Comment on Dedicated service user or not ?
sugar_in_your_tea@sh.itjust.works 1 day agoCompanies don’t typically host multiple containers on the same host. So having a different user for them is less important than securing the connection between machines, since a given biat isn’t particularly interesting. Attackers will still try to break out, so they have a backup.
As a self-hoster, you typically do the opposite. You run multiple services on the same host, and the internal network isn’t particularly secure. So you should be focusing more on mitigating issues, and having each service run as an unprivileged user is one fairly easy way to do that.
fishinthecalculator@lemmy.ml 22 hours ago
Companies do run multiple containers/pods on the same host. That is what Kubernetes does
sugar_in_your_tea@sh.itjust.works 11 hours ago
Sure, but those will usually be pieces of an app on the same host, not whole apps. Like for an inventory management app, you might have the auth server and its database on one host, the CRUD app and its database on another, and the report server, its database, and a replica of the CRUD db on another. And I use the term “host” broadly enough to include VMs on the same physical hardware. And these hosts will have restricted communication between each other.
At least, that’s how I’ve seen it done.
Self-hosters will generally run multiple full apps on one host. It’s a different setup.