re: How to actually make your life easier with Docker

"Full isolation from host machine and other apps"

I found this isn't actually true. I had to develop on some software of awful quality. It would also communicate with many systems. It had never had a decent dev setup. Endpoints all over, database, config, hard-coded, etc.

This was also high stakes. This was used to configure systems for communications governments use to coordinate military operations.

At that time, I don't know about now, Docker would let anything connect to anything. It wasn't safe to run locally without the network pulled.

I ended up building a system around Docker and Docker Compose to do things such as run the processes but listen to network events and fully manage iptables, applying output rules.

It's dangerous in some circumstances to say fully isolated or contained because it's not true.

Technically you can say: have no network, then sure, I'm technically wrong, but the standard modes are more messed up. In is isolated (you have to map or enable in), but out isn't. Then, if you want out isolated but a few things allowed out, it wouldn't allow you.

When you want a two-way network, one direction is allow/deny, the other is just allow it, bruv.

I don't know how it is now, but this is an important consideration for legacy software. You want it truly isolated, but to be able to log when it tries to connect out, then be able to make holes if need be. If you get it set up like that safely, it's a life saver for software you can't trust.
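The log-then-punch-holes workflow the comment describes, as an added example that is not part of this thread or of Docker's own tooling. It assumes the containers sit on the default `docker0` bridge and that an iptables LOG rule in the DOCKER-USER chain writes lines prefixed `DOCKER-EGRESS: ` to the kernel log; the log lines below are constructed for the example. The script parses those lines into per-container outbound flows, counts them so a reviewer can see what the untrusted app tried to reach, and emits the iptables commands for the default log-and-drop baseline plus ACCEPT "holes" for flows a human has approved. It only generates the commands; applying them needs root on the host.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines, in the shape an iptables LOG rule with
# --log-prefix "DOCKER-EGRESS: " produces. Made up for this example, not real traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 devbox kernel: DOCKER-EGRESS: IN=docker0 OUT=eth0 SRC=172.17.0.2 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=41234 DPT=5432 SYN URGP=0
Jan 10 12:00:01 devbox kernel: DOCKER-EGRESS: IN=docker0 OUT=eth0 SRC=172.17.0.2 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=41235 DPT=5432 SYN URGP=0
Jan 10 12:00:03 devbox kernel: DOCKER-EGRESS: IN=docker0 OUT=eth0 SRC=172.17.0.2 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=41300 DPT=443 SYN URGP=0
Jan 10 12:00:04 devbox kernel: DOCKER-EGRESS: IN=docker0 OUT=eth0 SRC=172.17.0.3 DST=192.0.2.77 LEN=48 PROTO=UDP SPT=5353 DPT=53
Jan 10 12:00:05 devbox kernel: unrelated message
"""

# Fields needed from a LOG line: container source IP, destination, protocol, destination port.
LOG_RE = re.compile(
    r"DOCKER-EGRESS: .*?\bSRC=(?P<src>\S+)\s.*?\bDST=(?P<dst>\S+)\s"
    r".*?\bPROTO=(?P<proto>\S+)\s.*?\bDPT=(?P<dpt>\d+)"
)

BRIDGE = "docker0"  # assumption: containers are on the default bridge network


def parse_egress(log_text):
    """Return one (src, dst, proto, dport) tuple per logged outbound connection attempt."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return flows


def summarize(flows):
    """Count attempts per distinct flow so a reviewer can see what the app tried to reach."""
    return Counter(flows)


def baseline_rules(bridge=BRIDGE):
    """Commands that log and then drop every NEW outbound connection leaving the bridge.

    DOCKER-USER ends in a RETURN rule, so rules must be inserted at the top with -I
    rather than appended. Emitting DROP first and LOG second leaves them in the
    order LOG -> DROP once both inserts have run.
    """
    match = f"-i {bridge} ! -o {bridge} -m conntrack --ctstate NEW"
    return [
        f"iptables -I DOCKER-USER {match} -j DROP",
        f'iptables -I DOCKER-USER {match} -j LOG --log-prefix "DOCKER-EGRESS: "',
    ]


def hole_rules(approved):
    """ACCEPT rules for flows a human has reviewed. Inserted with -I after the
    baseline, they land above LOG/DROP, so approved traffic is neither logged nor dropped."""
    return [
        f"iptables -I DOCKER-USER -s {src} -d {dst} -p {proto.lower()} --dport {dport} -j ACCEPT"
        for (src, dst, proto, dport) in approved
    ]


if __name__ == "__main__":
    seen = summarize(parse_egress(SAMPLE_LOG))
    for (src, dst, proto, dport), n in seen.most_common():
        print(f"{src} -> {dst} {proto}/{dport}: {n} attempt(s)")
    # Hypothetical decision: the database flow is legitimate, everything else stays blocked.
    approved = [f for f in seen if f[3] == 5432]
    for cmd in baseline_rules() + hole_rules(approved):
        print(cmd)
```

Everything that is not explicitly approved stays logged and dropped, which is the "truly isolated, but log and punch holes" behaviour the comment asks for. The summary is what you review before approving: the DNS lookup from `172.17.0.3` and the connection to `203.0.113.9:443` show up as dropped attempts rather than silently succeeding, as they would under Docker's default egress policy.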


Yeah, full isolation might be a stretch, especially with outbound connections. Thanks for the input.
