> There was a popular post less than a month ago about this recently https://news.ycombinator.com/item?id=46305585
This incident precisely shows that containerization worked as intended and protected the host.
It protected the host itself, but it did not protect the server from being compromised and running malware, mining cryptocurrency.
Containerizing your publicly exposed service will also not protect your HTTP server from hosting malware or your SMTP server from sending spam; it only means you've protected your SMTP server from your compromised HTTP server (assuming you've even locked it down accurately, which is exactly the kind of thing people don't want to be worried about).
Tailscale puts the protection of the public portion of the story in the hands of a company dedicated to keeping that portion secure. WireGuard (or similar) limits the protection to a single service with low churn and minimal attack surface. It's a very different discussion than preventing lateral movement alone. And that all goes without mentioning that not everyone wants to deal with containers in the first place (though many do in either scenario).