Discussion:
[ale] Containers... use?
Raj Wurttemberg
2017-09-16 02:30:01 UTC
Are any of you using containers for anything? Most of my customers are SAP
HANA (2 to 4TB of RAM and 20 to 60 CPU cores). The technology looks cool...
I just can't find a use for it.



/Raj
Pete Hardie
2017-09-16 02:40:27 UTC
I do not use containers, but the commentary I hear about them is mainly
that they provide an easy way to wrap all the dependencies for a
program/deliverable up in a container for simple delivery:
you bundle it all into a container, and any container deployer will isolate
that deployment, a sort of VM-lite isolation.
_______________________________________________
Ale mailing list
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
--
Pete Hardie
--------
Better Living Through Bitmaps
Steve Litt
2017-09-16 03:54:24 UTC
I use Void Linux, which doesn't have the broad access to software that,
let's say, Debian has. Also, Debian has lots of software that doesn't
really work, or that their "devs" decided to put weird defaults for. So
you take a distro that does a piece of software really well, and make a
container to run that piece of software. So far I've done that only
with VMs, but I'm going to try to do it with Vagrant pretty soon.

SteveT

Steve Litt
September 2017 featured book: Manager's Guide to Technical
Troubleshooting Brand new, second edition
http://www.troubleshooters.com/mgr
Michael Potter
2017-09-16 04:27:25 UTC
If one knows how to install Linux and install packages from the
command line, then this is a pretty good airplane book:
https://www.dockerbook.com/

airplane book = book that can be read without having to do the exercises or
otherwise be in front of a computer & can be read in a couple of hours.
--
Michael Potter
Tapp Solutions, LLC
www.tappsolutions.com
+1 770 815 6142 ** Atlanta ** ***@potter.name **
www.linkedin.com/in/michaelpotter
Schedule a meeting with me: https://calendly.com/michael-potter
DJ-Pfulio
2017-09-16 09:17:35 UTC
I use cgroups, namespaces, and chroots all the time. Daily. Constantly.
Right now. I've only played with docker.

They are single-use processes. No shells. No sshd. No patching.
Limited access to most of the host OS file system.

Is that a "container"?

I would use containers for internal software development and deployment.
I'm not ready to place them on the internet at this point. If I allowed
php webapps to be internet facing, I'd run each of them in a container
with nothing else, so WHEN they are hacked, there isn't enough of an OS
there to have a shell, no editor, and do anything except run the webapp.
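DJ-Pfulio's point above, a webapp container with nothing in it but the webapp, can be checked rather than assumed. The following is an added example, not code from the thread: a small POSIX shell audit that walks an exported container root filesystem and lists the shells, sshd, editors, download tools and scripting runtimes that a single-purpose container should not carry. It assumes the rootfs is available as a plain directory (for example after exporting a container with docker export and untarring it); the two sample trees it builds under a temp dir are constructed stand-ins, not real images, and the binary list is a starting point to extend for your own base images.

```sh
#!/bin/sh
# Added example, not from the thread: audit an exported container root
# filesystem for the tooling a single-purpose webapp container should not carry.
# Assumption: the rootfs is a plain directory (e.g. "docker export" + tar -x).
# The two trees built below are constructed stand-ins, not real images.

# Binaries that turn a compromised webapp into a working foothold: interactive
# shells, a remote login daemon, editors, download tools and scripting runtimes.
# Paths are relative to the rootfs root; extend the list for your base images.
UNWANTED_BINARIES="bin/sh bin/bash bin/dash bin/ash usr/bin/bash usr/sbin/sshd \
bin/vi usr/bin/vi usr/bin/vim usr/bin/nano usr/bin/curl usr/bin/wget \
usr/bin/perl usr/bin/python usr/bin/python3"

# Print one "FOUND: /path" line per unwanted binary under $1.
# Returns 0 when the rootfs is clean, 1 when anything was found.
audit_rootfs() {
    root=$1
    found=0
    for rel in $UNWANTED_BINARIES; do
        if [ -e "$root/$rel" ]; then
            echo "FOUND: /$rel"
            found=1
        fi
    done
    return $found
}

# Number of findings for $1, printed as a bare integer for use in scripts.
count_findings() {
    audit_rootfs "$1" | wc -l | tr -d ' '
}

# Build a fake rootfs at $1 containing empty files at the given relative paths.
make_fake_rootfs() {
    dir=$1
    shift
    for rel in "$@"; do
        mkdir -p "$dir/$(dirname "$rel")"
        : > "$dir/$rel"
    done
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# "Fat" container: the PHP runtime plus a shell, sshd and an editor.
FAT_ROOT="$DEMO_DIR/fat"
make_fake_rootfs "$FAT_ROOT" usr/sbin/php-fpm bin/sh usr/sbin/sshd usr/bin/vim

# Minimal container: nothing but the PHP runtime, the state DJ describes.
MIN_ROOT="$DEMO_DIR/minimal"
make_fake_rootfs "$MIN_ROOT" usr/sbin/php-fpm

echo "== fat rootfs =="
audit_rootfs "$FAT_ROOT" || echo "verdict: not single-purpose ($(count_findings "$FAT_ROOT") findings)"
echo "== minimal rootfs =="
audit_rootfs "$MIN_ROOT" && echo "verdict: clean"
```

Run it against a real export with audit_rootfs /tmp/rootfs. An empty finding list is the state DJ describes: when the webapp is compromised there is no shell to land in, no editor and nothing to download more with, so the attacker is limited to what the webapp process itself can do.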
Jeff Layton
2017-09-16 12:54:50 UTC
I use containers all the time for the day job and I use them a little at home. The day job is mostly Docker. It's really great and easy to use but the root access issue still bugs me.
I also use Singularity and it's great! Easy to install, use, and make containers. I use it a little at work but more so at home. It allows me to create a container for some applications and then move them around my systems as needed.
YMMV.
Jeff
Raj Wurttemberg
2017-09-19 01:38:03 UTC
What kind of applications do you run in your docker containers? I was
thinking about using them for web/application servers. Some of my clients
use NFS mounts. I have looked into using persistent NFS storage. The NFS
exports are IP-restricted to the individual systems so static IPs are a
must as well. It would be cool to have a customer’s web server front-end
scale as the workload increased or decreased.



/Raj
Jeff Layton
2017-09-19 13:02:10 UTC
Well, the day job involves Deep Learning so I run some of the frameworks
in Docker. I think you can run a web/application server inside Docker. I
bet there are some blogs on the web about it.

Jeff
Joey Kelly
2017-09-16 23:23:49 UTC
I've played around with FreeBSD jails. They work. I wanted MariaDB, but would
have had to remove MySQL, which would have broken too many packages, so in a
jail it went.

On a related note, I've heard from sources that Docker is the Wrong Place (tm)
to put an RDBMS, but a jail is database-safe.
--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
Jim Kinney
2017-09-17 02:21:32 UTC
From a sysadmin perspective, containers make it far too easy to bypass all security protocols. Until it's live, it's a binary blob waiting to suck in code from unknown sources and send information to unknown locations. Virtual machine security is better and more understood than containers.

Until I can get a SHA256 signed docker container with a sig I trust, I can't allow them to touch my storage cluster.

How do containers get updated for security patches? They don't. Toss it and rebuild. That sets up a churn of installing new containers which will in time dull the build process security focus. Time passes and a mission critical process is running on a gaping security hole that can't be patched because the F+@$ing developer who built it got a better job offer and left. Developers don't have the responsibility for the integrity of the system, network, environment. Just their code. The sysadmin is on the hook for that blob of festering code rot that lets <fill in a cracking team name here> gain root in a container attached to a few TB of patient/banking/insurance/ANYTHING data and suddenly the sysadmin makes headline news.

Yeah. Not a fan. Lots more work to do before containers move beyond lab curiosity for me.

Chroots work well. Add cgroups and it's rather locked down.

VMs are mostly decent (some security issues with shared RAM and networking).
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
Steve Litt
2017-09-17 21:11:38 UTC
Post by Jim Kinney
Chroots work well. Add cgroups and it's rather locked down.
What part do cgroups add to the mix?

SteveT

Steve Litt
September 2017 featured book: Manager's Guide to Technical
Troubleshooting Brand new, second edition
http://www.troubleshooters.com/mgr
Jim Kinney
2017-09-17 21:32:24 UTC
Best explanation is wikipedia

https://en.m.wikipedia.org/wiki/Cgroups

Short answer: it's how you set usage limits on a process.
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
Steve Litt
2017-09-18 04:01:01 UTC
Post by Jim Kinney
Best explanation is wikipedia
https://en.m.wikipedia.org/wiki/Cgroups
Short answer: it's how you set usage limits on a process.
So if I understand you correctly, cgroups doesn't directly enhance
security, but instead "locks down" how much of certain resources a
process and any of its spawned processes can use. If I'm not mistaken,
the chroot enhances security. That sound right?

When you control cgroups, do you interact with the /sys/fs/cgroup tree?

Thanks,

SteveT

Steve Litt
September 2017 featured book: Manager's Guide to Technical
Troubleshooting Brand new, second edition
http://www.troubleshooters.com/mgr
Jim Kinney
2017-09-18 11:43:45 UTC
Yep. The chroot provides only what can be run and cgroups controls the resources.

I don't write directly into the sys tree (usually). Sysctl.conf is my preferred method. Cgroups has a conf file for everything, /etc/cgconfig.conf. The man page cgconfig.conf has multiple examples.
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
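Steve's question about the /sys/fs/cgroup tree has a direct answer on cgroup v2 systems: a cgroup is a directory under that mount, and its limits are ordinary files you write to. The following is an added example, not code from the thread or from libcgroup: it creates a group, writes memory.max and cpu.max, and moves a process into it by writing its PID to cgroup.procs. It assumes a cgroup v2 mount at /sys/fs/cgroup with the memory and cpu controllers enabled for child groups, and root. Unless CGROUP_ROOT is set it dry-runs against a constructed temp directory, so it can be read and executed without privileges; the group name and the limit values are made-up samples.

```sh
#!/bin/sh
# Added example, not from the thread or from libcgroup: drive the cgroup v2
# unified hierarchy directly through the /sys/fs/cgroup tree.
# Assumptions: cgroup v2 mounted at /sys/fs/cgroup, the memory and cpu
# controllers enabled for child groups, and root privileges. When CGROUP_ROOT
# is unset the script dry-runs against a constructed temp directory instead.

if [ -z "${CGROUP_ROOT:-}" ]; then
    CGROUP_ROOT=$(mktemp -d)   # stand-in tree so the example runs unprivileged
    trap 'rm -rf "$CGROUP_ROOT"' EXIT
    echo "CGROUP_ROOT unset: dry run under $CGROUP_ROOT (export CGROUP_ROOT=/sys/fs/cgroup for the real tree)"
fi

# Create a group and set its ceilings.
#   $1  group name (becomes a directory under CGROUP_ROOT)
#   $2  memory.max: bytes with optional K/M/G suffix, or "max" for no limit
#   $3  cpu.max: "<quota> <period>" in microseconds; "50000 100000" is half a core
make_limited_cgroup() {
    grp="$CGROUP_ROOT/$1"
    mkdir -p "$grp"
    printf '%s\n' "$2" > "$grp/memory.max"
    printf '%s\n' "$3" > "$grp/cpu.max"
}

# Move process $2 into group $1. On cgroup v2 its future children inherit the
# group, which is what makes the limit cover "a process and anything it spawns".
attach_pid() {
    printf '%s\n' "$2" > "$CGROUP_ROOT/$1/cgroup.procs"
}

# Report the ceilings of group $1, one key=value per line.
show_limits() {
    grp="$CGROUP_ROOT/$1"
    printf 'memory.max=%s\n' "$(cat "$grp/memory.max")"
    printf 'cpu.max=%s\n' "$(cat "$grp/cpu.max")"
}

# Demo with made-up values: a webapp group capped at 2 GiB and half a CPU,
# with this shell placed inside it.
make_limited_cgroup webapp 2G "50000 100000"
attach_pid webapp $$
show_limits webapp
echo "members: $(cat "$CGROUP_ROOT/webapp/cgroup.procs")"
```

On a real v2 system the same writes enforce a 2 GiB ceiling and half a core on the attached process and everything it forks. The memory.max and cpu.max files only exist in a child group whose parent lists those controllers in cgroup.subtree_control, which is the usual reason a write like this fails. Jim's cgconfig.conf route drives the same kernel interface through libcgroup's config file instead of writing the tree by hand, and, as Steve summarises, neither cgroups route restricts what the process may run; that part is the chroot's (or the namespace's) job.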
Jerald Sheets
2017-09-18 13:09:53 UTC
Docker containers with Kubernetes or Mesos orchestration are the “now” in web microservices all the way up to enterprise applications. Further “densifying” existing hardware and enabling the autoscaling of current infra is the most common use.

I’ve got about 80k systems utilizing containers (lxc and Docker) and am migrating wholesale to Docker. We’re also using the container model to easily ship app images between public cloud providers and on-prem cloud as well as to deliver Development fully functional deploy images for testing in each of the supported environments.

Just think “virtualized apps instead of machines” and you’ve got it.

As for security, there are tools for that.
As for orchestration, there are tools for that.
As for logging and visibility, there are tools for that.

And in each case there are both productized and open source solutions available.

I hear the same skepticism we all had to VMs in 1997-2000 with containers, and it’s everything the same all over again, IMO.

It’s the way you massively scale today in huge enterprises (I have over 160k nodes in our environments).

I’d strongly encourage any Sysadmin to know containers (lxc or Docker), as it will be very important moving forward in the industry.


—Jerald
Lightner, Jeffrey
2017-09-18 13:15:56 UTC
We use CoreOS/Docker for containers and have implemented some Production processes in such environments.

As someone else noted, the location of containers that can be downloaded is not ideal from a security standpoint. DevOps to allow developers to spin up things quickly sounds like a good idea until you realize a developer’s mission is implementation with little concern for sustainability.

RedHat Atomic moved to Docker more than a year ago and they vet the containers you download from them so if you were going to use it in Production I’d suggest looking at that rather than the CoreOS/Docker route specifically for security.

While it is true most containers don’t come with all the tools an admin might want, you CAN install other packages within them. Also you can install “toolbox” in the base OS that will let you run many tools. On CoreOS that installs as Fedora and you can install any tools within the toolbox as well.

An important point about containers is that they are not full VMs. However, like VMs you can have dissimilar containers run on the same underlying server so that you might have CoreOS as the underlying OS yet have Ubuntu, CentOS, Fedora, Suse containers.

Jim Kinney
2017-09-18 15:34:25 UTC
It doesn't matter about my lack of security prefs (yes, I'm whining about 'new stuff', like the systemd haters; it's only due to lack of time to do the deep dig into the functionals and get comfortable with the process). It's getting rolled out or I get rolled over.

It still seems like a continuation of "chroot meets VM and they had a baby" as an application with an all-new toolchain.
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
Jerald Sheets
2017-09-18 13:18:46 UTC
Post by Jim Kinney
From a sysadmin perspective, containers make it far too easy to bypass all security protocols. Until it's live, it's a binary blob waiting to suck in code from unknown sources and send information to unknown locations. Virtual machine security is better and more understood than containers.
You host your own hub. That’s the answer. We’re prevented from “reaching out” to the ‘net for anything at all. I’ve built my own container registries internally, and only pull images *I* have rolled from there. I never touch DockerHub.
Post by Jim Kinney
Until I can get a SHA256 signed docker container with sig I trust, I can't allow them to touch my storage cluster.
Again, the setup is necessary, but you can completely lock it down to your own internal resources. This is a non-issue.
Post by Jim Kinney
How do containers get updated for security patches? They don't. Toss it and rebuild.
You do it. Don’t rely on Docker or the community. Roll your own images (just like folks who use custom AMIs) and maintain full control of “all the things”.
Post by Jim Kinney
That sets up a churn of installing new containers which will in time dull the build process security focus.
Which is why we automate. I personally use Puppet, as that is my SME domain, but I’ve seen workflows for both Chef and Ansible. Also a non-issue.
All containers should be curated by Systems. The Developers should submit them for security scanning, or you should employ a DevSecOps model for deployment. i.e., federate security scanning by providing OS, App, transport, penetration, and network security testing as APIs that devs can leverage instead of leaving them to security. Left to their own devices, unreasonable deploy timelines set for them, and golf-playing pointy-hairs with unreasonable ship date requirements, it’ll never happen.

This should all be automated and part of a security CI/CD pipeline; without a “pass” from the security field, it cannot ever be deployed into production. This is how we do it.
Post by Jim Kinney
Developers don't have the responsibility for the integrity of the system, network, environment. Just their code. The sysadmin is on the hook for that blob of festering code rot that lets <fill in a cracking team name here> gain root in a container attached to a few TB of patient/banking/insurance/ANYTHING data and suddenly the sysadmin makes headline news.
Which doesn’t really happen in containerized applications. ESPECIALLY if you’re orchestrating them properly, and the curation of the containers is where they belong: in Systems and Security circles.

FUD doesn’t play well here, and this smacks of FUD to me.

Not to call you out, Jim. :D


The real issue is automation should be a core component of Security, Operations, QA, Development, AND Deployment. None of this crap should be touched with human hands any more. That’s how you end up with an Equifax website with a U/P of admin:admin, thus this morning’s news.


—jms
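Jim asked earlier for a SHA256-signed container with a signature he trusts, and Jerald's answer is to pull only images you rolled yourself from your own registry. A minimal pull gate that encodes both rules, added here as an example rather than code from either poster: it admits an image only when the reference points at the internal registry by immutable sha256 digest (no tags, no DockerHub), when the pulled artifact's sha256 matches that digest, and when the digest is on an allowlist written by the build job. The registry host registry.internal.example, the allowlist format and the image tarballs are constructed placeholders. The script hashes the pulled file directly; a real registry digest is the sha256 of the image manifest, so with Docker you would compare the RepoDigests value from docker image inspect rather than hashing a tarball.

```sh
#!/bin/sh
# Added example, not from the thread: a pull gate that admits an image only if
# (a) it is referenced from the internal registry by immutable sha256 digest,
# (b) the pulled artifact's sha256 matches that digest, and
# (c) the digest is on an allowlist maintained by the image build job.
# Assumptions: the registry host, allowlist format and "image tarballs" below
# are constructed placeholders, not real infrastructure.

INTERNAL_REGISTRY="registry.internal.example"

# Accept only "registry/repo@sha256:<64 hex>" references: no tags, no DockerHub.
# Prints the digest on success; returns 1 otherwise.
check_reference() {
    ref=$1
    case $ref in
        "$INTERNAL_REGISTRY"/*@sha256:*) ;;
        *) echo "REJECT: $ref (not an internal, digest-pinned reference)" >&2; return 1 ;;
    esac
    digest=${ref##*@sha256:}
    case $digest in
        *[!0-9a-f]*) echo "REJECT: malformed digest in $ref" >&2; return 1 ;;
    esac
    [ ${#digest} -eq 64 ] || { echo "REJECT: bad digest length in $ref" >&2; return 1; }
    echo "$digest"
}

# sha256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Gate: $1 image reference, $2 path of the pulled artifact, $3 allowlist file.
# The allowlist holds one "<sha256> <name>" pair per line, written by the build.
admit_image() {
    digest=$(check_reference "$1") || return 1
    actual=$(sha256_of "$2")
    if [ "$actual" != "$digest" ]; then
        echo "REJECT: content digest $actual != referenced $digest" >&2
        return 1
    fi
    if ! grep -q "^$digest " "$3"; then
        echo "REJECT: $digest not on allowlist" >&2
        return 1
    fi
    echo "ADMIT: $1"
}

# --- constructed demo data: two fake "image tarballs" and a one-line allowlist ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'pretend this is an image tarball\n' > "$WORK/good.tar"
printf 'tampered image tarball\n' > "$WORK/bad.tar"
GOOD=$(sha256_of "$WORK/good.tar")
printf '%s webapp:2017-09-18\n' "$GOOD" > "$WORK/allowlist"
GOOD_REF="$INTERNAL_REGISTRY/team/webapp@sha256:$GOOD"

admit_image "$GOOD_REF" "$WORK/good.tar" "$WORK/allowlist" || true   # admitted
admit_image "$GOOD_REF" "$WORK/bad.tar" "$WORK/allowlist" || true    # content mismatch
admit_image "docker.io/library/php:latest" "$WORK/good.tar" "$WORK/allowlist" || true  # not ours
```

Calling admit_image from the deploy job, with the allowlist regenerated by the image build, gives Jerald's "only images I have rolled" rule a mechanical form: a tag such as :latest never passes check_reference, so a rebuilt image cannot silently replace the vetted one, and a tampered artifact fails on content before the allowlist is even consulted.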
Solomon Peachy
2017-09-18 13:34:37 UTC
Post by Jerald Sheets
All containers should be curated by Systems. The Developers should
submit them for security scanning, or you should employ a DevSecOps
model for deployment. i.e., federate security scanning by providing
OS, App, transport, penetration, and network security testing as APIs
that devs can leverage instead of leaving them to security. Left to
their own devices, unreasonable deploy timelines set for them, and
golf-playing pointy-hairs with unreasonable ship date requirements,
it’ll never happen.
This should all be automated and part of a security CI/CD pipeline;
without a “pass” from the security field, it cannot ever be
deployed into production. This is how we do it.
The unspoken assumption here is that your needs are sufficient to make
this (completely necessary!) administrative overhead worthwhile.

Unfortunately, much like VMs before, most shops just "download an image"
from the likes of DockerHub and then deploy it, with no real thought
towards ongoing maintenance or security concerns. Because those cost
time/effort -- and therefore money.

- Solomon </grumble>
--
Solomon Peachy pizza at shaftnet dot org
Coconut Creek, FL ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum videtur.
Jerald Sheets
2017-09-18 14:14:12 UTC
Post by Solomon Peachy
The unspoken assumption here is that your needs are sufficient to make
this (completely necessary!) administrative overhead worthwhile.
Unfortunately, much like VMs before, most shops just "download an image"
from the likes of DockerHub and then deploy it, with no real thought
towards ongoing maintenance or security concerns. Because those cost
time/effort -- and therefore money.
Being a security guy for a FinTech that has global reach, no one is allowed to “just download an image”. If it doesn’t come from us, it’s disallowed for use. We have a rather large self-service platform that hosts them, and the images have to be built and maintained by us. It’s a nice use for new interns.


—j
Jim Kinney
2017-09-18 15:52:02 UTC
I'm very close to the point of isolating my docker junkies in every possible way and letting their stuff get broken into. That will be the only way to get the political leverage to be able to tell a PhD faculty "NO. It ALL runs through me and upstream university security. No exception."
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
Jeff Hubbs
2017-09-18 16:49:18 UTC
Can someone help characterize for me how Anaconda fits into this whole
container business?
lnxgnome
2017-09-18 21:25:11 UTC
Jeff,

Are you asking about Anaconda https://www.anaconda.com/ or Anaconda
https://fedoraproject.org/wiki/Anaconda ?

For the first, there is...
https://github.com/ContinuumIO/docker-images/tree/master/anaconda
For the second, there is...
http://atodorov.org/blog/2015/10/28/building-docker-images-with-anaconda/
Post by Jeff Hubbs
Can someone help characterize for me how Anaconda fits into this whole
container business?
Jeff Hubbs
2017-09-19 13:57:07 UTC
Permalink
I was referring to the first one. I'm trying to get used to the notion
of a package management system that runs underneath or beside the
operating system's.
Post by lnxgnome
Jeff,
  Are you asking about Anaconda https://www.anaconda.com/ or Anaconda
https://fedoraproject.org/wiki/Anaconda ?
  For the first, there is...
https://github.com/ContinuumIO/docker-images/tree/master/anaconda
  For the second, there is...
http://atodorov.org/blog/2015/10/28/building-docker-images-with-anaconda/
Jerald Sheets
2017-09-19 15:25:54 UTC
Permalink
That’s what Jim and I were bantering about. There’s “DockerHub” which provides baked images, and there are several official ones from the vendors there. You can also have your own space (a lot like GitHub) where you curate and manage your own images, and reference those directly instead of the publicly managed ones by “God knows who”.

Check it out.

https://hub.docker.com/

—jms
Post by Jeff Hubbs
I was referring to the first one. I'm trying to get used to the notion of a package management system that runs underneath or beside the operating system's.
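As an added example (not code from this thread or from Docker Hub, Puppet or any other project named in it), here is a small Python policy check that enforces the practice Jerald describes: deploy only images that come from a registry you curate yourself, and pin each one by content digest so the thing that runs is exactly the thing that was scanned, not whatever a mutable tag points at today. The registry hostname, repository names and digests are constructed placeholders, and the allow-list stands in for the output of an internal scanning pipeline.

```python
"""Image-reference policy check (added example; hostnames and digests are
constructed placeholders, not real artifacts)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical curated internal registry; replace with your own.
TRUSTED_REGISTRY = "registry.corp.example"

# Constructed allow-list: digests that passed internal scanning.  In practice
# the scanning pipeline would emit this file; nobody should hand-type it.
APPROVED_DIGESTS: Dict[str, set] = {
    "registry.corp.example/base/python": {"sha256:" + "a1" * 32},
    "registry.corp.example/apps/web": {"sha256:" + "b2" * 32, "sha256:" + "c3" * 32},
}

# registry[:port]/repo[:tag][@sha256:digest]; a registry component is only
# recognised when it contains a dot or a port, or is "localhost", which is the
# same rule container engines use to tell "myorg/app" from "host/app".
_REF_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|[^/]+:\d+|localhost)/)?"
    r"(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]
    repo: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        """Registry-qualified repository name used as the allow-list key."""
        return f"{self.registry}/{self.repo}" if self.registry else self.repo


def parse_image_ref(ref: str) -> ImageRef:
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return ImageRef(m["registry"], m["repo"], m["tag"], m["digest"])


def check_image(ref: str) -> List[str]:
    """Return the policy violations for one image reference (empty = allowed)."""
    try:
        img = parse_image_ref(ref)
    except ValueError as e:
        return [str(e)]
    problems: List[str] = []
    if img.registry is None:
        # A bare name such as "nginx" resolves to the public default registry.
        problems.append("no registry given; would resolve to the public default registry")
    elif img.registry != TRUSTED_REGISTRY:
        problems.append(f"registry {img.registry!r} is not the curated internal registry")
    if img.digest is None:
        # Tags are mutable pointers: the "latest" you scanned is not the
        # "latest" you pull tomorrow.
        problems.append("not pinned by digest; a tag can be repointed after scanning")
    elif img.digest not in APPROVED_DIGESTS.get(img.name, set()):
        problems.append(f"digest {img.digest[:19]}... is not on the approved list for {img.name}")
    return problems


def audit_manifest(image_refs: Iterable[str]) -> Dict[str, List[str]]:
    """Check every image reference in a deployment manifest: {ref: violations}."""
    return {ref: check_image(ref) for ref in image_refs}


# Constructed sample manifest covering the cases the policy is meant to catch.
SAMPLE_MANIFEST = [
    "registry.corp.example/apps/web@sha256:" + "b2" * 32,      # allowed
    "registry.corp.example/apps/web:1.4",                      # tag only, not pinned
    "registry.corp.example/base/python@sha256:" + "ff" * 32,   # pinned, but never scanned
    "nginx:latest",                                            # public default registry, unpinned
    "docker.io/library/redis@sha256:" + "d4" * 32,             # wrong registry
]

if __name__ == "__main__":
    for ref, problems in audit_manifest(SAMPLE_MANIFEST).items():
        print(("ALLOW " if not problems else "DENY  ") + ref)
        for p in problems:
            print("        - " + p)
```

Run it as a gate in the deployment pipeline (or as an admission check in front of the orchestrator) so that an image that is unpinned, unscanned or pulled from "God knows who" is rejected before it reaches a host, regardless of who wrote the manifest.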
Niel Bornstein
2017-09-19 17:24:07 UTC
Permalink
I'll also put this right here:

http://port.us.org/
Post by Jerald Sheets
That’s what Jim and I were bantering about. There’s “DockerHub” which
provides baked images, and there are several official ones from the
vendors there. You can also have your own space (a lot like GitHub)
where you curate and manage your own images, and reference those
directly instead of the publicly managed ones by “God knows who”

Check it out.
https://hub.docker.com/
—jms
Jim Kinney
2017-09-19 17:42:27 UTC
Permalink
SWEET!
LDAP auth means my IPA process can be used to further brutalize, er,
um, manage user access to specialty locations as required.
Post by Niel Bornstein
http://port.us.org/
James Taylor
2017-09-19 19:17:17 UTC
Permalink
And I’ll add this, if anyone’s interested

-jt

James Taylor
***@eastcobbgroup.com
678-697-9420
Post by Jim Kinney
SWEET!
LDAP auth means my IPA process can be used to further brutalize, er, um, manage user access to specialty locations as required.
http://port.us.org/
James Taylor
2017-09-19 19:29:11 UTC
Permalink
Maybe this time with the URL.

https://www.suse.com/products/caas-platform/
Post by James Taylor
And I’ll add this, if anyone’s interested

-jt
James Taylor
678-697-9420
DJ-Pfulio
2017-09-18 13:39:09 UTC
Permalink
Jerald, I bet a presentation on your docker deployment techniques would
have a full house of interested ALEer.
Oct or Nov meetings need a topic. ;)
Post by Jerald Sheets
FUD doesn’t play well here, and this smacks of FUD to me.
Some things require time to be proven. Old guys have learned that hype
is seldom true. We've been burned before. Things need time to mature
if you don't want to be bleeding edge, spinning with constant updates.

When I was 25, bleeding edge seemed like the best place. Around 45 ...
not so much. We had systems that worked, were predictable, and met the
requirements better than previously deployed stuff.

From the outside, there are some technologies that have great hype and
may prove to be great - someday - after they mature a little.

Remember when openstack was all the rage? How many years did it take to
NOT need a fork-lift upgrade between versions?

Docker/Containers seem very useful, but it wasn't that long ago that
root escalation break-outs were being found every few months, regardless
of the claims from the container people. I think the docker container
format has "won the war", but the requirement for docker to run as root
on the docker-host is still troubling. Just a little more maturity is
needed.

Is that FUD?

And for about 6 videos from Redhat reps for container best practices,
look on youtube for the SELF 2016 conference. Some more details provided
beyond what Jerald is saying here with a little more depth in those.

Phil Turmel
2017-09-18 13:46:25 UTC
Permalink
Yes! Please?
Post by DJ-Pfulio
Jerald, I bet a presentation on your docker deployment techniques would
have a full house of interested ALEer.
Oct or Nov meetings need a topic. ;)
Jerald Sheets
2017-09-18 14:24:53 UTC
Permalink
Post by DJ-Pfulio
Jerald, I bet a presentation on your docker deployment techniques would
have a full house of interested ALEer.
Oct or Nov meetings need a topic. ;)
Unfortunately, I can share with you guys in a semi-private forum. I cannot share publicly nor can I speak publicly.

I’ve got the lawyers working on my approval just to present on Puppet at a local users group without my employer’s name attached. It’s a nightmare.
Post by DJ-Pfulio
Post by Jerald Sheets
FUD doesn’t play well here, and this smacks of FUD to me.
Some things require time to be proven. Old guys have learned that hype
is seldom true. We've been burned before. Things need time to mature
if you don't want to be bleeding edge, spinning with constant updates.
When I was 25, bleeding edge seemed like the best place. Around 45 ...
not so much. We had systems that worked, where predictable, and met the
requirements better than previously deployed stuff.
I’m 50. I’ve been doing this since CP/M was my primary desktop and Vax/VMS was my playground. I’m not new to this.
Post by DJ-Pfulio
From the outside, there are some technologies that have great hype and
may prove to be great - someday - after they mature a little.
Remember when openstack was all the rage? How many years did it take to
NOT need a fork-lift upgrade between versions?
I implemented that for AMEX. They did upgrades atomically over time. Not an issue. The problem was that no one at OpenStack (whoever the heck’s implementation you chose) could tell you the proper foundation for a smooth architecture. If you happened to stumble over it, good on you. We didn’t until we had someone who had show us what to do. Everything there forward was cake.
Post by DJ-Pfulio
Docker/Containers seem very useful, but it wasn't that long ago that
root escalation break-outs were being found every few months, regardless
of the claims from the container people. I think the docker container
format has "won the war", but the requirement for docker to run as root
on the docker-host is still troubling. Just a little more maturity is
needed.
Eh?

containerd definitely runs as root (like Apache, NginX, et al.) because daemon. However, root is not needed to work with the container. I just had this grippiest with a guy internally here. Everything was done post-install by just adding individual users to the docker group. No sudo necessary, and no root access required. After all, if daemon control is the only thing requiring root interaction (by the sysadmin), I don’t see a problem there.

Second, the people who were doing root escalations had intimate knowledge of cgroups. Once the vendors realized they couldn’t get away with “we’ll just leave that for now to make a ship date” any more, things started to clean up nicely.

There are also several security methodologies out there; we’ve built our own proprietary ones involving chrooting, zoned access, ingress/egress rules, and quite a bit of tomfoolery, honestly, but the product is mostly secure OOTB and is securable with an easily automatable process. Time to secure? About one Puppet run.
Post by DJ-Pfulio
Is that FUD?
And for about 6 videos from Redhat reps for container best practices,
look on youtube for the SELF 2016 conference. Some more details provided
beyond what Jerald is saying here with a little more depth in those.
That’s good fodder there, but always remember that those guys are extremely myopic in their views, statements, and architectures. YMMV when trying to apply the principles to a self-rolled environment.


—jms
Jim Kinney
2017-09-18 15:48:31 UTC
Permalink
I'm miserably aware of some large-scale admin stuff I need to implement. Always a challenge with 1.5 people full time and 3 full time people's worth of work.

Highest priority is to host our own hub. The devels are all "this is just research" until they bypass everything and point a proxy they control at a vm running their latest container.
Post by Jim Kinney
Post by Jim Kinney
From a sysadmin perspective, containers make it far too easy to bypass
all security protocols. Until it's live, it's a binary blob waiting to
suck in code from unknown sources and send information to unknown
locations. Virtual machine security is better and more understood than
containers.
You host your own hub. That’s the answer. We’re prevented from
“reaching out” to the ‘net for anything at all. I’ve built my own
container registries internally, and only pull images *I* have rolled
from there. I never touch DockerHub.
Post by Jim Kinney
Until I can get a SHA256 signed docker container with sig I trust, I
can't allow them to touch my storage cluster.
Again, the setup is necessary, but you can completely lock it down to
your own internal resources. This is a non-issue.
Post by Jim Kinney
How do containers get updated for security patches? They don't. Toss
it and rebuild.
You do it. Don’t rely on Docker or the community. Roll your own
images (just like folks who use custom AMIs) and maintain full control
of “all the things”.
Post by Jim Kinney
That sets up a churn of install new containers which will in time
dull the build process security focus.
Which is why we automate. I personally use Puppet, as that is my SME
domain, but I’ve seen workflows for both Chef and Ansible. Also a
non-issue.
Post by Jim Kinney
Time passes and a mission critical process is running on a gaping
built it got a better job offer and left.
All containers should be curated by Systems. The Developers should
submit them for security scanning, or you should employ a DevSecOps
model for deployment. i.e., federate security scanning by providing
OS, App, transport, penetration, and network security testing as APIs
that devs can leverage instead of leaving them to security. Left to
their own devices, unreasonable deploy timelines set for them, and
golf-playing pointy-hairs with unreasonable ship date requirements,
it’ll never happen.
This should all be automated and part of a security CI/CD pipeline;
without a “pass” from the security field, nothing can ever be deployed
into production. This is how we do it.
Post by Jim Kinney
Developers don't have the responsibility for the integrity of the
system, network, environment. Just their code. The sysadmin is on the
hook for that blob of festering code rot that lets <fill in a cracking
team name here> gain root in a container attached to a few TB of
patient/banking/insurance/ANYTHING data and suddenly the sysadmin makes
headline news.
Which doesn’t really happen in containerized applications. ESPECIALLY
if you’re orchestrating them properly, and the curation of the
containers is where they belong: in Systems and Security circles.
FUD doesn’t play well here, and this smacks of FUD to me.
Not to call you out, Jim. :D
The real issue is automation should be a core component of Security,
Operations, QA, Development, AND Deployment. None of this crap should
be touched with human hands any more. That’s how you end up with an
Equifax website with a U/P of admin:admin, thus this morning’s news.
—jms
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
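The reply above argues for hosting your own registry, pulling only images you rolled yourself, and gating deployment on an automated pipeline. The script below is an added example, not code from the list or from either poster, of the simplest such gate: a POSIX shell check that every image reference in a deployment manifest points at an internal registry and is pinned to a sha256 content digest rather than a mutable tag, so a build that silently drifts to whatever DockerHub currently serves under `:latest` is rejected before it reaches production. The registry hostname and the sample manifest are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a CI gate that rejects image
# references which are not (a) hosted on the internal registry and
# (b) pinned to a sha256 digest. Hostname below is a placeholder.
INTERNAL_REGISTRY="registry.internal.example"

# check_image_ref REF
# Returns 0 when REF has the form
#   <INTERNAL_REGISTRY>/<path>[:<tag>]@sha256:<64 lowercase hex chars>
# and 1 otherwise. Tags are tolerated but the digest is what pins the image.
check_image_ref() {
    ref="$1"
    # Must start with our registry and carry a sha256 digest.
    case "$ref" in
        "$INTERNAL_REGISTRY"/*@sha256:*) ;;
        *) return 1 ;;
    esac
    # Digest is everything after the last "@sha256:".
    digest="${ref##*@sha256:}"
    # Reject anything that is not lowercase hex, or not exactly 64 chars.
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    # Repository path between registry and digest must be non-empty and
    # must not smuggle a second "@".
    path="${ref#"$INTERNAL_REGISTRY"/}"
    path="${path%@sha256:*}"
    [ -n "$path" ] || return 1
    case "$path" in *@*) return 1 ;; esac
    return 0
}

# check_manifest FILE
# Reads one image reference per line (blank lines and '#' comments are
# skipped), prints each offender to stderr, and returns 1 if any fail.
check_manifest() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! check_image_ref "$line"; then
            printf 'REJECT: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage from a pipeline step (constructed manifest file name):
#   check_manifest images.txt || exit 1
```

The pattern check deliberately does no network access: whether the digest actually exists in the registry is for the pull step to decide, and a pull by digest will fail closed if the content does not match. The gate only guarantees that nothing in the manifest can resolve to a different image tomorrow than it did today, which is the property the reply above is asking for when it says to roll and maintain your own images.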