On 10/05/2017 00:53, Martin Hanson wrote:
I have occasionally used virtualization (Qemu) for easy testing of some OS. I have also
played around with "containers" using FreeBSD Jails and Linux LXC, but I have
never ever thought of any of this as a security measure or anything needed beyond
testing.
When I want isolation I run a single box (or boxes) and install OpenBSD on the
bare metal. Then I run whatever services are needed on that box or boxes. I
would then deploy a network with isolated segments.
Now, everyone is telling me I should run Docker and a completely different
setup.
I read up about Docker and found this:
"Containers are a solution to the problem of how to get software to run reliably
when moved from one computing environment to another. This could be from a developer's
laptop to a test environment, from a staging environment into production and perhaps from
a physical machine in a data center to a virtual machine in a private or public
cloud."
"Problems arise when the supporting software environment is not identical, says Solomon
Hykes, the creator of Docker, "You're going to test using Python 2.7, and then it's going
to run on Python 3 in production and something weird will happen. Or you'll rely on the
behavior of a certain version of an SSL library and another one will be installed. You'll run
your tests on Debian and production is on Red Hat and all sorts of weird things happen."
"And it's not just different software that can make a difference, he added, "The
network topology might be different, or the security policies and storage might be different
but the software has to run on it."
What the fuck?! Why in the world would anyone set up Debian as a testing
environment and then use Red Hat in production?! And different network topology?
Are people really that stupid?
If people really are that stupid they shouldn't be allowed near a computer in
the first place and certainly Docker or any container technology isn't going to
solve their problems!
It seems like the OpenBSD project is about the only project left nowadays where
people are still using their brains!

It seems you didn't read the documentation correctly. Do it again,
especially because containers do have their own security issues.
After that, I'm sure you will understand what the given example is
trying to achieve. You can use Debian as your (DEV/TEST) environment
because the image used on Docker will be RedHat based, but using the
kernel you're on. It is possible to do that, although it makes sense to
use the same RedHat as well, at least for QA environments.
Containers (and Docker didn't start as a container itself, but as
tooling to provide easy-to-use containers on Linux) are a different
concept from VMs, because you don't need to run an entire operating system
just to get some isolation between applications. A container takes much
less time to boot than a VM, for example, and should use fewer
resources. Requirements are different too.
But those are not the only benefits. You should read about the relationship
between Docker and DevOps. As always, there is no silver bullet, but those
practices make some things possible and even easier to implement.
On the other hand, yes, all those layers of abstraction (e.g. AWS) leave
some IT professionals without really understanding what they are
doing... whether this will really be a problem in the future is something we
will need to wait and see.