[HN Gopher] Awesome Docker Compose Examples
___________________________________________________________________
Awesome Docker Compose Examples
Author : thunderbong
Score : 76 points
Date : 2023-02-25 20:34 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| sneak wrote:
| Security note: specifying no version, or a version tag (and not
| an @-hash) in the docker image name allows DockerHub or the image
| publisher to replace the code underneath you on container
| restarts (ie RCE), as they are not cryptographically assured.
| nandur wrote:
| You would have to down (remove) the container to change the
| image; if the image is present with the tag it won't get force-
| pulled (single-node scenario), unless you have that image
| locally, heck this is not that straightforward. I like the idea
| of using digests though, using both _head explodes_ ,
| explicitly, _another head explosion_ may prevent some
| headaches.
| lstamour wrote:
| Not docker compose, but I would like to introduce you to
| RedHat image streams, my least favourite feature of
| OpenShift:
| https://developers.redhat.com/blog/2019/09/20/using-red-
| hat-...
|
| I consider not pinning to at least a version to be a hot
| potato that will eventually bite you. Not least of which when
| you're using an older version of an image instead of the
| newer one due to the caching/local repo you mention.
|
| Sadly there is no right answer - pinning to an image not
| under your control always means the image can disappear,
| which is part of the-- never mind. Let's just say there is a
| trade-off between availability and security, where for the
| most secure experience you have to do extra legwork that
| frankly isn't immediately required if we trust the upstream
| image.
| vorpalhex wrote:
| ...and you'd have to do that for every single security update
| for every single service that you run. If you need that level
| of security that might be appropriate, but most users need
| security patches more than they need to be concerned with a
| novel attack that requires DockerHub to intend to RCE them.
| fbdab103 wrote:
| While the track record of security in the industry is pretty
| laughable, I do like to delude myself that things are
| improving.
|
| How many RCEs are discovered per year in baseline
| Debian/Ubuntu? Seems far more likely that security holes are
| in the library/application code layered on-top of an image.
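The point of the subthread above (sneak's note on tag vs. digest references, and nandur's observation that a locally cached tag is not re-pulled) is easy to check mechanically. What follows is an added example, not code from the linked repo or from any commenter: a small audit script that walks a Compose file and classifies every `image:` reference as digest-pinned, tag-only, or untagged (implicitly `latest`). It uses a line-oriented regex rather than a YAML parser so it runs with the standard library only; the sample Compose text and the all-zero/all-one digests are constructed placeholders.

```python
import re

# Constructed sample compose file (placeholder digests, not real images).
SAMPLE_COMPOSE = """\
services:
  web:
    image: nginx
  db:
    image: postgres:15.2
  cache:
    image: redis:7-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
  proxy:
    image: ghcr.io/example/proxy@sha256:1111111111111111111111111111111111111111111111111111111111111111
  app:
    image: registry.local:5000/app:1.0
"""

# Matches an `image:` key and captures the reference (quotes and comments dropped).
IMAGE_LINE = re.compile(r'^\s*image:\s*["\']?([^"\'\s#]+)')
# A content digest is the only form that is cryptographically bound to the bytes.
DIGEST = re.compile(r'@sha256:[0-9a-f]{64}$')


def classify(ref: str) -> str:
    """Return 'digest', 'tag', or 'untagged' for a single image reference."""
    if DIGEST.search(ref):
        return "digest"
    # Only the last path component can carry a tag; a registry host may
    # contain a port (registry.local:5000), so don't look at earlier parts.
    name = ref.rsplit("/", 1)[-1]
    return "tag" if ":" in name else "untagged"


def audit(compose_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reference, classification) for every image: line."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            ref = m.group(1)
            findings.append((lineno, ref, classify(ref)))
    return findings


def unpinned(compose_text: str) -> list[str]:
    """References a publisher or registry could silently replace (no digest)."""
    return [ref for _, ref, kind in audit(compose_text) if kind != "digest"]


if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE_COMPOSE):
        flag = "" if kind == "digest" else "  <-- not content-addressed"
        print(f"line {lineno:3}: {kind:8} {ref}{flag}")
```

Run it against a real `docker-compose.yml` by reading the file into `audit()`. A "tag" or "untagged" result means the bytes you run are whatever the registry serves for that name at pull time; a "digest" result means Docker verifies the manifest hash before running it, at the cost of having to update the digest yourself for every upstream patch, which is exactly the trade-off the replies below discuss.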
| EnigmaCurry wrote:
| Nice collection, although I don't really like binding volumes to
| host directories, because then you can't really use docker over
| SSH. I'm working on my own similar project here that exclusively
| uses docker named volumes:
| https://github.com/enigmaCurry/d.rymcg.tech
| nickjj wrote:
| There's a lot of "tool" selections in that repo.
|
| If anyone is looking for ready to go web app examples aimed at
| both development and production with Docker Compose, I maintain:
| - https://github.com/nickjj/docker-flask-example
| - https://github.com/nickjj/docker-rails-example
| - https://github.com/nickjj/docker-django-example
| - https://github.com/nickjj/docker-node-example
| - https://github.com/nickjj/docker-phoenix-example
|
| About once a week or so I update them to their latest versions
| for everything.
|
| The examples use a combination of services for each tech stack
| such as web + worker + postgres + redis + esbuild + tailwind. The
| Rails example is set up for Hotwire and runs Action Cable as a
| dedicated service along with Sidekiq, whereas the Flask and
| Django examples use Celery as a worker. You can easily swap
| things out since the examples are starter projects that you can
| clone + rename (they all come with a rename script); you're meant
| to customize them to build your app on top of.
| decide1000 wrote:
| Thanks! I will use this.
| fbdab103 wrote:
| This looks great. Definitely a few idioms I will have to
| explore further.
|
| I can use Docker in a basic sense, but it is amazing to me how
| much black arts still exists for what has become a cornerstone
| of modern deployment. Lots of conflicting/dated advice about
| best practices. Unsure which advice is still required/applies
| to podman, etc.
___________________________________________________________________
(page generated 2023-02-25 23:00 UTC)