Hi! Im new to self hosting. Currently i am running a Jellyfin server on an old laptop. I am very curious to host other things in the future like immich or other services. I see a lot of mention of a program called docker.
search this on The internet I am still Not very clear what it does.
Could someone explain this to me like im stupid? What does it do and why would I need it?
Also what are other services that might be interesting to self host in The future?
Many thanks!
EDIT: Wow! thanks for all the detailed and super quick replies! I've been reading all the comments here and am concluding that (even though I am currently running only one service) it might be interesting to start using Docker to run all (future) services seperately on the server!
Its an extremely fast and insecure way to setup services. Avoid it unless you want to download and execute malicious code.
Please explain this to me
Package managers like apt use cryptography to check signatures in everything they download to make sure they aren't malicious.
Docket doesn't do this. They have a system called DCT but its horribly broken (not to mention off by default).
So when you run
docker pull, you can't trust anything it downloads.Thank you very much! For the off by default part i can agree, but why it's horribly broken?
You know container image attestations are a thing, right?
You know it doesn't verify any signature on download, right?
A signature only tells you where something came from, not whether it’s safe. Saying APT is more secure than Docker just because it checks signatures is like saying a mysterious package from a stranger is safer because it includes a signed postcard and matches the delivery company’s database. You still have to trust both the sender and the delivery company. Sure, it’s important to reject signatures you don’t recognize—but the bigger question is: who do you trust?
APT trusts its keyring. Docker pulls over HTTPS with TLS, which already ensures you’re talking to the right registry. If you trust the registry and the image source, that’s often enough. If you don’t, tools like Cosign let you verify signatures. Pulling random images is just as risky as adding sketchy PPAs or running curl | bash—unless, again, you trust the source. I certainly trust Debian and Ubuntu more than Docker the company, but “no signature = insecure” misses the point.
Pointing out supply chain risks is good. But calling Docker “insecure” without nuance shuts down discussion and doesn’t help anyone think more critically about safer practices.
Entirely depends on who's publishing the image. Many projects publish their own images, in which case you're running their code regardless.
Nope. See DCT. Its a joke.
Use apt.