[ale] Behind on your "Container Skills"

Jerald Sheets questy at gmail.com
Mon Jan 8 12:38:00 EST 2018


You solve this by only allowing an internal “hub” where you place “blessed” container images.  Done.

We blackhole docker hub internally, and there is no ingress to serving nodes from the outside.  In short, if you want something inside, it has to go through a vetting process, and then I have to put it onto the internal hub.  Outside of that, nothing goes on a serving node that isn’t explicitly blessed on an almost file-by-file basis.

Docker is and can be secure.  The problem is that most Systems folks are too lazy to build the infrastructure to make it so.

—j
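The "internal hub only" rule described above can also be checked before anything reaches a serving node. The sketch below is an added example, not part of the original message or of any poster's tooling: it resolves an image reference the way Docker does (a name with no registry host falls through to Docker Hub) and rejects anything that does not come from the internal hub. The hostname `hub.internal.example:5000`, the floating-tag check and the sample references are assumptions made for illustration.

```python
# Added example: the internal hub hostname below is a placeholder (assumption).
ALLOWED_REGISTRIES = {"hub.internal.example:5000"}
DEFAULT_REGISTRY = "docker.io"  # where Docker looks when no registry is named


def split_reference(ref):
    """Return (registry, repository, tag, digest) as Docker would resolve ref."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker treats the first path component as a registry host only if it
    # contains '.' or ':' or is exactly 'localhost'; otherwise it is a repo.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, name
    repo, _, tag = remainder.partition(":")
    if registry == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo  # official images live under library/
    return registry, repo, tag or None, digest or None


def violations(ref, allowed=ALLOWED_REGISTRIES):
    """List the reasons this reference should not run on a serving node."""
    registry, _repo, tag, digest = split_reference(ref)
    found = []
    if registry not in allowed:
        found.append(f"registry {registry} is not the internal hub")
    if digest is None and tag in (None, "latest"):
        found.append("floating tag: reference a vetted tag or digest")
    return found


# Constructed sample references, as they might appear in deployment manifests.
SAMPLES = [
    "hub.internal.example:5000/web/nginx:1.13.8",
    "nginx",
    "somedev/app:latest",
    "hub.internal.example:5000/web/api",
    "quay.io/coreos/etcd:v3.2",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        problems = violations(ref)
        print(f"{'DENY ' if problems else 'ALLOW'} {ref}", *problems, sep="\n    ")
```

A check like this complements the network-level blackhole rather than replacing it: the blackhole stops the pull, while the manifest check reports the offending reference before deployment.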


> On Jan 8, 2018, at 12:05 PM, Jim Kinney via Ale <ale at ale.org> wrote:
> 
> Devs LOVE containers. SysAdmins hate them. They are difficult to manage for updates (toss and rebuild) and most devs pull latest-greatest libs even though they are all right from a git repo and not checked for problems. None of the security checks that exist for VM control work for containers and they leak like a screen door on a submarine.
> 
> Good for development. Should be barred from production use.
> 
> On January 8, 2018 11:34:07 AM EST, DJ-Pfulio via Ale <ale at ale.org> wrote:
> From the article, seems most enterprises still use VMs and real hardware
> for their production loads.  Containers are mostly used for development
> needs, not production.
> 
> https://www.theregister.co.uk/2018/01/08/container_shock_not_everybody_is_doing_it/
> 
> 
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 
> --
> Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
