<html><head></head><body><div>I do get it. Containers are basically a chroot with cgroup isolation. It's just I've seen too many that with a deployment script of "download a tarball from <a href="http://unknown_ip/">http://unknown_ip/</a> and run as root".</div><div><br></div><div>As an admin, I will happily build an environment to spec for the devs. That way they get a supportable setup that doesn't allow for them to run anything as root. Until EVERY line of code is evaluated under every condition, a stack smash as root is just a bad day/week/month/new-job event I would rather avoid.</div><div><br></div><div>On Mon, 2018-01-08 at 12:16 -0500, Ed Cashin wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div dir="ltr">Hmm. Containers are really just a mechanism to make advancements in process isolation easier to use.<div><br></div><div>You must be thinking of using containers instead of VMs or separate physical machines. It's easy to beat up on containers if you compare them to VMs or hardware isolation.</div><div><br></div><div>Usually I think of it as a choice between running a process in the global namespace or running the process with more isolation via cgroups, filesystem namespaces, etc. Running containers is really just running processes, like running a process in chroot but less broken.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 8, 2018 at 12:05 PM, Jim Kinney via Ale <span dir="ltr"><<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>></span> wrote:<br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Devs LOVE containers. SysAdmins hate them. They are difficult to manage for updates (toss and rebuild) and most devs pull latest-greatest libs even though they are all right from git repo and not checked for problems. None of the security checks that exist for vm control work for containers and they leak like screen door on a submarine. <br>
<br>
Good for development. Should be barred from production use.<br><br><div class="gmail_quote"><span class="">On January 8, 2018 11:34:07 AM EST, DJ-Pfulio via Ale <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>> wrote:</span><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre class="m_1902115907063812518k9mail"><span class="">From the article, seems most enterprises still use VMs and real hardware<br>for their production loads. Containers are mostly used for development<br>needs, not production.<br><br><a href="https://www.theregister.co.uk/2018/01/08/container_shock_not_everybody_is_doing_it/" target="_blank">https://www.theregister.co.uk/<wbr>2018/01/08/container_shock_<wbr>not_everybody_is_doing_it/</a><br><br><hr><br></span><span class="">Ale mailing list<br><a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br><a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>See JOBS, ANNOUNCE and SCHOOLS lists at<br><a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br></span></pre></blockquote></div><span class="HOEnZb"><font color="#888888"><br>
-- <br>
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.</font></span></div><br>______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div></div></blockquote><div><span><pre><pre>-- <br></pre>James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
</pre></span></div></body></html>