On Fri, Dec 7, 2018 at 11:35 AM John Hanks <griz...@gmail.com> wrote:
>
> But, putting it in a container wouldn't make my life any easier and would,
> in fact, just add yet another layer of something to keep up to date.

i think the theory behind this is that containers allow the sysadmins to kick the can down the road and put the onus of updates on the container developer. but then you get into a circle of trust issue, whereby now you have to trust the container developers are doing something sane and in a timely manner.

a perfect example that we pitched up to our security team was (this was a few years ago, mind you): what happens when someone embeds openssl libraries in the container? who's responsible for updating them? what happens when that container gets abandoned by the dev? and those containers are running with some sort of docker/root privilege menagerie. this was back when openssl had bugs coming up left and right.

yeah, that conversation stopped dead in its tracks and we put a moratorium on docker.

but i don't think the theory lines up with the practice, and that's why devs shouldn't be doing ops

_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf