Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] sandboxing web browsers



So your point is that some developers create piss-poor Docker deployments,
and therefore Docker is a piece of shit? That logic could be applied to
any development system. I've seen plenty of piss-poor coding done in perl,
python, C, Fortran, and every other language I've ever reviewed.


The fact that an incompetent buffoon can misuse a tool to create badly
designed software does not mean that it's impossible for a skilled
programmer to use the tool correctly to create well-designed software.


On Mon, Jun 22, 2015 at 10:40 AM, Richard Pieri <richard.pieri at gmail.com>
wrote:

> On 6/21/2015 10:38 PM, Tom Metro wrote:
>
>> The Docker daemon runs as root. If the non-privileged user starting FF
>> is put in the docker group and allowed to start any container, then yes,
>> they have root. If instead a SetUID script or sudo rule is used to
>> launch a specific container, which does not launch a root shell, then
>> the resulting container and FF process won't have root privileges.
>>
>
> Docker requires root to initialize containers. It's how Docker was
> designed. It's a known design flaw and the Docker folks have gone on record
> stating that they don't intend to fix it. So, if you're going to let me
> start Docker containers then I will be able to elevate myself to root on
> the host. The only way to stop me is not to let me start Docker containers
> at all.
>
>
>>> Docker does not work "perfectly well" in the first place in my experience.
>>>
>>
>> That may very well be your experience. But some of us use it daily and
>> find that it does the intended job.
>>
>
> FSVO "intended". My experience is that developers have been using Docker
> to rationalize piss-poor deployment practices. It doesn't matter to them if
> their run time environments are utter hell for users to recreate, just put
> it all in a container and copy the hell everywhere.
>
> One most egregious example that I've had to deal with, a project called
> ShareLaTeX, their environments are so bad that their containers are the
> only supported way of deploying. So bad that their containers don't work
> outside of their own environments.
>
> --
> Rich P.



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
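
The following is an added example, not part of the thread or of any poster's code: a sketch of the "sudo rule that launches one specific container" setup the quoted discussion contrasts with docker group membership. The script name ff-sandbox, the user alice, the image name and the X display :0 are assumptions.

```shell
#!/bin/sh
# Added example: fixed-purpose container launcher, intended to be the only
# Docker-related command a user may run through sudo.
# Assumed sudoers entry (user and path are hypothetical); the trailing ""
# makes sudo refuse any command-line arguments:
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/ff-sandbox ""

DOCKER=${DOCKER:-/usr/bin/docker}   # overridable so the logic can be dry-run
IMAGE="local/firefox:pinned"        # hypothetical image name

# List the accounts in the docker group of a group(5)-format file. Each of
# them can start arbitrary containers through the root-owned daemon.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(",", "\n", $4); print $4 }' "$1"
}

# Run the one permitted container. Every option is hard-coded; nothing
# supplied by the caller reaches the docker command line.
launch_sandbox() {
    if [ "$#" -ne 0 ]; then
        echo "ff-sandbox: arguments are not accepted" >&2
        return 64
    fi
    uid=${SUDO_UID:-}
    case "$uid" in
        ''|*[!0-9]*|0)
            echo "ff-sandbox: run via sudo as a non-root user" >&2
            return 77 ;;
    esac
    # Run as the invoking user's numeric uid, with no capabilities and no
    # way to regain privileges through setuid binaries in the image.
    "$DOCKER" run --rm \
        --user "$uid:$uid" \
        --cap-drop=ALL \
        --security-opt no-new-privileges \
        -e DISPLAY=:0 \
        -v /tmp/.X11-unix:/tmp/.X11-unix:ro \
        "$IMAGE"
}

# Launch only when invoked under the installed name.
case "$0" in
    */ff-sandbox) launch_sandbox "$@" ;;
esac
```

Setting DOCKER=echo prints the command line instead of running it, which is a quick way to review what the wrapper would execute.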



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org