234 entries in 0.617s
gabriel_laddel: Instead, we stack layer after layer of additional convoluted crap on top of what we've already got because we don't know how to fix it. Instead, we flit constantly from Thin to Mongrel to Passenger to Heroku to Bitnami to Docker to whatever new way to deploy trivial apps came out yesterday. Instead, we obsess over adding better Sass integration to our frameworks.
trinque: remove docker -> set up same application like a normal person with runit and users substituting for containers -> free up 5gb
assbot: Logged on 03-07-2015 02:19:38; trinque: the docker daemon itself is this vast wad o' golang that runs as root
decimation: does docker actually emulate a hardware nic like qemu
shinohai: i use docker on hashbang, but it is like a Rube Goldberg cartoon
trinque: and also, docker sets up and manages its own fancy virtual network between your containers
trinque: I would expect (as admittedly a casual in the kernel space) to find the same kinds of break-out flaws in docker and linux containers as are found all the time in xen
trinque: assuming the hardware, kernel, distro, docker, distro, and your proggy are perfect, sure!
decimation: people have emphasized docker's security benefits
trinque: the docker daemon itself is this vast wad o' golang that runs as root
trinque: whereas xen is a hypervisor, docker uses the linux containers thing, which effectively gives you multiple userspaces
trinque: decimation: docker's a piece of shit for its own reasons
gabriel_laddel: "This has led to no end of headaches when hacking on the bitcoind source. I've built bitcoinds in Docker containers and shipped them off to virtualized servers in The Cloud, I've built them in virtual machines local to my own development machine and run them in the selfsame VMs, and I even burned a few hours today attempting to compile bitcoin nat
thestringpuller: docker does this in a way similar to floppy drive press enter to boot kinda deal
thestringpuller: trinque: you and ben_vulpes would have some interesting conversations about docker
trinque: this docker thing is a piece of shit
ben_vulpes: hm i think you'd want to run whm *in* docker
mircea_popescu: i dunno that i could be bothered to replace whm with docker
ben_vulpes: this, btw, is why i ops with docker. excellent control of versions of everything.
mats: this is a bad idea and so is ntoskrnl support for docker
assbot: Using the docker command to root the host (totally not a security issue) // reventlov's silly hacks ... ( http://bit.ly/1HKV0Dz )
ben_vulpes: trinque: a hack that i've seen to work is building for arch in a docker container
ben_vulpes: punkman: yeah i guess now i try to docker this thing
punkman: ben_vulpes: is that why rubyists love docker?
trinque: among other lols, they want to eat docker, manage your firewall, make the logger speak http...
thestringpuller: ben_vulpes: docker is like being a kid at christmas all over again
ben_vulpes: docker run -d to daemonize the proc in container
thestringpuller: davout: i'm running docker on local machines and want a cardano to hold certain application keys. plug that up to one of the docker servers. relatively easy airgap
davout: thestringpuller: i can't think of a purpose for which docker-based deploys would be equivalent to a cardano based setup
thestringpuller: ben_vulpes: well I'm thinking of using docker to deploy gpg server stuffs
ben_vulpes: for instance, i've got a client who (for some silly reasons) basically needs to throw out their Solr index on a daily basis. the approach to date has been to drop the index at a low-traffic time, rebuild, and hope nobody notices. with docker, we can boot a new container, index into it, and then when the indexing is complete, shut the old solr container down and boot the new solr container.
ben_vulpes: actually thestringpuller you can use docker to compile c on whatever and ship the resulting binary to the raspi
ben_vulpes: <thestringpuller> ben_vulpes: docker runs on raspi << and?
ben_vulpes: i wrote a thing that handles turning standard piles of software into running software on ec2 with docker for environment isolation
ben_vulpes: well /etc/default/docker but look at it through whatever lens you like baws
mircea_popescu: ben_vulpes check it out, docker is like bdb, except differently named undocumented config file.
ben_vulpes: mats: today i discovered that docker images have a 10GB limit unless you specify otherwise with dm.whatever options on the command line for the docker daemon
mats_cd03: ben_vulpes: have you tried out Fig for docker deployments? it's nice.
mats_cd03: doing different things like studying the windows kernel, trying to learn malware analysis fundamentals and some of the tooling, docker deployment for dev and prod for a friend's website, and working on the courts circus project
ben_vulpes: deploy pattern is "get code, load deps file into docker, rebuild image with that, if build fails bail, run image, smoke test new container, if new container fails bail, then shut down old container and shoop new container into its place"
ben_vulpes: build pattern is: "install docker. then, deploy apptuation."
ben_vulpes: docker will keep containers up on its own just fine.
ben_vulpes: this is where docker starts coming in handy: instead of burning many hours on chasing down platform and architecture details to get the thing to work on os x, i'm leaning towards just running 0.5.3 in a VM.
decimation doesn't use docker, probably never will
decimation: re: docker << my understanding is that it's pretty much a chroot jail combined with some cpu and ram and network limits
diametric: what makes it docker is the whole management infrastructure around it
jurov: so.. does this docker thing work with grsec and makes easier chroots with readonly-bind-mounted stuff?
diametric: what you end up with is an image you can use on any linux running docker, be it ubuntu, gentoo, arch or lfs.
diametric: asciilifeform: now if you're relying on docker to be a jail for the purposes of security, then that alone isn't ideal.
diametric: asciilifeform: docker's purpose isn't security per se. an escape can be irrelevant. if anything it's a nice system for compartmentalizing your system and preventing the pollution of your filesystem with random libraries needed by a single application.
diametric: asciilifeform: is there an incident that started the discussion? all i see here is a lot of "using docker insecurely is insecure."
mats_cd03: immutability is one of the design mitigations in docker
undata: mircea_popescu: You can make changes to a docker by hand, then make an image from that. It's better to stick to your Dockerfile, but you don't have to.
undata: mircea_popescu: docker does run the risk of merely snapshotting the wad of mess and saying "ok, this wad worked, kind of" rather than actually understanding system state
mats_cd03: the VM is for protecting you from docker, not the other way around
undata: I like docker for managing system state; I'm asking what the security value add is above just using the VM directly.
undata: mircea_popescu: you get that with host/vm, why docker?
undata: mats_cd03: I believe it was a question of why both docker and vm?
mats_cd03: 18:29:29 <+mircea_popescu> mats_cd03: mitigation involves layering. SELinux, one docker per vm, <<< then why even bother ? am i dense ?
mircea_popescu: mats_cd03: mitigation involves layering. SELinux, one docker per vm, <<< then why even bother ? am i dense ?
mats_cd03: i'm still learning how docker works, though, so if i'm wrong here people should chime in and tell me so
assbot: Docker security approach encourages privileged containers · Issue #6616 · docker/docker · GitHub
mats_cd03: mitigation involves layering. SELinux, one docker per vm,
assbot: VMware Teams With Docker, Google and Pivotal to Simplify Enterprise Adoption of Containers (NYSE:VMW)
assbot: New Windows Server containers and Azure support for Docker | Microsoft Azure Blog
BingoBoingo: mats_cd03: So What is docker exactly is it like a FreeBSD Jail a decade late or... Closer to something like Zen?
mats_cd03: vmware is also moving towards support for docker when they were adamant about it for months prior to the switcharoo