Does Docker still give a security benefit over NixOS, because of the sandboxing?
Comment on Should I move to Docker?
Gooey0210@sh.itjust.works 9 months ago
Nixos, nixos, nixos 🤌
milicent_bystandr@lemm.ee 9 months ago
dan@upvote.au 9 months ago
There are still benefits to Docker. If you care a lot about security, make sure Docker is running in rootless mode.
Gooey0210@sh.itjust.works 9 months ago
See this comment sh.itjust.works/comment/6651651
fruitycoder@sh.itjust.works 9 months ago
Both! Sandboxing from containers and configuration control from nix go well together!
Gooey0210@sh.itjust.works 9 months ago
You can use the sandboxing of NixOS.
You get better performance, NixOS-level reproducibility, and it’s not Docker, which is not FOSS and runs as root.
fruitycoder@sh.itjust.works 9 months ago
I’m honestly not sure if we are agreeing or disagreeing lol
Nix for building OCI containers is great and NixOS seems like a great base system too. It seems like a natural step to take that and use it to define a k8s system in the future as well.
I’m currently doing that with OpenTofu (Terraform’s open-source successor) and Ansible, but I feel like replacing those with Nix may provide a real completeness to the codification of the OS.
purelynonfunctional@programming.dev 9 months ago
The Nix daemon itself still uses root at build/install time for now. NixOS doesn’t have any built-in sandboxing for running applications à la Docker, though it does have AppArmor support.
Gooey0210@sh.itjust.works 9 months ago
You don’t need to build/install as root; you can use home-manager.
And for isolation there’s one good module; I forgot its name.
And if you want it just easier but less reproducible, you can do the containers, but with NixOS’ podman, and this is of course built in.
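As an added example (not code from the thread or from the NixOS project), here is what the "rootless Docker" advice and the "NixOS’ podman" alternative look like in a NixOS `configuration.nix`. The option names are upstream NixOS options as I know them (check them against your release with `nixos-option` or the options search); the user name `alice` is a placeholder.

```nix
# Added example: rootless container engines in NixOS. Not code from the thread.
{ config, pkgs, ... }:

{
  # Rootless Docker: the daemon runs inside the user's own session, so a
  # container escape lands in an unprivileged account rather than in root.
  virtualisation.docker = {
    enable = false;               # no system-wide daemon running as root
    rootless = {
      enable = true;
      setSocketVariable = true;   # DOCKER_HOST points the CLI at the user socket
    };
  };

  # Alternative mentioned in the thread: Podman is daemonless and runs
  # rootless out of the box for normal users. Enable instead of (not next to)
  # rootless Docker if you want the `docker` CLI alias via dockerCompat.
  # virtualisation.podman = { enable = true; dockerCompat = true; };

  # The user who runs containers. Rootless engines need subordinate UID/GID
  # ranges so container users map onto unprivileged host IDs.
  users.users.alice = {           # placeholder user name
    isNormalUser = true;
    autoSubUidGidRange = true;
    # Deliberately NOT in the "docker" group: with a rootful daemon, membership
    # in that group is equivalent to root on the host.
  };
}
```

After `nixos-rebuild switch`, `docker info` run as `alice` should report rootless mode; if it still shows a root-owned socket, the user session is not picking up `DOCKER_HOST` yet.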