u/Connect_Detail98

▲ 3 r/docker

Docker reaching the host network isn't considered a security concern?

I'm playing around with the docker network, exploring how it is setup through the virtual bridges.

This is my setup:

- Docker network 1 - 172.17.0.0/16

- Docker network 2 - 172.18.0.0/16

I have one container running in each of those networks.

The host is plugged into network 1 with the IP 172.17.0.1 and into network 2 with the IP 172.18.0.1.

If I deploy an HTTP server in my host network namespace bound to 0.0.0.0 and port 8000, I can reach it from the docker containers.

```
# from inside the container
curl 172.17.0.1:8000 # for example.
# reaches the service running in the host.
```

I expected the host network to be isolated from the containers by allowing packets to be forwarded through the host in the forward chain, but blocked from reaching the host processes in the input chain.

So... Why does Docker allow containers to reach the host network by default but blocks containers from reaching each other between container networks? It's like they said "security is important so we don't allow containers to reach each other in different docker networks" but then said "uhhh, let's allow containers to talk to the host just because".

It would be nice if someone explained why they chose this design. To me it seems like bad isolation. What if I want to have a process in my host that I don't want these containers to reach? I'd expect the default behavior to be "there's no access. If you want to enable it, you need to do it explicitly". Instead of "all the services in the host are accessible, if you want to figure out how to close them, good luck finding the right iptables rules that don't break the docker network".

u/Connect_Detail98 — 5 days ago
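The host-side policy the post is asking for, as an added example that is not part of the original post and not Docker's own tooling. Docker's cross-network isolation lives in the FORWARD chain (the DOCKER-ISOLATION-STAGE chains); a packet from a container addressed to the host's bridge IP such as 172.17.0.1 is delivered to a host process through the INPUT chain, which Docker's default rules do not restrict, so that is where the extra rules go and why they do not interfere with forwarding between networks. The bridge name `docker0` and the port numbers are placeholders for the example.

```shell
#!/bin/sh
# Added example (not from the post or from Docker): deny containers on one bridge
# access to the host's own services, leaving Docker's FORWARD rules untouched.
# Interface names and ports are placeholders.

# Emit, one per line, the iptables commands for a given bridge. Each rule is
# inserted at position 1 and they are emitted in reverse order, so the final
# order in INPUT is: explicitly allowed TCP ports, established/related replies,
# then DROP for everything else arriving from that bridge.
host_isolation_rules() {
    bridge="$1"   # docker0 for 172.17.0.0/16; user-defined networks show up as br-<id>
    shift
    # DROP goes in first; every later insert lands above it.
    echo "iptables -I INPUT 1 -i $bridge -j DROP"
    # Replies to connections the host itself opened towards containers stay allowed.
    echo "iptables -I INPUT 1 -i $bridge -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Allow-list: each remaining argument is a TCP port containers may still reach on the host.
    for port in "$@"; do
        echo "iptables -I INPUT 1 -i $bridge -p tcp --dport $port -j ACCEPT"
    done
}

# "show" prints the commands for review; "apply" runs them (needs root).
main_apply() {
    mode="$1"
    shift
    host_isolation_rules "$@" | while IFS= read -r cmd; do
        if [ "$mode" = apply ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Post-apply check: iptables -C exits 0 only if the DROP rule is present.
host_isolated() {
    iptables -C INPUT -i "$1" -j DROP 2>/dev/null
}

# Usage: ./host-isolation.sh show docker0 8000   (review)
#        sudo ./host-isolation.sh apply docker0 8000   (apply, keeping port 8000 reachable)
if [ "${1:-}" = apply ] || [ "${1:-}" = show ]; then
    main_apply "$@"
fi
```

Run it once per bridge (the second network in the post has its own `br-*` interface, visible with `ip link`). Two caveats: if the containers use the host as their DNS resolver, keep port 53 allowed (add a UDP rule alongside the TCP one); and iptables rules are not persistent across reboots, so store them with your distribution's firewall tooling. The simpler fix for the specific case in the post is to bind the host service to the address it is meant for (127.0.0.1 or the LAN IP) instead of 0.0.0.0, so it never listens on the bridge addresses at all.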

I just interviewed a person for a Senior Cloud Engineer position. He has a ton of credentials about security, like SOC2, HIPAA...

My first cloud question is "what would you do if you have a service that is located in a public subnet and is getting accessed through the public IP of the instance". I asked some ownership and leadership questions before this.

He didn't talk about security groups, he didn't mention that he'd check if the instance is open to any attacks, didn't mention that the instance should be migrated to a private subnet. When I explicitly told him to please fix the network layout, he insisted the public subnet was the correct place for an API service running in EC2. When I told him it should go in the private subnet he said that clients would need to connect to the instance via the NAT. That's not how an AWS NAT works, omg.

I rejected this person, not solely based on this, but this was a very bad start to the interview. Am I wrong to think this is a big deal? This is the sort of stuff I learned on my first week reading about the Cloud and this guy has 12+ years of experience working with all the cloud providers and doesn't know it? It was such a big red flag.

Any opinions? I just want to make sure I'm not being a dick, maybe someone can defend this guy and make me see why this is acceptable.

u/Connect_Detail98 — 13 days ago
▲ 0 r/China

In my understanding, the end goal of Marxist and Leninist communism is to abolish the state and to have a classless society.

It seems to me China is currently going the opposite way: the state is gaining power internally and globally. This probably means that they are in the first stages of socialism, in which they consider it necessary to grow in order to prevent external forces from disrupting their future transition into communism.

Let's assume China reaches a point in which it is the strongest world power. It has successfully taken over the US and is now the most advanced and powerful nation in the world. There are no threats to their communism plans.

How do they migrate from being one of the countries with the most involved state into a stateless country? What does a country with more than a billion people look like when there is no state and no social classes?

Do you think this is realistic?

u/Connect_Detail98 — 15 days ago