So, is it a bad/good idea to run *every* service I want to use on my root server in docker containers?

I don't think that's a good idea, you mean services like ssh server etc. too?

I wanted to keep the question as simple as possible, so sorry if its a bit unclear..

@alexbrooklyn
I think more about services like
- Build Server
- Mail Server
- Gitlab
- Cloud Server
- nginx reverse Proxy for everything above
-....

@Emphiliis I'd say give it a try, I use containers for my nginx, apps and email and I'm certainly not complaining. Just don't forget to add volumes to make sure nothing gets lost.

I'm not so sure about build servers or the cloud though 🤔

if you have ever worked with build agents on Gitlab, Microsoft Team Service, Bitbucket, they all use containers to build your code when requested, I think Github recently added this option

It keeps environment clean since container is not actually created but just spinned up for a single purpose and then disposed.

But always be aware, although docker adds a bit of more security so that if your web service had a backdoor (for example) it is true hacker will not be able to attack host system, but docker has its own share of security issues, the last one (can't recall its name) is deep down in its core and can only be mitigated but not fixed in the near future.

All-in-all, having them in containers means less conflict for dependencies

@gitpush depends how you configure networking, by default it have access to host network

IDK what a root server is.

If you meant "run as root user on my server", then the answer is DON'T. Only run services as root you cannot run as a service account. For instance services that are to be used by other Linux users, services that will need to bind to ports <1025 and so on.

Always avoid running your apps as root user. Always. Only do that as a last resort.

@vane Even if it doesn't have access to host network, there are some security issues in the core of it where attacker can grant himself root access to system resources of the host from inside the container, its symlink race (https://thenewstack.io/docker-symli...)

It can be mitigated by patching Linux kernel but not sure if its actually a permanent solution, couldn't find the original article I read :\

@netikras by default docker inside container pid is run as root unless you specify user of process

Anyway use docker compose for configuration and look at openresty / lua / redis for dynamic hosts.

I host bunch of services this way and I’m happy with results.

@netikras
A root server is just a dedicated server. In Germany the term 'root server' is quite common and I did not know its not that used in other countries.

@gitpush
Yes, I did have problems in the past with dependencies (who didn't..) and that's the reason I want to use docker. And also because its easier to move :)

@gitpush yeah that’s why there are some additional layers from ex. amazon to run containers secured way but I would consider them as enterprise layer :)

@vane you're happy until someone discovers an RCE vuln in your app and exploits it to escape from the docker container to the host OS filesystem :)

@netikras it’s a problem for containers cloud providers. I don’t expose my containers to the outside world, only some services with ports and those are usually run as regular user with restricted network inside some vm so someone can get a vm at most with 1024 ram but I don’t think it’s worth a fuss 🙂

So if anyone os interested in security layers for docker those are things I am aware of
gvisor - https://gvisor.dev from google
firecracker - https://firecracker-microvm.github.io/... from amazon

@vane Aah yes in that case I think its ok but I rent a VPS so that's why I was thinking about security