Am I doing something wrong? All my services are grouped in docker compose files. Containers that have to communicate internally - a server and it’s db for example - are on their own private docker network. A reverse proxy has its ports 80 and 443 open and it is on an external docker network. Services that I need to access from the outside are on this network and they do not have any ports open. Except for the torrent client, which has a UDP port open.
Same. One single docker compose, and a dozen images. I get to take advantage of publicly available docker images too which makes managing and updating things a breeze.
It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
Soooo this is not really true unless you don’t trust your kernel. While a VM is more isolated from the host, since a container shares kernel space, that doesn’t make it less secure. I.E. isolation does not equal security.
Actual sandbox escape vulnerabilities happen in VMs as frequently as they do in Docker, and while all VMs have a full systems that many exfiltrations can hit (due to a full suite of services running), many docker containers are locked to a user space with only one process running.
@kureta@lemmy.ml if you are running separate Docker networks in compose, I would not recommend switching to VMs. If that kind of isolation is a requirement, add another server and use different SSH keys for it.
From my understanding, it’s helpful that each VM will have its own IP so ports can be opened only on specific VMs, increasing overall security.
Am I doing something wrong? All my services are grouped in docker compose files. Containers that have to communicate internally - a server and it’s db for example - are on their own private docker network. A reverse proxy has its ports 80 and 443 open and it is on an external docker network. Services that I need to access from the outside are on this network and they do not have any ports open. Except for the torrent client, which has a UDP port open.
Same. One single docker compose, and a dozen images. I get to take advantage of publicly available docker images too which makes managing and updating things a breeze.
It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
Soooo this is not really true unless you don’t trust your kernel. While a VM is more isolated from the host, since a container shares kernel space, that doesn’t make it less secure. I.E. isolation does not equal security.
Actual sandbox escape vulnerabilities happen in VMs as frequently as they do in Docker, and while all VMs have a full systems that many exfiltrations can hit (due to a full suite of services running), many docker containers are locked to a user space with only one process running.
@kureta@lemmy.ml if you are running separate Docker networks in compose, I would not recommend switching to VMs. If that kind of isolation is a requirement, add another server and use different SSH keys for it.
I am also just a hobbyist, so that was a genuine question. Thanks for the answer.
Same here! Good luck with your setup!!