How's life without Docker?

With containers there's isolation baked in.
There is much more to security than isolation (which many common Docker containers also fail at).

Many companies are getting wiped out these days. And it is likely because people are spinning up random Docker containers without doing any kind of security audit.

That said, the mindset is broken more than the tech. People could just as easily misuse Jails. Running any public facing service without attention is careless. Whether it is Zones, Docker, Jails, Chroots or otherwise. But to be fair, this is obvious and doesn't need to be stated as such.
 
> With containers there's isolation baked in.
Relying on someone else's isolation environment because it just happens to be there is more lax than intentionally configuring an isolation environment. I've never used Docker, but there's probably a bunch of security things taken for granted like that, which leads to bad habits; I'm thinking that if you were vigilant enough not to fall into those habits eventually, you'd probably not be using Docker to start with :p

I've seen no reason to entertain Docker or containers yet, but they sound like conveniences. Why might someone use nginx's Docker? It can be manually set up on mostly any OS, and it's a worse convenience than just paying someone to cover hosting :p Gotta trust somebody, so it's either the provider I'm paying to provide me with good service (so they're handling it), myself for manual config, or everyone involved with Docker + the Docker image itself. I can vet the software I use, and the provider I pay, but I can only trust Docker overall on an "everyone else uses it so I guess it's trustworthy enough" stance because Docker is huge as a concept and what all it offers (if I can vet the Docker code, I can vet just the software/manual conf way quicker).

BlueSky's PDS is Docker-only; that platform's centralized non-ActivityPub protocol is weird enough, but it's apparently complex enough they can't provide instructions for anyone else to install it so just cover it in a convenient Docker :p
 
> I've seen no reason to entertain Docker or containers yet, but they sound like conveniences. Why might someone use nginx's Docker? It can be manually set up on mostly any OS, and it's a worse convenience than just paying someone to cover hosting :p Gotta trust somebody, so it's either the provider I'm paying to provide me with good service (so they're handling it), myself for manual config, or everyone involved with Docker + the Docker image itself. I can vet the software I use, and the provider I pay, but I can only trust Docker overall on an "everyone else uses it so I guess it's trustworthy enough" stance because Docker is huge as a concept and what all it offers (if I can vet the Docker code, I can vet just the software/manual conf way quicker).

Because customers want our products ready to work, and not to follow a manual on how to instruct their nginx to access our stack. They can use an empty VM for a showcase on a notebook, and run that stuff in prod in the configuration we suggested to them and have tested. Of course they are free to integrate our nginx configuration into their configuration, put all other containers that belong together in a virtual network, and tweak various settings on the database etc., but they do not have to (usually they don't, because we work in an area with strict compliance policies, but for testing, why not).
 
*blink-blink* 'challenge'?! Man, that's a career! Can you imagine the timeframe for a port of something like this coming from a weekend warrior (that must have been developed by a team)? I don't have the C chops for something like that either (some of that is pretty deep stuff), but I'll start looking at it for ideas.

Well, someone did manage to port ZFS to FreeBSD in under a week. Which is a pretty difficult and sensitive task since we're talking storage. With enough dedication and will, it can be done.
 
I took that statement to mean that there should be a reliable, consistent method for creating it. Like a makefile is to the project. So, if you had a need for a thing (e.g. I need a media server) you can download the 'makefile' to spin up a plex jail/media server quickly and consistently (destroy it and remake it 10 minutes later). ...this is what I was going after with my simple jail making scripts.

I could be way off though. Sorry.
I enjoyed the SMF digression. I'm stunned I'm still finding out how much we lost when Oracle bought Sun.

In any case, the SMF discussion is certainly a lot more interesting than the same ol' tedious and predictable Docker evangelism.
 
I'm oblivious to most of the information you guys know because I live under a rock (I had my kids and I didn't have time to play with computers much any more). I went from NetBSD -> OpenBSD -> kids (and then FreeNAS) -> FreeNAS died so now I'm here on FreeBSD trying to learn as fast as I can. I wish I had more experience with the things you guys talk about but sometimes I think it's a blessing.
 
SMF & Docker are completely different things. Why is SMF even mentioned in a thread about Docker? SMF is Solaris' systemd.

Because it is SMF from which Docker borrowed its ideas. Before Docker, Solaris had SMF service instances and dependencies that define how applications are constructed. SMF also included a configuration repository (i.e. Docker Registry, I'm looking at you), where SMF manifests are stored, vetted, and shared amongst individuals locally. This was separated from Zones, so you kept the operational efficiency that administrators needed. In case you didn't know, Jails inspired Zones. Throw in FMA, and you get post mortem debugging down to bare metal. Docker can't do that. But I digress.

Docker is a convoluted mish-mash of separation of concerns to appease hipster developers.
 
> Because it is SMF from which Docker borrowed its ideas. Before Docker, Solaris had SMF service instances and dependencies that define how applications are constructed. SMF also included a configuration repository (i.e. Docker Registry, I'm looking at you), where SMF manifests are stored, vetted, and shared amongst individuals locally. This was separated from Zones, so you kept the operational efficiency that administrators needed. In case you didn't know, Jails inspired Zones. Throw in FMA, and you get post mortem debugging down to bare metal. Docker can't do that. But I digress.
>
> Docker is a convoluted mish-mash of separation of concerns to appease hipster developers.
I worked with both and they're not related in the slightest way.

> I enjoyed the SMF digression. I'm stunned I'm still finding out how much we lost when Oracle bought Sun.
>
> In any case, the SMF discussion is certainly a lot more interesting than the same ol' tedious and predictable Docker evangelism.
I'm aware that containers are abused and I'm not doing Docker evangelism. But I'm tired of all this FUD by people who are clearly misinformed.
 
Docker absolutely has a use-case and market and I personally have used it before. Quick and dirty evaluation of convoluted complex software.

... but then you throw it away and do a proper job of engineering a server.

RAD and prototyping is nothing to be ashamed of. Poorly maintained servers are something to be ashamed of ;)
Again, these are entirely different things.

Docker is more than just servers, because you can run any software on them.
Docker is more than just packaging, because I can run any version of any software I want.
 
> Docker is more than just servers, because you can run any software on them.
Agreed. Any software can be poorly maintained.

> Docker is more than just packaging, because I can run any version of any software I want.

A lot of packaging systems support multiple versions. You don't need Docker for that. But again, I agree, Docker is more than just packaging. It is overkill for that use-case.
 
https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/
Oh, how! The ubiquitous Linux has become hard to take... and we are discussing the death of FreeBSD in the neighboring thread. You should read at least at night how the entire Linux ecosystem is being infected today... I am shocked. There was no such crap 20 years ago, when I started using the CalderaLinux distribution. With such a trend, all Ubuntu containers will soon be eaten by moths. But it is stylish, possible, youthful...
 
> https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/
> Oh, how! The ubiquitous Linux has become hard to take... and we are discussing the death of FreeBSD in the neighboring thread. You should read at least at night how the entire Linux ecosystem is being infected today... I am shocked. There was no such crap 20 years ago, when I started using the CalderaLinux distribution. With such a trend, all Ubuntu containers will soon be eaten by moths. But it is stylish, possible, youthful...

From the article:

> nginx: the propagation malware
>
> This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
Heh, I'm still wondering why someone would use a nginx Docker :p
 
> https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/
> Oh, how! The ubiquitous Linux has become hard to take... and we are discussing the death of FreeBSD in the neighboring thread. You should read at least at night how the entire Linux ecosystem is being infected today... I am shocked. There was no such crap 20 years ago, when I started using the CalderaLinux distribution. With such a trend, all Ubuntu containers will soon be eaten by moths. But it is stylish, possible, youthful...
No Docker installation listens on a network socket by default. The figures are small:
> Analysis of Shodan shows that in April 2025, there were 520 published Docker APIs over port 2375 worldwide.
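The exposure behind the Securelist write-up and the Shodan figure quoted above is a dockerd that answers on TCP 2375 with no TLS and no authentication, which hands root on the host to anyone who can reach the port. The audit script below is an added example, not code from this thread or from the Docker project; it checks a saved `ss -lntp` listing and a daemon.json for exactly that condition. The listener table and the two daemon.json files are constructed for the demo, and the function names `docker_tcp_listeners` and `daemon_json_exposes_api` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host for a Docker daemon
# that publishes its REST API over plaintext TCP. Inputs are files so the
# checks can run against captured output; the samples below are constructed.

# Usage: docker_tcp_listeners FILE   (FILE = saved output of `ss -lntp`)
# Prints every non-loopback TCP 2375 listener owned by dockerd; exit 0 if any.
docker_tcp_listeners() {
    awk '
        $1 == "LISTEN" && $4 ~ /:2375$/ && $4 !~ /^(127\.|\[::1\]:)/ && $0 ~ /"dockerd"/ {
            print $4; found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage: daemon_json_exposes_api FILE   (FILE = /etc/docker/daemon.json)
# Exit 0 if a "hosts" entry uses tcp:// and tlsverify is not switched on.
# (tcp:// on 2376 is acceptable only with "tlsverify": true and a CA cert.)
daemon_json_exposes_api() {
    grep -q 'tcp://' "$1" || return 1
    grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1" && return 1
    return 0
}

# --- constructed samples -------------------------------------------------
SAMPLE_SS=$(mktemp); WEAK_JSON=$(mktemp); SAFE_JSON=$(mktemp)
trap 'rm -f "$SAMPLE_SS" "$WEAK_JSON" "$SAFE_JSON"' EXIT

# A loopback-only 2375 (fine), a wildcard 2375 (bad), and an unrelated nginx.
cat > "$SAMPLE_SS" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*         users:(("dockerd",pid=801,fd=9))
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=801,fd=10))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=902,fd=6))
EOF

# Weak setting: the API on every interface, no TLS, no client auth.
cat > "$WEAK_JSON" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
EOF

# Corrected setting: TLS with mandatory client certificates on 2376.
cat > "$SAFE_JSON" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem" }
EOF

if docker_tcp_listeners "$SAMPLE_SS"; then
    echo "WARNING: dockerd API reachable over plaintext TCP (listed above)"
fi
daemon_json_exposes_api "$WEAK_JSON" && echo "WARNING: weak daemon.json exposes the API"
daemon_json_exposes_api "$SAFE_JSON" || echo "OK: hardened daemon.json requires TLS client certs"
```

Run it against the real files with `ss -lntp > /tmp/ss.txt` and `/etc/docker/daemon.json`. Two caveats: dockerd can also be given `-H tcp://...` through the systemd unit's ExecStart (often a drop-in under /etc/systemd/system/docker.service.d), which this script does not read, and a loopback-only 2375 is still reachable by every local user, which on a single-user box is usually fine but is not equivalent to the root-owned unix socket.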
 
> Heh, I'm still wondering why someone would use a nginx Docker :p
EDIT: And this is malware called "nginx" to hide. It's not the well-known Web server.

Everything is containerized in modern deployment environments. I like to count the layers of virtualization, just for fun.

your code -> Java virtual machine -> dockerized Linux -> EC2 virtual machine running some other Linux? -> hardware? (There probably are more layers.)

And then there's the Kubernetes monstrosity that tries to manage the virtualization circus. I try to learn as little as possible about it, but I couldn't help learning that this "mesh" network scheme still needs an external load balancer!
 
> EDIT: And this is malware called "nginx" to hide. It's not the well-known Web server.
>
> Everything is containerized in modern deployment environments. I like to count the layers of virtualization, just for fun.
>
> your code -> Java virtual machine -> dockerized Linux -> EC2 virtual machine running some other Linux? -> hardware? (There probably are more layers.)
>
> And then there's the Kubernetes monstrosity that tries to manage the virtualization circus. I try to learn as little as possible about it, but I couldn't help learning that this "mesh" network scheme still needs an external load balancer!

Docker doesn't add any real layer because it's not virtualization. The container shares the same kernel with the host. The only thing Docker does is set up the chroot-on-steroids that containers are, with namespaces and cgroups, and then harden it with seccomp + SELinux/AppArmor.

Virtualization with containers can be done with Kata Containers though.
 
> Docker doesn't add any real layer because it's not virtualization.
Docker (Linux) requires virtualization/emulation to work on any OS that isn't Linux.

Just like Jails (FreeBSD) requires virtualization/emulation to work on any OS that isn't FreeBSD.

Both are effectively chroots on steroids. Many of us on these forums prefer to avoid messy Linux so go with the latter.

(If Linux was a proper OS and had official tooling around its containers, I doubt Docker as a product would even exist).
 
> Docker (Linux) requires virtualization/emulation to work on any OS that isn't Linux.
>
> Just like Jails (FreeBSD) requires virtualization/emulation to work on any OS that isn't FreeBSD.
The vast majority of Linux containers run on Linux, so what's your point? Docker is not virtualization.

> (If Linux was a proper OS and had official tooling around its containers, I doubt Docker as a product would even exist).
Linux had containers before Docker with LXC and OpenVZ, so that's not true.

This is what Docker's co-founder said:

> If WASM+WASI existed in 2008, we wouldn't have needed to create Docker. That's how important it is. Webassembly on the server is the future of computing. A standardized system interface was the missing link. Let's hope WASI is up to the task!

https://x.com/solomonstre/status/1111004913222324225
 