From: Valeri Galtsev
Subject: Re: Technological advantages over Linux
Date: Sun, 16 Feb 2020 20:46:39 -0600
To: Ihor Antonov
Cc: "@lbutlr", FreeBSD
In-Reply-To: <20200216213229.syxeeerzcrvekj3t@sea-ll-10936>
List-Id: User questions <freebsd-questions@freebsd.org>

> On Feb 16, 2020, at 3:32 PM, Ihor Antonov wrote:
>

Thanks a lot, Ihor, for the nice write-up! It gives those of us who are as ignorant about Linux Docker as I am a general view of things, and an incentive to do our own reading.

Valeri

> On 2020-02-14 13:23, @lbutlr wrote:
>> On 14 Feb 2020, at 09:00, Valeri Galtsev wrote:
>>> In my book docker is really a disadvantage, not advantage, compared to FreeBSD jails
>>
>> Docker has the advantage of convenience and ease of installing/removing dockers, but you trade that for not only poor security, but another application layer between you and the service which itself has had numerous security issues.
>
>
> I've been reading this thread for a while, and now I can't help but
> add my 2 cents:
>
> I am a long-time Linux sysadmin/devops and I work with "docker" on a daily
> basis.
> Reading this thread I got an impression that a lot of folks on the
> BSD side have a vague/wrong/incomplete understanding of Linux containers,
> so I want to introduce more structure into this topic.
>
> First off, "docker" is really a misnomer. Nowadays the Linux world has a
> whole bunch of container tools: moby (former docker), podman, kata
> containers, cri-o etc. Not all of them are equal, some of them are complete
> user ecosystems, and some are just "bare" runtimes. There was a tool
> named "docker" once and the name really stuck, so people
> call things "docker" left and right.
>
> Second, there is no such thing as "linux containers" per se. There are 2
> kernel mechanisms: namespaces (allow isolating a process from the rest
> of the system, like network namespace, user namespace, pid namespace
> etc.) and cgroups (allow limiting resource usage, like cpu, ram, bandwidth).
> Combining various combinations of namespaces and cgroups you get
> "containers". On a low level, what tools like docker et al do is manipulate
> namespaces and cgroups.
>
> The design of namespaces is really the opposite to jails. With
> jails you start with a completely isolated environment and then you can
> add different capabilities if necessary. With namespaces you start with a
> non-isolated process (a process that shares namespaces with the rest of the
> system) and you unshare namespaces one by one. (I can't compare the resource
> limiting part as I am not familiar with how it is done on FreeBSD.)
>
> It does not mean that namespaces are less secure than jails, it is a different
> design, more involved, probably harder to get right, but also more
> flexible.
>
> Before docker it was very hard to use namespaces and cgroups for a
> regular Linux user. There was no one "jail" command.
> There were only
> some system calls and scattered docs. (Well, there was LXC, but not the
> point.)
> What docker did (and was first to do it) is
> provide a very convenient and pretty complete ecosystem to manage
> namespaces and cgroups, including features like:
> - scripting container creation (aka Dockerfile) and sharing it as code
> - sharing compiled images
> - Dockerhub is a centralized location for sharing images (it is just a
>   glorified fileserver that hosts a lot of tar.gz + some indexing)
> - sharing/re-using images (FROM clause in Dockerfile)
> - nice CLI tool to manage containers and images
>
> And it hid deeply the notion of namespaces and cgroups, so regular joes were
> able to use it without learning what kernel mechanisms make it possible.
> Writing a dockerfile is not very different from writing a shell script
> really. It helped widespread adoption of the tool, but with this also
> created a lot of misconceptions too.
>
> One can argue that "docker" is too bloated and is not really secure.
>
> Yes, it is partially true:
> - it makes some choices about how namespaces and cgroups are used, maybe
>   not the way YOU want.
> - It is also a pretty big codebase in golang, that YOU did not audit and
>   which is not really necessary if you want to manage things manually
>   and customize to your needs.
> - Yes, re-using images from the internet also introduces lots of risks.
> - And yes, a big army of regular joes who don't know how the tool works
>   allows misuse, misconfiguration etc.
>
> But if you understand how the kernel works and when you understand your
> requirements it becomes pretty easy to find a proper solution.
>
>
> Now coming to jails. jail is a pretty low level tool. It should not be
> compared to "docker". It can be compared to namespaces though.
>
> I think it would be more productive to compare capabilities of ecosystems.
> - Can you securely sandbox the process with jails or namespaces?
> - Can you easily script sandbox creation?
> - Can you share/re-use recipes or built images?
> - What tools provide more control and what provide more productivity
>   instead?
> - etc...
>
> Where FreeBSD can improve IMHO is building ecosystem tools around jails. iocage and
> Bastille are good projects, doing the right thing. But there are still
> little to no ways to re-use/share images and build recipes
> (AFAIK BastilleBSD is working in that direction). Some might argue that the
> BSD community does not need those - could be.
>
>> I use docker for things that are not very important on machines that
>> are (relatively) unimportant. I would never use it on something like a
>> mail server or web server that has other people’s data on it.
>
> Yes, use bubblewrap instead - really inspired by jails, minimal,
> oriented for maximum security. https://github.com/containers/bubblewrap
>
>
> ------------
> Ihor Antonov

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
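Ihor's description of the namespace model (a process starts fully shared with the host and unshares one namespace kind at a time, user namespace first so that an unprivileged process gains the capabilities the later steps need), as an added example in C that is not code from this thread or from any of the tools it names. It assumes a Linux host with /proc mounted and treats a refused unshare (unprivileged user namespaces disabled, a seccomp filter, an old kernel) as a reported outcome rather than an error, since that is the failure mode a hardened host deliberately produces.

```c
#define _GNU_SOURCE               /* unshare() and CLONE_* sit behind this in <sched.h> */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#ifndef CLONE_NEWUSER             /* fallbacks in case _GNU_SOURCE was seen too late */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWNET  0x40000000
#endif
int unshare(int flags);           /* libc's own prototype; redeclaring it is harmless */
enum ns_step { NS_ISOLATED = 0, NS_DENIED = 1, NS_ERROR = 2 };

/* Inode of /proc/self/ns/<name>: two processes share that namespace kind
 * exactly when these inodes are equal. Returns 0 if it cannot be read. */
unsigned long ns_inode(const char *name) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/ns/%s", name);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Unshare one namespace kind and confirm the process really moved. A refusal
 * (no CAP_SYS_ADMIN, unprivileged user namespaces disabled, a seccomp filter,
 * an old kernel) is reported as NS_DENIED rather than treated as a crash. */
enum ns_step unshare_one(int flag, const char *name) {
    unsigned long before = ns_inode(name);
    if (unshare(flag) != 0)
        return (errno == EPERM || errno == EACCES || errno == EINVAL ||
                errno == ENOSYS) ? NS_DENIED : NS_ERROR;
    return ns_inode(name) != before ? NS_ISOLATED : NS_ERROR;
}

/* Opt in to isolation one kind at a time, user namespace first: creating it
 * needs no privilege and grants the capabilities the later steps require.
 * Returns how many kinds were isolated before the first refusal; every kind
 * after that is still shared with the host. */
int isolate_step_by_step(void) {
    static const struct { int flag; const char *name; } steps[] = {
        { CLONE_NEWUSER, "user" }, { CLONE_NEWUTS, "uts" }, { CLONE_NEWNET, "net" },
    };
    int done = 0;
    for (int i = 0; i < 3; i++) {
        enum ns_step r = unshare_one(steps[i].flag, steps[i].name);
        printf("%-4s: %s\n", steps[i].name,
               r == NS_ISOLATED ? "isolated" : r == NS_DENIED ? "denied" : "error");
        if (r != NS_ISOLATED) break;
        done++;
    }
    return done;
}
```

Run it twice, once as a plain user and once under a container runtime's default seccomp profile, and the count of isolated kinds shows how much of the opt-in model the host policy actually allows a process to use.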