undefined | Better HN

0 pointsWesolyKubeczek2y ago0 comments

> Why not have 1 daemon, rather than 1 daemon per container?

Having a daemon per container has this little advantage that if something manages to bring down one of the daemons, it won't bring down the whole shebang.

0 comments

amelius2y ago

Also side-channel attacks.

E.g. if one user downloads a container, and then for another user it is already in the cache, this gives the other user information about the first user.

Fire-Dragon-DoL2y ago

Isn't this pointless, since if the other user has access to docker, they basically have root access to the machine?

amelius2y ago

I don't think users need to have root access to use Docker.

2 more replies

j / k navigate · click thread line to collapse

0 pointsWesolyKubeczek2y ago0 comments

> Why not have 1 daemon, rather than 1 daemon per container?

Having a daemon per container has this little advantage that if something manages to bring down one of the daemons, it won't bring down the whole shebang.

0 comments

amelius2y ago

Also side-channel attacks.

E.g. if one user downloads a container, and then for another user it is already in the cache, this gives the other user information about the first user.

Fire-Dragon-DoL2y ago

Isn't this pointless, since if the other user has access to docker, they basically have root access to the machine?

amelius2y ago

I don't think users need to have root access to use Docker.

2 more replies

j / k navigate · click thread line to collapse