Why would I need a container like Docker?!


Martin Hanson
I have occasionally used virtualization (Qemu) for easy testing of some OS. I have also played around with "containers" using FreeBSD Jails and Linux LXC, but I have never ever thought of any of this as a security measurement or anything needed beyond testing.

When I want isolation I run a single box (or boxes) and install OpenBSD on the bare metal. Then I run whatever services are needed on that box or boxes. I would then deploy a network with isolated segments.

Now, everyone is telling me I should run Docker and a completely different setup.

I read up about Docker and found this:

  "Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud."

  "Problems arise when the supporting software environment is not identical, says Solomon Hykes, the creator of Docker, "You're going to test using Python 2.7, and then it's going to run on Python 3 in production and something weird will happen. Or you'll rely on the behavior of a certain version of an SSL library and another one will be installed. You'll run your tests on Debian and production is on Red Hat and all sorts of weird things happen."

  "And it's not just different software that can make a difference, he added, "The network topology might be different, or the security policies and storage might be different but the software has to run on it."

What the fuck?! Why in the world would anyone set up Debian as a testing environment and then use Red Hat on production?! And different network topology?

Are people really that stupid?

If people really are that stupid they shouldn't be allowed near a computer in the first place and certainly Docker or any container technology isn't going to solve their problems!

It seems like the OpenBSD project is about the only project left nowadays where people are still using their brains!

Re: Why would I need a container like Docker?!

Jiri B-2
On Wed, May 10, 2017 at 05:53:07AM +0200, Martin Hanson wrote:
> [... pathetic screaming ...]

Pathetic screaming doesn't help anything.

And... there already has been an interest in zones/containers
in OpenBSD, see https://marc.info/?l=openbsd-tech&m=144617514431852&w=2

j.

Re: Why would I need a container like Docker?!

Alceu R. de Freitas Jr.
In reply to this post by Martin Hanson
On 10/05/2017 00:53, Martin Hanson wrote:

> I have occasionally used virtualization (Qemu) for easy testing of some OS. I have also played around with "containers" using FreeBSD Jails and Linux LXC, but I have never ever thought of any of this as a security measurement or anything needed beyond testing.
>
> When I want isolation I run a single box (or boxes) and install OpenBSD on the bare metal. Then I run whatever services are needed on that box or boxes. I would then deploy a network with isolated segments.
>
> Now, everyone is telling me I should run Docker and a completely different setup.
>
> I read up about Docker and found this:
>
>   "Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud."
>
>   "Problems arise when the supporting software environment is not identical, says Solomon Hykes, the creator of Docker, "You're going to test using Python 2.7, and then it's going to run on Python 3 in production and something weird will happen. Or you'll rely on the behavior of a certain version of an SSL library and another one will be installed. You'll run your tests on Debian and production is on Red Hat and all sorts of weird things happen."
>
>   "And it's not just different software that can make a difference, he added, "The network topology might be different, or the security policies and storage might be different but the software has to run on it."
>
> What the fuck?! Why in the world would anyone set up Debian as a testing environment and then use Red Hat on production?! And different network topology?
>
> Are people really that stupid?
>
> If people really are that stupid they shouldn't be allowed near a computer in the first place and certainly Docker or any container technology isn't going to solve their problems!
>
> It seems like the OpenBSD project is about the only project left nowadays where people are still using their brains!
>

It seems you didn't read the documentation correctly. Do it again,
especially because containers do have their own security issues.

After that, I'm sure you will understand what the given example is
trying to achieve. You can use Debian as your (DEV/TEST) environment
because the image used on Docker will be RedHat based, but using the
kernel you're on. It is possible to do that, although it makes sense to
use the same RedHat as well, at least for QA environments.

Containers (and Docker didn't start as a container itself, but as
tooling to provide easy to use containers on Linux) are a different
concept from VMs because you don't need to run an entire operating system
just to get some isolation between applications. A container to boot
takes much less time than a VM, for example, and should use less
resources. Requirements are different too.

