[ale] Containers... use?

Jim Kinney jim.kinney at gmail.com
Sat Sep 16 22:21:32 EDT 2017


From a sysadmin perspective, containers make it far too easy to bypass all security protocols. Until it's live, it's a binary blob waiting to suck in code from unknown sources and send information to unknown locations. Virtual machine security is better and more understood than containers.

Until I can get a SHA256 signed docker container with sig I trust, I can't allow them to touch my storage cluster.

How do containers get updated for security patches? They don't. Toss it and rebuild. That sets up a churn of installing new containers which will in time dull the build process security focus. Time passes and a mission critical process is running on a gaping security hole that can't be patched because the F+@$ing developer who built it got a better job offer and left. Developers don't have the responsibility for the integrity of the system, network, environment. Just their code. The sysadmin is on the hook for that blob of festering code rot that lets <fill in a cracking team name here> gain root in a container attached to a few TB of patient/banking/insurance/ANYTHING data and suddenly the sysadmin makes headline news.

Yeah. Not a fan. Lots more work to do before containers move beyond lab curiosity for me.

Chroots work well. Add cgroups and it's rather locked down.

VMs are mostly decent (some security issues with shared RAM and networking).

On September 15, 2017 10:30:01 PM EDT, Raj Wurttemberg <rajaw at c64.us> wrote:
>Are any of you using containers for anything? Most of my customers are
>SAP HANA (2 to 4TB of RAM and 20 to 60 CPU cores). The technology looks
>cool... I just can't find a use for it.
>
>/Raj

-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.