Sincere question - AFAIK, Raspberry Pi OS is a Linux distribution like any other, with dependency/distribution issues like any other. Why would using Docker on it be a sad state of affairs, in contrast to using it on any other distribution?
Because a password manager is a tiny piece of software. Instead, it is now a multi-component black box installation with a general purpose operating system running on a full-scale Linux machine with a containerization platform designed for datacenters.
I am not a fan of this kind of redundancy and opaqueness.
When you put it that way, I agree - a password manager should really be implementable as a single statically linked binary.
There seem to be some other Docker features used, like healthcheck [0], and MariaDB seems to be installed, too, so it might be worth considering how much additional OS-dependent complexity the equivalent functionality without Docker would require. At the very least, you need some kind of service manager to run your program on boot, and restart it on error. At that point, Docker may as well be used as a glorified service manager - just slap your static binary in a `FROM scratch` container, and you're done.
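As an added illustration of the `FROM scratch` approach described above (example added here, not code from the thread, from vaultwarden or from the linked tutorial), a minimal Dockerfile that uses Docker purely as a service manager. The binary name `/app`, its `healthcheck` subcommand and the `--url` flag are assumptions about a hypothetical statically linked program, not real vaultwarden options:

```dockerfile
# Added example: Docker as a glorified service manager around one static binary.
# Assumptions (hypothetical): ./app-static is a statically linked binary and
# supports an "app healthcheck --url ..." subcommand that exits non-zero on failure.

# Stage 1: a throwaway image only used to create an empty, correctly owned
# data directory, because "scratch" has no shell to run mkdir in.
FROM alpine:3.18 AS prep
RUN mkdir -p /data && chown 65534:65534 /data

# Stage 2: the real image contains nothing but the binary and its data dir.
FROM scratch

# No /etc/passwd exists in scratch, so the unprivileged user is a numeric uid.
USER 65534:65534

COPY --chown=65534:65534 app-static /app
COPY --from=prep --chown=65534:65534 /data /data
VOLUME ["/data"]
EXPOSE 8080

# scratch has no shell, curl or wget: HEALTHCHECK must use the exec form and
# call the binary itself. A shell-form CMD ("curl -f ...") would fail with
# "no such file or directory" because /bin/sh does not exist in the image.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD ["/app", "healthcheck", "--url", "http://127.0.0.1:8080/"]

ENTRYPOINT ["/app"]
```

Restart-on-error is not part of the image; it is set at run time, e.g. `docker run --restart=unless-stopped -v app-data:/data -p 8080:8080 app-image`. Two caveats of the empty base image: there is no shell, so `docker exec` cannot be used for debugging, and if the binary makes outbound TLS connections it needs CA certificates copied in from the build stage (`COPY --from=prep /etc/ssl/certs /etc/ssl/certs`), since scratch ships none.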
> I am not a fan of this kind of redundancy and opaqueness.
Me neither. But I wouldn't blame Docker itself - it's just a tool. If it wasn't for Docker, some other way of circumventing good engineering would be found :-)
BitWarden isn't all that tiny. I am pretty sure the main reason for the Docker container is that it is built with dotnetcore and uses SQL Server for its database. BitWarden is complicated to install for self-hosting as opposed to using it on a PiZero.
That said, I am skeptical of running it on a PiZero. I could see running it on a Pi3 or Pi4 where I can leave it connected to my network and cron backups to a NAS.
Reminds me of someone writing a little status light app (in the macOS menu bar / Windows tray) and choosing Electron for that. Something ridiculous like 200MB+ install size and 150MB memory use.
You wanted a banana, but what you've got is a monkey holding a banana, the whole jungle, the continent on which the jungle is growing, the atmosphere for holding evaporated water for irrigating the jungle, the Sun for providing energy to the jungle trees, and the whole universe.
Docker has been a godsend for home labs. People don't need to know where on the filesystem their configs have been scattered (distro dependent). They just need to know how to docker pull and configure their container.
In case you ever wish to change the operating conditions/environment/hardware in the future. Having a consistent operating environment is a big win, in my opinion.
Yes absolutely, but if the hardware requirements for running Docker currently don't fit on a keychain (a physical one, that is), perhaps it's not the best choice today for secure password storage.
One reason is that software isn't always distributed in normal distro repositories anymore. People can't (or don't want to) deal with dependency management so they ship an entire (slightly outdated version of an) OS with their application to make deployment foolproof.
The vaultwarden install instructions assume Docker, for example: https://github.com/dani-garcia/vaultwarden. If you want to install native binaries, you're going to have to git fetch/checkout/pull the latest release tag and run `cargo build --features sqlite --release` yourself. Doable in a cronjob, but it'll probably take a compile to build a system like vaultwarden on a low-power ARM core.
Yes, Docker is a black box. You don't know anything, you just launch something without understanding what components it consists of, what they are doing individually, and what their attack surface is.
Not to mention that it encourages sloppiness and software bloat. The password manager could be put on a simple MCU device, instead, we have a large non-transparent multi-component installation swept under the rug with Docker. I do not think this is a good thing.
The same can be said of any software that you don't review and compile yourself. Whether I run a Docker container or pull in 500 npm/pip/cargo/gems/composer dependencies, the attack surface remains. With Docker these individual layers can be separated and inspected at the very least.
Based on the name, I expected someone to take vaultwarden and make it an αcτµαlly pδrταblε εxεcµταblε that runs on its own without an OS; instead, this is just a quick tutorial for "how to set up vaultwarden".
I much prefer normal systemd services to sandbox my applications but if the software you want to run isn't packaged in some normal, updateable way (like a standard repository) then Docker is definitely the way to go.
On the other hand, docker containers on a RPi Zero? What a sad state of affairs we have in 2022.