Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] sandboxing web browsers

So your point is that some developers create piss-poor Docker deployments,
and therefore Docker is a piece of shit?. That logic could be applied to
any development system. I've seen plenty of piss-poor coding done in perl,
python, C, Fortran, and every other language I've ever reviewed.

That fact that an incompetent buffoon can misuse a tool to create badly
designed software does not mean that it's impossible for a skilled
programmer to use the tool correctly to create well-designed software.

On Mon, Jun 22, 2015 at 10:40 AM, Richard Pieri <richard.pieri at>

> On 6/21/2015 10:38 PM, Tom Metro wrote:
>> The Docker daemon runs as root. If the non-privileged user starting FF
>> is put in the docker group and allowed to start any container, then yes,
>> they have root. If instead a SetUID script or sudo rule is used to
>> launch a specific container, which does not launch a root shell, then
>> the resulting container and FF process won't have root privileges.
> Docker requires root to initialize containers. It's how Docker was
> designed. It's a known design flaw and the Docker folks have gone on record
> stating that they don't intend to fix it. So, if you're going to let me
> start Docker containers then I will be able to elevate myself to root on
> the host. The only way to stop me is not to let me start Docker containers
> at all.
>  Docker does not work "perfectly well" in the first place in my experience.
>> That may very well be your experience. But some of us use it daily and
>> find that it does the intended job.
> FSVO "intended". My experience is that developers have been using Docker
> to rationalize piss-poor deployment practices. It doesn't matter to them if
> their run time environments are utter hell for users to recreate, just put
> it all in a container and copy the hell everywhere.
> One most egregious example that I've had to deal with, a project called
> ShareLaTeX, their environments are so bad that their containers are the
> only supported way of deploying. So bad that their containers don't work
> outside of their own environments.
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at

John Abreau / Executive Director, Boston Linux & Unix
Email jabr at / WWW / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /