[GLLUG] Docker question - for those that are using it

andy singleton freescooter at gmail.com
Tue Sep 23 15:30:28 UTC 2014


I admit there are security flaws that still need to be worked out with
containers, but the utility is huge.
The real-life security risk depends on what software you are running within
those containers. So stay patched.

One of my clients (a well-known large company) went from using many 100s
of VMs for their services to using between 2 and 4 app servers per
environment, and containerising everything that used to run in those
environments.
If you use the same core filesystem image, the containers are small, and
the client can deploy 100s of these services in the space of a few seconds.
It may not suit everyone, but for these guys Docker has done a lot for
them, and at least penetration testing has failed to find any way to abuse
the Docker aspect of their deployment.



On Tue, Sep 23, 2014 at 3:50 PM, James Courtier-Dutton <
james.dutton at gmail.com> wrote:

> On 23 September 2014 14:08, Andy Smith <andy at bitfolk.com> wrote:
> > Hello,
> >
> > On Tue, Sep 23, 2014 at 01:39:16PM +0100, Matthew Copperwaite wrote:
> >> Lately there has been some backlash against containers/Docker because the
> >> assumption was that, like a VM, the containers were isolated and therefore
> >> secure. This however was not necessarily the case, especially if SELinux is
> >> disabled or not installed. This meant on some PaaS services it was possible
> >> to "break in" to other Docker instances.
> >
>
> We are using Docker at work.
> It is for Continuous Integration testing.
> Docker is essentially a wrapper around chroot.
> So, Docker has all the same vulnerabilities as chroot does.
> For our testing, we can ensure that it is deploying to a newly built
> machine each time, without the overhead of a VM.
> In our case, Docker is running on a VM, so if we use a VM for CI, we
> would be doing a VM inside a VM!
> The application is a web site.
> The real deployed machines are all real VMs, as chroot would not be
> secure enough.
>
> Kind Regards
>
> James