Are the containerized applications you’re finally moving into production truly reformed, cloud-ready, and tailored for orchestration and continuous integration? Or are many of them mainly containerized refits of the client/server applications your organization has been using since the Clinton administration?

In a presentation delivered Monday afternoon at Configuration Management Camp 2017 in Gent, Belgium, Puppet senior software engineer Gareth Rushgrove updated his familiar theme of enterprises not really knowing what they’re containerizing. That update brought with it some new and startling evidence that organizations simply containerizing existing legacy workloads are overwhelming those who are taking the opportunity to re-engineer them for efficiency and security.

“I think, among people who just focus on containers and just think about that worldview,” said Rushgrove in a follow-up interview with The New Stack, “the conversations are often being quite idealized.”

Rushgrove suggested that if one were to survey developers, and from that sample determine how many are using scratch containers ― which he characterized as the “ideal” often posited by proponents of new stacks ― or using Nix , or a similar tool, for version control; or using a minimal linux distribution within their containers such as Alpine Linux , one would see a great many hands raised.

“That’s what they’re doing, and that’s what the people around them are doing,” he said. “From seeing what some of our customers and what some larger organizations are doing, pulling their data from GitHub, it’s really not what’s happening in the real world.”

The New Stack and the Big World

Rushgrove was inspired by a recent blog post by Docker contributor David Gageot , who created a SQL query for Google BigQuery capable of extracting the identities of the base Linux images included in containers pushed to the GitHub public archive ― some 281,212 Docker files, by Gageot’s count. Some 9.5 percent of all images queries used the full Ubuntu 14.04 as their base Linux image, and about 19.4 percent of those files in total were shown to include some version of Ubuntu.

Alpine Linux ― an intentionally lightweight distribution suggested, though not necessarily intended, for use in containers ― ranked far lower on Gageot’s list, with the most frequently used version placing #30 among Linux versions, and with “Alpine” showing up in the titles of fewer than two one-hundredths of one percent of Docker files on GitHub.

“Yes, Alpine usage appears to be growing more quickly than other things,” said Rushgrove. “But it’s coming from such a low start.”

Actually, Rushgrove may be intrigued to learn that the preponderance of surveyed developers does not tilt so heavily towards the “ideal.”

“I think, among people who just focus on containers and just think about that worldview … the conversations are often being quite idealized” Gareth Rushgrove

In an August 2016 survey of container developers conducted by container analysis firm Anchore , given a list of 15 container host operating systems including minimalized container-specific kernels, plus “None” and “Other,” some 34.5 percent of respondents said they use Ubuntu, compared to 13.7 percent for CoreOS (now called Container Linux ), 3.6 percent for RancherOS , 1.8 percent for Red Hat Atomic , and 2.5 percent for Ubuntu’s own Core .

As Rushgrove deduced from Gageot’s data, citing one of his slides from Monday, “The majority of people using Docker are using images containing an entire operating system filesystem.” That statement prompted Chef product manager Julian C. Dunn to tweet later that day, “Yeah, this is awful and terrifying.”

Yeah, this is awful and terrifying @garethr #cfgmgmtcamp pic.twitter.com/Eq8QX4LbWh

― Julian C. Dunn (@julian_dunn) February 6, 2017

Ever since Docker first burst onto the scene, there have been suggestions ― and there have also been demonstrations ― that a fully contained Linux kernel hosted by another full Linux kernel, presented an attack surface the size of a large planet. Last December, Aporeto engineer Stefano Stabellini argued in The New Stack that, while such a configuration may be difficult to hack, it may be equally difficult to reliably secure.

Paving the Cow Paths

But speaking with us, Rushgrove surprised us by playing down that concern.

“I think the idea that that’s wrong is sort of misleading,” he said. The container “purist,” in his view, may argue that the ideal of containerization is based on the original Google Borg model . Though Gageot’s data presents startlingly irrefutable evidence that this ideal has not been as widely disseminated as idealists may wish, Rushgrove suggests that the solution to the terror Dunn cited ― rather than step up our evangelism as to why the ideal model is preferable ― is to begin securing the model that organizations are actually choosing.

“The thing that Docker hit on, in particular, was a really easy way for people to use their software inside containers,” he went on, “without having to rebuild the world. And I think the direct result of that path of least resistance is using entire operating system filesystems inside containers. It doesn’t matter whether it’s good or bad, or a better or worse idea. It’s what people are doing for compatibility reasons. It’s what will get us to a world of containers in the real world.”

The real problem that the developer tool community must now face, Rushgrove suggested, deals only partly with security: Tools makers are building and refining their products and

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

主题: LinuxDockerUbuntuGitGitHubSQLCoreOS
分页:12
转载请注明
本文标题:Puppet Engineer: Peeking Inside Containers, You Find the Stack Isn’t All That N ...
本站链接:http://www.codesec.net/view/531876.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(47)