Posted on Saturday June 12, 2021
Recently, my job has required me to become familiar with Docker containers and the general concepts behind containerization. I've had some feelings about this.
Whenever my coworkers and I are asked to immerse ourselves in a new technology or set of concepts, we'll be stressed by the development. Hard-shifting to a new way of thinking is difficult, especially at a company with a major "we've always done it this way" problem. Grasping new ideas to the point of being able to implement them in any kind of professional capacity takes serious effort. On top of this, we've still got to perform our usual work-related tasks. All in all, it's a substantial personal burden, and one that employers are of course happy to ask us to shoulder.
Why not just contract a consultant who's an expert in the matter? Ah yeah, that whole capitalist greed thing: why spend more when you can just ask your employees to work harder?
On the other hand, this kind of scenario is incredibly helpful when it comes to professional development (read: shit I can put on a resume). I'm being given permission to expand my skill set on company time on the assertion that it will benefit my current employer (which it will). Now, however, when I inevitably need to find new work in a couple of years, I've got a background in containerization (more or less). At least I'm getting something out of this.
Going into this project I really had no idea what the notion of "containerization" entailed. All I knew was that it was yet another tech-bro marketing buzzword that my boss had caught a whiff of, so I resented the idea. Why should I have to put in extra effort to learn to use another vapid fad tech?
I had a few questions going into this that I thought I'd try and answer by the end of the week. The rest of this post will be concerned with those, and my attempts to answer them.
Please understand that I'm still very new to all of this, so my explanations will most likely be insufficient and/or inaccurate.
Containerization lets you deploy and run applications in a neat little package, with all of their libraries and environmental requirements bundled into a single file. Applications that are run this way are securely isolated from one another in the same manner as traditional VMs ought to be, but without the bulky overhead of running an entire operating system for each instance.
The best way I can think of to conceptualize containers is in terms of how regular software is compiled and linked. Building a container is sort of like statically linking not just the libraries that the application uses, but also the environment variables, filesystem, and underlying OS plumbing. The result is a thing you can run anywhere, without requiring the use of external (i.e. shared) libraries, *or* shared filesystems *or* shared OS features (because the image brings all of that with it).
Kind of, yes, but missing a few bulky parts, so it's more lightweight. It's faster to start up and shut down as well because it's not running an entire OS kernel.
Because those are more expensive to run and maintain. Beyond that I'm not sure.
- panda-roux -
[2021-07-17 22:05:38] Supernova (0da44):
Oh yes, I had to learn docker for a new job 3 years ago. I'm still learning new stuff about it. It does add some security features but also has some things that need to be hardened better. For example many docker containers run as root, so if these containers get access back to the host, they have root on the host! I recommend running the Docker Bench for Security audit found here: https://github.com/docker/docker-bench-security which checks your dockers against the CIS docker benchmark. It will tell you things that should be hardened.
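As an added example (not part of this thread, and not docker-bench-security's own code), a small POSIX shell check for the point Supernova raises: list which running containers are configured to run as root. It assumes the "name<TAB>user" line shape produced by `docker inspect --format`, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag containers whose configured user resolves to uid 0.
# Input lines are "name<TAB>user", as produced by:
#   docker inspect --format '{{.Name}}{{"\t"}}{{.Config.User}}' <container ids>
# (.Name carries a leading slash, e.g. "/web".)

# Return 0 (true) if a Config.User value means the process runs as uid 0.
# Docker treats an empty User as root; "root", "0", "0:0", "0:<group>" and
# "root:<group>" all resolve to uid 0 as well.
runs_as_root() {
    case "$1" in
        ''|root|0)   return 0 ;;
        root:*|0:*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Read "name<TAB>user" lines on stdin and print the names of the containers
# that run as root, one per line.
root_containers() {
    while IFS="$(printf '\t')" read -r name user; do
        [ -n "$name" ] || continue
        if runs_as_root "$user"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of inspect output: two root containers by omission
# (empty user), one by explicit uid, one by name, and two non-root ones.
sample_inspect_output() {
    printf '/web\t\n'
    printf '/api\tappuser\n'
    printf '/db\t0:0\n'
    printf '/cron\troot\n'
    printf '/proxy\t1000:1000\n'
    printf '/cache\tredis\n'
}

# Run the same check against a live Docker daemon (needs the docker CLI and
# a reachable daemon; returns non-zero otherwise).
audit_live() {
    ids=$(docker ps -q) || return 1
    [ -n "$ids" ] || return 0
    # shellcheck disable=SC2086
    docker inspect --format '{{.Name}}{{"\t"}}{{.Config.User}}' $ids | root_containers
}
```

Source the file and run `sample_inspect_output | root_containers` to see the classification on the constructed data, or `audit_live` against a real daemon; anything it prints is a candidate for a `USER` directive in its Dockerfile or a `--user` flag at run time.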
[2021-07-17 23:08:41] panda-roux (d8842):
re: Supernova, even in the month since I wrote this post, I have learned a ton; I'd never seen this security benchmark though, so I appreciate the suggestion! I'll be sure to give it a shot this week.
[2021-07-17 23:09:59] panda-roux (d8842):
I think the most eye-opening thing I've since learned about Docker is just how much time I was wasting by not using docker-compose.