But those are not the only benefits. You should check about the relation
of Docker and DevOps. As always, there is no silver bullet, but those
practices make some things possible and even easier to implement.

On the other hand, yes, all those layers of abstraction (e.g. AWS) leave
some IT professionals without really understanding what they are
doing... if this will be really a problem in the future it is something we
will need to wait to see.

Re: Why would I need a container like Docker?!

Predrag Punosevac-2
In reply to this post by Martin Hanson
Martin Hanson wrote:

> I have occasionally used virtualization (Qemu) for easy testing of some
> OS. I have also played around with "containers" using FreeBSD Jails
> and Linux LXC, but I have never ever thought of any of this as a
> security measurement or anything needed beyond testing.
>
> When I want isolation I run a single box (or boxes) and install OpenBSD
> on the bare metal. Then I run whatever services are needed on that box
> or boxes. I would then deploy a network with isolated segments.
>
> Now, everyone is telling me I should run Docker and a completely
> different setup.
>
> I read up about Docker and found this:
>
>   "Containers are a solution to the problem of how to get software to
> run reliably when moved from one computing environment to another.
> This could be from a developer's laptop to a test environment, from a
> staging environment into production and perhaps from a physical
> machine in a data center to a virtual machine in a private or public
> cloud."
>
>   "Problems arise when the supporting software environment is not
> identical, says Solomon Hykes, the creator of Docker, "You're going to
> test using Python 2.7, and then it's going to run on Python 3 in
> production and something weird will happen. Or you'll rely on the
> behavior of a certain version of an SSL library and another one will
> be installed. You'll run your tests on Debian and production is on Red
> Hat and all sorts of weird things happen."
>
>   "And it's not just different software that can make a difference, he
> added, "The network topology might be different, or the security
> policies and storage might be different but the software has to run on
> it."
>
> What the fuck?! Why in the world would anyone set up Debian as a testing
> environment and then use Red Hat on production?! And different network
> topology?
>

Let me give you an example. I run Red Hat on all our computing nodes and
clusters in the Lab. Among 90+ people in our crew we have deep-learning
guys who like to use shit like Caffe and TensorFlow

http://caffe.berkeleyvision.org/

https://www.tensorflow.org/

which is a research grade software. We even use shit like

http://www.ros.org/

to collect data.

Building such things on Ubuntu let alone anything else on which the
software has not even been tested can make a grown-up man cry. So guess
what is my solution. I use

http://singularity.lbl.gov/

to run Ubuntu virtual kernel in Red Hat userland (to anybody familiar
with vkernel on DragonFly BSD this should sound familiar) and DOCKER to
install the software we need. Please don't try to read the documentation
for Singularity as the guy is in serious need of some kind of mental
help or at least a good technical writer on his team.


Our "deliverables" to many government agencies are Docker images. That
is the contract which pays mine and many other salaries.


Hopefully now it makes sense.


> Are people really that stupid?
>

I am not a particularly bright guy but I never thought of myself as
stupid. Now that you brought it to my attention it makes perfect sense.
That is exactly the reason why I am struggling so much to produce any
publications.


Cheers,
Predrag

> If people really are that stupid they shouldn't be allowed near a
> computer in the first place and certainly Docker or any container
> technology isn't going to solve their problems!
>
> It seems like the OpenBSD project is about the only project left
> nowadays where people are still using their brains!

Re: Why would I need a container like Docker?!

Erik Lauritsen
In reply to this post by Martin Hanson
> Now, everyone is telling me I should run Docker and a completely different setup.

"devops" are web developers with root, they need stuff like Docker or they
end up breaking everything.

"sysadmin" knows how to handle the bare metal!

> What the fuck?! Why in the world would anyone set up Debian as a testing environment
> and then use Red Hat on production?! And different network topology?
>
> Are people really that stupid?

Yes.