Date: Sun, 16 Feb 2020 20:46:39 -0600
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: Ihor Antonov <ihor@antonovs.family>
Cc: "@lbutlr" <kremels@kreme.com>, FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Technological advantages over Linux
Message-ID: <D3713D02-A39F-46C6-98E5-94A4ACDBD3C9@kicp.uchicago.edu>
In-Reply-To: <20200216213229.syxeeerzcrvekj3t@sea-ll-10936>
References: <20200214121620.GA80657@admin.sibptus.ru> <CAEJNuHwRs=6kOK9uiFzEAqCgSgvUb8Xm5o2VWnK-ND_zseowdg@mail.gmail.com> <20200214141600.GA82559@admin.sibptus.ru> <1eb61cba-5e28-e8ea-c418-a06f0f94ec86@kicp.uchicago.edu> <1F2DC40A-8C43-43DF-9168-661FDEC32989@kreme.com> <20200216213229.syxeeerzcrvekj3t@sea-ll-10936>
> On Feb 16, 2020, at 3:32 PM, Ihor Antonov <ihor@antonovs.family> wrote:
>

Thanks a lot, Ihor, for the nice write-up! It gives those of us who are as ignorant about Linux Docker as I am a general view of things, and an incentive to do our own reading.

Valeri

> On 2020-02-14 13:23, @lbutlr wrote:
>> On 14 Feb 2020, at 09:00, Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
>>> In my book docker is really a disadvantage, not an advantage, compared to FreeBSD jails
>>
>> Docker has the advantage of convenience and ease of installing/removing dockers, but you trade that for not only poor security, but another application layer between you and the service which itself has had numerous security issues.
>
>
> I've been reading this thread for a while, and now I can't help but add my 2 cents:
>
> I am a long-time Linux sysadmin/devops and I work with "docker" on a daily basis. Reading this thread I got the impression that a lot of folks on the BSD side have a vague/wrong/incomplete understanding of Linux containers, so I want to introduce more structure into this topic.
>
> First off, "docker" is really a misnomer. Nowadays the Linux world has a whole bunch of container tools: moby (former docker), podman, kata containers, cri-o etc. Not all of them are equal; some of them are complete user ecosystems, and some are just "bare" runtimes. There was a tool named "docker" once and the name really stuck, so people call things "docker" left and right.
>
> Second, there is no such thing as "linux containers" per se. There are 2 kernel mechanisms: namespaces (allow isolating a process from the rest of the system, like network namespace, user namespace, pid namespace etc.) and cgroups (allow limiting resource usage, like cpu, ram, bandwidth). Combining various combinations of namespaces and cgroups you get "containers". On a low level, what tools like docker et al do is manipulate namespaces and cgroups.
>
> The design of namespaces is really the opposite of jails. With jails you start with a completely isolated environment and then you can add different capabilities if necessary. With namespaces you start with a non-isolated process (a process that shares namespaces with the rest of the system) and you unshare namespaces one by one. (I can't compare the resource limiting part as I am not familiar with how it is done on FreeBSD.)
>
> It does not mean that namespaces are less secure than jails; it is a different design, more involved, probably harder to get right, but also more flexible.
>
> Before docker it was very hard to use namespaces and cgroups for a regular Linux user. There was no one "jail" command. There were only some system calls and scattered docs. (Well, there was LXC, but that's not the point.)
> What docker did (and was first to do it) is provide a very convenient and pretty complete ecosystem to manage namespaces and cgroups, including features like:
> - scripting container creation (aka Dockerfile) and sharing it as code
> - sharing compiled images
> - Dockerhub is a centralized location for sharing images (it is just a glorified fileserver that hosts a lot of tar.gz + some indexing)
> - sharing/re-using images (FROM clause in Dockerfile)
> - nice CLI tool to manage containers and images
>
> And it hid deeply the notion of namespaces and cgroups, so regular joes were able to use it without learning what kernel mechanisms make it possible. Writing a dockerfile is not very different from writing a shell script really. It helped the widespread adoption of the tool, but with this it also created a lot of misconceptions.
>
> One can argue that "docker" is too bloated and is not really secure.
>
> Yes, it is partially true:
> - it makes some choices about how namespaces and cgroups are used, maybe not the way YOU want.
> - It is also a pretty big codebase in golang, that YOU did not audit and which is not really necessary if you want to manage things manually and customize to your needs.
> - Yes, re-using images from the internet also introduces lots of risks.
> - And yes, a big army of regular joes who don't know how the tool works allows misuse, misconfiguration etc.
>
> But if you understand how the kernel works and when you understand your requirements it becomes pretty easy to find a proper solution.
>
>
> Now coming to jails. jail is a pretty low level tool. It should not be compared to "docker". It can be compared to namespaces though.
>
> I think it would be more productive to compare capabilities of ecosystems.
> - Can you securely sandbox the process with jails or namespaces?
> - Can you easily script sandbox creation?
> - Can you share/re-use recipes or built images?
> - What tools provide more control and what provides more productivity instead?
> - etc...
>
> Where FreeBSD can improve IMHO is building ecosystem tools around jails. IOCage and Bastille are good projects, doing the right thing. But there are still little to no ways to re-use/share images and build recipes (AFAIK BastilleBSD is working in that direction). Some might argue that the BSD community does not need those - could be.
>
>> I use docker for things that are not very important on machines that
>> are (relatively) unimportant. I would never use it on something like a
>> mail server or web server that has other people's data on it.
>
> Yes, use bubblewrap instead - really inspired by jails, minimal, oriented for maximum security.
> https://github.com/containers/bubblewrap
>
>
> ------------
> Ihor Antonov
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
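Added illustration (not part of this thread, and not code from docker, bubblewrap or any project named above) of the model Ihor describes: a Linux process starts out sharing every namespace with the rest of the system and leaves them one at a time with unshare(2). The program below unshares only the UTS (hostname) namespace in a child, renames the host there, and then checks from the parent that neither the hostname nor the namespace identity in /proc/self/ns/uts changed outside the child. The function name demo_uts_isolation, the return codes and the hostname string "sandboxed-host" are this example's own; it assumes a Linux host where either unprivileged user namespaces are enabled or the program runs as root, and reports NOT_PERMITTED rather than failing when the kernel or a seccomp policy refuses the call.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Repeated prototype: <sched.h> only exposes unshare(2) when _GNU_SOURCE
 * is defined before the first system header is included. */
int unshare(int flags);

/* Outcomes of the demonstration (example-specific codes). */
enum { ISOLATED = 0, NOT_PERMITTED = 1, LEAKED = -1 };

#define NS_LEN 64

/* Read the identity of this process's UTS namespace, e.g. "uts:[4026531838]". */
static int read_uts_ns(char *buf, size_t len) {
    ssize_t n = readlink("/proc/self/ns/uts", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Child side: leave the shared UTS namespace and rename the host there.
 * CLONE_NEWUSER is requested in the same call so that the new UTS namespace
 * is owned by a user namespace in which this unprivileged process holds
 * CAP_SYS_ADMIN. Hosts that forbid unprivileged user namespaces make the
 * call fail (EPERM/EINVAL), which the child reports instead of crashing. */
static int child_rename_host(int out_fd, const char *newname) {
    char ns[NS_LEN];
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0)
        return NOT_PERMITTED;
    if (sethostname(newname, strlen(newname)) != 0)
        return NOT_PERMITTED;
    if (read_uts_ns(ns, sizeof ns) != 0)
        return NOT_PERMITTED;
    /* Tell the parent which UTS namespace we ended up in. */
    if (write(out_fd, ns, strlen(ns) + 1) < 0)
        return NOT_PERMITTED;
    return ISOLATED;
}

/* Parent side: record hostname and namespace id, let a child unshare and
 * rename, then verify that neither changed from the parent's point of view.
 * ISOLATED: rename stayed in the child; NOT_PERMITTED: the environment
 * refused namespace creation; LEAKED: the rename was visible outside. */
int demo_uts_isolation(void) {
    struct utsname before, after;
    char parent_ns[NS_LEN], child_ns[NS_LEN];
    int fds[2];

    if (uname(&before) != 0 || read_uts_ns(parent_ns, sizeof parent_ns) != 0)
        return NOT_PERMITTED;
    if (pipe(fds) != 0)
        return NOT_PERMITTED;

    pid_t pid = fork();
    if (pid < 0)
        return NOT_PERMITTED;
    if (pid == 0) {
        close(fds[0]);
        int rc = child_rename_host(fds[1], "sandboxed-host");
        _exit(rc == ISOLATED ? 0 : 2);
    }
    close(fds[1]);

    /* read() returns 0 (EOF) if the child exits without writing, so this
     * cannot deadlock when the child was refused the namespace. */
    ssize_t n = read(fds[0], child_ns, sizeof child_ns - 1);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return NOT_PERMITTED;
    if (n <= 0)
        return NOT_PERMITTED;
    child_ns[n] = '\0';

    if (uname(&after) != 0)
        return NOT_PERMITTED;
    /* The hostname must be unchanged here, and the child must have been in
     * a different UTS namespace object than the parent. */
    if (strcmp(before.nodename, after.nodename) != 0 || strcmp(parent_ns, child_ns) == 0)
        return LEAKED;
    return ISOLATED;
}

int main(void) {
    int r = demo_uts_isolation();
    if (r == ISOLATED)
        puts("hostname change stayed inside the child's UTS namespace");
    else if (r == NOT_PERMITTED)
        puts("unshare(CLONE_NEWUSER|CLONE_NEWUTS) not permitted here; nothing to verify");
    else
        puts("ISOLATION FAILURE: the child's rename was visible to the parent");
    return r == LEAKED;
}
```

Build with `cc -o nsdemo nsdemo.c && ./nsdemo`. Every other namespace (pid, net, mount, ipc) is still shared with the host after this call, which is exactly the "opposite of jails" point in the quoted message: isolation is opt-in per namespace, and a tool such as docker or bubblewrap is what turns the full set of unshare/cgroup decisions into something a user can apply consistently. A NOT_PERMITTED result is also informative from a defender's side: many hardened hosts deliberately disable unprivileged user namespaces (for example via a sysctl or a seccomp profile) because they widen the kernel attack surface reachable by unprivileged code.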