@sir what does containers have to do with shitty sysadmins who don't know how to security?

@xj9 crutch

@sir do illumos and freebsd admins have this problem or is it a linux master race issue? I think containers are great, but it seems like a lot of the new gen developers are ... not very informed about their craft.

@xj9 correlation does not imply causation. If Linux is the default choice, then anyone using a non-default choice is likely to have put more thought into their system

@sir 2015 and this still applies huh.

Imagine if properly administrating servers didn't require sacrificing yourself to Satan, and if using Docker wasn't an invitation to grabbing random binaries into prod

@sir What do you think about the solution that NixOS is building? It is kind of like the declarative, deterministic approach of Docker but better

@jelle not into it. These things are a solution looking for a problem

@sir The problem is that other configuration systems are not declarative, so you build up cruft if you want to delete services. I've used Ansible and wanted to remove a postfix installation, but there are so many pieces to an email system that just removing the config from Ansible leaves a lot of random files hanging around.

@xj9 @sir To be fair, Solaris Zones and BSD Jails are far less insecure than Docker, and don't end up with shipping an entire OS's worth of new vulnerabilities.

Jessie Frazelle (ex-Docker Core) has a post where she goes to great lengths to stress that Zones and Jails are not, in fact, containers. Kind of inaccurate in most senses but it does sort of shed light on why Linux has this problem in spades versus illumos and Free/DragonflyBSD.

In short, excess choice naturally leads to uninformed and naive people forgoing all choice, which is a problem when shipping defaults that aren't aimed at security.

@sir You can build your own docker containers, but that also depends on the software you need being nicely installable.

@jelle I don't like Ansible, either. I don't use any tools at all to fill this niche.

@kick @xj9

>In short, excess choice naturally leads to uninformed and naive people forgoing all choice, which is a problem when shipping defaults that aren't aimed at security.

See, I don't like this part. Because I know my shit, I am capable of reasoning about my system without sane defaults as a crutch. By no means am I against sane defaults, but in this case they're being used as an argument away from learning your shit so you can admin your system properly.

I don't think we should leave this knowledge in the hands of a few dedicated specialists who study systems and security. This is symptomatic of the broader complexity explosion in software. I prefer to design my systems to be as simple as possible so that anyone can easily understand them and reckon about their design and security implications, which leads to far more robust systems than making docker do the right thing by default does.

@sir @xj9 I don't disagree, I was just summarizing her blog post.

@sir @xj9 Though I think I must have made a part of her argument unclear: she claims that _Docker_ is complex by design, not a tool at managing complexity.

@kick @xj9 sorry, you weren't unclear, I was just using Docker as a stand-in for all of these systems.

I agree in general that the current situation is a mess. Ideally all the deps would be packaged by distros, and the few things that aren't packaged would be a simple offline build.

But I think Maven isn't the worst offender, there's pypi and npm after all.
IIRC Maven Central does require signatures, and IMO it's a better quality repo than pypi and npm. (Can't say the same about dozens of 3rd party Maven repos around the net.)

@sir I feel that configuration systems are similar to using git. If you're working on your own, using git for version management is not strictly needed, but it is very nice. In the same way, if you're adminning a system together you need a configuration system, but it's very responsible to use if you're working on your own as well

@Wolf480pl I think the author wrote about Maven because that's what they were familiar with. The arguments work anyway.

@kick @sir

the strained "container" definition is odd to me because the term container predates docker by a lot. I think jails and zones are a nice way to organize and isolate services on a machine. That said, I agree with the sentiment in general. I just don't think containers are the actual problem here. Maybe they make bad decisions easier to make, but isn't it still the responsibility of the developers involved to make sure reasonable things are happening?

@sir Basically the "stack" became a "heap".

@sir I think containerization is really great for internal development. You're afforded so much freedom to run it on any "platform" the same.

But you're right the way it's used for distribution is dumb. Very little is verifiable.

Personally I try to only download images from trusted sources who publish the Dockerfile and have the images built verifiably (public CI)

It's still a far cry from proper package management and I've had to build many custom Dockerfiles as a result.

@sir I've been on both sides of this argument. On one hand, we have numerous linux distros with different sets of libraries and packages, and packaging software even for the two most popular ones (CentOS and Debian) is just an enormous pain in the ass. We switched to Docker for deployment eventually just to save time and manpower, because having an extra person on staff just for software deployment is an overkill. We still build everything in house though.