Docker Community Forums


Misuse Docker Container as VM

(Secdocker1) #1

I’ve read that you shouldn’t ssh into a docker container. But why? I’d like to use a docker container as a replacement for a normal VM. What are the disadvantages? I know that this will create a lot of layers. But I could flatten my container on a regular basis.

Can I use the container as a regular vm and what is the “worst case” that can happen?

(Jfraney) #2

The worst case is you won’t like it. A container is not a replacement for a vm. Understanding the container differently will be more likable. Understand the container as a process which is constrained from accessing resources except where explicitly allowed. A container CONTAINS the process, like a cage in the zoo CONTAINS the lion, or a carton CONTAINS the milk. A vm is not a container, and a container is not a vm. Too bad too many people explain containers in terms of vm. Big confusing mistake.

What’s ‘wrong’ with a container with a root process, like an initd, that starts processes that do different things? All the processes will be under the identical constraints. Certainly doable. You can run a reverse proxy, and your application, and your database server under the same container. Your reverse proxy could access the files of your application and the root filesystem of your database… If you’re ok with that, fine, knock yourself out. I don’t like it because the reverse proxy could be hacked, then my application and data are vulnerable. If they run in separate containers, damage during a break-in is less widespread.

Ultimately, a container is not a vm. If you want a vm, use a vm.
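
The separation described in post #2, as an added example that is not part of the original thread: a Compose file that runs the reverse proxy, the application and the database as three containers, each with its own filesystem and only the network paths it needs. Service, network, volume and secret names, the `example/app:1.0` image and the local file paths are assumptions made for illustration.

```yaml
# Added example (constructed): one process per container, each constrained separately.
services:
  proxy:
    image: nginx:stable
    ports:
      - "443:443"                   # the only service published on the host
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro   # config only, read-only
    networks:
      - edge                        # can reach app, has no route to db
    security_opt:
      - no-new-privileges:true

  app:
    image: example/app:1.0          # hypothetical application image
    volumes:
      - app_files:/srv/app          # not mounted into proxy or db
    networks:
      - edge                        # receives requests from proxy
      - backend                     # talks to db
    security_opt:
      - no-new-privileges:true

  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password                 # delivered only to this container
    volumes:
      - db_data:/var/lib/postgresql/data   # data directory visible to db only
    networks:
      - backend

networks:
  edge:
  backend:
    internal: true                  # no outbound access from this network

volumes:
  app_files:
  db_data:

secrets:
  db_password:
    file: ./db_password.txt         # assumed local file, keep it out of the image
```

With this layout the `proxy` container has no mount of `app_files` or `db_data` and is not attached to `backend`, which is the difference from running all three processes under one container's identical constraints.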