My view so far
So.. my view on Linux containers, managed with e.g. podman or docker, was so far this: complicated, and for servers.
I run Linux for myself on desktops, and on servers, where I host things like DNS/bind, a webserver, wikis, Tiny Tiny RSS for collecting RSS feeds, and so on. I run these services on a virtual system in Germany.
So far, almost all of these services were running natively: that makes it easy for me to update them, as I trust the distro maintainers to fix security issues when they become known.
For work, I have looked at containers, but did not consider them for my servers. Introducing containers there would just make things more complicated: instead of just patching the host system, I would need to patch each of the containers separately.
First omen.. TTRSS
Then Tiny Tiny RSS, which I am a huge fan of, started to move to containers: the default way of installing is now container based. Want to install natively? Then you have to dissect the container scripts..
New challenge: Lychee image gallery
Not just since I moved to Japan, I like to take pictures and make them available. My journey through image software started with Album-generator from MarginalHacks, Perl software which generates nice static albums like this. The next step was fgallery (example), which unfortunately is not continued anymore, and I did not warm to its follow-up software.
So, new candidate: Lychee. I fired up a KVM guest with Debian and installed it. Installation works fine, and an album which I imported for testing works great, with just one pain point: while installing, it pulls in more than 130 PHP modules. This really makes me uneasy: the more code is running, the higher the chance that security issues in that code become known. PHP, plus 130 modules that need to be kept an eye on.. running something like that on my system makes me think. Pixelfed, another candidate for gallery software, is not better either..
Getting more opinions
So what to do about this? I walked over to tlug.jp, started a thread, and got great advice. Summing up some ideas from myself and from the thread:
- I could rent a completely new KVM guest, on a different KVM hypervisor. With that, only my pictures would be in danger: if the system gets hacked via security issues in Lychee, only the image data can be obtained.
- I could apply things like SELinux, which confine e.g. the PHP processes and, with proper policies, restrict them to just what they really need. This lowers the chances of an intruder doing something bad, and it can also be used to detect when something unusual happens (denied operations show up in the audit log).
- Linux containers. Various opinions exist; I think they provide a ‘weaker’ security protection than KVM guests, but it’s better than nothing.
On top, I can now use this workflow: I can set up the container on my workstation running Fedora, import images, and when satisfied, transfer the container to my server and take the service online there.
Also, having an application like Lychee in a container allows me to easily commit the current state to an image, then do an upgrade, and if that fails, roll back to the image I had taken. And having applications in containers makes updates of the host easier.
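As an added example (not from the post, and not from the Lychee project), here is a small POSIX shell script for that snapshot, upgrade and roll-back workflow with podman. The container name lychee, the volume name lychee-data, the port 8080 and the image names are assumptions. The caveat it encodes is the one that bites in practice: `podman commit` only captures the container's writable layer, so everything that lives in a named volume (the uploaded photos, the database) has to be exported separately, or the "rollback image" will not contain the data.

```sh
#!/bin/sh
# Added example (not from the post): snapshot a podman container such as a
# Lychee instance before an upgrade, and roll back if the upgrade fails.
# Assumed names: container "lychee", volume "lychee-data", port 8080.
set -eu

CTR=${CTR:-podman}          # docker has commit/save/load too, but no "volume export"
NAME=${NAME:-lychee}
VOLUME=${VOLUME:-lychee-data}
PORT=${PORT:-8080}

# Image tag for a snapshot, e.g. lychee-snapshot:2024-05-01
snapshot_tag() {
    printf '%s-snapshot:%s\n' "$1" "$2"
}

# Snapshot = container layer (podman commit) + named volume (podman volume export).
# "podman commit" only records the container's writable layer; photos and the
# database live in the volume and would be missing from the image alone.
# Both tarballs can be copied to the server (scp) and restored there with
# "podman load -i" and "podman volume import".
snapshot() {
    name=$1; stamp=$2
    tag=$(snapshot_tag "$name" "$stamp")
    "$CTR" commit "$name" "$tag"
    "$CTR" save -o "$name-$stamp.tar" "$tag"
    "$CTR" volume export --output "$name-$stamp-volume.tar" "$VOLUME"
    echo "$tag"
}

# Replace the running container with new_image; if it fails to start, put the
# snapshot image back. Returns 0 on success, 1 after a rollback.
upgrade_or_rollback() {
    name=$1; new_image=$2; snapshot_image=$3
    "$CTR" stop "$name"
    "$CTR" rm "$name"
    if "$CTR" run -d --name "$name" -p "$PORT:80" -v "$VOLUME:/data" "$new_image"; then
        return 0
    fi
    # A failed "run" may have left a half-created container behind.
    "$CTR" rm -f "$name" 2>/dev/null || true
    "$CTR" run -d --name "$name" -p "$PORT:80" -v "$VOLUME:/data" "$snapshot_image"
    return 1
}

# Command-line entry points:
#   ./snap.sh snapshot                          -> prints the snapshot tag
#   ./snap.sh upgrade NEW_IMAGE SNAPSHOT_IMAGE  -> upgrade, roll back on failure
case "${1:-}" in
    snapshot) snapshot "$NAME" "$(date +%F)" ;;
    upgrade)  upgrade_or_rollback "$NAME" "$2" "$3" ;;
esac
```

The upgrade path deliberately only checks that the new container starts; whether the application inside actually works after the upgrade (database migrations, a working login page) still needs a manual check before the snapshot tarballs are deleted.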
Still not sure if I will stick with Lychee.. but it seems containers are not only for the enterprise but can also help me. My Lychee gallery is here.