
That seems like lazy contrarianism.

If you put Docker inside a VM, and your hypervisor is running in a zone, and you have different zones based on "role", then of course you get the benefits of the zone and the hypervisor.

The parent said "docker solves deployment, not isolation". If you get your isolation another way, then there's no issue with using Docker.




Probably slightly more complicated than that. Each and every isolation layer can be broken. Why are we using just one?

Run well-written software. As a user. In a cgroup. With SELinux. On a VM. On different tin. With security monitoring. Patch.


> Run well-written software. As a user. In a cgroup. With SELinux. On a VM. On different tin. With security monitoring. Patch.

The analogy you're trying for is surely not that this is as likely to solve the deployment problem for most people as "Eat food. Not too much. Mostly plants" is to solve the obesity epidemic for most people? Not at all?


No, not most people. Industry professionals deploying applications using frameworks that help with the problem.

I probably wouldn't want a fat PT, in the same way that I don't want my sysadmin running apps as root.


Fair enough. :)

Docker does have fairly good support for SELinux built in, though (which counts as "using Docker" in my book).

And I do like that Docker makes SELinux fairly straightforward for the simplest use cases (adding :z or :Z to volume directives).
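An added example, not part of the thread above, of what the :z / :Z suffixes actually do under SELinux and how to check it. Docker relabels a bind-mounted host directory as container_file_t; with :Z it also stamps the directory with the MCS category pair that is unique to that container, while :z leaves it at the shared s0 level so any container can use it. The script below implements the MCS read rule (the process must carry every category the file has) so you can compare a container's process label with the directory's file label, and runs a live check only when docker and SELinux are present. The alpine image, the temporary path, and the assumption that categories appear as a plain comma list (ranges like c0.c1023 are not parsed) are illustrative choices of this example, not from the original comment.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what Docker's ":Z" and ":z"
# volume suffixes do under SELinux and verify the resulting labels agree.
# Assumptions (not stated in the thread): the label layout is
# user:role:type:level, categories are a plain comma list (no ranges),
# and the live demo uses the alpine image and a mktemp directory.

# Print the SELinux type (third field) of a full context string.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the MCS categories of a context as a space-separated list.
# "...:s0:c123,c456" -> "c123 c456"; "...:s0" (no categories) -> "".
cats_of() {
    printf '%s\n' "$1" | cut -d: -f4- | cut -s -d: -f2- | tr ',' ' '
}

# MCS read rule for container volumes: the file must be container_file_t
# and the process must carry every category the file carries.
#   ":Z" labels the dir with the container's own pair -> only that container
#   ":z" labels it with plain s0                        -> any container
#   no suffix leaves e.g. user_home_t                   -> denied
# Returns 0 when the process label may read the file label, 1 otherwise.
can_read() {
    proc_ctx=$1
    file_ctx=$2
    [ "$(type_of "$file_ctx")" = "container_file_t" ] || return 1
    proc_cats=" $(cats_of "$proc_ctx") "
    for c in $(cats_of "$file_ctx"); do
        case "$proc_cats" in
            *" $c "*) ;;          # category present on the process
            *) return 1 ;;       # file has a category the process lacks
        esac
    done
    return 0
}

# Live check: run a container with a ":Z" mount, read its own process label
# from inside, then read the host directory's new label and compare.
# Skips cleanly on hosts without docker or SELinux.
demo() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found; skipping live demo"; return 0; }
    command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tools; skipping live demo"; return 0; }
    [ "$(getenforce)" != "Disabled" ] || { echo "SELinux disabled; skipping live demo"; return 0; }

    dir=$(mktemp -d)            # illustrative host path for the bind mount
    proc_ctx=$(docker run --rm -v "$dir:/data:Z" alpine \
        sh -c 'echo hello > /data/f && cat /proc/self/attr/current' | tr -d '\0')
    file_ctx=$(ls -dZ "$dir" | awk '{print $1}')
    echo "container process label: $proc_ctx"
    echo "host directory label:    $file_ctx"
    if can_read "$proc_ctx" "$file_ctx"; then
        echo "OK: the :Z relabel matches this container's MCS categories"
    else
        echo "MISMATCH: the container could not read its own volume"
    fi
    rm -rf "$dir"
}

demo
```

Run it on an SELinux host to see the directory change from its original type (for instance user_home_t) to container_file_t:s0:cXXX,cYYY after the :Z mount; a second container launched with its own category pair will then fail the can_read check against that directory, which is exactly the isolation :Z buys and :z gives up.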



