[talk] Containerization

Edward Capriolo edlinuxguru at gmail.com
Sat Apr 8 13:15:24 EDT 2017


On Sat, Apr 8, 2017 at 12:04 PM, Pete Wright <pete at nomadlogic.org> wrote:

>
>
> On 04/08/2017 07:01, Edward Capriolo wrote:
>
>
>
> On Sat, Apr 8, 2017 at 9:38 AM, Jesse Callaway <bonsaime at gmail.com> wrote:
>
>>
>>
>> On Sat, Apr 8, 2017 at 12:19 AM, Sujit K M <kmsujit at gmail.com> wrote:
>>
>>> On Sat, Apr 8, 2017 at 4:17 AM, Mark Saad <mark.saad at ymail.com> wrote:
>>> > All
>>> >    I have a thought experiment head over to
>>> http://99percentinvisible.org/
>>> > and listen to the current talk on containerization ; and how it
>>> transforms
>>> > the dock cities . It has some good background on 70's urban blight
>>> with the
>>> > decline of the dock worker jobs and how this drags the related
>>> economies
>>> > down .  So now think about how this works with regards to computer
>>> > containers. Does docker / vms supplant the old way of hand-rolling
>>> > software ? Do we lose admin jobs like we lost longshoremen? Is a super
>>> > container ship on the horizon for operating systems. It's damn
>>> interesting
>>> > to think about . Does the shipping industry parallel developers and
>>> > administrators dealing with docker and vms ? You decide .
>>> >
>>> Too Much Automation?
>>>
>>> _______________________________________________
>>> talk mailing list
>>> talk at lists.nycbug.org
>>> http://lists.nycbug.org/mailman/listinfo/talk
>>>
>>
>>
>> I used to work for a small web design firm that needed someone to manage
>> their TWO servers, to cram all the customers we could into one box and help
>> troubleshoot email issues, as their dedicated sysadmin. I had seriously a
>> single 100 line bash script that did my job, and the rest of the time I
>> spent tuning our phone system to improve call quality to the SF office.
>>
>> Eventually I had to quit because they couldn't make payroll during a lull
>> in acquiring customers. I don't think this position is available anymore,
>> but the good news is that the people working there continue to make great
>> custom websites. They have absolutely no need for someone in particular to
>> maintain an operating system on a given piece of hardware, and that's great
>> for their business.
>>
>> Now at my current position we have a very small team who manages quite a
>> large amount of infrastructure. Millions and millions of dollars of
>> hardware and networking. However, I've never seen any of it. Someone DOES
>> have the job of racking it all up and replacing broken hard disks on the
>> SAN, but I'll never know who or even what brand of disks they use or even
>> what type of SAN. There are fewer of these jobs per resource managed due to
>> increased efficiency, I would assume.
>>
>> So that small business admin maintaining a LAMP platform is gone. That
>> job doesn't exist. Soon enough, and it's happening right now at my
>> employer, the dedicated DevOps team also will go. Their jobs will be given
>> to three positions which will not go away: the accountant/controller, the
>> security chief (one person), and the application developer who is also
>> interested a bit in plumbing.
>>
>> Remember what "computers" used to be when they were people? No, nobody
>> does. Yes the traditional sysadmin has been replaced by a computer program.
>> There is a rack-and-stack person and a person who designs datacenters and a
>> person who ensures uptime and someone who makes sure the VPN is up. But
>> nobody is upgrading Apache in-place and crossing their fingers.
>>
>> --
>> -jesse
>>
>>
>
> Think about this: FreeBSD ports vs Fedora packages, vs Debian whatevers,
> vs mac freshports. The industry was wasting a lot of time packaging and
> re-packaging things.
>
> I used to use linux vserver which had a similar system to create
> containers:  vserver --create --name mything --ip 34.34.34.34 --src
> rsync:/myweb/server/
>
> Docker just became an easy, efficient way to share packages. It lets the
> people who build the software build a package and distribute to all people
> that have docker. This is much more efficient than having every distro of
> every unix/linux build a package  ./configure && make && make install &&
> customize.
>
> That is why it is winning. Speed/cross platform/ ease of use.
>
> Take for example a piece of software like c-actor framework. The freebsd
> port struggles somewhat because none of the devs are on that platform. The
> user really does not want to take up that burden, they just want to use it.
> If a docker exists you just use that on any platform and you can deploy it
> to amazon container service as well, you're going to be more inclined to use
> that than to get sidetracked into fixing a port, which is not actually what
> you want to do.
>
>
> meh not sure i really agree here - i've seen people struggling to use
> docker in prod (both standalone as well as using Mesos/DCOS and Kubernetes)
> and really they spend more time fighting their tools than actually
> administrating and understanding their infrastructure.  The DCOS team has
> done *3* complete delete/reinstall cycles because it's "easier than
> upgrading" - i.e. they have no idea as to how their infrastructure is
> actually being built.  why are they using DCOS - they think they want
> zookeeper/ha-proxy etc but have no idea as to how to admin it.  not really
> a good recipe for stable infrastructure.
>
> the pure docker team as far as i can tell doesn't have a handle as to what
> bits their images are being built with.  oh ssl vuln we need to patch, well
> time to rebuild all our docker images and re-deploy an entire new stack and
> hope i didn't miss any systems.  oh admin left or cycled ssh keys, well
> configuration management is for fools - we'll just redeploy our entire
> docker infrastructure.
>
> imho there may be valid use cases for jails/containers - but i've rarely
> seen it implemented correctly.  and when i do see it implemented in a sane
> manner it really does look like traditional systems architecture containing:
>
> 1) configuration mgmt is in place with strong auditing/reporting
> 2) detailed auditing of software installed using either native or software
> stack (pip, npm, etc.) packages
>
>
> -pete
>
> --
> Pete Wright <pete at nomadlogic.org>
> @nomadlogicLA
>
> "the pure docker team as far as i can tell doesn't have a handle as to
> what bits their images are being built with.  oh ssl vuln we need to patch,
> well time to rebuild all our docker images and re-deploy an entire new
> stack and hope i didn't miss any systems.  oh admin left or cycled ssh
> keys, well configuration management is for fools - we'll just redeploy our
> entire docker infrastructure."

Also one note, from the developer side. I have a new theory; it is called
the "use cool shit before auditors understand it" theory. The theory is
quite simple:
If you run a standard server your auditors have tools that you MUST run:
tools that scan for vulnerabilities, tools that check whether you can log in as
root, make sure the database is encrypted at rest.  No one wants to deal
with these audits.
So if you use DCOS on Mesos, why? THE ENTIRE THING IS SO NEW THAT NO ONE
UNDERSTANDS IT AND NO AUDIT TOOLS EXIST, SO IT'S ACTUALLY POSSIBLE TO WORK
AND DO COOL SH!T WITHOUT AN ARMY OF PEOPLE FORCING YOU TO FILL OUT CHECK
BOXES LEFT AND RIGHT!

Here is how it works.
SSH server requires patching. Move entire app to docker mesos. There IS NO
SSH SERVER!
Auditor wants list of everyone with login access to database. There is NO
LOGIN ACCESS!

As soon as companies start making audit tools for docker and mesos the
auditors will start ruining that too...

Get ready to move to Lambda!

Crap now hashicorp is making some tool to sell to auditors to manage
Lambda!!

Move to this https://cloudi.org/

Just keep moving to stay one step ahead of the checkbox compliance army...