<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body class=""><div>On Mon, 2018-01-08 at 12:38 -0500, Jerald Sheets wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class="">You solve this by only allowing an internal “hub” where you place “blessed” container images. Done.</div></blockquote><div><br></div><div>time. the most precious commodity. It's on the list and I'm certain it will be appreciated when it works. I've peeps asking to run containers on the HPC stack.</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class=""><br class=""></div><div class="">We blackhole docker hub internally, and there is no ingress to serving nodes from the outside. In short, if you want something inside, it has to go through a vetting process, and then I have to put it onto the internal hub. Outside of that, nothing goes on a serving node that isn’t explicitly blessed on an almost file-by-file basis.</div></blockquote><div><br></div><div>That process works in my mind but not in reality yet.</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class=""><br class=""></div><div class="">Docker is and can be secure. The problem is that most Systems folks are too lazy to build the infrastructure to make it so.</div></blockquote><div><br></div><div>along with the other 2 dozen infrastructure projects... yeah, too lazy :-)</div><div><br></div><div>Need to study more stuff on cgroups anyway. I really like the bit about being able to limit resources by application to avoid a runaway process eating a system. See comment about "time" above...</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class=""><br class=""></div><div class="">—j</div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class="">On Jan 8, 2018, at 12:05 PM, Jim Kinney via Ale <<a href="mailto:ale@ale.org" class="">ale@ale.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Devs LOVE containers. SysAdmins hate them. They are difficult to manage for updates (toss and rebuild) and most devs pull latest-greatest libs even though they are all right from git repo and not checked for problems. None of the security checks that exist for vm control work for containers and they leak like screen door on a submarine. <br class="">
<br class="">
Good for development. Should be barred from production use.<br class=""><br class=""><div class="gmail_quote">On January 8, 2018 11:34:07 AM EST, DJ-Pfulio via Ale <<a href="mailto:ale@ale.org" class="">ale@ale.org</a>> wrote:<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre class="k9mail">From the article, seems most enterprises still use VMs and real hardware<br class="">for their production loads. Containers are mostly used for development<br class="">needs, not production.<br class=""><br class=""><a href="https://www.theregister.co.uk/2018/01/08/container_shock_not_everybody_is_doing_it/" class="">https://www.theregister.co.uk/2018/01/08/container_shock_not_everybody_is_doing_it/</a><br class=""><br class=""><hr class=""><br class="">Ale mailing list<br class=""><a href="mailto:Ale@ale.org" class="">Ale@ale.org</a><br class=""><a href="http://mail.ale.org/mailman/listinfo/ale" class="">http://mail.ale.org/mailman/listinfo/ale</a><br class="">See JOBS, ANNOUNCE and SCHOOLS lists at<br class=""><a href="http://mail.ale.org/mailman/listinfo" class="">http://mail.ale.org/mailman/listinfo</a><br class=""></pre></blockquote></div><br class="">
-- <br class="">
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.</div>_______________________________________________<br class="">Ale mailing list<br class=""><a href="mailto:Ale@ale.org" class="">Ale@ale.org</a><br class="">http://mail.ale.org/mailman/listinfo/ale<br class="">See JOBS, ANNOUNCE and SCHOOLS lists at<br class="">http://mail.ale.org/mailman/listinfo<br class=""></div></blockquote></div><br class=""></blockquote><div><span><pre><pre>-- <br></pre>James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
</pre></span></div></body></html>