this post was submitted on 13 Dec 2023
234 points (98.0% liked)

Selfhosted

39895 readers
516 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
234
Should I move to Docker? (lemmy.ca)
submitted 10 months ago by GreatBlueHeron@lemmy.ca to c/selfhosted@lemmy.world
218 comments fedilink hide all child comments
 

I'm a retired Unix admin. It was my job from the early '90s until the mid '10s. I've kept somewhat current ever since by running various machines at home. So far I've managed to avoid using Docker at home even though I have a decent understanding of how it works - I stopped being a sysadmin in the mid '10s, I still worked for a technology company and did plenty of "interesting" reading and training.

It seems that more and more stuff that I want to run at home is being delivered as Docker-first and I have to really go out of my way to find a non-Docker install.

I'm thinking it's no longer a fad and I should invest some time getting comfortable with it?

you are viewing a single comment's thread
view the rest of the comments
[–] Gooey0210@sh.itjust.works 4 points 10 months ago (2 children)

Nixos, nixos, nixos 🀌

[–] fruitycoder@sh.itjust.works 1 points 10 months ago (1 children)

Both! Sandboxing from containers and configuration control from nix go well together!

[–] Gooey0210@sh.itjust.works 2 points 10 months ago (2 children)

You can use the sandboxing of nixos

You get better performance, nixos level reproducibility, and it's not docker which is not foss and running with root

[–] fruitycoder@sh.itjust.works 1 points 10 months ago* (last edited 10 months ago)

I'm not sure honestly if we are agreeing or disagree lol

Nix for building OCI containers is great and Nixos seems like a great base system too. It seems like a natural step to take that and use it to define our a k8s system in the future as well.

I'm currently doing that with OpenTofu (Terraforms opensource successor) and Ansible but I feel like replacing those with nix may provide a real completeness to the codification of the OS.

Barring k8s though, at least until it's gets so simply you might as well use it, podman is so far the go to way to run containers instead of Docker (for both of the reasons you mentioned!). That and flatpaks for GUI apps because of the portals system!

[–] purelynonfunctional@programming.dev 1 points 10 months ago* (last edited 10 months ago) (1 children)

The Nix daemon itself still uses root at build/install time for now. NixOS doesn't have any built-in sandboxing for running applications Γ  la Docker, though it does have AppArmor support. But then, NixOS doesn't generally have applications run as root (containerized or otherwise), unlike Docker.

[–] Gooey0210@sh.itjust.works 1 points 10 months ago

You don't need to build/install with root, you can do home-manager

And for isolation there's one good module, I forgot its name

And if just easier but less reproducible, you can do the containers, but with nixos' podman, and this is of course builtin

[–] milicent_bystandr@lemm.ee 1 points 10 months ago (1 children)

Does Docker still give a security benefit over NixOS, because of the sandboxing?

[–] dan@upvote.au 1 points 10 months ago* (last edited 10 months ago) (1 children)

Not familiar with nixOS but there's probably still isolation benefits to Docker. If you care a lot about security, make sure Docker is running in rootless mode.