Hacker News new | ask | show | jobs
by otabdeveloper4 810 days ago
> Turns out that's exactly what containers are a packaging of!

Well, no. When people say "containers", they always mean "Docker".

And Docker also comes with a daemon with full root permissions and ridiculous security policies. (Like, for example, forcefully turning off your machine's firewall, #yolo. WTF!)

P.S. I actually run systemd-nspawn in production, but I am probably the only person on earth to do so.
8 comments
codethief 810 days ago
> Well, no. When people say "containers", they always mean "Docker".

Not really / not necessarily. https://github.com/opencontainers/runtime-spec

link
flaminHotSpeedo 810 days ago
Those in the know are familiar with OCI, etc. but (without hard data to back me up) I think it's still fair to say that the majority of people (lay people, if you will) consider them the same thing by virtue of ignorance.
link
bayindirh 810 days ago
Docker doesn't turn off the firewall, but rather hijacks and repurposes it for itself. It's not any nicer, but it's not the same thing in reality.
link
forgotmyinfo 810 days ago
Docker punches holes in it:

>By default, all external source IPs are allowed to connect to the Docker host. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER-USER filter chain.

Yikes. Should people read the docs? Yes. Should Docker not do this? Also yes.

link
akvadrako 810 days ago
No they don't. Kubernetes doesn't usually use docker, nor does Redhat / Fedora come with docker, but podman.

Maybe you mean: "they always mean OCI images".

link
kachnuv_ocasek 810 days ago
Perhaps I belong to the minority, but I really don't think about containers as Docker. Actually, I don't remember the last time I used Docker for anything. For the past several years, I've been using either Podman or systemd-nspawn, as yourself.
link
CoolCold 807 days ago
> P.S. I actually run systemd-nspawn in production, but I am probably the only person on earth to do so.

Mind sharing some good practical introduction article or set of articles for using VEs (virtual environments) with it? I'm tied to LXD at this moment which manages to provide both ease of operational and ease of configuration fine tunings be needed. I.e. I understand and tested for the projects I do taking care about on how to have network bridges, resources limiting, snapshot/rollback/create new image for VEs, storage profiles (say some I want to put on BTRFS some on ZFS some ...), simple `lxc ls` and `lxc shell <VE-name>` interfaces - may be systemd has all this kind of stuff as well. Or may be it shines in different area?

link
moondev 810 days ago
Except when they mean

containerd without docker crio lxc windows containers podman

link
moreentropy 810 days ago
> P.S. I actually run systemd-nspawn in production, but I am probably the only person on earth to do so.

You're not alone, systemd-nspawn is very much underrated. I have used it a lot for machine containers, though I'm using podman+quadlet+systemd more right now. systemd-nspawn with mkosi for generating workload images is still a nice & powerful ecosystem.

link
EraYaN 810 days ago
Or you know containerd, which is I feel used much more often in production than docker itself.
link