1. i'm using docker
2. i don't use "the cures"
3. nobody "suppresses" ftp
you're retarded
Conversation
Notices
-
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 02:09:35 JST 
mk
-
:gnu:+bonifartius 𒂼𒄄 (bonifartius@qoto.org)'s status on Wednesday, 31-Jan-2024 02:09:36 JST 
:gnu:+bonifartius 𒂼𒄄
@mk @theorytoe you missed the point. containers just make things harder. they are nice rube goldberg machines for shit languages like python which are hell to deploy.
when just installing everything from packages, things will receive timely security patches of the distribution.
when using VMs, one has to upgrade a few VMs for this. not great, not terrible.
with containers one has to hope that some image down the stack will be upgraded to include the fix, while the whole setup provides worse isolation than VMs (which already is prone to leakage). with containers the isolation is essentially the same as for plain linux users and chroot. no improvement. cgroups limiting resource usage can be set by the init system, i think systemd does this already.
containers sure have their use case, but mostly they are a crappy solution waiting for problems.
in the end the image is a meme which makes the point that ftp-ing a directory full of php scripts worked better than all the modern shit.
xianc78 and † top dog :pedomustdie: like this. -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 10:34:04 JST 
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @bonifartius
>what does "running containers" have to do with bare-metal?
lol its literally not bare metal
you are running a process under a hypervisor
thats not bare metal† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:34:05 JST
mk
"containers are a solution to a self-inflicted problem being that people dont want to actually write software that is runable bare-metal"
what does "running containers" have to do with bare-metal? you can run containers within a bare-metal system. it doesn't make sense.
-
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 10:34:06 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@bonifartius @mk
I can attest to this
containers are a solution to a self-inflicted problem being that people dont want to actually write software that is runable bare-metal
for starters, containers provide no security (docker daemon manager process runs as root, therefore on a basic level one would have to be retarded to think that is good security practice -- it is not). secondly docker works fine for prebuilt images, but I have never had a good experience with compose ever, it has always broken stuff and it never works. it is basically a glorified chroot with ""chroot management"" so you can install others rubbish onto your system
as well docker seems to try to plug into load balancing with k8s/k3s and if you have done any level of k8s management you will know it is a nighmare. when you could just run on a few hosts and incorporate a load balancer. this option is way easier on setup but also on maintenance since its just plain old hosts.
if you cant run software bare-metal without hassle its not good software† top dog :pedomustdie: likes this. -
:gnu:+bonifartius 𒂼𒄄 (bonifartius@qoto.org)'s status on Wednesday, 31-Jan-2024 10:38:17 JST
:gnu:+bonifartius 𒂼𒄄
@mk @theorytoe
- vms can use dynamic allocation for years now.
- containers provide absolutely no additional security.running on the host is perfectly fine. it only requires one to know what one is doing, of course.
lastly, i'd be careful to calling other people retard when using "bro".
† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:38:18 JST
mk
your solution is to..what?
run everything in their own VM? -> ressource nightmare
run everything on one host (without container)? -> security nightmarebro..you're retarded.
-
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:38:19 JST
mk
im running a proxmox server with 2 virtual machines (pfsense and docker).
my docker vm hosts these services:
openldap
nextcloud
peertube 1
peertube 2
mastodon
hedgedoc
gogs
excalidraw
elk_cluster
searx
lightning network daemon (testnet)
lightning network daemon (mainnet)
bitcoin fullnode
bitcoin mempool stats
wordpress
mailcow emailserver -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 10:39:17 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@bonifartius @mk plus youre adding more stuff to the dependency chain. If you have more things that could be compromised then that is unequivocally more insecure my pure logic alone † top dog :pedomustdie: likes this. -
:gnu:+bonifartius 𒂼𒄄 (bonifartius@qoto.org)'s status on Wednesday, 31-Jan-2024 10:39:18 JST
:gnu:+bonifartius 𒂼𒄄
@mk @theorytoe
pretty easy, they can't be more safe than the technologies they are composed of. in practice they are more insecure because of the bullshit update mechanisms. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:39:19 JST
mk
"containers provide absolutely no additional security"
then it would be pretty easy for you to proof your statement? i'm waiting.
