[TriLUG] The sad state of sysadmin in the age of containers

Sean Korb via TriLUG trilug at trilug.org
Fri Mar 13 12:22:47 EDT 2015


I also have not had enough coffee today :)

More capabilities means more management and I do think Puppet or another
configuration management tool can be a help rather than an exploitation
tool (though for sure that's what you saw).  So the trick is to dial back
the customer that sees all the cool new stuff and let them know these
issues are not trivial... yet.

I think that one of these conf management tools may become smart enough in
the future to take a more active role in validating and the like from
foreign authors but for now we are going to have to work with what we
have.  Build your own and validate what you believe and trust you have at
all times.  This is the same for VDI or VMWare or vBlock or what have you.
The atomic problems have been automated to be easier but the customer
expects much much more so our jobs are at least as difficult to manage.  We
have to be good at letting people know how difficult it is while ensuring
what we are expressing is real.

So ummm... thanks for expressing what is real :)  I've been thinking about
this quite a bit myself lately.  It's more of a philosophical question than
a technical one I feel.

sean

On Fri, Mar 13, 2015 at 11:20 AM, Sean Alexandre via TriLUG <
trilug at trilug.org> wrote:

> From:
> The sad state of sysadmin in the age of containers
>
> http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html
>
> System administration is in a sad state. It is in a mess.
>
> I'm not complaining about old-school sysadmins. They know how to keep systems
> running, manage update and upgrade paths.
>
> This rant is about containers, prebuilt VMs, and the incredible mess they cause
> because their concept lacks notions of "trust" and "upgrades".
>
> Consider for example Hadoop. Nobody seems to know how to build Hadoop from
> scratch. It's an incredible mess of dependencies, version requirements and
> build tools.
>
> None of these "fancy" tools still builds by a traditional make command. Every
> tool has to come up with their own, incompatible, and non-portable "method of
> the day" of building.
>
> And since nobody is still able to compile things from scratch, everybody just
> downloads precompiled binaries from random websites. Often without any
> authentication or signature.
>
> NSA and virus heaven. You don't need to exploit any security hole anymore. Just
> make an "app" or "VM" or "Docker" image, and have people load your malicious
> binary to their network.
>
> The Hadoop Wiki Page of Debian is a typical example. Essentially, people have
> given up in 2010 to be able to build Hadoop from source for Debian and offer
> nice packages.
>
> To build Apache Bigtop, you apparently first have to install puppet3. Let it
> download magic data from the internet. Then it tries to run sudo puppet to
> enable the NSA backdoors (for example, it will download and install an outdated
> precompiled JDK, because it considers you too stupid to install Java.) And then
> hope the gradle build doesn't throw a 200 line useless backtrace.
>
> I am not joking. It will try to execute commands such as e.g.
>
> /bin/bash -c "wget http://www.scala-lang.org/files/archive/scala-2.10.3.deb ; dpkg -x ./scala-2.10.3.deb /"
>
> Note that it doesn't even install the package properly, but extracts it to your
> root directory. The download does not check any signature, not even SSL
> certificates. (Source: Bigtop puppet manifests)
>
> Even if your build would work, it will involve Maven downloading unsigned
> binary code from the internet, and use that for building.
>
> Instead of writing clean, modular architecture, everything these days morphs
> into a huge mess of interlocked dependencies. Last I checked, the Hadoop
> classpath was already over 100 jars. I bet it is now 150, without even using
> any of the HBaseGiraphFlumeCrunchPigHiveMahoutSolrSparkElasticsearch (or any
> other of the Apache chaos) mess yet.
>
> Stack is the new term for "I have no idea what I'm actually using".
>
> Maven, ivy and sbt are the go-to tools for having your system download unsigned
> binary data from the internet and run it on your computer.
>
> And with containers, this mess gets even worse.
>
> Ever tried to security update a container?
>
> Essentially, the Docker approach boils down to downloading an unsigned binary,
> running it, and hoping it doesn't contain any backdoor into your company's
> network.
>
> Feels like downloading Windows shareware in the 90s to me.
>
> When will the first docker image appear which contains the Ask toolbar? The
> first internet worm spreading via flawed docker images?
>
> Back then, years ago, Linux distributions were trying to provide you with
> a safe operating system. With signed packages, built from a web of trust. Some
> even work on reproducible builds.
>
> But then, everything got Windows-ized. "Apps" were the rage, which you download
> and run, without being concerned about security, or the ability to upgrade the
> application to the next version. Because "you only live once".




-- 
Sean Korb spkorb at spkorb.org http://www.spkorb.org
'65,'68 Mustangs,'68 Cougar,'78 R100/7,'60 Metro,'59 A35,'71 Pantera #1382
"The more you drive, the less intelligent you get" --Miller
"Computers are useless.  They can only give you answers." -P. Picasso
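The quoted Bigtop command (`wget http://... ; dpkg -x pkg.deb /`) is the weak form: plain HTTP, no integrity check, and an extraction straight into `/` that the package database never sees. The script below is an added example written for this archive page, not code from the original post, from Bigtop, or from any of the projects mentioned. It shows the minimum a sysadmin would want in that manifest instead: an HTTPS-only URL, a pinned SHA-256 for the artifact, and a real `dpkg -i` that is only reached after the digest matches. The URL, package name and digest passed to `fetch_and_install` are placeholders the caller supplies; nothing here is a real Scala or Bigtop artifact.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against a pinned SHA-256 before
# installing it, instead of `wget URL ; dpkg -x pkg.deb /` as in the Bigtop
# manifest quoted above. Not from Bigtop or any project on this page.
set -eu

# Print the SHA-256 of a file. Uses sha256sum where present (GNU coreutils),
# falling back to shasum (BSD/macOS). Output is lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only if FILE hashes to EXPECTED_SHA256 (compared case-insensitively).
# The expected digest is the value you pin in version control, not something
# fetched from the same server as the artifact.
verify_artifact() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_install URL EXPECTED_SHA256
# Refuses non-HTTPS URLs, downloads into a private temp dir, verifies the
# digest, and only then installs with `dpkg -i` so the package is tracked
# and upgradeable (unlike `dpkg -x ... /`). Any failure leaves / untouched.
fetch_and_install() {
    url=$1
    expected=$2
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    tmpdir=$(mktemp -d)
    pkg="$tmpdir/$(basename "$url")"
    if ! wget -q -O "$pkg" "$url"; then
        echo "download failed: $url" >&2
        rm -rf "$tmpdir"
        return 1
    fi
    if ! verify_artifact "$pkg" "$expected"; then
        rm -rf "$tmpdir"
        return 1
    fi
    sudo dpkg -i "$pkg"
    rm -rf "$tmpdir"
}

# Usage (placeholder URL and digest, supplied by the caller):
#   fetch_and_install https://example.invalid/pkg.deb <pinned-sha256>
```

A pinned digest is the floor, not the ceiling: it guarantees you installed the bytes you reviewed, but somebody still has to have reviewed them once. Where the upstream publishes detached signatures, `gpg --verify` against a key you obtained out of band is the stronger check, and a distribution package built from source with a signed repository is stronger still, which is the point of the original rant.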

