[Swlug] Docker, containers, oh my!
Simon Palmer
Simon.Palmer at colegsirgar.ac.uk
Wed Apr 26 08:56:31 UTC 2017
Hi all,
Just to say we have a couple of commercially supplied Virtual Appliance
VMs with a single docker instance in them, and the VA is configured to
NAT from the host to the docker instance. I don't really understand why
they did this. I can't see the benefit over putting the application
directly into the VA.
Simon
>>> On 26/04/2017 at 09:50, in message
<12633F8E-3A72-4FF4-A482-5A3AB81AB35E at monki.org.uk>, Matt Willsher via
Swlug <swlug at mailman.lug.org.uk> wrote:
> > On 26 Apr 2017, at 09:08, Mark Einon <mark.einon at gmail.com> wrote:
> >
> > Hi Matt,
>
> Hi Mark!
>
> > I don't use Docker (or any containers) in any production environment
> > as I consider them as insecure.
> >
> > They may be useful for development, but vagrant / ansible isn't
> > presenting enough issues for me to look elsewhere
>
> Yes, I think it’s trading one set of problems for another. While Ansible has
> its challenges - global variables being the worst, I think - at least
> everything about the workflow is familiar. It’s installing apps, configuring
> them via a template, and so on. Docker and rkt do lend themselves to dynamic
> configuration generation. For example, it’s possible to have a container
> look up other running web services on a machine via env var and configure
> endpoints accordingly, but it raises security issues as it requires access to
> the docker daemon socket. Configuration management could be done using a
> service discovery daemon such as consul, etcd or even redis or a DB, but then
> that’s more stuff to run.
>
> > My understanding is that containers share the same host kernel and are
> > run with root privileges,
>
> It’s possible to use user namespaces now. It looks like root inside the
> container but gets mapped to a high uid. It makes sharing files between
> containers a pain. It also makes it unsuitable for services that need
> higher-level access to kernel functions.
>
> > using kernel namespaces and cgroups to
> > partition resources. There have been security issues in the past, and
> > this setup is brittle - each security bug is serious, and any one bug
> > may give you access to everything.
>
> That sums up my concerns. It’s possible to run VMs with one container in
> each, which resolves some of the security issues (but there is still a docker
> daemon running with root privileges listening on the network), and there
> would be the benefit of easier and quicker deployment once the effort has
> been put into making the workflow for that.
>
> > Because this is the fundamental framework for containers, and having
> > been in the kernel for many years I don't expect the security issues
> > to disappear overnight - so I'll continue to ignore them for the time
> > being.
>
> I’ve been trying to do just that. The market seems very very keen on Docker
> at the moment though. If this list is a fair reflection, though, it seems
> that most are only dabbling at this point.
>
> Cheers,
> Matt
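The two risks Matt raises above, a container that needs the docker daemon socket and root inside a container that is or is not remapped to a high uid, can be checked from `docker inspect` output and a container's `/proc/<pid>/uid_map`. The following is an added example, not code from this thread; the inspect JSON and uid_map contents are constructed samples, and the function names are the example's own.

```python
import json

# Constructed `docker inspect` output (not from a real system): one container
# with the daemon socket bind-mounted, one plain web container.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/discovery",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": None},
     "Mounts": []},
])

# Constructed /proc/<pid>/uid_map contents; each line is
# <uid inside namespace> <uid on host> <range length>.
UID_MAP_REMAPPED = "         0     100000      65536\n"
UID_MAP_HOST_ROOT = "         0          0 4294967295\n"

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def socket_exposed(container):
    """True if the Docker daemon socket is mounted into the container."""
    sources = {m.get("Source") for m in container.get("Mounts", [])}
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        sources.add(bind.split(":", 1)[0])   # host path is the first field
    return bool(sources & DOCKER_SOCKETS)

def audit_containers(inspect_json):
    """Return {name: [findings]} for containers that carry the risks above."""
    findings = {}
    for c in json.loads(inspect_json):
        issues = []
        if socket_exposed(c):
            issues.append("docker socket mounted: equivalent to root on the host")
        if c.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged: namespaces and cgroups do not confine it")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings

def host_uid_of_container_root(uid_map_text):
    """Map uid 0 inside the container to its host uid using uid_map lines."""
    for line in uid_map_text.splitlines():
        inside, outside, length = (int(x) for x in line.split())
        if inside <= 0 < inside + length:
            return outside - inside    # 0 when container root is real host root
    return None  # uid 0 is unmapped in this namespace
```

On a live host the same checks run against `docker inspect $(docker ps -q)` and `/proc/<container pid>/uid_map`; a result of 0 from the second function means the daemon is not using user namespace remapping for that container.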