Post AM1QyWFph7eZhEbeYC by ParadeGrotesque@mastodon.sdf.org
(DIR) Post #AM1G7JWfHzXBKWTESe by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:04:16Z
0 likes, 0 repeats
I have seen a few discussions about creating small(er) containers to avoid security issues. This is a subject upon which I have a little bit of experience and strong opinions, so allow me to pontificate on this for a few minutes... The issue really is thinking containers are virtual machines. They are NOT. They are execution spaces. One of the best examples I have seen is someone who said: "Think of containers as a way to run a program & its dependencies, separate from the OS" (1/x)
(DIR) Post #AM1GTE50DbtuoGypWK by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:08:14Z
0 likes, 0 repeats
... And I think this is the best way to think about it. A container is simply a way to run software AND include all its dependencies with it. Think of it this way: you can run nginx as a service, on your OS, or you can run it within a container. The same thing happens in both cases: you have a web server and a proxy running. The difference is that, with a container, you don't have to install all of nginx's dependencies on your OS, since they are in the container. (2/x)
(DIR) Post #AM1GrN5oMN2TiHs77I by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:12:36Z
0 likes, 0 repeats
... Now the problem begins when you don't really know what your application's dependencies are. Because then, what is the easiest solution? Why, to put an entire OS in your container, of course! Going back to the example, if you program everything on, say, Linux Abanta 16.04, just include the whole OS, all the shells, utils and libs in your container. Problem solved! Except Linux Abanta 16.04 has been obsolete for a long while, of course. But, hey, your application runs now, right? (3/x)
(DIR) Post #AM1HHmPwpEp5mmsoHA by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:17:22Z
0 likes, 0 repeats
And, icing on the cake, the application is portable! Run the same app on Blue Cap Linux? Install Docker, download the container application, you are done! Does it make sense to install what is essentially a whole Abanta Linux on Blue Cap? Nope. But, hey, it works! W00t! And so on and so forth. Not knowing precisely what your application's dependencies are is the root of all evil in that case. (4/x)
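What the "whole OS in a container" anti-pattern looks like next to a container that carries only the program and its dependencies, as an added example that is not part of the thread or the author's posts. The app is assumed to be a small Go HTTP service built from the current directory; `ubuntu:16.04` stands in for the thread's "Linux Abanta 16.04", and the image tags and the `/app` path are assumptions.

```dockerfile
# --- Weak: ship an entire (obsolete) distribution as if the container were a VM ---
# Every shell, package manager and library of the base image ends up in the
# runtime image, all of it scannable and exploitable, none of it needed by the app.
FROM ubuntu:16.04 AS kitchen-sink
RUN apt-get update && apt-get install -y golang-go ca-certificates
COPY . /src
RUN cd /src && go build -o /app .
CMD ["/app"]

# --- Better: know the dependencies, build in one stage, ship only what runs ---
# Stage 1 may contain whatever toolchain the build needs; nothing from it is shipped.
FROM golang:1.19-alpine AS build
WORKDIR /src
COPY . .
# Static binary: no libc or other shared objects required at runtime (assumption:
# the service has no cgo dependencies).
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: the runtime image is the binary plus the pieces it actually needs
# (CA bundle, tzdata, a non-root user). distroless/static has no shell, no
# package manager and no apt database to rot.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]

# Check after building the second target (docker build --target build is not
# needed; the last stage is the default):
#   docker run --rm --entrypoint /bin/sh <image>   -> fails: there is no shell
#   docker image ls <image>                        -> a few MB, not hundreds
```

The point of the check at the end is the one the thread makes: if you can still get a shell or run a package manager inside the image, you have shipped an operating system, not an application and its dependencies. The same two-stage shape works for a C program or a packaged server such as nginx, with a distroless base that carries libc instead of the static one.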
(DIR) Post #AM1HddpJRlEJVqAhQu by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:21:19Z
0 likes, 0 repeats
Since security is, AT BEST, a very distant 2nd (3rd, 4th, etc.) priority at the best of times, you can now understand why containers are so popular, and why their security is such a pile of d00d00. 💩 Anyhow. Containers are NOT virtual machines. Not knowing exactly how your application runs and what its dependencies are will lead you to containers, and that is bad. And don't get me started on stuff like node.js, OK? (5/END)
(DIR) Post #AM1ICMxw7wP3M3lUHo by ND3JR@social.coop
2022-07-30T14:27:34Z
0 likes, 1 repeats
@ParadeGrotesque I read somewhere (I don't remember where) that containers are basically copy-and-paste for whole operating systems, and how copy-and-paste for code is considered bad practice for software developers. They seem not to make the connection that doing the same for whole operating systems is a bad idea! I had the "pleasure" of trying to Dockerize Nagios at my previous job. It was a mess, and containers don't work for anything that requires a custom config, like monitoring systems.
(DIR) Post #AM1ITM5SeB61YKNrhw by ParadeGrotesque@mastodon.sdf.org
2022-07-30T14:30:41Z
0 likes, 0 repeats
@ND3JR That is a very good analogy, indeed.
(DIR) Post #AM1Ir8NrFNdY0EKN1c by trebach@mstdn.social
2022-07-30T14:34:56Z
0 likes, 0 repeats
@ParadeGrotesque Unfortunately Laravel wants to containerize everything. I set it up a few days ago and it set up 6 containers, downloaded a good chunk of Ubuntu 22.04 into each, and then yelled at me until I turned off Apache and MySQL services so that their containers could use those ports
(DIR) Post #AM1JMFCXwvlc7ks4hs by ND3JR@social.coop
2022-07-30T14:37:15Z
0 likes, 1 repeats
@ParadeGrotesque Ah, here's where I read it: http://michael.orlitzky.com/articles/motherfuckers_need_package_management.xhtml
(DIR) Post #AM1KZfDybjJAYHVF7w by penguin42@mastodon.org.uk
2022-07-30T14:54:13Z
0 likes, 0 repeats
@ParadeGrotesque I think the earlier container uses were exactly full OS sets, it's only more recently that they've got lighter.
(DIR) Post #AM1Mu0DiSHRHMxCtea by xk051@mastodon.sdf.org
2022-07-30T15:20:19Z
0 likes, 0 repeats
@ParadeGrotesque This is the way I've imagined containers to work. I started seeing 'containers' after having used VirtualBox, basically, for a while, and I did understand this was more like an 'instance sandbox'. What's still sort of confusing to me is how containers work with WSL.
(DIR) Post #AM1OTZtLv9xE5mD3rc by ParadeGrotesque@mastodon.sdf.org
2022-07-30T15:37:57Z
0 likes, 0 repeats
@penguin42 Technically speaking, containers are derived from jails and chroot, but even then, there was no need to run a full OS. Only what was strictly necessary.
(DIR) Post #AM1QyWFph7eZhEbeYC by ParadeGrotesque@mastodon.sdf.org
2022-07-30T16:05:56Z
0 likes, 0 repeats
@uriel @penguin42 True, and thanks for reminding me of Solaris zones, but the truth of the matter is that containers are just an excuse for lazy programmers to recreate virtual machines, when they could be so much more.
(DIR) Post #AM1Th7xX4ObBHmRePA by javierg@mstdn.social
2022-07-30T16:36:22Z
0 likes, 0 repeats
@ParadeGrotesque Flatpacks
(DIR) Post #AM1bmX95ecCATtwKsS by ParadeGrotesque@mastodon.sdf.org
2022-07-30T18:07:00Z
0 likes, 0 repeats
@uriel Up to a certain point, you are right, and automation is a good thing. On the other hand, the fact that all the "solutions" you mentioned are pretty much horrible (yes, even virtual machines - especially VMs, in fact) says a lot about the state of computing in the XXIst century. @penguin42
(DIR) Post #AM1cxnByQxHLO8DlxY by ParadeGrotesque@mastodon.sdf.org
2022-07-30T18:20:15Z
0 likes, 0 repeats
@javierg Nope. Been there, done that.
(DIR) Post #AM1dGPKjMdyCtTC3pA by xk051@mastodon.sdf.org
2022-07-30T15:23:58Z
0 likes, 0 repeats
@ParadeGrotesque Like, I see this button that says, DockerHub now integrated with WSL, and I click it, and there's stuff, but I couldn't tell you the first thing about dependencies in all that. Probably, less efficient than it sounds? Probably, inline for speed? No idea.
(DIR) Post #AM1dGPnRdswGKWcza4 by ParadeGrotesque@mastodon.sdf.org
2022-07-30T18:23:38Z
0 likes, 0 repeats
@xk051 As far as I know, WSL is (sorta, kinda) a (slow) VM integrated in Windows. So, Docker for WSL is just putting containers on top of this Linux VM running in Windows. At least, that's my understanding. I hate Windows, and I am not using that stuff, except for $DAYJOB, where it's strictly Macrohard LookOut and Office stuff.
(DIR) Post #AM1dpR4WtLZiQCJn7Y by xk051@mastodon.sdf.org
2022-07-30T18:29:59Z
0 likes, 0 repeats
@ParadeGrotesque That sounds like the hard way if I'm trying to dodge compiling. What I use in WSL is for specific tools. It's automagic systemd and ports and network drives and... it's convenient to have all the Linux-flavored backend to some of the tools; emacs, qgis, gnome and kde factory, apt all plugged in and humming.
(DIR) Post #AM1ej5fhe3EwGYFC2i by fedops@fosstodon.org
2022-07-30T18:39:59Z
0 likes, 0 repeats
@ParadeGrotesque agreed. The only good use case for containers, as far as I'm concerned, is if you are forced to use underlying infrastructure you have no control over. IOW, cloud platforms. Then you pack everything and the kitchen sink into your container and push it out. It actually makes sense in that context, because the cloud platform can be extremely minimal and there is no redundancy of services. @uriel @penguin42
(DIR) Post #AM1k8SNYr8Z5hafo3c by ParadeGrotesque@mastodon.sdf.org
2022-07-30T19:40:38Z
0 likes, 0 repeats
@uriel I don't think my criticisms were on virtualization or containers: it is definitely the responsibility of each programmer and manager to adhere to strict coding rules and take security seriously. And agreed, definitely, on making software makers more responsible for what they produce. @penguin42