Re: [dev] containers opinion

From: Kamil Cholewiński <harry666t_AT_gmail.com>
Date: Fri, 23 Sep 2016 22:48:55 +0200

On Fri, 23 Sep 2016, stephen Turner <stephen.n.turner_AT_gmail.com> wrote:
> what's the suckless view of containers and why? what about a
> containerized init helper where sinit calls the container program and
> then runs daemons and the rest of the system from containers? Do you
> feel containers offer additional security/stability?

Containers DO NOT add any security. Unsharing resources does. If you are
serious about security, proper privilege separation is the way to go.
But it requires thought and careful design, something chronically
missing in that whole "move fast, break things" crowd.

Stability - no. Unstable and shitty code is going to stay unstable and
shitty, no matter how many layers you wrap it in. A good operating
system will shield one application from misbehaviors of another,
**by default**.

> Just thinking about "cloud" stuff again and daydreaming about servers.

Yes, this is where containers shine. The developer writes a Dockerfile,
builds and tests the image on his laptop, does it work? :shipit:

Then the sysop guy just clicks around on the GCP admin panel to spin up
a Kubernetes cluster, points it at the image, and voilà, fuken deployed.

For me, as a sysop, the image/container workflow finally makes the pain
of deploying the unstable and shitty code to production bearable,
because it confines the unimaginably imaginative developers' inventions
into a conceptually simple and uniform package. Finally I only have to
deal with one kind of crap, as opposed to 20 different kinds of crap.

I welcome containers with ovations and fanfares.

> I suppose with a system as small as suckless offers it might be a moot
> point by the time you fire up several VM instances. VMs would add a
> semi-redundancy in the event of a single failure in that it wouldn't
> take down the other services but then you have other issues if the
> system fails anyways right?!

Last time I checked, sta.li was shifting focus to the embedded space.
Maybe I'm too old for this job, but I just... don't run my production
workloads on a bag of potatoes.

Also... Face it. The reason why we have containers is because most
applications are a stinking pile of crap, and we needed a way to confine
them into something manageable. If the people that wrote all of that
shitty code cared about being suckless, they'd have to harakiri.

Now once you have a container, it doesn't matter at all which host OS
it is running under. On AWS, your cluster runs Amazon Linux, some sort
of bastardised CentOS knockoff. On GCP, your clusters run on Debian
Wheezy. (Yes, I WTF'd and LOL'd, but hey, if it works, it ain't broke.)
Is there any difference? No, the Docker daemon is a single, statically
linked binary.

<3,K.
Received on Fri Sep 23 2016 - 22:48:55 CEST
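The security point in the reply above ("unsharing resources does", "proper privilege separation"), as an added C example that is not part of the thread: the isolation is a few kernel calls, unshare(2) for a private network namespace and a real/effective/saved setresgid/setresuid drop that the process cannot undo. It assumes Linux with glibc; uid/gid 65534 is an assumed placeholder for an unprivileged account when the program starts as root.

```c
/* Added example (not from the thread): what actually isolates a process is
 * unshare(2) plus an irrevocable id drop. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Detach into a fresh network namespace. Returns 0 on success, else errno
 * (EPERM without CAP_SYS_ADMIN or under seccomp, EINVAL if unsupported). */
int try_unshare_net(void)
{
    return unshare(CLONE_NEWNET) == 0 ? 0 : errno;
}

/* Drop to uid/gid in the only order that works: supplementary groups,
 * then gid, then uid. Setting real, effective AND saved ids is what
 * removes the way back; seteuid() alone keeps the saved id as an escape. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return errno;
    if (setresgid(gid, gid, gid) != 0)
        return errno;
    if (setresuid(uid, uid, uid) != 0)
        return errno;
    return 0;
}

/* Post-drop check: 1 if the kernel refuses to hand root back, 0 if still root. */
int cannot_regain_root(void)
{
    if (setresuid(0, 0, 0) == 0)
        return 0;
    return errno == EPERM;
}
int main(void)
{
    int r = try_unshare_net();
    printf("unshare(CLONE_NEWNET): %s\n", r ? strerror(r) : "ok");
    uid_t uid = getuid() ? getuid() : 65534;   /* 65534: assumed placeholder */
    gid_t gid = getgid() ? getgid() : 65534;
    if ((r = drop_privileges(uid, gid)) != 0) {
        fprintf(stderr, "drop: %s\n", strerror(r)); return 1;
    }
    printf("root regain refused: %d\n", cannot_regain_root());
    return 0;
}
```

Run it once as an unprivileged user and once as root: the namespace call only succeeds with CAP_SYS_ADMIN, while the drop is refused in both cases afterwards, which is the separation the reply is talking about.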

This archive was generated by hypermail 2.3.0 : Fri Sep 23 2016 - 23:00:13 CEST