I think there is something lost in translation between what Docker does and what people think it does. The magic of things just working is powerful, which is part of Docker’s success as well as the success of backwards-compatible systems like the Windows API. I agree that Docker is a lame way to provide primary software distribution, but I think it serves a valid purpose as try-it-out software distribution. The part that freaks me out is the insane amount of trust in public Docker registries. One bad egg with a container escape zero-day and it’s all over.
Using containers from public registries is no worse than using third-party software. In both cases there’s a risk of malicious code. The big difference is that for containers you can scan the image before running it, SBOMs are becoming ubiquitous so dependency vulnerabilities are easier to detect, and runtime protection software is more effective on containers because each container has a deterministic expected behaviour, making it easier to find deviations. I’d much rather manage runtime controls for containers than craft SELinux policies.
The bottom line (which the OP article misses) is that while individual container configurations require more effort to set up, the additional work to manage them at scale is low, whereas compliance for host-based installs is requiring more and more effort. In fact, given how popular curl | sh ... is becoming for host-based installs, I’d argue that they are regressing in terms of safety and reproducibility.
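The "deterministic expected behaviour" argument above, as an added illustration that is not from the thread: learn an allowlist of executed binaries and outbound connections from a trusted run of one image, then report anything the same image does later that was not in that allowlist. The event shape is loosely modelled on Falco-style JSON but is constructed, as are the image names and addresses.

```python
"""Behaviour baseline for container images: learn from a known-good run,
then flag deviations. Added example, not from the thread; the event shape
and all values are constructed, loosely modelled on Falco-style JSON."""
import json
from collections import defaultdict

# Constructed events from a trusted staging run of the image (learning window).
KNOWN_GOOD = """
{"image":"registry.example/web:1.4.2","type":"exec","value":"/usr/sbin/nginx"}
{"image":"registry.example/web:1.4.2","type":"exec","value":"/bin/sh"}
{"image":"registry.example/web:1.4.2","type":"connect","value":"10.0.0.5:5432"}
"""

# Constructed events from production, including two things the image never did before.
OBSERVED = """
{"image":"registry.example/web:1.4.2","type":"exec","value":"/usr/sbin/nginx"}
{"image":"registry.example/web:1.4.2","type":"connect","value":"10.0.0.5:5432"}
{"image":"registry.example/web:1.4.2","type":"exec","value":"/usr/bin/curl"}
{"image":"registry.example/web:1.4.2","type":"connect","value":"203.0.113.9:443"}
{"image":"registry.example/other:2.0","type":"exec","value":"/bin/ls"}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(text):
    """Map image -> event type -> set of values seen during the trusted run."""
    baseline = defaultdict(lambda: defaultdict(set))
    for ev in parse_events(text):
        baseline[ev["image"]][ev["type"]].add(ev["value"])
    return baseline

def find_deviations(text, baseline):
    """Return (image, type, value) for events outside the baseline.
    An image with no baseline at all is reported as 'no-baseline' per event."""
    findings = []
    for ev in parse_events(text):
        expected = baseline.get(ev["image"])  # .get does not create a default entry
        if expected is None:
            findings.append((ev["image"], "no-baseline", ev["value"]))
        elif ev["value"] not in expected.get(ev["type"], set()):
            findings.append((ev["image"], ev["type"], ev["value"]))
    return findings

if __name__ == "__main__":
    for finding in find_deviations(OBSERVED, build_baseline(KNOWN_GOOD)):
        print("deviation:", *finding)
```

A real deployment would learn the baseline over many runs and key it on the image digest rather than the tag, since a tag can be re-pointed at a different image.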