It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
Soooo this is not really true unless you don’t trust your kernel. While a VM is more isolated from the host, since a container shares kernel space, that doesn’t make it less secure. I.E. isolation does not equal security.
Actual sandbox escape vulnerabilities happen in VMs as frequently as they do in Docker, and while all VMs have a full systems that many exfiltrations can hit (due to a full suite of services running), many docker containers are locked to a user space with only one process running.
@kureta@lemmy.ml if you are running separate Docker networks in compose, I would not recommend switching to VMs. If that kind of isolation is a requirement, add another server and use different SSH keys for it.
It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
Soooo this is not really true unless you don’t trust your kernel. While a VM is more isolated from the host, since a container shares kernel space, that doesn’t make it less secure. I.E. isolation does not equal security.
Actual sandbox escape vulnerabilities happen in VMs as frequently as they do in Docker, and while all VMs have a full systems that many exfiltrations can hit (due to a full suite of services running), many docker containers are locked to a user space with only one process running.
@kureta@lemmy.ml if you are running separate Docker networks in compose, I would not recommend switching to VMs. If that kind of isolation is a requirement, add another server and use different SSH keys for it.
I am also just a hobbyist, so that was a genuine question. Thanks for the answer.
Same here! Good luck with your setup!!