[ale] [barely OT] Containerization

DJ-Pfulio djpfulio at jdpfu.com
Thu Oct 26 17:05:32 EDT 2017


On 10/24/2017 10:03 AM, Michael H. Warfield wrote:
> On Sat, 2017-10-21 at 06:03 -0400, DJ-Pfulio wrote:
>> Think services for a container.  MongoDB is good.  MongoDB with any
>> GUI tool
>> inside the container is bad.
> No it's not.  I use containers with NX remote desktops and GUI
> connections there run like a top.  Why is MongoDB with a GUI tool
> inside of a container bad?

Been a while since you posted. ...

Ok - "bad" is a little simplistic in the same way that saying "never do X"
really doesn't always, 100.0000%, apply.

The terms "new" and "shiny" get the attention of humans more than perhaps they
should.

IMHO, container security is still a huge trap. Breaking out of a container to
the parent process/host happened all the time just last year.  I have doubts
that container security has come THAT far in such a short time period.

I recall seeing where networking from 1 container could be accessed by another
container.  Don't recall when or where or which specific container "type" had
that issue.

Containers have generally been pushed for the "cat video" people - those running
non-mission critical services with non-critical data just because the security
questions still remain.

As you know, claims about security mean nothing.  Only time, with constant
attacks and surviving those attacks, means anything.  In 2015, I thought
container security needed until 2021 to get some real-world use and "shelf life"
before it would be ready for general use.

I do appreciate people who like/need to be on the bleeding edge of these things
taking the hit for the rest of us.

Lots of technologies have had great advertising that didn't pan out just a few
years later.  I'm hopeful that containers prove to be fine for general purpose
use and certainly can see a use-case today for cat-video-like needs.  I wouldn't
put my daily desktop into one or provide a remote desktop for someone needing
access to brokerage tools without hosting it in a well-understood, single-user
VM above it.

So for someone really new to containers, following the "best practice path"
traveled by others is (usually) a smart idea.  That means limiting the container
to the single service it should provide: not having generic dev and hacking
tools inside the container and, most often, not even having ssh available.

For now.

I do like container-like solutions for single applications on a normal desktop
or inside a normal VM.  Firejail is one of those.  Flatpaks and other
all-inclusive package delivery solutions are others.

Linux container technology is changing very fast, so it is very possible that
the newest versions, leveraging the newest kernels, have solved every security
problem.  I doubt it, but it could/may have already happened.

Didn't realize I'd written so much. Sorry.
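As an added illustration of the single-service rule argued in the post above (example code written for this page, not code from the thread or from any container project): a small Python audit that scans a Dockerfile for what the post says not to ship in a service container, namely ssh, generic dev/hacking tools, GUI tooling, and more than one daemon. The deny-lists and both sample Dockerfiles are constructed for the example; the "multiple services" check is a heuristic on the final CMD/ENTRYPOINT line.

```python
import re
# Constructed deny-lists: remote shells, generic dev/hacking tools, GUI tooling.
REMOTE_ACCESS = {"openssh-server", "openssh", "dropbear", "telnetd"}
DEV_TOOLS = {"build-essential", "gcc", "make", "git", "gdb", "strace", "vim", "nmap", "tcpdump"}
GUI_TOOLS = {"xorg", "x11-apps", "xfce4", "mongodb-compass"}
# Constructed sample of what the post warns against: MongoDB plus sshd, build
# tools and an X11 client, with two daemons started from CMD.
BAD_DOCKERFILE = """\
FROM debian:9
RUN apt-get update && apt-get install -y --no-install-recommends \\
    mongodb-server openssh-server build-essential git vim x11-apps
EXPOSE 22 27017
CMD service ssh start && mongod --bind_ip_all
"""
# Constructed sample of the single-service shape the post recommends.
GOOD_DOCKERFILE = """\
FROM debian:9
RUN apt-get update && apt-get install -y --no-install-recommends mongodb-server
EXPOSE 27017
CMD ["mongod", "--bind_ip_all"]
"""

def installed_packages(dockerfile):
    """Package names installed via apt/apt-get/apk/yum/dnf in RUN instructions."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join backslash-continued lines
    pkgs = set()
    for line in text.splitlines():
        if not line.lstrip().upper().startswith("RUN "):
            continue
        for m in re.finditer(r"\b(?:apt-get|apt|apk|yum|dnf)\s+(?:-\S+\s+)*"
                             r"(?:install|add)\s+([^&|;]+)", line):
            pkgs.update(t for t in m.group(1).split() if not t.startswith("-"))
    return pkgs

def audit(dockerfile):
    """(rule, evidence) pairs for each anti-pattern from the post that is present."""
    pkgs = installed_packages(dockerfile)
    findings = [(rule, sorted(pkgs & deny)) for rule, deny in (
        ("ssh-inside-container", REMOTE_ACCESS),
        ("dev-tools-inside-container", DEV_TOOLS),
        ("gui-tools-inside-container", GUI_TOOLS)) if pkgs & deny]
    if re.search(r"^\s*EXPOSE\b.*(?<!\d)22(?!\d)", dockerfile, re.M):
        findings.append(("ssh-port-exposed", ["22"]))
    # Heuristic: a final CMD/ENTRYPOINT chaining commands with && or ; usually means more than one service.
    cmds = re.findall(r"^\s*(?:CMD|ENTRYPOINT)\b(.*)$", dockerfile, re.M)
    if cmds and re.search(r"&&|;", cmds[-1]):
        findings.append(("possibly-multiple-services", [cmds[-1].strip()]))
    return findings
```

Running `audit(BAD_DOCKERFILE)` reports all five anti-patterns, while `audit(GOOD_DOCKERFILE)` returns an empty list.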

