Docker containers usually still reachable even if bound to 127.0.0.1

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

  • As discussed extensively in https://github.com/moby/moby/issues/22054, which is linked from the OP: this doesn't actually help, because Docker (by default) bypasses your existing firewall rules.

  • apt2ostree

    Build ostree images based on Debian/Ubuntu

  • With apt2ostree[1] we use lockfiles to allow us to version control the exact versions that were used to build a container. This makes updating the versions explicit and controlled, and building the containers functionally reproducible - albeit not byte-for-byte reproducible.

    [1]: https://github.com/stb-tester/apt2ostree#lockfiles

  • ufw-docker

    To fix the Docker and UFW security flaw without disabling iptables

  • Docker's behavior is unintuitive but makes sense given how container networking works. If you use UFW, read https://github.com/chaifeng/ufw-docker and follow the guide.

    Then configuring firewall rules to containers is as easy as

        - name: Open HTTPS

  • rkt

  • rkt (and many other container solutions) was introduced after docker was released and became popular... they even mentioned docker's shortcomings as a motivation for the project creation [0]. It had all the same problems as other replacement software: there were plenty of bugs and missing features, documentation was limited, and there was no community to help you (the announcement explicitly mentions "prototype quality release"). None of those would be fatal if it was significantly better than docker, but it was not -- it was basically the same functionality. So almost no one made the switch. It is closed now [1]

    And why "rkt"? There were much better alternative container runtimes. For example Sylabs Singularity [2] -- container-as-a-file, instant mounting, etc... I wish more people knew about it.

    [0] https://web.archive.org/web/20141201181834/https://coreos.co...

    [1] https://github.com/rkt/rkt#warning-end-of-project-warning

    [2] https://github.com/sylabs/singularity#singularityce

  • singularity

    SingularityCE is the Community Edition of Singularity, an open source container platform designed to be simple, fast, and secure. (by sylabs)

NOTE: The number of mentions on this list indicates mentions on common posts plus user-suggested alternatives. Hence, a higher number means a more popular project.
