Martin Hanson wrote:
> I have occasionally used virtualization (Qemu) for easy testing of some
> OS. I have also played around with "containers" using FreeBSD Jails
> and Linux LXC, but I have never ever thought of any of this as a
> security measurement or anything needed beyond testing.
>
> When I want isolation I run a single box (or boxes) and install OpenBSD
> on the bare metal. Then I run whatever services are needed on that box
> or boxes. I would then deploy a network with isolated segments.
>
> Now, everyone is telling me I should run Docker and a completely
> different setup.
>
> I read up about Docker and found this:
>
> "Containers are a solution to the problem of how to get software to
> run reliably when moved from one computing environment to another.
> This could be from a developer's laptop to a test environment, from a
> staging environment into production and perhaps from a physical
> machine in a data center to a virtual machine in a private or public
> cloud."
>
> "Problems arise when the supporting software environment is not
> identical," says Solomon Hykes, the creator of Docker. "You're going to
> test using Python 2.7, and then it's going to run on Python 3 in
> production and something weird will happen. Or you'll rely on the
> behavior of a certain version of an SSL library and another one will
> be installed. You'll run your tests on Debian and production is on Red
> Hat and all sorts of weird things happen."
>
> "And it's not just different software that can make a difference," he
> added. "The network topology might be different, or the security
> policies and storage might be different but the software has to run on
> it."
>
> What the fuck?! Why in the world would anyone set up Debian as a testing
> environment and then use Red Hat on production?! And different network
> topology?
>
Let me give you an example. I run Red Hat on all our computing nodes and
clusters in the Lab. Among 90+ people in our crew we have deep-learning
guys who like to use shit like Caffe and TensorFlow

http://caffe.berkeleyvision.org/
https://www.tensorflow.org/

which is research-grade software. We even use shit like

http://www.ros.org/

to collect data. Building such things on Ubuntu, let alone anything else
on which the software has not even been tested, can make a grown man
cry. So guess what my solution is. I use

http://singularity.lbl.gov/

to run an Ubuntu virtual kernel in Red Hat userland (to anybody familiar
with vkernel on DragonFly BSD this should sound familiar) and DOCKER to
install the software we need. Please don't try to read the documentation
for Singularity as the guy is in serious need of some kind of mental
help, or at least a good technical writer on his team.

Our "deliverables" to many government agencies are Docker images. That
is the contract which pays my salary and many others'. Hopefully now it
makes sense.

> Are people really that stupid?
>

I am not a particularly bright guy but I never thought of myself as
stupid. Now that you have brought it to my attention it makes perfect
sense. That is exactly the reason why I am struggling so much to produce
any publications.

Cheers,
Predrag

> If people really are that stupid they shouldn't be allowed near a
> computer in the first place and certainly Docker or any container
> technology isn't going to solve their problems!
>
> It seems like the OpenBSD project is about the only project left
> nowadays where people are still using their brains!