Comment on Am I the only one interested in Fedora container?
just_another_person@lemmy.world 1 week ago
Secure how? Containers aren’t secure because of their base contents since the majority of everything in the image isn’t even executed. It’s not like running an OS.
A secure container by definition will be the one with the LEAST amount of contents in its base. This is the point of Distroless.
A container is going to get compromised because of its running code 9/10 times, not because the base was compromised. This of course is not including supply chain attacks.
Any podcast telling you that adding more stuff into the container image will make it secure has an inferior bridge. Come check out my much better bridge over here…
possiblylinux127@lemmy.zip 1 week ago
In the case of Nextcloud it is written in PHP so it is very important to get PHP security fixes. I get the argument for static binaries like Forgejo. I’m mostly looking at more complex things.
just_another_person@lemmy.world 1 week ago
Containers get upgrades when they run. They get updates as static projects, then are built into containers. Fedora being said container will help none of this process at all though.
I have no idea why you’re even mentioning Forgejo, I’m lost now.
sugar_in_your_tea@sh.itjust.works 1 week ago
PHP isn’t complex, you just need a webserver (nginx, Apache, etc) and PHP. That’s one process (webserver) that runs a few child processes (PHP scripts). When using PHP fpm, use two containers.
Each container should run one process. Each container can run whatever base you want. If you want a newer PHP on an older image, go for it! More complexity should mean more containers, not more complex containers.
possiblylinux127@lemmy.zip 1 week ago
Yeah tell that to Nextcloud
sugar_in_your_tea@sh.itjust.works 1 week ago
Yeah, NextCloud doesn’t follow ideal containerization style, but they do have an FPM package, so I can configure PHP FPM separately from the web server, which is separate from my Collabora container. I don’t use the AIO image so I can control each piece separately.
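Added example, not posted by anyone in this thread and not Nextcloud's own shipped configuration: a Compose file that lays out the "one process per container" split described in the two comments above (web server in one container, PHP-FPM in another, Collabora in a third), using the official `nextcloud:fpm-alpine`, `nginx:alpine`, `mariadb` and `collabora/code` images. The service names (`web`, `app`, `cron`, `db`, `office`), the `${...}` values read from a `.env` file, the `internal` back-end network, the `domain` and `extra_params` Collabora settings, and the trimmed nginx `server` block are my assumptions for illustration; the inline `configs: ... content:` form needs a recent Compose (2.23 or later), otherwise mount an `nginx.conf` file instead. Only `web` and `office` publish ports; PHP-FPM (port 9000) and the database are reachable only on the internal network.

```yaml
# docker-compose.yml (added example, not the project's own)
# Each container runs one process: nginx, php-fpm, cron (php), mariadb, coolwsd.
# The code volume is shared: read-write for php-fpm/cron, read-only for nginx.

services:
  web:                                   # process 1: nginx, serves static files, proxies *.php to app
    image: nginx:alpine
    ports:
      - "8080:80"
    volumes:
      - nextcloud:/var/www/html:ro       # nginx only needs to read the tree
    configs:
      - source: nginx_conf
        target: /etc/nginx/conf.d/default.conf
    networks: [frontend, backend]
    security_opt: ["no-new-privileges:true"]
    depends_on: [app]

  app:                                   # process 2: php-fpm, listens on 9000, never published
    image: nextcloud:fpm-alpine
    volumes:
      - nextcloud:/var/www/html
    environment:
      MYSQL_HOST: db
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD: ${DB_PASSWORD}            # assumed to come from .env
      NEXTCLOUD_TRUSTED_DOMAINS: ${NC_DOMAIN}   # assumed to come from .env
    networks: [backend]
    security_opt: ["no-new-privileges:true"]
    depends_on: [db]

  cron:                                  # process 3: Nextcloud background jobs, same image, own container
    image: nextcloud:fpm-alpine
    entrypoint: /cron.sh
    volumes:
      - nextcloud:/var/www/html
    networks: [backend]
    depends_on: [app]

  db:                                    # process 4: mariadb, internal network only
    image: mariadb:11
    environment:
      MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
      MARIADB_DATABASE: nextcloud
      MARIADB_USER: nextcloud
      MARIADB_PASSWORD: ${DB_PASSWORD}
    volumes:
      - db:/var/lib/mysql
    networks: [backend]

  office:                                # process 5: Collabora (coolwsd), separate from the PHP stack
    image: collabora/code
    ports:
      - "9980:9980"
    environment:
      domain: ${NC_DOMAIN_REGEX}         # assumed: escaped hostname regex, e.g. cloud\\.example\\.com
      extra_params: --o:ssl.enable=false # assumed: TLS terminated by a reverse proxy in front
    networks: [frontend]

configs:
  nginx_conf:
    content: |
      # Trimmed server block (assumption); the upstream Nextcloud nginx config adds
      # the well-known redirects, security headers and deny rules you still want.
      server {
          listen 80;
          root /var/www/html;
          index index.php;
          client_max_body_size 512M;
          location ~ \.php(?:$|/) {
              fastcgi_split_path_info ^(.+?\.php)(/.*)$;
              include fastcgi_params;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              fastcgi_param PATH_INFO $fastcgi_path_info;
              fastcgi_pass app:9000;     # php-fpm container, not exposed to the host
          }
          location / {
              try_files $uri $uri/ /index.php$request_uri;
          }
      }

networks:
  frontend: {}
  backend:
    internal: true                       # no route out: php-fpm and mariadb are not reachable from the host

volumes:
  nextcloud: {}
  db: {}
```

With this layout a PHP security fix is a pull of `nextcloud:fpm-alpine` and a recreate of `app` and `cron` only; nginx, MariaDB and Collabora are untouched, and a compromise of the PHP worker leaves the attacker with no published port and a database reachable only over the internal network.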