How's life without Docker?

So the question I'd like to ask the BSD community is: when you're on BSD, do you miss Docker, and in its absence what's your favorite way to spin up and manage services on a server?
I don't miss it; I have never used Docker much in the past. Recently I've been playing around with it a little bit on my own homebrew NAS.

For me it has its pros and cons, like everything. I do see why it's got this mass appeal, because it takes away lots of configuration steps required to get certain things running. Just edit the docker.yml file, pull it and start it. That's quite convenient, and for many less tech-savvy people really a time saver. It makes installing stuff almost as easy as downloading apps on an iPhone.

The downside is of course that you've got to trust the maintainers of these recipes. And if they make bad settings, your Docker instance will have them, too. It means that you know quite a bit less about what's going on on your own machine than before.

Also, when installing a lot of stuff it can happen that you've got 2 Postgres instances running on the same bare metal in parallel, and other things.

The downsides of Docker: in 2019 the top ten most popular Docker images contained at least 30 vulnerabilities... each. I sincerely doubt that has improved.

 
I would not blame the technology here but the vendor(s). If they ship vulnerable container images, they will highly likely ship vulnerable VM images should they offer those, and probably they do not take security seriously anyway, so probably their product is flawed as well. Or probably installation instructions with old Linux distros or libraries. We once had to install a software stack from a vendor who gave us installation instructions which told us to use an Ubuntu LTS version which was EOL two months later (and Ubuntu LTS has a support timeframe of 5 years).
 
But as I said, I noticed how down the road debugging and servicing a running service based on Docker feels more cumbersome compared to Jails/VM/bare metal on most occasions, so I'm reevaluating the actual productivity boost you get from Docker.
Precisely why I stopped using Docker. Jails give so much more freedom when debugging, adding plugins (like smb-client for Nextcloud), and just overall customization of a preferred application environment.
 
Precisely why I stopped using Docker. Jails give so much more freedom when debugging, adding plugins (like smb-client for Nextcloud), and just overall customization of a preferred application environment.
And Jails are the best primitives for containerization. Containers in Linux are an abstraction from namespaces & cgroups, with hardening added in. Jails are first-class citizens in FreeBSD. I see untapped potential here.
 
Docker daemon has been seen and known for being a security issue since day one, so what?
The industrial scale of the disaster is impressive. As a user, I read such news every 2-3 months...
The Linux ecosystem is no longer a cake.
---
Palo Alto Networks specialists have discovered 30 malicious images in the official Docker container repository. The specialists’ “finds” were downloaded more than 20,000,000 times and were engaged in hidden cryptocurrency mining.
---
CrowdStrike analysts have noticed that Docker images downloaded more than 150,000 times were used to organize DDoS attacks against government websites and news organizations in Russia and Belarus.
---
Sysdig experts have found that over 1,600 images on Docker Hub exhibit various malicious behaviors. They may hide cryptocurrency miners, embedded secrets that can be used as backdoors, DNS compromise malware, and website redirectors.
---
Analysts from the RWTH Aachen University have published a study that found that tens of thousands of container images on Docker Hub contain various secrets, putting software, online platforms, and users at risk of mass attacks.
---
A new malware campaign targeting vulnerable Docker services installs the XMRig miner and 9hits application on hacked hosts. As a result, the attackers monetize the hacked systems not only through mining, but also by generating traffic.
---
Hackers are targeting misconfigured Apache Hadoop YARN, Docker, Confluence, and Redis servers with a new Go-based malware that automates the discovery and compromise of new hosts.
---
Palo Alto Networks experts have discovered a strange cryptojacking worm called Graboid, which uses Docker Engine (Community Edition) containers to spread.
---
Aqua Security has reported attacks that have been occurring in recent months. Unknown attackers scan the network for Docker servers that use API ports that are open to anyone, without passwords. These unprotected hosts are eventually compromised and infected with a mining malware called Kinsing.
---
Since 2017, criminals have increasingly attacked Docker and Kubernetes systems, which had already become widespread by that time.
Although such attacks have become commonplace nowadays, many web developers still do not understand how to properly configure Docker, leaving their servers vulnerable to attackers. The most common of these mistakes is leaving API endpoints for remote administration accessible over the Internet without authentication.
In recent years, such vulnerable servers have been actively searched for and infected by Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, Team TNT and other malware, then deploying backdoors or miners on the servers.
Now, specialists from the Chinese company Qihoo 360 have discovered a new malware, Blackrota, which also attacks vulnerable Docker servers. The malware is a simple backdoor Trojan, essentially a simplified version of the CobaltStrike beacon, implemented in the Go language. So far, only a Linux version of the malware has been discovered, and it is unclear how exactly it is used. Researchers are not sure whether there is a Windows version, whether Blackrota is used to mine cryptocurrency, or whether the attackers need powerful cloud servers for DDoS attacks.

---
Researchers from Prevasio analyzed 4,000,000 publicly available Docker images hosted on Docker Hub and found that more than half of them have critical vulnerabilities, and several thousand images contain malicious or potentially dangerous elements.
For the analysis, the specialists used their own Prevasio Analyzer service, which had to work non-stop for a month on 800 machines.
The analysis revealed that 51% of the 4,000,000 images analyzed contain packages or dependencies with at least one critical vulnerability, and another 13% are vulnerable to high-severity bugs.
About 6,400 images (0.16% of the total) were classified as malicious or potentially dangerous due to the presence of malware, cryptocurrency miners, hacking tools, a malicious npm package (flatmap-stream), and Trojan applications. Worse, it turned out that all of these images had been downloaded more than 300,000,000 times. Cryptocurrency miners were found in 44% of the 6,400 containers. While in many cases, developers are honest about their images containing miners, sometimes the miners are hidden.
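The misconfiguration the quoted reports keep coming back to (Kinsing, Blackrota) is a Docker API listener reachable without authentication. Below is an added audit script for a dockerd daemon.json, not code from the thread or from Docker; the sample configurations are constructed, the certificate paths are placeholders, and the option names used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd settings.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the thread). The keys
# are real dockerd options: "hosts", "tls", "tlsverify", "tlscacert", "tlscert",
# "tlskey". The certificate paths are placeholders.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Bind addresses that expose the listener on every interface.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
CERT_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text):
    """Return (severity, message) findings for one daemon.json document."""
    cfg = json.loads(text)
    tls_on = bool(cfg.get("tls"))
    verify = bool(cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        # unix:// and fd:// sockets are guarded by file permissions; only
        # tcp:// listeners can be reached from the network.
        if not host.startswith("tcp://"):
            continue
        bind = urlsplit(host).hostname or ""
        wildcard = bind in WILDCARD_BINDS
        if not verify:
            # Without tlsverify, anyone who reaches the port controls dockerd
            # (tls=true alone only encrypts; it does not authenticate clients).
            sev = "critical" if wildcard else "high"
            why = "TLS without client verification" if tls_on else "no TLS, no auth"
            findings.append((sev, f"{host}: remote API reachable with {why}"))
            continue
        missing = [k for k in CERT_KEYS if not cfg.get(k)]
        if missing:
            findings.append(("high", f"{host}: tlsverify set but missing {missing}"))
        if wildcard:
            findings.append(("medium", f"{host}: bound to all interfaces; restrict it"))
    return findings
```

A listener that passes this check still deserves a firewall rule limiting it to the management network, since client certificates authenticate but do not hide the port.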
 
The industrial scale of the disaster is impressive. As a user, I read such news every 2-3 months...
This is peanuts! PyPI, NPM, Crates, etc. are an order of magnitude worse, because Docker/Podman at least has isolation.

And the container ecosystem has come with solutions like CVE & vulnerability scanners.
 
The vast majority of Linux containers run on Linux, so what's your point? Docker is not virtualization.
No. Docker is Linux (so I would hope the vast majority run on Linux haha!) and to run that on other platforms, that's where virtualization comes in.

WebAssembly is not the first to come up with some kind of portable ABI and it certainly won't be the last to fail at it either.
Linux had containers before Docker with LXC and OpenVZ, so that's not true.
You misunderstood (not sure how because I even mentioned containers existing in the post you quoted...). I stated that the tooling was weak, the official tooling around it was not of the same quality as Jails. Docker made a name for itself by making it "quick n' easy".

The project's page is full of broken links to Covid-19 related sites. How can I trust this?
Just like any open-source project really. It is up to you to audit it. But unless you *really* like the Docker workflow, I wouldn't bother either. Trust the upstream source of the service you want to run. Not some docker image either.
 
And Jails are the best primitives for containerization. Containers in Linux are an abstraction from namespaces & cgroups, with hardening added in. Jails are first-class citizens in FreeBSD. I see untapped potential here.

You misunderstand. Jails are Unix Containers. The very concept came from FreeBSD. It is the de facto model for secure process isolation -> this is the design constraint. This isn't something you can just tack on afterwards. cgroups and namespaces are not containers. It's resource compartmentalization.

The only implementation to succeed Jails is Zones. But even Zones upholds that same design constraint.
 
You misunderstand. Jails are Unix Containers. The very concept came from FreeBSD. It is the de facto model for secure process isolation -> this is the design constraint. This isn't something you can just tack on afterwards. cgroups and namespaces are not containers. It's resource compartmentalization.

The only implementation to succeed Jails is Zones. But even Zones upholds that same design constraint.

Take a look at these projects:
- https://github.com/dfr/ocijail
- https://github.com/samuelkarp/runj

There are people here that don't read the fine blog by the FreeBSD Foundation:

 
Take a look at these projects:
- https://github.com/dfr/ocijail
- https://github.com/samuelkarp/runj

There are people here that don't read the fine blog by the FreeBSD Foundation:


Again, this is all about compliance due to the fact that Linux has more market share and influence in the enterprise. I'm talking about the technology itself. Someone can replace all of this (which is really just a management layer) with BastilleBSD and Ansible. Docker is not (or at least a flavor of) Unix Containers. Linux marketing has confused you.
 
There are people here that don't read the fine blog by the FreeBSD Foundation:
I think some people don't realize it is just our LinuxEmu at play to run Docker/Linux.

And OCI is not Docker+DockerHub so people don't care. Might as well just use a Jail in that case.

Linux marketing has confused you.
This is basically it (or at least Docker marketing). Their angle is "cross platform server management" so I can see why people fall for this fantasy.
 
This is basically it (or at least Docker marketing). Their angle is "cross platform server management" so I can see why people fall for this fantasy.

You can't make this s**t up. Cross-platform in the Linux community means, between Ubuntu, RHEL, Oracle Linux, SLES, etc. It's all the same s**t. It's hilariously stupid. Ugh. lol
 
I think some people don't realize it is just our LinuxEmu at play to run Docker/Linux.

And OCI is not Docker+DockerHub so people don't care. Might as well just use a Jail in that case.


This is basically it (or at least Docker marketing). Their angle is "cross platform server management" so I can see why people fall for this fantasy.
You're mixing and confusing lots of different things.

Podman is docker-cli compatible and reuses lots of code from Docker. You can run FreeBSD containers with it.

OCI is the Open Container Initiative. It's a set of standards or specifications that Docker adheres to.
 
You're mixing and confusing lots of different things.

Podman is docker-cli compatible and reuses lots of code from Docker. You can run FreeBSD containers with it.

OCI is the Open Container Initiative. It's a set of standards or specifications that Docker adheres to.
No. What I stated above still stands fine. Perhaps double check. Again, I think you are misunderstanding.
  • "OCI is not Docker+DockerHub"
  • "Docker {...} to run that on other platforms, thats where virtualization comes in."
  • "podman {...} We have projects like Focker. But that's not enough for what people want."
Cross-platform in the Linux community means, between Ubuntu, RHEL, Oracle Linux, SLES, etc.
People *love* restricting themselves to a single platform and monoculture. It is a compulsion at this point.

This whole thing reminds me of OpenVR and Valve's actual implementation SteamVR (which is the only implementation there will ever be). That's akin to OCI and Docker. It's a clever marketing trick, nothing more.
 
Contrary to common Ubuntu belief, you don't need to wrap a chroot environment around every service or even application. I've been told some clever folks are about to invent shared libraries!
No need, but if you stick to security best practices (the least-privilege principle in this case), you use software in a contained environment.
 
If you want secure containment of applications or in-house services for your customers in production, you should be using FreeBSD. It's one differentiating and practical reason to switch to it. I have yet to see Docker used in production at scale for any web-facing service. "On my laptop" simply doesn't count.
 
If you want secure containment of applications or in-house services for your customers in production, you should be using FreeBSD. It's one differentiating and practical reason to switch to it. I have yet to see Docker used in production at scale for any web-facing service. "On my laptop" simply doesn't count.

Docker got superseded by Kubernetes. Guess which vendor migrated from FreeBSD to Linux to be able to run Kubernetes workloads?

You clearly don't know the industry, so I won't waste any more time on this thread.
 
If you want secure containment of applications or in-house services for your customers in production, you should be using FreeBSD. It's one differentiating and practical reason to switch to it. I have yet to see Docker used in production at scale for any web-facing service. "On my laptop" simply doesn't count.
Since the FreeBSD community always emphasizes Netflix, I assume most here know the company. They heavily rely on Linux containers; most of their work is being done with applications contained in Linux containers.
 
Docker got superseded by Kubernetes.
This kind of stuff is *exactly* why we use FreeBSD. Official tooling is better than constantly flittering between new products.

Guess which vendor migrated from FreeBSD to Linux to be able to run Kubernetes workloads?

You clearly don't know the industry, so I won't waste any more time on this thread.
We know that most of the industry is focused on Linux. But this is a FreeBSD forum. Why were you wasting your time on this thread trying to tell us what everyone already knows? We already chose FreeBSD because it better fits our use cases.

They heavily rely on Linux containers; most of their work is being done with applications contained in Linux containers.
Containers yes; Docker no.

No-one is disputing that containers are good (Many of us use Jails daily). But this thread (via the title) is specifically about Docker. Because that is where the misinformation and marketing has crept in.
 
No-one is disputing that containers are good (Many of us use Jails daily). But this thread (via the title) is specifically about Docker. Because that is where the misinformation and marketing has crept in.
Exactly. It's difficult to distinguish if a person really means Docker, the product or company, or uses the term Docker to describe Linux containers. Docker is legacy, and whenever I talk to CEOs, managers or someone else not very knowledgeable about the container ecosystem in Linux, these people almost always talk about Docker, but actually mean Linux containers.
 
Docker got superseded by Kubernetes. Guess which vendor migrated from FreeBSD to Linux to be able to run Kubernetes workloads?

Moving the goalpost now huh? They switched to Linux for its driver support. This was explicitly stated on their forums.

Besides, Ansible replaces Docker/Kubernetes for orchestration-related tasks. We don't have to switch to an entirely different tool.

You clearly don't know the industry, so I won't waste any more time on this thread.

With Jail Native Computing, companies can become the lubrication of innovation needed for future generations of industry.
 
Since the FreeBSD community always emphasizes Netflix, I assume most here know the company. They heavily rely on Linux containers; most of their work is being done with applications contained in Linux containers.

I read Netflix uses Linux on the frontend due to lack of OpenJDK support on FreeBSD? No?

FreeBSD still does all of the heavy lifting on the internet, however.
 