Hi,
While tinkering today with Chef Solo and Docker, there's a thought I'd really like to get others' feedback on.
Of the many facets of using both Chef and Docker there's one I'd like to focus on in this thread.
Let's take for example a web server like Apache or Nginx.
Option A)
Use a well-supported community Chef cookbook to install and configure Apache/Nginx
Option B)
Use the Chef docker cookbook to pull down and install an Apache/Nginx container
and install a startup script for the container.
So of all the pros and cons to these two installation options, the one big advantage I get
using Option B instead of Option A is my web server is "chrooted" out of the box.
So if there's some exploit for Apache/Nginx that comes out (and my web server has unrestricted access on the web)
I'll get a good security buffer out of the box - the Docker isolated container (chroot).
In a previous job, long before Chef existed, I used to do manual Apache installs and chroot them.
Recently I've stopped doing that by default; however, with the Docker install method I'd get that feature back again.
Any thoughts on this? Agree? Disagree? Am I missing something or thinking about this incorrectly?
Thanks!
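
The isolation a container provides is determined by the options it is started with, which `docker inspect` reports. The Ruby script below is an added example, not part of the original post: it audits that JSON for settings that weaken the buffer discussed above. The container names and sample JSON are constructed, and the list of sensitive bind paths is an assumption.

```ruby
require 'json'

# Constructed sample of `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = <<~DOC
  [
    {"Name": "/nginx-default",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                    "CapAdd": null, "CapDrop": null, "ReadonlyRootfs": false,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/nginx-hardened",
     "Config": {"User": "101"},
     "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                    "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "ReadonlyRootfs": true,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
  ]
DOC

# Assumed list of host paths that give a container control of, or broad
# visibility into, the host when bind-mounted.
SENSITIVE_BINDS = %w[/ /etc /proc /sys /var/run/docker.sock /run/docker.sock].freeze

# Returns the list of findings for one container entry from `docker inspect`.
def isolation_findings(container)
  host = container.fetch('HostConfig', {})
  user = container.dig('Config', 'User').to_s.split(':').first.to_s
  findings = []
  findings << 'runs privileged' if host['Privileged']
  findings << 'shares host network namespace' if host['NetworkMode'] == 'host'
  findings << 'shares host PID namespace' if host['PidMode'] == 'host'
  findings << 'process runs as root in the container' if ['', '0', 'root'].include?(user)
  findings << 'default capability set not dropped' unless Array(host['CapDrop']).map(&:upcase).include?('ALL')
  findings << 'root filesystem is writable' unless host['ReadonlyRootfs']
  Array(host['Binds']).each do |bind|
    src = bind.split(':').first
    findings << "bind-mounts sensitive host path #{src}" if SENSITIVE_BINDS.include?(src)
  end
  findings
end

# Maps container name => findings for a whole `docker inspect` JSON document.
def audit(inspect_json)
  JSON.parse(inspect_json).map { |c| [c['Name'].sub(%r{\A/}, ''), isolation_findings(c)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_INSPECT).each do |name, findings|
    puts "#{name}: #{findings.empty? ? 'no findings' : findings.join('; ')}"
  end
end
```

To check real containers, pass the output of `docker inspect <container>` to `audit` in place of the constructed sample.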