[Swlug] Docker, containers, oh my!

Matt Willsher matt at monki.org.uk
Wed Apr 26 08:50:26 UTC 2017


> On 26 Apr 2017, at 09:08, Mark Einon <mark.einon at gmail.com> wrote:
> 
> Hi Matt,

Hi Mark!

> I don't use Docker (or any containers) in any production environment
> as I consider them as insecure.
> 
> They may be useful for development, but vagrant / ansible isn't
> presenting enough issues for me to look elsewhere

Yes, I think it’s trading one set of problems for another. While Ansible has its challenges - global variables being the worst, I think - at least everything about the workflow is familiar. It’s installing apps, configuring them via a template, and so on. Docker and rkt do lend themselves to dynamic configuration generation. For example, it’s possible to have a container look up other running web services on a machine via env var and configure endpoints accordingly, but it raises security issues as it requires access to the docker daemon socket. Configuration management could be done using a service discovery daemon such as consul, etcd or even redis or a DB, but then that’s more stuff to run.

> My understanding is that containers share the same host kernel and are
> run with root privileges,

It’s possible to use user namespaces now. It looks like root inside the container but gets mapped to a high uid. It makes sharing files between containers a pain. It also makes it unsuitable for services that need higher-level access to kernel functions. 

> using kernel namespaces and cgroups to
> partition resources. There have been security issues in the past, and
> this setup is brittle - each security bug is serious, and any one bug
> may give you access to everything.

That sums up my concerns. It’s possible to run VMs with one container in each, which resolves some of the security issues (but there is still a docker daemon running with root privileges listening on the network), and there would be the benefit of easier and quicker deployment once the effort has been put into making the workflow for that. 

> Because this is the fundamental framework for containers, and having
> been in the kernel for many years I don't expect the security issues
> to disappear overnight - so I'll continue to ignore them for the time
> being.

I’ve been trying to do just that. The market seems very very keen on Docker at the moment though. If this list is a fair reflection, though, it seems that most are only dabbling at this point.

Cheers,
Matt
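Two of the points above (a container that is handed the docker daemon socket, and root inside a container being remapped to a high host uid by user namespaces) can be checked from the host. The following audit helpers are an added example, not code from the list or from Docker; the `docker inspect` records and uid_map lines in it are constructed samples.

```python
"""Audit helpers for two container risks: a bind-mounted daemon socket,
and whether container uid 0 is remapped to an unprivileged host uid."""
import json

DOCKER_SOCK = "/var/run/docker.sock"


def host_uid(uid_map: str, container_uid: int):
    """Translate a uid seen inside a container to the host uid.

    uid_map uses the /proc/<pid>/uid_map format, one range per line:
    '<inside_start> <outside_start> <count>'. Returns None when the uid
    falls outside every mapped range (the kernel shows it as overflow/nobody).
    """
    for line in uid_map.strip().splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def socket_findings(inspect_json: str):
    """Return names of containers that bind-mount the daemon socket.

    Any process that can talk to the daemon can start a privileged
    container, so this is equivalent to root on the host.
    """
    flagged = []
    for c in json.loads(inspect_json):
        mounts = c.get("Mounts", [])
        if any(m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCK
               for m in mounts):
            flagged.append(c["Name"])
    return flagged


# Constructed samples (not real output from any host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "data", "Destination": "/data"}]},
    {"Name": "/discovery", "Mounts": [
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK}]},
])
HOST_UIDMAP = "0 0 4294967295"       # no user namespace: root is host root
REMAPPED_UIDMAP = "0 100000 65536"   # userns-remap style mapping

if __name__ == "__main__":
    print("socket access:", socket_findings(SAMPLE_INSPECT))
    print("container root on host:", host_uid(REMAPPED_UIDMAP, 0))
```

On a live host the inputs come from `docker inspect $(docker ps -q)` and `/proc/<container pid>/uid_map`; the functions themselves need no daemon access.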

