
lainchan archive - /λ/ - 22663

File: 1490532074275.png (346.78 KB, 166x300, Strip-Nous-sommes-tous-Full-stack-english650-final.jpg)

No.22663

Traditional Linux admin here with OpenStack experience. Why should I care about containers? This seems like a developer thing that after 4 years of LXC and prayer cults has turned into something I now have to support at the system level. As a Linux sysadmin I can't find a reason I'd use this instead of KVM.

-Panic a container, you've panicked the hypervisor.

-Give access to the Docker hypervisor? That's root access on the system.

-The hypervisor host has to maintain a Rube Goldberg machine of iptables to route and load-balance port traffic.

-Rarely do traditional developers even begin to understand Docker or microservices; they're just going to pack everything into the container and turn it into a mini-VM.

  No.22666

I always thought the same thing.

Maybe I am a dumbass but I always thought a simple chroot jail was plenty.

  No.22667

When containers are done in a sane way they are stable and easier to manage than VMs. FreeBSD jails solve all the problems you listed but won't make people more security-conscious.

  No.22678

>>22667
This lainon gets it. Solaris Zones are schway af as well. If you're able to deal with slowlaris' soykaf.

It's just Linux containers that suck. And don't even mention Docker. That's a disaster waiting to happen.

  No.22679

>>22678
>disaster waiting to happen
How so? The people where I work seem pretty enthusiastic about it.

  No.22680

Containers are much more lightweight than a full VM, so if you don't need all the separation (and overhead) that VMs provide, they are a good choice.

  No.22681

>>22666
To implement proper containering, you need more than just chroot.

If you're on lunix, try chroot + process namespacing + only bind-mounting in the necessary things, and link stuff through some kind of defined message-passing only.
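The recipe in the post above (a filesystem jail, process namespacing, bind-mount only what is needed), as an added example in C that is not from the thread or from any project mentioned in it. It assumes a Linux host with unprivileged user namespaces enabled; the rootfs path /tmp/r, the list of host directories exposed, the hostname "minibox" and the BIND_DIRS list are assumptions for the demonstration. It goes one step past the post by replacing the old root with pivot_root and unmounting it, rather than a plain chroot, so there is no host tree left underneath for a process that becomes root inside to walk back into.

```c
/* Minimal sandbox: filesystem jail + user/mount/pid/net/ipc/uts namespaces,
 * exposing only a few host directories read-only. Added example, not from the
 * thread. Assumes Linux with unprivileged user namespaces enabled; ROOTFS and
 * BIND_DIRS are assumptions for the demo (any existing dir, e.g. /tmp/r).
 * Build: cc -O2 -Wall -o minibox minibox.c ; run: ./minibox /tmp/r /bin/sh */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEW* */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Host directories the sandbox may see (read-only, nosuid, nodev); nothing else. */
static const char *const BIND_DIRS[] = { "/usr", "/lib", "/lib64", "/bin" };
#define NBIND (sizeof BIND_DIRS / sizeof BIND_DIRS[0])

/* Namespaces that turn a filesystem jail into a container. */
int sandbox_ns_flags(void) {
    return CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWIPC | CLONE_NEWUTS;
}

/* One /proc/<pid>/{uid,gid}_map line: "<inside> <outside> <count>\n". Length or -1. */
int format_id_map(char *buf, size_t n, unsigned inside, unsigned outside, unsigned count) {
    int r = snprintf(buf, n, "%u %u %u\n", inside, outside, count);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

/* Path of a bind-mount target inside the rootfs. Length or -1 if truncated. */
int bind_target(char *buf, size_t n, const char *rootfs, const char *dir) {
    int r = snprintf(buf, n, "%s%s", rootfs, dir);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* Enter the namespaces and map our own uid/gid to root inside them: the one
 * mapping an unprivileged process is allowed to write for itself. */
static int enter_namespaces(void) {
    unsigned uid = getuid(), gid = getgid();   /* read before they become unmapped */
    char line[64];
    if (syscall(SYS_unshare, sandbox_ns_flags()) < 0) return -1;
    format_id_map(line, sizeof line, 0, uid, 1);
    if (write_str("/proc/self/uid_map", line) < 0) return -1;
    if (write_str("/proc/self/setgroups", "deny") < 0) return -1;  /* required before gid_map */
    format_id_map(line, sizeof line, 0, gid, 1);
    return write_str("/proc/self/gid_map", line);
}

/* Build the filesystem view, then swap roots so the host tree is gone, not just hidden. */
static int build_rootfs(const char *rootfs) {
    char tgt[4096], old[4096];
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -1;     /* no propagation to host */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;   /* pivot_root wants a mount point */
    for (size_t i = 0; i < NBIND; i++) {
        if (access(BIND_DIRS[i], F_OK) != 0) continue;                        /* e.g. no /lib64 on this host */
        if (bind_target(tgt, sizeof tgt, rootfs, BIND_DIRS[i]) < 0) return -1;
        if (mkdir(tgt, 0755) < 0 && errno != EEXIST) return -1;
        if (mount(BIND_DIRS[i], tgt, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
        /* bind flags only take effect on a remount */
        if (mount(NULL, tgt, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV, NULL) < 0) return -1;
    }
    if (bind_target(tgt, sizeof tgt, rootfs, "/proc") < 0 || (mkdir(tgt, 0555) < 0 && errno != EEXIST)) return -1;
    if (bind_target(old, sizeof old, rootfs, "/.old") < 0 || (mkdir(old, 0700) < 0 && errno != EEXIST)) return -1;
    if (syscall(SYS_pivot_root, rootfs, old) < 0 || chdir("/") < 0) return -1;
    if (umount2("/.old", MNT_DETACH) < 0) return -1;                         /* drop the host root */
    return rmdir("/.old");
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s ROOTFS CMD [ARGS...]\n", argv[0]); return 2; }
    if (enter_namespaces() < 0) { perror("namespaces"); return 1; }
    if (build_rootfs(argv[1]) < 0) { perror("rootfs"); return 1; }
    pid_t pid = fork();                      /* first child in the new pid ns is pid 1 */
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        /* /proc must be mounted by a member of the new pid ns to show only that ns */
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) { perror("proc"); _exit(1); }
        sethostname("minibox", 7);
        execv(argv[2], argv + 2);
        perror("exec");
        _exit(127);
    }
    int st = 0;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}
```

Inside, `id` reports uid 0, `ps` shows only the sandboxed processes, there is no network interface but lo, and /etc, /home and /var simply do not exist. The part the post's "message-passing only" asks for is not automatic: with CLONE_NEWNET the sandbox has no network at all, so anything it must talk to has to be handed in deliberately, for example as a bind-mounted unix socket directory.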

  No.22684

>>22681
Protip: firejail is the best tool for this.

  No.22685

>>22679
As OP mentioned:

> give access to the docker hypervisor? thats root access on the system


I personally don't like that.

Subuids might (or might not at all) help, but I'm still pretty sure they're not turned on by default, and even if you turn them on all the containers run with the same mapping.

> The people where I work seem pretty enthusiastic about it.


The hype is still strong and people tend not to care about security as long as it is the latest and most hyped thing.

> rarely do traditional developers even begin to understand docker or microservices, theyre just going to pack everything into the container and turn it into a mini-VM.


Yeah, that is like kicking dead whales down the beach. It was primarily made for scaling cloud soykaf, just slapping everything into a docker for no reason just doesn't make sense.
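The "same mapping" point above can be checked directly on a host. The added example below (mine, not from the thread or from Docker) parses the /proc/<pid>/uid_map of two container init processes, reports which host uid each container's root really is, and says whether the two host ranges overlap. The sample maps inside it are constructed, not read from a real host, and show three cases: no user namespace at all (container root is host root), one shared range handed to every container (the uid 100000 range and the name dockremap are the conventional values from /etc/subuid, assumed here), and a distinct range per container. Finding the pids with `docker inspect -f '{{.State.Pid}}' NAME` is the only Docker-specific part and is left to the shell.

```c
/* Which host uid is "root" in a container, and do two containers share host
 * ids? Added example, not from the thread or from Docker. Reads the
 * /proc/<pid>/uid_map of two container init processes, e.g.
 *   ./uidmapcheck /proc/$(docker inspect -f '{{.State.Pid}}' a)/uid_map \
 *                 /proc/$(docker inspect -f '{{.State.Pid}}' b)/uid_map
 * With no arguments it runs on constructed sample maps (not from a real host). */
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 8
struct idrange { unsigned inside, outside, count; };
struct idmap { struct idrange r[MAX_RANGES]; size_t n; };

/* Parse uid_map/gid_map text ("<inside> <outside> <count>" per line). Returns lines parsed. */
size_t parse_id_map(const char *text, struct idmap *m) {
    const char *p = text;
    m->n = 0;
    while (*p && m->n < MAX_RANGES) {
        struct idrange r;
        int used = 0;
        if (sscanf(p, "%u %u %u%n", &r.inside, &r.outside, &r.count, &used) != 3) break;
        m->r[m->n++] = r;
        p += used;
        while (*p == '\n' || *p == ' ' || *p == '\t') p++;
    }
    return m->n;
}

/* Host uid that container uid `in` maps to, or -1 if it is unmapped
 * (it then shows up as the overflow uid, 65534 by default, on the host). */
long host_uid(const struct idmap *m, unsigned in) {
    for (size_t i = 0; i < m->n; i++)
        if (in >= m->r[i].inside && in - m->r[i].inside < m->r[i].count)
            return (long)m->r[i].outside + (long)(in - m->r[i].inside);
    return -1;
}

/* 1 if some host uid is usable from both containers: a file written as that
 * uid by one of them is owned, as the host sees it, by a uid the other can run as. */
int maps_overlap(const struct idmap *a, const struct idmap *b) {
    for (size_t i = 0; i < a->n; i++)
        for (size_t j = 0; j < b->n; j++) {
            unsigned long long lo_a = a->r[i].outside, hi_a = lo_a + a->r[i].count;
            unsigned long long lo_b = b->r[j].outside, hi_b = lo_b + b->r[j].count;
            if ((lo_a > lo_b ? lo_a : lo_b) < (hi_a < hi_b ? hi_a : hi_b)) return 1;
        }
    return 0;
}

static int read_map_file(const char *path, struct idmap *m) {
    char buf[1024];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    return parse_id_map(buf, m) ? 0 : -1;
}

static void report(const char *label, const struct idmap *m) {
    printf("%-26s root inside is host uid %ld\n", label, host_uid(m, 0));
}

int main(int argc, char **argv) {
    struct idmap a, b;
    if (argc == 3) {
        if (read_map_file(argv[1], &a) < 0 || read_map_file(argv[2], &b) < 0) { perror("uid_map"); return 1; }
        report("first map:", &a);
        report("second map:", &b);
        printf("  ranges overlap: %s\n", maps_overlap(&a, &b) ? "yes" : "no");
        return 0;
    }
    /* Constructed samples. No user namespace: root is host root. Shared remap:
     * every container gets the same single range. Per-container: a runtime
     * would have to hand each container its own range to avoid the overlap. */
    struct idmap no_userns, per_container;
    parse_id_map("         0          0 4294967295\n", &no_userns);
    parse_id_map("         0     100000      65536\n", &a);   /* container A, shared range */
    parse_id_map("         0     100000      65536\n", &b);   /* container B, same mapping */
    parse_id_map("         0     165536      65536\n", &per_container);
    report("no user namespace:", &no_userns);
    report("shared remap, A and B:", &a);
    printf("  A and B share host uids: %s\n", maps_overlap(&a, &b) ? "yes" : "no");
    printf("  A vs per-container range: %s\n", maps_overlap(&a, &per_container) ? "yes" : "no");
    return 0;
}
```

The first sample line, `0 0 4294967295`, is what any process shows when no user namespace is in use: container uid 0 is host uid 0, which is the situation the post objects to. The shared range is better (container root is an unprivileged host uid) but, as the post says, it is one mapping for every container, so the check reports the two containers as overlapping.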

  No.22686

The current direction of this conversation makes it more appropriate for /tech/, but I'd like to see it steered in a programming direction if this isn't wanted.

  No.22691

>>22663

Including UI design, outside of how elements load in "the stack", makes as much sense as including customer relations as part of the stack.

  No.22692

>>22686

Dude, mods need to calm down; you've killed some half-decent threads and boards and now you wonder why your userbase is shrinking.

  No.22695


>>22686
Okay, OP here,
so, better question:
What is an infrastructure task in Linux that could be turned into a Docker/Kubernetes instance and offered in a microservice context? As I see it, microservices are the exclusive realm of developers, not operations, but my job listings all demand I understand Docker/Kubernetes/Rancher/etc.

  No.22696

>>22695
Microservices are specifically made for a given context. It's a "style" of making a service; you can't turn something into one. Well, that's a lie, the devs could, but no one is going to ask ops to chop up a big Rails project into microservices, and it's pretty much impossible without rewriting it. The devs basically just write the microservice and give it to you. Usually it's already in a Docker container because it makes hooking it up to all the other ones a lot easier.


Docker isn't just a microservice thing though; it's more about putting each program (or a microservice) into its own container. You could dockerize (containerize?) a WordPress install: a container for MySQL, one for the PHP app, one for nginx. Or do the same for a mail server, or an IRC server.

  No.22697

>>22696
>>22695

The microservice/container distinction is a symptom of Linux's poor (Unix clone) design.

  No.22698

>>22686
I think so too, but you should just silently move it (it barely affects the discussion) rather than just block it, as you've been doing (I may be using selective memory or lacking context for those other threads though, in case I'm wrong about this).
But yeah, the subject is essentially sysadmin, isn't it?

  No.22699

I don't know anything about it, but I assume it's like apps: everything is an app now, container is the new app. Where is the app store for containers? Container store, please.

  No.22700

A microservice is like a bastardised Erlang process, except nobody understood this when they got popular, and now we've got a whole new load of bullsoykaf to deal with.