There's a difference between installing and using Docker in a per-client VPS virtualized environment, as opposed to removing VPS virtualization and just setting up a dedicated server with Docker containers for each client.
The biggest problem with Docker is that it is a massively moving target, and is the sort of thing you need a large team to manage well. Fitting a web forum in it would be challenging due to the shared persistent state.
I was thinking about Docker only for shared game server hosting. And thanks to the web panel that I mentioned before, it does all the things. So I just have to install the web panel on one of my dedicated servers and create game servers through that panel for each client, which will be created on Docker containers. That's the easy part though. I was just wondering whether it would be safe this way or not. Safer than or equal to VPS virtualization?
As DevOps matures, enterprises have a need to put critical applications running on Docker containers into production. Security folks currently have a hard time deciding if their Docker use case is ready to be operationalized. Is it a "go", a "no go", or do they need to implement additional controls before putting it into operation?
The answer depends on how you define security. If security for you is a measure of segregation capabilities then containers are not quite there yet. If you take a step back and look at the bigger picture and consider the many pockets where security must usually go, then you come to interesting insights!
Applications deployed in containers are more secure than applications deployed on the bare OS
In short, despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS — as long as a kernel privilege escalation vulnerability does not exist on the host OS.
I was experimenting with Docker for XenForo with different configurations such as:
a monolithic image that packs everything including a web server, a data base server, an email server, and whatnot
a micro service style setup in which separate images are used for each service and linked together
The latter is more flexible, allowing easy upgrades, independent scaling of services, and easy clustering. To make the deployment easier, Docker Compose can be used. Alternatively, the recently introduced Docker Application Bundle (DAB) can also be used.
A few things that need to be considered include the decision whether the code would be copied inside the image or a volume mounted at run time. The former would allow versioning (using image tags) as updates to XF or add-ons are made, but would require building a new image after each change, while the latter would make it easier to make changes in the code base, but keeping parity between local and production environments will have yet another moving part. The other major thing to consider is not to distribute the Docker image with XenForo code in public repositories. Additionally, it would be better if the XF-related configurations can be done externally, without any file changes in the downloaded code, to allow easy updates. One way to achieve this is to use environment variables instead of making changes in config.php. Also, the directories that change at run time (such as data and internal_data) should be configured as external volumes, if the code is packaged inside the image.
I intend to write a detailed guide to run XenForo in Docker, but thinking of a common ground that works for many webmasters is difficult.
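As an added example (not from the post above or from XenForo), here is a Docker Compose file that applies the considerations in that post: XenForo code packaged in a privately hosted image tagged by version, run-time state (data and internal_data) on named volumes, and all deployment-specific values passed as environment variables or file-based secrets so the config.php in the image is never edited. The image name and tag, the XF_* variable names, and the secret file paths are assumptions; config.php in the image is expected to read the XF_* values with getenv(), and the mail service is left out.

```yaml
# Added example, not the post author's setup. Image tag, XF_* names and
# secret paths are assumptions; adjust them to your own build.
services:
  db:
    image: mariadb:10.11
    environment:
      MARIADB_DATABASE: xenforo
      MARIADB_USER: xenforo
      # *_FILE variants keep credentials out of the image and out of `docker inspect`
      MARIADB_PASSWORD_FILE: /run/secrets/db_password
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets: [db_password, db_root_password]
    volumes:
      - db-data:/var/lib/mysql
    networks: [backend]

  app:
    # Private registry only: the image carries the licensed XenForo code,
    # so it must never be pushed to a public repository (hypothetical name/tag)
    image: registry.example.internal/xenforo:2.2.13
    environment:
      XF_DB_HOST: db
      XF_DB_NAME: xenforo
      XF_DB_USER: xenforo
      XF_DB_PASSWORD_FILE: /run/secrets/db_password   # read by config.php, assumed
    secrets: [db_password]
    volumes:
      # Run-time state lives outside the image, so deploying a new tag
      # replaces the code but keeps attachments, avatars and internal data
      - xf-data:/var/www/html/data
      - xf-internal-data:/var/www/html/internal_data
    ports:
      - "127.0.0.1:8080:80"   # bind locally; a TLS-terminating proxy sits in front
    depends_on: [db]
    networks: [backend]

volumes:
  db-data:
  xf-data:
  xf-internal-data:

secrets:
  db_password:
    file: ./secrets/db_password.txt        # keep these files out of version control
  db_root_password:
    file: ./secrets/db_root_password.txt

networks:
  backend:
```

Upgrading XenForo or an add-on then means building and pushing a new image tag and changing the `image:` line, while the three named volumes and the secret files stay untouched.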