I’ve been researching how to set up a machine for the following services:
Nextcloud
GOGs
Emby
(Libre?)NMS
Originally I wanted to set up multiple Alpine VMs to run each service individually. This proved less feasible than I had the patience for, so I’m looking at using the more efficient & easier to use Docker option.
My concern, however, is that I’ll be running this machine 24/7. Are there any factors I should be aware of from a security perspective? The advantage to VMs in my mind was that I would be able to automate more frequent updates through them. With Docker you’re somewhat dependent on the image provider for that.
In the case of MySQL, would you run it on bare metal or under Docker? Why or why not?
Yes, it runs the same kernel. It’s a container like docker, but instead of running a single application it has its own init and looks/works like a separate VM with persistent storage and so on.
I don’t see any issues. Like other people said, keep the db out of the container, and if you follow regular security practices such as mysqld setup and have proper firewall rules you should be good :). The only thing I would add is that running docker in production is usually frowned upon unless they have made huge strides to make it better and more secure.
Well that completely ignores stateful containers. If you have a problem with databases losing data on kill, you haven’t touched stateful containerization and you’re relying on stateless containers for a stateful program. That’s a setup and user problem, not a docker problem.
The question I’d ask is: Why do you want to use containers?
There is no problem running containers 24/7, and updates are certainly easier than 4 separate VMs. I just don’t get the security question.
Docker containers don’t enhance your security. Docker has various benefits, but I don’t think most of them are a thing if you plan on running one instance each on a single hardware machine and don’t plan to redeploy this thing regularly.
Docker is great when it comes to deploying reproducible builds across machines, running many instances at once (docker swarms) and such.
If you just want to set up a machine with a certain setup and use it like that, I’d skip docker and just install what you need. Security concerns are the same for docker or “Bare Metal” (Docker is not Virtualization).
You could make the argument that running these services in a virtual machine with some custom networking setup (nat rules and stuff) would be more secure and stable than running all this stuff in docker. (Docker networking is also confusing as fuck).
Please don’t run your db under docker unless you are just developing. Bare metal or a virtual machine are the route to go here. Less chance of losing data in the event docker takes a dump.