Context: Docker bypasses all UFW firewall rules
-
Try podman and quadlets
Quadlets are so good.
-
Ok
So, confession time.
I don't understand docker at all. Everyone at work says "but it makes things so easy." But it doesnt make things easy. It puts everything in a box, executes things in a box, and you have to pull other images to use in your images, and it's all spaghetti in the end anyway.
If I can build an Angular app the same on my Linux machine and my windows PC, and everything works identically on either, and The only thing I really have to make sure of is that the deployment environment has node and the angular CLI installed, how is that not simpler than everything you need to do to set up a goddamn container?
Sure but thats an angular app, and you already know how to manage its environment.
People self host all sorts of things, with dozens of services in their home server.
They dont need to know how to manage the environment for these services because docker "makes everything so easy".
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
On windows (coughing)
-
Explicitly binding certain ports to the container has a similar effect, no?
I still need to allow the ports in my firewall when using podman, even when I bind to 0.0.0.0.
-
Ok
So, confession time.
I don't understand docker at all. Everyone at work says "but it makes things so easy." But it doesnt make things easy. It puts everything in a box, executes things in a box, and you have to pull other images to use in your images, and it's all spaghetti in the end anyway.
If I can build an Angular app the same on my Linux machine and my windows PC, and everything works identically on either, and The only thing I really have to make sure of is that the deployment environment has node and the angular CLI installed, how is that not simpler than everything you need to do to set up a goddamn container?
I pretty much share the same experience. I avoid using docker or any other containerizing thing due to the amount of bloat and complexity that this shit brings. I always get out of my way to get Software running w/o docker, even if there is no documented way. If that fails then the Software just sucks.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
-
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like "you can follow these thirty steps to make Docker secure, or just run Podman instead." https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
That is definitely one of the crowds but there are also people like me that just are sick and tired of dealing with python, node, ruby depends. The install process for services has only continued to become increasingly more convoluted over the years. And then you show me an option where I can literally just slap down a compose.yml and hit "docker compose up - d" and be done? Fuck yeah I'm using that
-
It's okay for simple things, but too simple for anything beyond that, IMO. One important issue is that unlike with Portainer you can't edit the container in any way without deleting it and configuring it again, which is quite annoying if you just want to change 1 environment variable (GH Issue). Perhaps they will add a quadlet config tool to cockpit sometime in the future.
i mean, you can just redeploy the container with the updated variable. thats kinda how they work.
-
Linux lets you do whatever you want and that's a side effect of it, there's nothing preventing an app from messing with things it shouldn't.
there's nothing preventing an app from messing with things it shouldn't.
that's not exactly a linux specialty
-
Ok, see the sandboxing makes sense and for a language like C++ makes sense. But every other language I used it with is already portable to every OS I have access to, so it feels like that defeats the benefit of using a language that's portable.
it does not solve portability across OS families. you can't run a windows based docker image on linux, and running a linux image on windows is solved by starting a linux VM.
-
ufw just manages iptables rules, if docker overrides those it's on them IMO
iptables is deprecated for like a decade now, the fact that both still use it might be the source of the problem here.
-
it does not solve portability across OS families. you can't run a windows based docker image on linux, and running a linux image on windows is solved by starting a linux VM.
Oh, fair. That's a good point.
-
CLI and Quadlet? /s but seriously, that's what I use lol
Quadlets are so nice.
-
That caused issues with Docker containers being unable to communicate with eachother for me.
-
I mean if you're hosting anything publicly, you really should have a dedicated firewall
Do you mean a hardware firewall?
-
I still need to allow the ports in my firewall when using podman, even when I bind to 0.0.0.0.
Also when using a rootfull Podman socket?
-
I assume portainer communicates via the docker socket? If so, couldn’t you just point portainer to the podman socket?
Portainer Docs | Install Portainer CE with Podman on Linux The official docs also mention doing that.
-
Also when using a rootfull Podman socket?
I haven't tried rootful since I haven't had issues with rootless. I'll have to check on that and get back to you.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
This post inspired me to try podman, after it pulled all the images it needed my Proxmox VM died, VM won’t boot cause disk is now full. It’s currently 10pm, tonight’s going to suck.
-
This post inspired me to try podman, after it pulled all the images it needed my Proxmox VM died, VM won’t boot cause disk is now full. It’s currently 10pm, tonight’s going to suck.
eh, booting into single user mod should work fine, uninstall podman and init 5
