Should we replace docker-ce with docker.io?

[jemrobinson]

• docker-ce is the community edition of docker from download.docker.com
• docker.io is the Ubuntu version from packages.ubuntu.com

docker-ce will be more up-to-date but requires us to allow access to a large number of IP addresses as it's hosted behind a CDN. docker.io does not have this problem but will in general be out-of-date and might have associated security issues.

[JimMadge]

I would go with the Canonical build (docker.io). From personal experience,

• Managing Docker's PPAs can be a pain (especially in this case as it requires curating and allowing many IPs)
• It often takes time for official builds to support new releases (even LTS)

The main downside is that the canonical builds may lag behind upstream. Brand new features might not be in docker.io yet. I would be surprised if this were a big problem. We already lean towards stability with LTS releases (e.g. Python minor versions are frozen).

might have associated security issues

I would be surprised if this were true. In fact, I would expect docker-ce to have more vulnerabilities as it has newer, less 'road-tested' code.

Longer term I think we should look into using podman. It is completely FOSS, runs any OCI containers and is more secure (no daemon) with rootless setup being trivial (and automatic on most distros now thanks to subuid and subgid).

I would argue it makes any VM running containers more secure, and gives as a simple route to let users run OCI containers (which includes Docker container images).