We don't use containers, and here's why.


An Intro to Fly Machines:

Machines API:

Fly Kubernetes:
Comments

Containers solve multiple issues and not just isolation. You can still use micro VMs for isolation and containers inside those VMs to handle application deployments/dependencies.

Wolfereign

Good video, but I really hope new devs don't walk away thinking containerization is bad. Containers like Docker and Docker Compose mainly solve the "well, it works on my machine" issue. It's not specifically made for security, per se.
Although it's difficult and there are limitations, a Docker container can be run on a Linux server with firejail for additional security that prevents the cross contamination mentioned.

That being said, Firecracker is probably much easier and more effective.

HansMcMurdy

It's not true that you can't escape the hypervisor; it's just harder.

KManAbout

I'm convinced your product offering is much better thought out than most modernized hosting solutions. I really like the idea of micro VMs over containers.

TheHermitHacker

I don't think security is the main problem with containers; clearly this has been figured out. (Sure, nothing except air-gapping gives a 100% guarantee, but that's the same with hypervisors.)
The actual problem with containers is that they're inflexible and awkward to administrate. It would be much more convenient to have something like NixOS running on those VMs and submit a configuration instead of a Docker image.

leftaroundabout

Yes, virtualization isolates better. However, Podman and CRI-O configured correctly completely get rid of the complaints you have with containers. Your issues as presented are with Docker, not containers.

Maxible

I must say that containerization has completely solved botched deployments for us. We haven't had to do a single rollback in 4 years, and it's because our entire service runs locally and deploys as-is. It took a long time to not be surprised that it just works in production.

HollywoodCameraWork

VMs really do eliminate more ambient-authority than cgroups do. That's only half of the battle, of course: how you manage the interfaces you expose to the tenants makes a huge impact to the overall security of the platform and the tenants on it, too!

capability-snob

Brilliant! It's really interesting to know how these hosting services run behind the scenes, and even more interesting to know they are not just AWS wrappers 😂

Andressuquaz

I wish I had a mentor who could explain things as simply and clearly as she does.

roodood

This is my gripe with Docker. People just assume that containers = Docker. There are much better alternatives like Podman/CRI-O which can be configured so that all the security concerns mentioned here are addressed.

earthling_parth

All you said was valid for containers around 7-8 years ago.
Today, it is very different.

MadalinIgnisca

Love your content. Fly.io did very well by letting you do this stuff.

Yusuf-okrk

I have been using Fly and it is the best for an indie dev like me. Best product.

ishaquenizamani

Insightful! Thank you for making the video. The audio is really quiet... had to turn up my system volume and open a different video to make sure I wasn't going crazy and now all the other videos are shouting lol

carltongannett

You blew past all the cons of using virtualization over containers, like higher overhead, wasted resources, worse startup and scaling, etc. And the security concerns with containers that you listed just aren't realistic.

soapergem

What an awesomely explained video. Makes me want to use Fly

nikodunk

Everything sounds great and all, but your VMs are not scaling quickly enough for big payloads like image binaries. On the other hand, containers are smooth like butter on GCP.
Note: I have load tested your systems for two weeks, created a ticket on the support site, emailed a support specialist, etc. before switching to GCP.

alperenata

4:09 Beta Kubernetes? For managing containers or what?

ahmadganteng

Kata Containers does the same thing. Kata Containers is open source, so you can set it up yourself.

SouravMoitra