My containers run in dedicated "docker host" VMs. And I never expose ports on 0.0.0.0, just the private internal IP. Most (all) of my docker hosts do not have a public IP anyway. I use wireguard to access them myself. If they need to be public I reverse proxy with caddy from my web server (or use Authentik's embedded proxy). These servers have access to the same private LAN which could be hardened without having the issues you brought up.
By the way most docker based implementations do not actually need the userland proxy docker runs automatically. Disable it in /etc/docker/daemon.js
{
"userland-proxy": false
}
This is the way, ended up using identical setup.
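An added check, not posted by anyone in the thread, for the two practices described above: publishing container ports only on a private LAN address rather than 0.0.0.0, and setting userland-proxy to false in daemon.json. It parses the docker -p / compose ports: short syntax plus a daemon.json string, and the sample inputs are constructed.

```python
import ipaddress
import json


def parse_port_spec(spec):
    """Parse '-p' / compose 'ports:' short syntax into
    (host_ip, host_port, container_port, proto).
    host_ip is None when omitted, which makes Docker bind 0.0.0.0 and ::."""
    spec, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if spec.startswith("["):                 # bracketed IPv6 host address
        end = spec.index("]")
        host_ip, rest = spec[1:end], spec[end + 2:]
    else:
        parts = spec.rsplit(":", 2)
        if len(parts) == 3:                  # ip:host_port:container_port
            host_ip, rest = parts[0], ":".join(parts[1:])
        else:
            host_ip, rest = None, spec
    ports = rest.split(":")
    host_port = ports[0] if len(ports) == 2 else None
    return host_ip, host_port, ports[-1], proto


def audit_port_spec(spec):
    """Return a finding if the mapping listens on every interface, else None."""
    host_ip = parse_port_spec(spec)[0]
    if host_ip is None or ipaddress.ip_address(host_ip).is_unspecified:
        return f"{spec}: published on all interfaces, not a private LAN address"
    return None


def audit_daemon_json(text):
    """Return a finding if daemon.json leaves the userland proxy on (the default)."""
    cfg = json.loads(text) if text.strip() else {}
    if cfg.get("userland-proxy", True):
        return 'userland-proxy is enabled (default); set "userland-proxy": false'
    return None


def audit(port_specs, daemon_json_text):
    findings = [f for f in map(audit_port_spec, port_specs) if f]
    daemon_finding = audit_daemon_json(daemon_json_text)
    return findings + [daemon_finding] if daemon_finding else findings


# Constructed sample input, not taken from any real host.
SAMPLE_PORTS = ["8080:80", "10.0.0.5:8443:443", "[fd00::5]:53:53/udp", "9000"]
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file"}'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PORTS, SAMPLE_DAEMON_JSON)))
```

Run against the port specs from your compose files and the contents of daemon.json; a bare container port such as "9000" is flagged because Docker still publishes it on every interface with a random host port.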
What would the config look like if I have my docker containers split up over multiple VMs?
Could you elaborate on your setup? Is the docker host also your web server on which you run caddy?
https://www.macchaffee.com/blog/2024/you-have-built-a-kubern...
Like, if that works for you, more power to you. But that is a lot of moving parts in exchange for using a tool whose value prop is that it doesn't have many.