Date: Sun, 16 Feb 2020 13:32:29 -0800 From: Ihor Antonov <ihor@antonovs.family> To: "@lbutlr" <kremels@kreme.com> Cc: FreeBSD <freebsd-questions@freebsd.org> Subject: Re: Technological advantages over Linux Message-ID: <20200216213229.syxeeerzcrvekj3t@sea-ll-10936> In-Reply-To: <1F2DC40A-8C43-43DF-9168-661FDEC32989@kreme.com> References: <20200214121620.GA80657@admin.sibptus.ru> <CAEJNuHwRs=6kOK9uiFzEAqCgSgvUb8Xm5o2VWnK-ND_zseowdg@mail.gmail.com> <20200214141600.GA82559@admin.sibptus.ru> <1eb61cba-5e28-e8ea-c418-a06f0f94ec86@kicp.uchicago.edu> <1F2DC40A-8C43-43DF-9168-661FDEC32989@kreme.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2020-02-14 13:23, @lbutlr wrote: > On 14 Feb 2020, at 09:00, Valeri Galtsev <galtsev@kicp.uchicago.edu> wr= ote: > > In my book docker is really a disadvantage, not advantage, compared t= o FreeBSD jails >=20 > Dicker has the advantage of convenience and ease of installing/removing= dockers, but you trade that for not only poor security, but another appl= ication layer between you and the service which itself has had numerous s= ecurity issues. =20 I've been reading this tread for a while, and now I can't help but to add my 2 cents: I am long-time Linux sysadmin/devops and I work with "docker" on a daily basis. Reading this thread I got an impression that a lot of folks on BSD side have vague/wrong/incomplete understanding of Linux containers so I want to introduce more structure into this topic. First off, "docker" is really a misnomer. Nowadays linux world has a whole bunch of container tools: moby (former docker), podman, kata containers, cri-o etc. Not all of them are equal, some of them are comple= te user ecosystems, and some are just "bare" runtimes. There was a tool named "docker" once with that name and the name really stuck, so people call things "docker" left and right.=20 Second, there is no such thing as "linux containers" per se. There are 2 kernel mechanisms: namespaces(allow isolating a process from a the rest of the system, like network namespace, user namespace, pid namespace etc) and cgroups(allow limit resource usage, like cpu, ram, bandwitdh). Combing various combinations of namespaces and cgroups you get "containers". On a low level tools like docker et al do is manipulate=20 namespaces and cgroups. The design of namespaces is really the opposite to jails. With jails you start with a completely isolated environment and then you can add different capabilites if necessary. With namespaces you start with non-isolated process (process that shares namespaces with rest of the system) and you unshare namespaces one by one. (I can't compare resource limiiting part as I am not familiar with how it is done on FreeBSD) It does not mean that namespaces are less secure than jails, it is a diff= erent design, more involved, probably harder to get righ, but also more flexible.=20 Before docker it was very hard to use namespaces and cgroups for a regular linux user. There was no one "jail" command. There were only some system calls and scattered docs.(Well there was LXC, but not the point) What docker did(and was first to do it) is provided a very convenient and pretty complete ecosystem to manage namespaces and cgroups, including features like: - scripting container creation (aka Dockerfile) and sharing it as code - sharing compiled images=20 - Dockerhub is a centralized location for sharing images( it is just glorified fileserver that hosts a lot of tar.gz + some indexing ) - sharing/re-using iamges ( FROM clasue in Dockerfile ) - nice CLI tool to manage containers and images And it hid deeply notion of namespaces and cgroups, so regular joes were able to use it without learning what kernel mechanisms make it possible. Writing a dockerfile is not very different from writing a shell script really. It helped widespread adoption of the tool, but with this also created a lot of misconceptions too. One can argue that "docker" is too bloated and is not really secure. Yes, it is partially true:=20 - it makes some choices about how namespaces and cgroups are used, maybe not the way YOU want.=20 - It is also a pretty big codebase in golang, that YOU did not audit and which is not really necessary if you want to manage things manually and customize to you needs.=20 - Yes, re-using images from the internet also introduces lots of risks.=20 - And yes, big army of regular joes who don't know how the tool works allows misuse, miscofiguration etc. But if you understand how it kerlnel works and when you understand your requirements it is becomes pretty easy to find a proper solutoin.=20 Now coming to jails. jail is pretty low level tool. It should not be compared to "docker". It can be compared to namespaces though. I think it would be more productive to compare capabilities of ecosystems= .=20 - Can you securely sandbox the process with jails or namespaces? - Can you easily script sanbox creation? - Can you share/re-use recepies or built images? - What tools provides more control and what provides more productivity insread? - etc... Where FreeBSD can improve IMHO is building ecosystem tools around jails. = IOCage and Bastile are good projects, doing the right thing. But there are still little to none ways to re-use/share images and build recepies (AFAIK BasitleBSD is working in that direction). Some might argue that=20 BSD community does not need those - could be. > I use docker for things that are not very important on machines that > are (relatively) unimportant. I would never use it on something like a > mail server or web server that has other people=E2=80=99s data on it. Yes, use bubblewrap instead - really inspired by jails, minimal, oriented for maximum security. https://github.com/containers/bubblewrap=20 ------------ Ihor Antonov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200216213229.syxeeerzcrvekj3t>