Can you evangelise Docker to me?
I don't get it, it seems dead. Why do people keep copulating with the dead corpse of Kubernetes?!
When Docker arrived 10+ years ago, I was like: wow, lightweight lightspeed VMs, nice!
But now I feel pain & frustration:
- the whole big rebranding split into community/enterprise/desktop paid-for-Windows versions + ... a VM (?!), which was unavoidable and was the ultimate solution from the beginning.
- can't easily install & run rootless without hassle
- we can simply use LXC or other lightweight containers
- everyone is enforcing Podman or rkt or some new sh1t of their own as a replacement
- can't offer secure protection from running untrusted malware code
- Docker seems good if we build apps from 0, but when it came to just running an installation of some 3rd-party proprietary server app binary, it failed.
- used wrongly, for the wrong reasons, as a package system or build-system isolation
- NixOS replaces the case above ^
- just use a lightweight VM, cloud on demand as a service.
Maybe I'm dumb and don't get the geniuses who pay & earn 10k/mo with Kubernetes? Elaborate.
> used […] as package system or build system
Well, here's your answer.
> nixos replaces case above ^
The mainstream just hasn't adopted Nix yet, plus there are legitimate issues with it, e.g. there's no way to check the system for known CVEs.
Also, Docker has a very convenient UX. You can download, configure & run any container with just one command. Compare with VirtualBox or QEMU. You could say that Docker is like Flatpak for servers.
Plus, its isolation helps against dumb bugs in shitty software you just wanted to run once, e.g. [1]. I'm not talking about security here, only dumb bugs.
[1]: https://github.com/ValveSoftware/steam-for-linux/issues/3671
> way to check the system for known CVEs
How do you usually check? What tools do you use?
Can you recommend a good FLOSS scanner + antivirus, with the fastest regular crowd-contributed updates?
Antivirus alone doesn't fix or protect from arbitrary code exploiting a CVE.
ClamAV, even with recent signatures, doesn't detect Unix (or cross-platform) badware.
----------------
2c
1. In nixpkgs you're supposed to read and audit the code yourself and trust the build instructions; the hash demonstrates build reproducibility. But there are other specific designated tools out there for reproducible builds other than Nix.
2. In theory nothing prevents you from running an offline customized CVE scan script: just get and compare installed versions vs. vulnerable ones. + optional exploit check via nix-env.
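An offline version-vs-advisory comparison of the kind point 2 describes, as an added example that is not the poster's code: it parses `name-version` lines in the shape `nix-env -q` prints (sample constructed inline) against a constructed, hypothetical advisory list (not real CVE data), comparing versions token by token so that `1.10` sorts after `1.9` and `1.1.1k` before `1.1.1l`.

```python
import re

# Constructed sample: lines in the "name-version" form that `nix-env -q` prints.
INSTALLED = """\
openssl-1.1.1k
curl-7.79.1
zlib-1.2.11
bash-5.1-p8
"""

# Constructed advisory feed (hypothetical entries, NOT real CVE data):
# (package, first vulnerable version inclusive, first fixed version exclusive, id)
ADVISORIES = [
    ("openssl", "1.1.1", "1.1.1l", "EXAMPLE-ADV-1"),
    ("curl", "7.0.0", "7.80.0", "EXAMPLE-ADV-2"),
    ("zlib", "1.2.12", "1.2.13", "EXAMPLE-ADV-3"),  # installed zlib is older: not affected
]

def split_name_version(entry):
    """Split 'name-1.2.3' into ('name', '1.2.3'). The version starts at the
    first '-' followed by a digit, so 'gcc-wrapper-12.1' splits correctly."""
    m = re.match(r"^(.+?)-(\d.*)$", entry)
    return (m.group(1), m.group(2)) if m else (entry, "")

def version_key(v):
    """Tokenise a version for ordering: numeric runs compare as integers,
    alphabetic runs as strings, so '1.10' > '1.9' and '1.1.1k' < '1.1.1l'.
    A plain string compare would get both of those wrong."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]

def version_lt(a, b):
    return version_key(a) < version_key(b)

def scan(installed_text, advisories):
    """Return [(name, version, advisory_id)] for installed packages whose
    version falls in the half-open range [introduced, fixed) of an advisory."""
    hits = []
    for line in installed_text.splitlines():
        name, ver = split_name_version(line.strip())
        for pkg, introduced, fixed, adv in advisories:
            if pkg == name and not version_lt(ver, introduced) and version_lt(ver, fixed):
                hits.append((name, ver, adv))
    return hits

if __name__ == "__main__":
    for name, ver, adv in scan(INSTALLED, ADVISORIES):
        print(f"{name}-{ver}: affected by {adv}")
```

Replace the constructed advisory tuples with ranges taken from a real feed and feed it the actual `nix-env -q` output to get a usable offline check.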
I like Guix because it uses Scheme.
Did you migrate from NixOS? I'm considering it and am looking for stories from the frontlines.
>>6
From a practical point of view, they're equivalent. From a stylistic point of view, customizing your packaging system is easy with the power of Guile. I am a fan of Scheme and it's cool to manipulate Guix to do little things that it wasn't explicitly programmed to do.