this post was submitted on 21 Oct 2024
64 points (90.0% liked)

Programmer Humor

19652 readers
2205 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 26 points 1 month ago (1 children)

If you think docker/container are for security, you're doing it wrong.

[–] [email protected] 6 points 1 month ago (1 children)

Sure it's for security... securing my host systems, you goomba. You devs being heve hoed out of my deployment and migration is one of the greatest releases ever, next fo busting a nut. Keep your filthy containers and VMs. Stay outta my host systems.

I'm a computer custodian and I absolutely hate the devs. They are maniacs. Harumph.

[–] anzo 1 points 3 weeks ago (1 children)

Docker is not rootless. Is only safe as long as the container (or those web devs) doesn't use nsenter or anything similar to get root access outside of it ;)

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Wrong again, though it is a fairly recent feature and as an answer to Podman and to meet OCI standards.

[–] anzo 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Ah, my bad "again"... should have mentioned that there's the advance configuration option that 1% of the geeks do

[–] [email protected] 1 points 3 weeks ago (1 children)

It's not a question of being a geek, but securing your entire supply chain. If you don't already vet container image layers and cosigning said containers, chances are you're already in risky rivers all the same.

In essence the rooted mode was never that big of a risk when compared to the actual runtimes. Certain attacks don't even care about being in a user container if it deals with breaking the kernel itself, even with SELinux and AppArmor taken into account.

Rootless containers aren't a magic bullet as a result. The only thing that you should concern yourself with is what you're pushing to prod, how you layer your images and cosigning so that you can source... every mess... to every desk jockey junior...

You....

Do not...

Mess with my infra.

1000000363

[–] anzo 2 points 3 weeks ago (1 children)

Indeed. Also, I am concerned about self-hosting enthusiasts that install docker (without the advance rootless mode) and blindly run containers. Sometimes these containers are even made by third parties, independent of the app developers. Unfortunately, the supply chain there is up for grabs...

[–] [email protected] 1 points 3 weeks ago

I can recommend utilizing watchtower for image updates and ChainGuard registry for image layering if someone is using Docker. Watchtower should be fairly easy to implement, even across images, and chainguard meets with governmental and military standards. They are also quite lightweight images, since they've gone over to a new base distro that cuts down on a lot of cruft.

[–] [email protected] 21 points 1 month ago

Eight years old and still hits home for the most part. Nowadays though, what I get is mostly "we're moving to Azure" from clients that have no business in the cloud. Some environments are just not possible to move to a cloud environment without a redesign from scratch.

[–] [email protected] 10 points 1 month ago (6 children)

Not a dev-ops guys, just how useful /useless is docker?

[–] [email protected] 36 points 1 month ago (1 children)

Honestly? Pretty fucking awesome if you get it configured correctly. I don't think it's super useful for production (I prefer chef/vagrant) but for dev boxes it's incredible at producing consistent environments even on different OSes and architectures.

Anything that makes it less painful for a dev to destroy and rebuild an environment that's corrupt or even just a bit spooky pays for itself almost immediately.

[–] MajorHavoc 8 points 1 month ago

I don't think it's super useful for production (I prefer chef/vagrant)

Yeah!

Docker and OCI get abused a lot to thoughtlessly ship a copy of the developer's laptop into production.

Life is so much simpler after taking the time to build thoughtful correct recipes in an orchestration tool.

Anything that makes it less painful for a dev to destroy and rebuild an environment that's corrupt or even just a bit spooky pays for itself almost immediately.

Exactly. The learning curve is mean, but it's worth it quickly as soon as the first mystery bug dies in a rebuild fire.

[–] [email protected] 13 points 1 month ago (1 children)

In my experience, very, but it's also not magic. Being able to package an application with its environment and ship it to any machine that can run Docker is great but it doesn't solve the fact that modern deployment architecture can become extremely complicated, and Docker adds another component that needs configuration and debugging to an already complicated stack.

[–] [email protected] 3 points 1 month ago (1 children)

And a new set of dependency problems depending on the base image. And then fighting layers both to optimize size, and with some image hubs, "why won't it upload that one file change? It's a different file now! The hashes can't possibly be the same!" And having to find hackey ways to slap it so the correct files are in the correct places.

Then manipulating multi-arch manifests to work reliably for other devs in a cross-processor environment so they don't have to know how the sausage works...

[–] RustyShackleford 1 points 1 month ago

so they don't have to know how the sausage ~~works~~ is made...

[–] [email protected] 5 points 1 month ago

Docker came about as the answer to the "it works on my machine" problem. What it does is bundle everything your application should need into a box so that you can run it basically everywhere.

For Dev's this also means that if it runs for you it should run for everyone.

Since docker came out we've had a lot of advancement in compilers & interpreters, it's generally pretty easy to compile to another platform today and it's pretty rare for an interpreter to have a meltdown because of your OS. I imagine we'll see less docker going forwards but enterprise is slow moving.

[–] [email protected] 5 points 1 month ago

Containers are great. Including Docker. I don't like that it modifies firewall rules on its own and I don't like how many projects want you to pass the Docker socket into a container.

[–] [email protected] 5 points 1 month ago

It's a way to provide standard configuration for your programs without one configuration interfering with another.

Honestly, almost all alternatives work better. But docker is the one you can run on any system without large changes.

[–] [email protected] 4 points 1 month ago

I think they’re really useful, there are alternatives that I think have feature parity at this point but the concepts of containerization are the same

[–] [email protected] 6 points 1 month ago (1 children)
[–] RustyShackleford 2 points 1 month ago* (last edited 1 month ago)

You should, you invertebrate node hipster.

┬──┬ ノ( ゜-゜ノ)

(╯°□°)╯︵ ┻━┻

(/s)

[–] [email protected] 3 points 1 month ago

A container in a container...

[–] [email protected] 3 points 1 month ago

Based and vagrant pilled.