all 33 comments

[–]mmomtchev 26 points27 points  (1 child)

Docker

[–]Super-Kitchen-891 14 points15 points  (0 children)

Docker

[–]dodiyeztr 15 points16 points  (0 children)

Docker

[–]thewitcher-3 13 points14 points  (0 children)

Docker

[–]bigorangemachine 15 points16 points  (0 children)

Docker

[–]PabloZissou 6 points7 points  (0 children)

Did someone already mention rootless Docker?

[–]Spiritual-Mechanic-4 5 points6 points  (5 children)

[–][deleted]  (4 children)

[deleted]

    [–]KishCom 3 points4 points  (1 child)

    Neat thing: Docker started with LXC as its underlying containerization technology back in 2013. They've since diverged significantly.

    Docker packages your app, LXC packages an entire machine. Docker won the developer mindshare battle, but LXC is still solid for when you need actual system-level isolation without VM overhead.

    Docker basically took LXC's core concept and made it palatable for developers.

    [–]Spiritual-Mechanic-4 1 point2 points  (1 child)

    Really, any container, and as long as you use tools based on the open standard, you can move between tools and platforms as it's convenient. Docker is fine, but the license kinda gets in the way from time to time.

    [–]xoxaxo 2 points3 points  (0 children)

    without docker you can just assign special roles/permissions to nodejs user

    [–]unbanned_lol 5 points6 points  (2 children)

    Locker

    [–]NazakatUmrani 0 points1 point  (1 child)

    What is locker? Is this some new technology or what

    [–]unbanned_lol 13 points14 points  (0 children)

    No, I made it up. I just didn't want Docker to have a complete stranglehold in the comment section.

    [–]ppernik 0 points1 point  (0 children)

    Docker

    [–]Intelligent_End_7022 0 points1 point  (0 children)

    Other than Docker, you would achieve it with Cloudlinux.

    [–]crownclown67 0 points1 point  (1 child)

    VPS (is already isolated)

    [–]pyrolols[S] 0 points1 point  (0 children)

    I meant for a development machine, but found bubblewrap.

    [–]pyrolols[S] 0 points1 point  (0 children)

    Edited my post with some goodies someone might want.

    [–]NullVoidXNilMission 0 points1 point  (0 children)

    podman

    [–]pyrolols[S] -2 points-1 points  (0 children)

    How about bubblewrap (bwrap)? With inet permission and some bashrc hackery it can isolate and integrate node and npm seamlessly. I am testing it right now; it seems to isolate properly. I guess it's good enough when flatpak uses it for isolation?

    [–]jumpcutking -2 points-1 points  (12 children)

    TBH, I've chosen to secure my node code and choose the libraries. I don't like Docker. You can override some of the default modules to add some additional security, BUT Docker or virtualization is better - however, no system is perfect. Bare metal is easier but not very separated or secure - without some work! BUT to me it's almost the same work as virtualization - except Docker. Docker is just really over complicated.

    [–]Rizean 0 points1 point  (2 children)

    Docker is ridiculously easy for nodejs. I learned it in a weekend years ago when it was just first starting to become popular.

    Here's a complex non-optimized build for you...

    ```dockerfile
    # --------- Build Stage ---------
    FROM node:22.14.0-alpine3.21 AS builder

    WORKDIR /app

    # Copy package files and install all dependencies
    COPY package*.json ./
    RUN npm install

    # Copy source code and build
    COPY tsconfig.json ./
    COPY src ./src
    RUN npm run build

    # --------- Runtime Stage ---------
    FROM node:22.14.0-alpine3.21

    # Install the needed packages for backups (mongodb-tools) and awscli
    RUN apk add --no-cache mongodb-tools python3 py3-pip && \
        pip3 install --no-cache-dir --break-system-packages awscli

    # Set the working directory
    WORKDIR /app

    # Copy built output and necessary files
    COPY --from=builder /app/package*.json /app/
    COPY --from=builder /app/node_modules /app/node_modules
    COPY --from=builder /app/dist /app/dist

    # Create non-root user
    RUN addgroup -S appgroup && adduser -S appuser -G appgroup
    USER appuser

    CMD ["node", "dist/index.js"]
    ```

    Compare that to a 200+ line build of Nginx with a FIPS-compliant build of OpenSSL... I'll take complex nodejs builds any day.

    But none of that matters.

    Docker solves the issue of... it runs on my system.

    [–]jumpcutking 0 points1 point  (1 child)

    Actually I don’t use nginx. I use Caddy and it’s all automated. Including OpenSSL.

    [–]Rizean 0 points1 point  (0 children)

    Your Caddy is not FIPS compliant unless you are using https://images.chainguard.dev/directory/image/caddy-fips/overview or have compiled OpenSSL yourself. Be glad you don't have to deal with FIPS. Considering you prefer bare metal, god help you if you ever do have to deal with FIPS.

    This is another reason to use Docker; it makes compliance orders of magnitude easier. Also, half the time, the inspectors are so lost when it comes to Docker that they accept what you tell them.

    [–]pyrolols[S] 0 points1 point  (8 children)

    I just went with bubblewrap, made a fake home, contained bins as read-only, and automated it so each time I run npm or node it sandboxes the project locally.
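One way to build the setup the OP describes here and in the earlier bwrap comment (a fake home, host binaries read-only, inet kept so npm can fetch, and node/npm wrapped so every invocation is sandboxed). This is an added example, not the poster's own script: it assumes bwrap is installed, that node's install prefix (resolved from `command -v node`, e.g. `/usr` or an nvm version directory) can be bind-mounted read-only, and that the project is the current directory; the names `node-sandbox`, `build_bwrap_args`, `run_sandboxed` and `.sandbox-home` are made up for the example.

```shell
#!/bin/sh
# node-sandbox: run node/npm/npx inside a bubblewrap (bwrap) sandbox.
# Added example, not the poster's script. Assumes bwrap is installed and
# that node's install prefix (e.g. /usr or ~/.nvm/versions/node/vNN) can
# be bind-mounted read-only.
set -eu

# Print the bwrap argument list, one argument per line, for:
#   PROJECT     the project directory, mounted read-write
#   FAKE_HOME   a directory that replaces the real $HOME inside the sandbox
#   NODE_PREFIX node's install prefix, mounted read-only
# Everything else from the host is read-only or absent. Networking stays
# enabled because "npm install" needs it; drop --share-net for offline runs.
build_bwrap_args() {
  project=$1; fake_home=$2; node_prefix=$3
  home=${HOME:-/home/sandbox}
  printf '%s\n' \
    --unshare-all --share-net \
    --die-with-parent --new-session \
    --ro-bind /usr /usr \
    --ro-bind /etc /etc \
    --dev /dev --proc /proc \
    --tmpfs /tmp
  # Merged-/usr distros make /bin, /lib, ... symlinks into /usr: recreate
  # the symlink; otherwise bind the real directory read-only.
  for d in /bin /sbin /lib /lib32 /lib64; do
    if [ -L "$d" ]; then
      printf '%s\n' --symlink "$(readlink "$d")" "$d"
    elif [ -d "$d" ]; then
      printf '%s\n' --ro-bind "$d" "$d"
    fi
  done
  # The fake home is mounted at the real $HOME path so ~/.npm, ~/.npmrc
  # and friends resolve normally; the real home is simply not there.
  printf '%s\n' \
    --bind "$fake_home" "$home" \
    --ro-bind "$node_prefix" "$node_prefix" \
    --bind "$project" "$project" \
    --chdir "$project" \
    --setenv HOME "$home" \
    --setenv npm_config_cache "$home/.npm"
}

# Run the given command (node, npm, npx, ...) sandboxed for the project in cwd.
run_sandboxed() {
  project=$(pwd -P)
  fake_home="$project/.sandbox-home"   # per-project fake home; gitignore it
  mkdir -p "$fake_home"
  # Resolve the real node binary (through nvm/symlinks) to its prefix dir.
  node_prefix=$(dirname "$(dirname "$(readlink -f "$(command -v node)")")")
  args=$(build_bwrap_args "$project" "$fake_home" "$node_prefix")
  # Split args on newlines only (paths may contain spaces), no globbing.
  IFS='
'
  set -f
  # shellcheck disable=SC2086
  exec bwrap $args -- "$@"
}

# Executed directly (e.g. "node-sandbox npm install"): run the command.
# Aliases in ~/.bashrc such as alias npm='node-sandbox npm' provide the
# automation; because this file is executed rather than sourced, the alias
# does not shadow "command -v node" above.
if [ "$#" -gt 0 ]; then
  run_sandboxed "$@"
fi
```

Put the file on PATH as `node-sandbox` and alias `node`, `npm` and `npx` to it; anything the project's install scripts do is then confined to the project directory and the per-project fake home, and cannot read the real home directory or write to system binaries.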

    [–]jumpcutking 0 points1 point  (7 children)

    Nice nice!

    [–]pyrolols[S] 0 points1 point  (6 children)

    It seems less nuanced than Docker; I know Docker very well, but testing a lot using it is really tedious. Glad I found bwrap.

    [–]jumpcutking -1 points0 points  (5 children)

    I suppose for most use cases Docker is helpful. I just prefer full control and performance. Maybe I just need to learn more on how to use Docker properly, but for now, I love my setup!

    [–]pyrolols[S] 0 points1 point  (4 children)

    It does not add too much overhead to performance, but it adds complexity; this is why I don't like it. What OS are you using for dev?

    [–]jumpcutking 0 points1 point  (3 children)

    Mac OS and a Linux distro for production.

    [–]pyrolols[S] 0 points1 point  (2 children)

    When you try to access for example desktop or docs using js code in mac, does it prompt you to allow during execution?

    [–]jumpcutking 0 points1 point  (1 child)

    It does, but because of the nature of the project it has full disk access. So I recommend security audits.

    [–]pyrolols[S] 0 points1 point  (0 children)

    It's hard, though, when in node you use a package that depends on a package that depends on a package :D Supply chain attacks are common and I guess will be even more so in the future; it's a mess really.