On 22 Apr 2015, at 21:51, Bobby Moss bobbyjmoss@me.com wrote:
On 22 Apr 2015, at 20:53, Adam Bower adam@thebowery.co.uk wrote:
On Wed, Apr 22, 2015 at 04:29:12PM +0100, Bobby Moss wrote:
That said, RHEL/CentOS 7 now comes with Docker, which removes that temptation as you can do what you like with the container without messing with the host system. Makes app deployment much easier & keeps host secure. It'll be good when this (eventually) becomes the norm.
Good luck with that approach. Having seen the utter shite that people are creating it scares the crap out of me with regard to security.
It's not an insurmountable challenge. For enterprises there are systems like Puppet or Ansible that can handle deployment of Docker containers, app configurations and maintenance of system components. Theory is you keep all instances following consistent security policies and up to date, and any new instances are just as secure as the other in-production systems.
I probably should have mentioned here that some work needs to go into packaging, maintaining & testing components in this way internally. Your link talks of downloading containers & binaries from unknown sources. That's certainly not a good idea!
Admittedly I'm coming at this as a software engineer rather than a sysadmin. It's only through experience I've learned I can't always have the "new shinies" I want to use! lol
Example:
http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-...
Anyone advocating any OS or distro over another because of "security" is quite frankly wrong, they are all insecure and securing them is part of the process of proper deployment.
Of course. But some systems have fewer holes & better commitment to patching vulnerabilities than others. While in theory you could secure any system, I don't think it's invalid to advocate systems that require less work to harden. :)
Adam
main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!