[Swlug] Fwd: Docker, containers, oh my!

Mark Einon mark.einon at gmail.com
Wed Apr 26 10:27:47 UTC 2017


On 26 April 2017 at 10:07, Dave Cridland <dave at cridland.net> wrote:
>
> In fairness, most of the issues can be mitigated by ensuring that
> containers operate with the right caps; but it's certainly true (and
> often forgotten) that if a container performs a modprobe, it is
> affecting the host kernel.

Hi Dave,

True - but people are usually the weak bit in any security setup, and
can you imagine your average web dev poring over lists of kernel caps
when something doesn't work? They'll probably end up switching
everything on regardless...

>
> > Because this is the fundamental framework for containers, and having
> > been in the kernel for many years I don't expect the security issues
> > to disappear overnight - so I'll continue to ignore them for the time
> > being.
>
> I'm not sure ignoring them is the right answer, though.

Ok, to give my comment here a little more context, I won't be putting
any of the genetic data that I look after anywhere near a docker
container for the foreseeable future :)

>
> I've decided to plonk a simple docker setup into production for my own
> services, since the isolation capability is better than the nothing I
> have right now. In addition, the overhead is small enough that I can
> get away with it on my personal server.
>
> Is the isolation as good as running a full VM server? No.
>
> Is Docker easier to work with than Ansible playbooks and Vagrant? Hell yes.

But, if you choose to use Docker for development instead of Ansible,
how easy is it then to deploy it into a production environment?

Mark
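The capability question raised in the thread (Dave's point that a container holding CAP_SYS_MODULE can modprobe straight into the host kernel, and Mark's point that nobody wants to read a list of kernel caps) is easier to reason about with something that turns the raw mask into names. The script below is an added example, not from either poster: it decodes a CapEff mask of the kind shown in /proc/<pid>/status into capability names (the same thing `capsh --decode=` from libcap does) and flags the ones that reach past the container into the shared kernel. The two masks it uses are constructed sample values: 0x00000000a80425fb is Docker's default capability set for an unprivileged container, and 0x000001ffffffffff is the full 41-bit set a `--privileged` container gets on a 5.x kernel. The choice of which capabilities count as "host-reaching" is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): decode a Linux CapEff mask
# into capability names and flag the ones that let a container reach the
# host kernel. Pure POSIX sh, no arrays, so it runs in dash and busybox too.

# Capability names in bit order, from the kernel's capability.h (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# Assumption of this example: capabilities that give a process inside the
# container a route into the shared kernel or into other processes on the
# host. sys_module is the modprobe case mentioned in the thread.
HOST_REACHING="sys_module sys_rawio sys_ptrace sys_admin"

# decode_caps MASK: print one capability name per line for every set bit.
# MASK is a hex string exactly as /proc/<pid>/status prints it (with 0x).
decode_caps() {
  mask=$(( $1 ))
  bit=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      printf '%s\n' "$name"
    fi
    bit=$(( bit + 1 ))
  done
}

# dangerous_caps MASK: print, space-separated on one line, the subset of the
# mask's capabilities that appear in HOST_REACHING (empty line if none).
dangerous_caps() {
  out=""
  for cap in $(decode_caps "$1"); do
    for bad in $HOST_REACHING; do
      if [ "$cap" = "$bad" ]; then
        out="${out:+$out }$cap"
      fi
    done
  done
  printf '%s\n' "$out"
}

# current_cap_mask: the effective mask of this shell, read from /proc. Run it
# inside a container to see what the container really has. Linux only.
current_cap_mask() {
  awk '/^CapEff:/ { print "0x" $2 }' /proc/self/status
}

# Constructed sample masks: Docker's default set, and the full set that
# --privileged (or "switching everything on") hands out on a 5.x kernel.
DOCKER_DEFAULT=0x00000000a80425fb
PRIVILEGED=0x000001ffffffffff

for m in $DOCKER_DEFAULT $PRIVILEGED; do
  echo "mask $m: $(decode_caps "$m" | tr '\n' ' ')"
  echo "  host-reaching: [$(dangerous_caps "$m")]"
done
if [ -r /proc/self/status ]; then
  echo "this shell: [$(dangerous_caps "$(current_cap_mask)")]"
fi
```

To check a running container rather than this shell, read the mask of its init process from the host: `grep CapEff /proc/$(docker inspect -f '{{.State.Pid}}' <container>)/status`, then feed that value to `dangerous_caps`. The practical fix for the modprobe case is to start from nothing and add back only what the service needs, e.g. `docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...`, and to treat `--privileged` as "the container is the host".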
