【理论Full Flavor】τπεory :verifyblack:
1+
mk

@theorytoe

1. i'm using docker
2. i don't use "the cures"
3. nobody "suppresses" ftp

you're retarded

1+
:gnu:+bonifartius 𒂼𒄄

@mk @theorytoe you missed the point. containers just make things harder. they are nice rube goldberg machines for shit languages like python which are hell to deploy.

when just installing everything from packages, things will receive timely security patches of the distribution.

when using VMs, one has to upgrade a few VMs for this. not great, not terrible.

with containers one has to hope that some image down the stack will be upgraded to include the fix, while the whole setup provides worse isolation than VMs (which already is prone to leakage). with containers the isolation is essentially the same as for plain linux users and chroot. no improvement. cgroups limiting resource usage can be set by the init system, i think systemd does this already.

containers sure have their use case, but mostly they are a crappy solution waiting for problems.

in the end the image is a meme which makes the point that ftp-ing a directory full of php scripts worked better than all the modern shit.

1+
【理论Full Flavor】τπεory :verifyblack:
@bonifartius @mk
I can attest to this
containers are a solution to a self-inflicted problem being that people dont want to actually write software that is runable bare-metal

for starters, containers provide no security (docker daemon manager process runs as root, therefore on a basic level one would have to be retarded to think that is good security practice -- it is not). secondly docker works fine for prebuilt images, but I have never had a good experience with compose ever, it has always broken stuff and it never works. it is basically a glorified chroot with ""chroot management"" so you can install others rubbish onto your system

as well docker seems to try to plug into load balancing with k8s/k3s and if you have done any level of k8s management you will know it is a nighmare. when you could just run on a few hosts and incorporate a load balancer. this option is way easier on setup but also on maintenance since its just plain old hosts.

if you cant run software bare-metal without hassle its not good software
1+
Sexy Moon
@theorytoe @mk @bonifartius lxc containers can be run unprivileged and even root inside the container is an unprivileged user
1+
【理论Full Flavor】τπεory :verifyblack:
@Moon @mk @bonifartius
yeah I keep forgetting about lxc because my debian system is too old to get it working :marseykernelpanic:
or rather lxc is too new
1
Sexy Moon
@theorytoe @mk @bonifartius anyway to contribute to this thread the problem with containers is really the problem with the os which is by default you can access everything not locked down, rather than having no access and needing to be passed in capabilities to do anything.
1
:gnu:+bonifartius 𒂼𒄄
Follow

@Moon @theorytoe @mk well, if things run as root they need to be locked down ;) a user can't do very much given permissions aren't set badly, privileged ports can't be used, etc.

it doesn't help that to do things like using chroot, namespaces, cgroups one has to be root - it means docker or lxc likely will be run as root.

would be nice if more things would use capabilities.

· · 0 · 0 · 0
Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.

Trending now

Resources

Developers

What is Mastodon?

qoto.org

More…

v3.5.19-qoto · Privacy policy