Thoughts on Docker

I like the concept of Docker and containerization in general, but I have some pretty fundamental concerns:

Thought experiments:

  • How many deployed docker images were torn down and redeployed upon the revelation of heartbleed? Of shellshock? In practice, not in theory.
  • How many Docker images are regularly destroyed and redeployed for the purpose of updating their userlands? Again, in reality, even with the most agile orchestration.
  • How many Docker images are actually deployed with a minimal attack surface, that being only the executables and libraries they need, rather than entire userlands?
  • How many Docker images are given to IT/Ops as single filesystem images rather than multi-gigabyte change layers, contributing heavily to wasted storage space?
  • How can Docker images composed of random people’s aging Linux userlands ever be taken seriously in an environment that needs to be kept certified, stable and secure?
  • What is the benefit of Docker given the above, when LXC and Libvirt-LXC performs the same containerization and provides Ops with much greater flexibility in terms of orchestration and change management, and has for years?
  • Dan Walsh of Red Hat has much to say about the security of Docker and LXC containers – the most important statement he makes is that “containers don’t contain” – containers provide no security, they are only useful for the purpose of deploying applications in a manageable way. Given this, is it responsible to use containers based on full Linux filesystems? If you do, you’d better be ready to tear down your ENTIRE stack each and every time a major vulnerability comes to light.

Points worth pondering – these affect the future direction of container technology and shed light on the implications.

Running Systemd within a Docker image

NOTE: This is not for general purpose use – CAP_SYS_ADMIN grants the container a large number of dangerous privileges – this should be used only by a sysadmin (Ops) – not a developer – for the purpose of containerizing infrastructure.

Some of my insights gained on running systemd within docker – I’m aware the general idea is to run a single process, but that’s for developers. I’m a sysadmin, so I know that underlying “docker” as a management system is a full featured Linux namespace/cgroup facility allowing me to run a fully containerized Linux userland.

This is cobbled together from some of the example Dockerfiles provided by Red Hat’s Project Atomic as well as personal research into systemd, unprivileged container limitations, and the Linux capability system. This isn’t guaranteed to work on anything but the latest version of Docker at the time of this post – 1.4.1. May work on a previous version if it has support for –add-cap.

FROM centos:centos7
MAINTAINER "Brad Laue" <brad@brad-x.com>
RUN yum -y update; yum clean all \
yum -y swap -- remove fakesystemd -- install systemd systemd-libs \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
RUN systemctl mask getty.target swap.target
RUN systemctl disable graphical.target; systemctl enable multi-user.target
VOLUME ["/sys/fs/cgroup"]
VOLUME ["/run"]
VOLUME ["/export"]
ENV container=lxc
CMD ["/usr/lib/systemd/systemd"]

Build with:

docker build --rm -t bradlaue/centos-systemd .

Run with:

docker run -ti --cap-add=SYS_ADMIN -e container=lxc bradlaue/centos-systemd

Note this does not require a fully privileged container instance as many seem to indicate – systemd requires only CAP_SYS_ADMIN in order to avoid a segfault.

From here you can build out a container by installing/running standard Linux services in the normal systemd way, including process monitoring.

Pew Research Report – Net Threats

“There are too many institutional players interested in restricting, controlling, and directing ‘ordinary’ people’s ability to make, access, and share knowledge and creative works online — intellectual property rights holders, law enforcement and security agencies, religious and cultural censors, political movements and parties, etc. For a long time I’ve felt that the utopianism, libertarianism, and sheer technological skill of both professional and amateur programmers and engineers would remain the strongest counterbalance to these restrictive institutional pressures, but I’m increasingly unsure as the technologists themselves and their skills are being increasingly restricted, marginalized, and even criminalized.”

http://www.pewinternet.org/files/2014/07/Future-of-the-Internet_Net-Threats_070314.pdf

In A Battle For Web Traffic, Bad Bots Are Going After Grandma : All Tech Considered : NPR

If bad bots were left to their own devices, bad taste would dominate the Web. But, even worse, Kaminsky worries that this kind of advertising fraud is undermining the economics of the Web.

