[Swlug] Docker, containers, oh my!

Dave Cridland dave at cridland.net
Wed Apr 26 09:07:39 UTC 2017


On 26 April 2017 at 09:08, Mark Einon via Swlug
<swlug at mailman.lug.org.uk> wrote:
> On 19 April 2017 at 16:19, Matt Willsher via Swlug
> <swlug at mailman.lug.org.uk> wrote:
>>
>> Hi,
>>
>> What's your view on Docker (and containers in general)?
>>
>> Do you use it and if so to what degree? Has it made your life easier?
>>
>> If you don't use containers now are you looking to learn more about them?
>
> Hi Matt,
>
> I don't use Docker (or any containers) in any production environment
> as I consider them as insecure.
>
> They may be useful for development, but vagrant / ansible isn't
> presenting enough issues for me to look elsewhere.
>
> My understanding is that containers share the same host kernel and are
> run with root privileges, using kernel namespaces and cgroups to
> partition resources. There have been security issues in the past, and
> this setup is brittle - each security bug is serious, and any one bug
> may give you access to everything.
>

In fairness, most of the issues can be mitigated by ensuring that
containers operate with the right caps; but it's certainly true (and
often forgotten) that if a container performs a modprobe, it is
affecting the host kernel.

> Because this is the fundamental framework for containers, and having
> been in the kernel for many years I don't expect the security issues
> to disappear overnight - so I'll continue to ignore them for the time
> being.

I'm not sure ignoring them is the right answer, though.

I've decided to plonk a simple docker setup into production for my own
services, since the isolation capability is better than the nothing I
have right now. In addition, the overhead is small enough that I can
get away with it on my personal server.

Is the isolation as good as running a full VM server? No.

Is Docker easier to work with than Ansible playbooks and Vagrant? Hell yes.

Dave.
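A small audit of the capability bounding set, added here as an example and not code from anyone on the list: it parses the CapBnd line the kernel exposes in /proc/<pid>/status and reports which capabilities that reach the shared host kernel (CAP_SYS_MODULE, the one modprobe needs, among them) a container process still holds. The three status snippets are constructed; the capability bit numbers are the kernel's own.

```python
# Audit a process's capability bounding set, as /proc/<pid>/status reports it,
# for capabilities that let a container reach the host kernel it shares.
import re

# Bit numbers from include/uapi/linux/capability.h; only the caps this audit
# flags are listed, each with why it matters when the kernel is shared.
HOST_REACHING_CAPS = {
    2:  ("CAP_DAC_READ_SEARCH", "bypasses read checks; used in past host-file escapes"),
    12: ("CAP_NET_ADMIN", "reconfigures host-visible interfaces, routes and filters"),
    16: ("CAP_SYS_MODULE", "modprobe/insmod: loads code into the host kernel"),
    17: ("CAP_SYS_RAWIO", "raw I/O port and /dev/mem style access to host hardware"),
    19: ("CAP_SYS_PTRACE", "traces processes; weakens seccomp and namespace walls"),
    21: ("CAP_SYS_ADMIN", "mount(), namespace setup, many privileged ioctls"),
}

MASK_RE = re.compile(r"^Cap(Eff|Bnd):\s*([0-9a-fA-F]{16})$", re.M)


def parse_cap_masks(status_text):
    """Return {'CapEff': int, 'CapBnd': int} from the text of /proc/<pid>/status."""
    masks = {"Cap" + k: int(v, 16) for k, v in MASK_RE.findall(status_text)}
    missing = {"CapEff", "CapBnd"} - masks.keys()
    if missing:
        raise ValueError("status text lacks %s" % sorted(missing))
    return masks


def audit(status_text):
    """(names of host-reaching caps still in CapBnd, total caps in CapBnd)."""
    bnd = parse_cap_masks(status_text)["CapBnd"]
    flagged = [name for bit, (name, _) in sorted(HOST_REACHING_CAPS.items())
               if (bnd >> bit) & 1]
    return flagged, bin(bnd).count("1")


# Constructed /proc/<pid>/status excerpts (only the fields the audit reads).
DEFAULT_DOCKER = "Name:\tsh\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
# --cap-drop=ALL --cap-add=NET_BIND_SERVICE leaves only bit 10.
HARDENED = "Name:\tsh\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_DOCKER), ("privileged", PRIVILEGED),
                        ("hardened", HARDENED)):
        flagged, total = audit(text)
        print("%-10s %2d caps; host-reaching: %s" % (label, total, flagged or "none"))
    # For a live check run this inside the container: audit(open("/proc/self/status").read())
```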
