Implications of containerizing services

Hey everyone, I’m new to the Nix ecosystem and I’ve just begun to read about Containers.

From a security standpoint, is it recommended to constrain services into containers then? In my understanding, it should be just as safe to use sufficiently hardened Systemd service configurations, correct? Here is such an example.

Staying with the Mosquitto example, as far as I can tell the only effective difference between a normal and a containerized setup is that the container blocks outgoing network traffic by default. Is this true?

Both use cgroups as the underlying containerization tech - in fact, NixOS uses systemd-nspawn - so, mostly yes.

For NixOS containers “un-hardened” namespaces are opt-in though, rather than opt-out, so it’s arguable that they’re safer (because you can’t forget a setting and it’s future proof).

Your configuration is missing a RootDirectory=, by the way, which is definitely less secure than what the containers give you by default. This is the primary use case in my mind, since setting up a correct sysroot without the containers feature is tricky.

Whether it’s recommended is a different question; network configuration with the containers feature is very tricky. Personally, I still prefer podman, for which there is also support, and the systemd namespacing options are plenty for a lot of use cases.

1 Like

I see, thanks for your insights!