Though people “tend not to like advertisers, advertisers have paid for a network that allows greater interpersonal communication than any other time in history. Who paid for all this free service? They did,” he says.

Kaminsky’s firm works with advertises to fight this problem. He worries that advertisers will go back to the TV or other outlets, which are better protected against fraud.

I honestly wish they would. Such a move would radically change the current state of affairs online for the better. Profit seeking is not a solid modus operandi for building a communication / educational network that can truly benefit people.

http://www.npr.org/blogs/alltechconsidered/2014/07/03/328196199/in-a-battle-for-web-traffic-bad-bots-are-going-after-grandma

Nearly one-third of Americans aren’t ready for the next generation of technology | Science/AAAS

A new survey suggests that the digital divide has been replaced by a gap in digital readiness. It found that nearly 30% of Americans either aren’t digitally literate or don’t trust the Internet. That subgroup tended to be less educated, poorer, and older than the average American.

http://news.sciencemag.org/social-sciences/2014/07/nearly-one-third-americans-arent-ready-next-generation-technology

I would content that the greatest level of technical literacy inspires by far the greatest mistrust in the Internet. Held together by little bits of string and the lies marketing departments try to tell everyone, those with more age / experience are wise to think twice about depending on the Internet to manage their personal lives.

Doing so is a fools errand that younger people haven’t thought through, as is the case with so many other things in their lives.

Wozniak criticizes cloud dependence in light of NSA | CNET

Apple co-founder Steve Wozniak says he has sympathy for companies at odds with the NSA and its surveillance tactics, but that their own dependence on server farms is part of the problem.

“I think most companies, just like Apple, start out young and idealistic,” Wozniak said at the Apps World North America convention here. “But now all these companies are going to the cloud. And with the cloud you don’t have any control.”

Ain’t that the god damn truth.

http://news.cnet.com/8301-13579_3-57618399-37/wozniak-criticizes-cloud-dependence-in-light-of-nsa/?part=rss&subj=news&tag=title

Open Automotive Alliance

If automakers abandon system updates as quickly as cellphone manufacturers do, this will mean vast numbers of cars on the road with always-connected built-in computers with an even larger number of remote execution vulnerabilities than currently exist.

It could also spell trouble down the road for car owners in a new way. As computing features such as navigation and automatic pilot begin to take over the driving experience, will forced obsolescence become the norm? Liability and cost of ownership could become enormous.

http://www.openautoalliance.net/#press

Encrypt the Web Report: Who’s Doing What | Electronic Frontier Foundation

We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption.

Note these encryption methods relate to data in transit. Data at rest is still easily obtainable from the four providers on this chart who got perfect scores.

Your data will never be secure if you give it to other people. This is a basic concept.

https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what#crypto-chart

With over 1 million users and 30PB synced, BitTorrent speeds up Sync, adds iPad support, and debuts an API | TheNextWeb

Back in April, BitTorrent launched its open alpha, after a select 20,000 users managed to sync over 200TB worth of files. When the public beta arrived in July, users had synced 8 petabytes of data using the tool.

This truly is a testament to the gullibility of users. This software hasn’t been vetted at all. “It’s decentralized and keeps your data private, we swear” is all the assurance you get. For over a million people to have bought that line hook line and sinker is really sad.

Don’t trust software that claims to protect your privacy unless it was developed publicly.

Zelizer: Don’t underestimate risks of spying | CNN Opinion

The United States is not alone in facing these risks. One of the reasons Germans have been so sensitive to the recent revelations is their own history of how surveillance has been used aggressively, and violently, to target their own citizens.

Even if the NSA officials play by the rules and regulate themselves, their ability to contain information that could be enormously damaging to the United States and to individual citizens is greatly diminishing in the current era. They no longer are in full control, whatever their intentions might be.

Good article. It goes on to wish for an insightful dialog in order to curb the NSA’s reach. I think that’s naïve to say the least.

http://www.cnn.com/2013/11/04/opinion/zelizer-nsa-surveillance-risks/index.html