@sir what do containers have to do with shitty sysadmins who don't know how to security?
@sir do illumos and freebsd admins have this problem or is it a linux master race issue? I think containers are great, but it seems like a lot of the new gen developers are ..not very informed about their craft.

@xj9 correlation does not imply causation. If Linux is the default choice, then anyone using a non-default choice is likely to have put more thought into their system

@xj9 @sir To be fair, Solaris Zones and BSD Jails are far less insecure than Docker, and don't end up with shipping an entire OS's worth of new vulnerabilities.

Jessie Frazelle (ex-Docker Core) has a post where she goes to great lengths to stress that Zones and Jails are not, in fact, containers. Kind of inaccurate in most senses but it does sort of shed light on why Linux has this problem in spades versus illumos and Free/DragonflyBSD.


In short, excess choice naturally leads to uninformed and naive people foregoing all choice, which is a problem when shipping defaults that aren't aimed for security.

@kick @xj9

>In short, excess choice naturally leads to uninformed and naive people foregoing all choice, which is a problem when shipping defaults that aren't aimed for security.

See, I don't like this part. Because I know my shit, I am capable of reasoning about my system without sane defaults as a crutch. By no means am I against sane defaults, but in this case they're being used as an argument away from learning your shit so you can admin your system properly.

I don't think we should leave this knowledge in the hands of a few dedicated specialists who study systems and security. This is symptomatic of the broader complexity explosion in software. I prefer to design my systems to be as simple as possible so that anyone can easily understand them and reckon about their design and security implications, which leads to far more robust systems than making docker do the right thing by default does.

@sir @xj9 I don't disagree, I was just summarizing her blog post.
@sir @xj9 Though I think I must have made a part of her argument unclear: she claims that _Docker_ is complex by design, not a tool for managing complexity.

@kick @xj9 sorry, you weren't unclear, I was just using Docker as a stand-in for all of these systems.

@kick @sir

The strained "container" definition is odd to me because the term container predates docker by a lot. I think jails and zones are a nice way to organize and isolate services on a machine. That said, I agree with the sentiment in general. I just don't think containers are the actual problem here. Maybe they make bad decisions easier to make, but isn't it still the responsibility of the developers involved to make sure reasonable things are happening?

@sir 2015 and this still applies huh.

Imagine if properly administrating servers didn't require sacrificing yourself to Satan, and if using Docker wasn't an invitation to grabbing random binaries into prod

@sir What do you think about the solution that NixOS is building? It is kind of like the declarative, deterministic approach of Docker but better

@jelle not into it. These things are a solution looking for a problem

@sir The problem is that other configuration systems are not declarative, so you build up cruft if you want to delete services. I've used Ansible and wanted to remove a postfix installation, but there are so many pieces to an email system that just removing the config from Ansible leaves a lot of random files hanging around.

@jelle I don't like Ansible, either. I don't use any tools at all to fill this niche.

@sir I feel that configuration systems are similar to using git. If you're working on your own, using git for version management is not strictly needed, but it is very nice. In the same way, if you're adminning a system together you need a configuration system, but it's very responsible to use if you're working on your own as well

@jelle @sir NixOS doesn't cover software isolation nor does it help with deployment of third-party software.

@sir You can build your own docker containers, but that also depends on the software you need being nicely installable.


I agree in general that the current situation is a mess. Ideally all the deps would be packaged by distros, and the few things that aren't packaged would be a simple offline build.

But I think Maven isn't the worst offender, there's pypi and npm after all.
IIRC Maven Central does require signatures, and IMO it's a better quality repo than pypi and npm. (Can't say the same about dozens of 3rd party Maven repos around the net.)

@Wolf480pl I think the author wrote about Maven because that's what they were familiar with. The arguments work anyway.

@sir I think containerization is really great for internal development. You're afforded so much freedom to run it on any "platform" the same.

But you're right the way it's used for distribution is dumb. Very little is verifiable.

Personally I try to only download images from trusted sources who publish the dockerfile and have the images built verifiably (public CI)

It's still a far cry from proper package management and I've had to build many custom dockerfiles as a result.

@sir I've been on both sides of this argument. On one hand, we have numerous linux distros with different sets of libraries and packages, and packaging software even for the two most popular ones (CentOS and Debian) is just an enormous pain in the ass. We switched to Docker for deployment eventually just to save time and manpower, because having an extra person on staff just for software deployment is an overkill. We still build everything in house though.


@sir Anyway, the problem here is that the traditional Linux way of software deployment, a.k.a. build a package with your software and either rely on the distro for dependencies or package them yourself, is just unreasonably painful and often doesn't work.

Snap or Flatpak could be a solution to this problem, but nobody seems to be eager enough to push for their mass adoption. Essentially, Docker works for 95% of people, nobody cares about the rest.


@sir Now, on the other hand, I completely agree that what we have now is a security nightmare. Several of our servers had been hacked recently partly due to this. I've been pushing hard for a total ban of third-party docker images in our infrastructure, and so far it has worked well. Still, we need a better way for software deployment, and there doesn't seem to be one.
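Two practices come up in the posts above: only using images from sources you trust and can verify, and banning third-party images outright. The script below is an added example, not code from anyone in this thread; it is a small policy linter that walks a Dockerfile and rejects any base image that is not from an allow-listed registry or is not pinned by content digest (so the image that was reviewed is the one that gets pulled). The registry names and the sample Dockerfile are assumptions constructed for the demonstration.

```python
"""Dockerfile base-image policy check (added example, not from the thread).

Enforces two rules on every FROM line:
  1. the image must come from an allow-listed registry/namespace;
  2. the reference must be pinned with @sha256:<digest>, not just a tag.
Registry names and the sample Dockerfile below are constructed for
illustration and are not real infrastructure.
"""
import re

# Assumed allow-list: an internal registry plus one vendor namespace that
# publishes its Dockerfiles and builds on public CI (hypothetical names).
ALLOWED_REGISTRIES = ("registry.internal.example", "ghcr.io/trusted-vendor")

# Simplified FROM grammar: FROM [--platform=...] <ref> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# A pinned reference ends in @sha256: followed by 64 hex characters.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_dockerfile(text: str, allowed=ALLOWED_REGISTRIES):
    """Return a list of violation strings; an empty list means the file passes."""
    violations = []
    stage_aliases = set()  # names introduced by 'AS <alias>' in earlier stages
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in stage_aliases:
            continue  # FROM <earlier build stage> pulls nothing external
        if m.group("alias"):
            stage_aliases.add(m.group("alias"))
        if ref.lower() == "scratch":
            continue  # empty base image, nothing to verify
        name = ref.split("@", 1)[0]  # strip digest before checking the registry
        if not name.startswith(tuple(a + "/" for a in allowed)):
            violations.append(f"line {lineno}: {ref!r} is not from an allowed registry")
        if not DIGEST_RE.search(ref):
            violations.append(f"line {lineno}: {ref!r} is not pinned by sha256 digest")
    return violations


# Constructed sample: a Docker Hub image (unpinned, not allow-listed), an
# internal image pinned only by tag, and a correctly pinned internal image.
_DIGEST = "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM python:3.12-slim AS builder
RUN pip install --no-cache-dir requests
FROM registry.internal.example/base/python:3.12
COPY --from=builder /usr/local/lib/python3.12 /usr/local/lib/python3.12
FROM registry.internal.example/base/python:3.12@sha256:{_DIGEST}
COPY --from=builder /app /app
"""


if __name__ == "__main__":
    for v in check_dockerfile(SAMPLE_DOCKERFILE):
        print("POLICY VIOLATION:", v)
```

Run as a pre-merge check, this rejects `FROM python:3.12-slim` twice (wrong registry, no digest) and the tag-only internal image once, while the digest-pinned internal image passes. The allow-list is deliberately a prefix match on `registry/namespace/`, so a vendor namespace can be admitted without opening up the whole of a public registry.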

