On Fri, Dec 7, 2018 at 11:35 AM John Hanks <griz...@gmail.com> wrote:
>
>  But, putting it in a container wouldn't make my life any easier and would, 
> in fact, just add yet another layer of something to keep up to date.

i think the theory behind this is that containers allow the sysadmins
to kick the can down the road and put the onus of updates on the
container developer.  but then you get into a circle of trust issue,
whereby now you have to trust the container developers are doing
something sane and in a timely manner.

a perfect example that we pitched up to our security team was (this
was a few years ago mind you); what happens when someone embeds openssl
libraries in the container.  who's responsible for updating them?
what happens when that container gets abandoned by the dev?  and those
containers are running with some sort of docker/root privilege
menagerie.  this was back when openssl had bugs coming up left and
right.  yeah, that conversation stopped dead in its tracks and we put
a moratorium on docker.

but i don't think the theory lines up with the practice, and that's
why devs shouldn't be doing ops
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit 
http://www.beowulf.org/mailman/listinfo/beowulf
