and it takes a one liner[1] to install it.

[1]: curl -sSL https://get.docker.com/ | sh

[tomohawk]

Whenever I see a docker compose based install, it's clear that the installation wasn't thought through very well. Inevitably, these installs are more complicated and less reliable than a finished product.

[cpach]

Do you have any data to back up your claim about the overhead of using Docker?

[peppermint_tea]

just installed it in lxc without docker... works like a charm.

[toomuchtodo]

time > compute resources. Docker up/compose and on with your day.

[7v3x3n3sem9vv]

stood up a Signal proxy on a VM with the following specs:

- Single core 1GHz CPU - 640 MB RAM - 10 GB storage ( default size )

I'd say docker is pretty light.