<html v="urn:schemas-microsoft-com:vml" o="urn:schemas-microsoft-com:office:office" w="urn:schemas-microsoft-com:office:word" m="http://schemas.microsoft.com/office/2004/12/omml"><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /><meta name="Generator" content="Microsoft Word 15 (filtered medium)" /><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang="EN-US" link="#0563C1" vlink="#954F72">From a sysadmin perspective, containers make it far too easy to bypass all security protocols. Until it's live, it's a binary blob waiting to suck in code from unknown sources and send information to unknown locations. Virtual machine security is better, and better understood, than container security. <br>
<br>
Until I can get a SHA256-signed Docker container with a sig I trust, I can't allow them to touch my storage cluster.<br>
<br>
How do containers get updated for security patches? They don't. Toss it and rebuild. That sets up a churn of installing new containers, which will in time dull the build process's security focus. Time passes and a mission-critical process is running on a gaping security hole that can't be patched because the F+@$ing developer who built it got a better job offer and left. Developers don't have the responsibility for the integrity of the system, network, environment. Just their code. The sysadmin is on the hook for that blob of festering code rot that lets &lt;fill in a cracking team name here&gt; gain root in a container attached to a few TB of patient/banking/insurance/ANYTHING data, and suddenly the sysadmin makes headline news.<br>
<br>
Yeah. Not a fan. Lots more work to do before containers move beyond lab curiosity for me.<br>
<br>
Chroots work well. Add cgroups and it's rather locked down.<br>
<br>
VMs are mostly decent (some security issues with shared RAM and networking).<br><br><div class="gmail_quote">On September 15, 2017 10:30:01 PM EDT, Raj Wurttemberg <rajaw@c64.us> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="WordSection1"><p class="MsoNormal">Are any of you using containers for anything? Most of my customers are SAP HANA (2 to 4TB of RAM and 20 to 60 CPU cores). The technology looks cool... I just can't find a use for it.</p><p class="MsoNormal">/Raj</p></div></blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.</body></html>
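The gate the reply above asks for, a container image that is admitted only if its content digest matches a pinned SHA256 and that digest carries a signature from a key the sysadmin trusts, as an added example that is not part of the thread. It is written in Go with the standard library's Ed25519 in place of whatever signing scheme the author had in mind (Docker Content Trust and cosign use different key formats, but the check is the same two steps); the manifest bytes, the image name and the `Admit` function are constructed for illustration and are not from any project.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinnedImage is what the deployment policy records: the digest of the
// manifest the sysadmin reviewed and the one key allowed to vouch for it.
type PinnedImage struct {
	Name   string
	Digest string // "sha256:<hex>", as registries address manifests
	Signer ed25519.PublicKey
}

// Digest returns the content address of a manifest: sha256 over its bytes.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Sign produces a detached signature over the digest string (not the image
// bytes), which is how image signing tools bind a signature to content.
func Sign(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

var (
	ErrDigestMismatch = errors.New("manifest digest does not match pinned digest")
	ErrBadSignature   = errors.New("signature not valid for trusted signer")
)

// Admit is the gate. Hash first, so a signature is never evaluated over an
// artifact that is not the one the policy pinned; then require that the
// trusted key signed exactly that digest. A tag alone proves nothing: a
// registry can serve different bytes under the same tag tomorrow.
func Admit(pin PinnedImage, manifest []byte, sig []byte) error {
	got := Digest(manifest)
	if got != pin.Digest {
		return fmt.Errorf("%w: want %s, got %s", ErrDigestMismatch, pin.Digest, got)
	}
	if !ed25519.Verify(pin.Signer, []byte(got), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs Admit against a constructed manifest three ways: genuine,
// tampered after signing, and signed over the right digest by a key the
// policy does not trust. Keys are generated here only for the demo.
func Demo() (genuine, tampered, untrusted error) {
	// Constructed manifest, not a real image.
	manifest := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:0000"}]}`)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pin := PinnedImage{Name: "registry.example/app:1.0", Digest: Digest(manifest), Signer: pub}
	sig := Sign(priv, pin.Digest)

	genuine = Admit(pin, manifest, sig)

	// Same signature, one layer digest swapped: the content address moves.
	evil := bytes.Replace(manifest, []byte("sha256:0000"), []byte("sha256:dead"), 1)
	tampered = Admit(pin, evil, sig)

	// Correct bytes, correct digest, but signed by someone else.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	untrusted = Admit(pin, manifest, Sign(otherPriv, pin.Digest))
	return genuine, tampered, untrusted
}

func main() {
	g, t, u := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("untrusted signer:", u)
}
```

Note what this does to the "toss it and rebuild" churn the reply complains about: every rebuild changes the manifest bytes, so the pinned digest has to be re-recorded and re-signed by the trusted key before the new image can be admitted. That is the point of the gate, and it is also the step a rushed rebuild is most tempted to skip.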