Thank you for this important initiative. As a non-techie and member of the German Hostsharing coop, I asked for comments on the project. As far as I know, our tech team is heavily using Ansible in daily work to manage our hosting infrastructure.
I got one (German) piece of feedback from a coop member: he thinks your concept makes sense, but his experience is that Docker Compose often needs root rights in the containers, which can be critical with regard to security.
KawaiiPunk, could you please explain how you deal with potential security issues in the project?
With the help of DeepL, I also translated my coop colleague's comment. Please bear this in mind if the text seems a little strange…
As far as I can see, Autonomic is right. If you have to maintain all role configurations with Ansible manually, it's quite a bit of extra work compared to upstream-deployed docker-compose configurations.
I’m not entirely happy after using docker-compose on a large project with many containers in the development thread, but this mainly concerns maintenance issues when you update containers very often with new code states.
The filesystem can fill up with outdated images, which are not cleaned up automatically. However, the documentation also states that docker compose is not optimized for this particular scenario.
From a security point of view, docker/docker-compose is a bit problematic, since it works a lot with root rights in the containers.
OpenShift, for example, uses individual one-time users in the root group and more stringent security policies, but is also more difficult to configure, has discontinued docker support, and is just not very free.
So if docker-compose is delivered upstream, it would have to be evaluated whether the security is sufficient.
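To make the "root rights in the containers" point concrete, here is an added illustration (not part of the original post, nor of the Autonomic/KawaiiPunk project being discussed) of what an upstream compose service typically looks like beside one that uses settings Compose already supports to run the process unprivileged and with reduced capabilities. The image name, UID and port are placeholders.

```yaml
# Added illustration, not from the original post or the project it discusses.
# "app-default" mirrors how many upstream compose files ship: no "user:" key,
# so the entrypoint runs as UID 0 inside the container with default capabilities.
# "app-hardened" applies Compose-native settings that limit what a compromised
# container process can do. The image name, UID/GID and port are placeholders.

services:
  app-default:
    image: example/webapp:latest    # placeholder image name
    ports:
      - "8080:8080"
    # No "user:" key: the process inside the container is root.

  app-hardened:
    image: example/webapp:latest    # placeholder image name
    ports:
      - "8080:8080"
    user: "10001:10001"             # unprivileged UID:GID; the image must tolerate non-root (file ownership, no privileged ports)
    read_only: true                 # root filesystem mounted read-only
    tmpfs:
      - /tmp                        # writable scratch space the application still needs
    cap_drop:
      - ALL                         # drop every Linux capability; port 8080 is unprivileged, so nothing needs adding back
    security_opt:
      - no-new-privileges:true      # setuid/setcap binaries cannot raise privileges inside the container
    pids_limit: 256                 # cap the number of processes (fork-bomb containment)
```

After `docker compose up -d`, you can verify which user a service actually runs as with `docker compose exec app-hardened id` (expected `uid=10001`) or `docker inspect --format '{{.Config.User}}' <container>`. The usual reason an upstream image "needs root" is that its files are owned by root or it writes to its own install directory; those are image-build issues, and the `read_only` plus `tmpfs` combination above is a quick way to surface them during evaluation rather than in production.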