I’m a retired Unix admin. It was my job from the early '90s until the mid '10s. I’ve kept somewhat current ever since by running various machines at home. So far I’ve managed to avoid using Docker at home even though I have a decent understanding of how it works - I stopped being a sysadmin in the mid '10s, I still worked for a technology company and did plenty of “interesting” reading and training.
It seems that more and more stuff that I want to run at home is being delivered as Docker-first and I have to really go out of my way to find a non-Docker install.
I’m thinking it’s no longer a fad and I should invest some time getting comfortable with it?
Nixos, nixos, nixos 🤌
Does Docker still give a security benefit over NixOS, because of the sandboxing?
Not familiar with nixOS but there’s probably still isolation benefits to Docker. If you care a lot about security, make sure Docker is running in rootless mode.
See this comment https://sh.itjust.works/comment/6651651
Both! Sandboxing from containers and configuration control from nix go well together!
You can use the sandboxing of nixos
You get better performance, nixos level reproducibility, and it’s not docker which is not foss and running with root
The Nix daemon itself still uses root at build/install time for now. NixOS doesn’t have any built-in sandboxing for running applications à la Docker, though it does have AppArmor support. But then, NixOS doesn’t generally have applications run as root (containerized or otherwise), unlike Docker.
You don’t need to build/install with root, you can do home-manager
And for isolation there’s one good module, I forgot its name
And if just easier but less reproducible, you can do the containers, but with nixos’ podman, and this is of course builtin
I’m not sure honestly if we are agreeing or disagree lol
Nix for building OCI containers is great and Nixos seems like a great base system too. It seems like a natural step to take that and use it to define our a k8s system in the future as well.
I’m currently doing that with OpenTofu (Terraforms opensource successor) and Ansible but I feel like replacing those with nix may provide a real completeness to the codification of the OS.
Barring k8s though, at least until it’s gets so simply you might as well use it, podman is so far the go to way to run containers instead of Docker (for both of the reasons you mentioned!). That and flatpaks for GUI apps because of the portals system!