https://upload.academy/ https://www.youtube.com/c/MichaelCrilly
- Learning to manage an operating system in full, and having a healthy amount of paranoia, is a good first step.
- You’ll set yourself up for success if you check the dependencies of anything you run, regardless of it being containerised. Use something like Snyk to scan containers and repositories for known exploits and see if anything stands out.
Then you need to run things with as little privilege as possible. Sadly, Docker and containers in general are an anti-pattern here because they’re about convenience first, security second. So the OP should have run the containers as read-only with tight resource limits and ideally IP restrictions on access if it’s not a public service.
Another thing you can do is use Tailscale, or something like it, to keep things on a zero trust, encrypted access model. Not suitable for public services of course.
And a whole host of other things.
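The read-only, resource-limited, locally-bound container the comment above describes, written out as a Compose file. This is an added example and not the commenter's own configuration: the service names, image tag, UID and port are placeholders, and the "default" service shows the convenience-first shape that published Compose files usually have, beside a hardened version of the same service.

```yaml
# Added example (not from the thread). Image names, tags, UID and port are placeholders.
services:
  # --- Before: the usual "docker compose up" defaults ---
  app-default:
    image: example/app:latest      # unpinned tag: silently changes under you
    ports:
      - "8080:8080"                # listens on every interface of the host

  # --- After: least privilege, read-only, limited, reachable only locally ---
  app-hardened:
    image: example/app:1.2.3       # pin a specific version so scans match what runs
    read_only: true                # root filesystem is read-only
    tmpfs:
      - /tmp                       # writable scratch space only where it is needed
    user: "10001:10001"            # run as a non-root UID/GID inside the container
    cap_drop:
      - ALL                        # drop every Linux capability the image does not need
    security_opt:
      - no-new-privileges:true     # setuid/setcap binaries cannot raise privileges
    pids_limit: 128                # cap the process count (fork bombs, runaway workers)
    mem_limit: 256m                # memory ceiling
    cpus: "0.5"                    # CPU ceiling
    ports:
      - "127.0.0.1:8080:8080"      # bind to loopback only; expose via Tailscale or a reverse proxy
    restart: unless-stopped
```

Binding to 127.0.0.1 is what makes the "IP restrictions" part of the comment concrete: nothing on the public interface can reach the port, and a Tailscale node or a reverse proxy on the same host becomes the only way in. The pinned image tag also pairs with the dependency check mentioned earlier, since `snyk container test example/app:1.2.3` then reports on exactly the image that is deployed rather than whatever `latest` resolved to at scan time.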
- Thanks for only doing this like, ten years later after all the damage is done.
- Very cool.
I started using my IT and data management skills on film sets to provide data security around the footage. It’s been a breath of fresh air to use advanced concepts in a field that’s very hands on and a big team effort. A lot of communication and working together. It’s been great.
- You don’t learn in production. We’re talking about running production workloads here, not a localised lab. You can learn just fine locally with or without docker and other tooling that “eases” deployment of software. But when it comes to production it’s best to have a solid idea of what you’re doing and what a real production system requires.
Sadly, when people learn locally with “docker compose up” that becomes their baseline, their reality, and they believe everything else is taken care of for them. Actually, you’re still running a process that’s bound to a network port (but with extra steps, because you used a container), and the entire ecosystem around that still needs to be secured.
That’s what’s been lost as of late :-(
- Thanks for sharing and clarifying those details :)
And yes, jails are way better, but here we are.
- > Dockerfiles are also an excellent way to distribute FOSS to people who unlike you or I cannot really manage a systems, install software, etc without eventually making a mess or getting lost (i.e. jr developers?).
Read what you just said:
> ... to people who unlike you or I cannot really manage a systems ...
These are people who should not be running systems.
> I build my important images from scratch all the time...
I doubt it, but assuming you're telling the truth, then you're a rare cookie because my clients don't even do that, and they're either government bodies with millions in funding or enterprises with 60,000 employees across the entire globe.
Again, the art of the operating system, and managing it, has been lost. It's been replaced with something that adds even more problems, security or otherwise, for the sake of convenience.
I hope everything works out super well for you, friend.
- You couldn't be further from the truth, though.
What you're saying here is: someone new to this simply uses Docker and everything just works and is fine. The support is heavily reduced (for you, not the user) and so everything is good.
And that mentality is why we have crazy botnets doing terabytes-per-second attacks these days -- your users just firing up a VM, using "docker compose up", and walking away because "it just works". The reality is, that system falls out of date pretty quickly, an exploit is found and patched, but that patch never sees the light of day for that user.
It's awesome you can get a user up and running so quickly, but the sheer amount of work required to actually maintain a server is too much for the average EVE Online player trying to run some ESI tool.
- From another commentator: "Lenovo T480s works great with FreeBSD."
It was a Lenovo T480s :)
- > FreeBSD doesn't afford you any more or less control over how the system works than Linux.
And yet, I'm constantly patching and working around lib issues on Linux (on the desktop), but never with FreeBSD. That's the point being made. Linux is a lot of stuff mashed together to make a system, and it works really well, but FreeBSD is a collection of components carefully curated and maintained as one and works very, very well most of the time.
If Linux works for you, use it. No one is trying to convert you.
- I think that’s true yeah.
- > Yeah ok ... 500 out of 500 supercomputers running Linux ...
So what? Big whoop.
- Sigh. Yes. It’s the boring choice and therefore the better choice a lot of the time. Not all of the time, but most of the time.
Impatience and lost skills is why it’s not a mainstream player.
- Why does it have to? Why does everything have to support everything? Why can’t a project have a focus on servers and that’s its “thing”?
Also it’s OSS — contribute that support if you’re so passionate about it.
- Linux is OK. It’s a mess compared to BSD, but it’s OK. It’s the lazy man’s solution. It’s mainly for people who only want to “docker compose up” and walk away. The art of the OS has been lost. People think the OS is something to be abstracted away as much as possible and it’s evil and hard to secure. Shame.
- I’ve been using it in VMs just fine. Used it on my desktop just fine for a year. Used it on laptops just fine.
You might have just hit a bad hardware setup that’s outside the scope of support. It happens.
- For years and years to come. You’ll never need to update that box, frankly.
- Lovely stuff. The industry would be so much better off if the family of BSDs had more attention and use.
I run some EVE Online services for friends. They have manual install steps for those of us not using containers. Took me half a day to get the stack going on FBSD and that was mostly me making typos and mistakes. So pleased I was able to dodge the “docker compose up” trap.
- I feel like you may never have used it. Would that be true?
- I once upgraded a FreeBSD system from 8 to 12 with a single command. I don’t recall having to reboot — might have needed to.
Can you give that a shot for me on Linux? Could you spin up an Ubuntu 14 VM and do a full system update to 24.04 without problems? Let me know how you go.
I once needed help with a userland utility and the handbook answered the question directly. More impressive was the conversation I had with a kernel developer, who also maintains the userland tools — not because they choose to but because the architecture dictates that the whole system is maintained as a whole.
Can you say the same for Linux? You literally cannot. Only Arch and RedHat (if you can get past the paywall) have anything that comes close to the FreeBSD Handbook.
FreeBSD has a lot going for it. It just sits there and works forever. Linux can do the same, if you maintain it. You barely need to maintain a FreeBSD system outside of updating packages.
Most people who use containers a lot won’t find a home in FreeBSD, and that’s fine. I hope containers never come to the BSD family. Most public images are gross and massive security concerns.
But then, most people who use FreeBSD know you don’t need containers to run multiple software stacks on the same OS, regardless of needing multiple runtimes or library versions. This is a lost art because today you just go “docker compose up” and walk away because everything is taken care of for you… right? Guys? Everything is secure now, right?