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 10:43:16 JST 
† top dog :pedomustdie:
@theorytoe @mk @bonifartius
:mfw: SIR, YOU MUST BE RUNNING SHINATOR'S OTHERWISE YOU WILL DIE BECAUSE YOU WONT ADD MORE COMPLEXITY THAT LEADS TO FAILURE. -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 10:47:42 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @bonifartius
yeah, i know that
but docker in itself is still virtualization, even if you arent emulating a full system, you are still virtualizing pretty much everything minus the kernel
its basically vertualization and therefore if you have even a shred of functioning neuron pathways you should be able to realize that† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:47:43 JST
mk
the argument is that docker/containers in general don't have to run within a virtual machine.
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 10:51:42 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius
>complex in what sense
In every sense? its a another layer of shit that will fail on you causing more issuses. It has no real benefits either that a real vm or bare metal have. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:51:44 JST
mk
is your argument that docker is too complex?
complex in what sense?
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 10:55:49 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius Neither since both will result in you being infected, vm's don't have this issues but as i always say never install anything and you will be fine. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 10:55:50 JST
mk
"It has no real benefits"
please answer the question:
"if you've got bad software, would you rather run in inside or outside a container?"
-
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 10:56:12 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
>"if you've got bad software, would you rather run in inside or outside a container?"
id rather not run it at all† top dog :pedomustdie: likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 10:56:18 JST
† top dog :pedomustdie:
@theorytoe @mk @bonifartius Exactly -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:00:58 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius >stop pivotting.
You keep moving goal post though.... And my post has the answer (run it in a vm) -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:00:59 JST
mk
in this senacrio you have to, because your customer is forcing you to do it. stop pivotting.
-
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 11:01:26 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
if a customer is forcing you to make a poor decision thats on you for not telling them that its a bad move
not like that is much of an argument anyway† top dog :pedomustdie: likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:01:27 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius And i can also make a script that can do that on bare metal so what? -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:01:28 JST
mk
is your argument that docker is too complex? -> "In every sense?"
installing software is part of too complex in "every sense", correct?
ok..here's a 10min video that enables noobs to install a bitcoin lightning network daemon that reachable from the internet without the need of:
- a static ip
- a public ip
- a domain name
- a ssl certificate
- portforwarding in the router
- firewall rule in the routerhttps://mastodon.satoshishop.de/@mk/111819231243916351
docker makes it god damn easy.
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:06:46 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius Question, what came first. The software or the container? -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:06:47 JST
mk
i don't believe you.
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:09:52 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius >your customer doesn't want to run 16 VMs, because it's too expensive.
So they don't run anything and the company fails
> 16vm's
YOU DON'T EVEN UNDERSTAND HOW VM's WORK, YOU ARE A FUCKING SHIPPING CONTAINER. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:09:53 JST
mk
your customer doesn't want to run 16 VMs, because it's too expensive.
https://mastodon.satoshishop.de/@mk/111843926971242212
https://mastodon.satoshishop.de/@mk/111844044661439465
we already went through this argument. it's a ressource (and management btw) nightmare.
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:10:32 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius Ansible :columbo_smug: -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:10:34 JST
mk
counter question.
what's got more adoption?
installing shit via docker or bash-scripts?
-
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 11:11:06 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@dcc @mk @bonifartius
or just run 16 processes on the host machine and time, money, and resources 🤡† top dog :pedomustdie: likes this. -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 11:17:49 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
anyway I dont think its worth arguing with a wet sock because this is basically you changing the argument to "support" you without giving concrete refutations of evidence against you so...
have fun being a dockerized fosscuck elsewhere† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:17:50 JST
mk
customer: please run these webapps
- nextcloud
- peertube 1
- peertube 2
- mastodon
- hedgedoc
- gogs
- excalidraw
- elk_cluster
- searx
- lightning network daemon (testnet)
- lightning network daemon (mainnet)
- bitcoin fullnode
- bitcoin mempool stats
- wordpress
- mailcow emailserverplease run these services for me.
you: we'll run 16 operating systems and you gotta pay me for pushing software updates to every one of those.
customer: too expensive
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:18:05 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius You understand THAT A VM HOSTS MORE THAN ONE SERVICE. You can't even make real arguments anymore. Again also YOU DON'T NEED TO RUN VM's OR SHIPPING CONTAINERS. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:33:09 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius So WE HAVE TWO. You seems to want to prove my point more :mel_laugh: -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:33:10 JST
mk
"You understand THAT A VM HOSTS MORE THAN ONE SERVICE."
and if you don't isolate them, one hacked webapp is going take over EVERYTHING !
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:41:28 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius :mfw: 16 SHIPPING CONTAINERS WITH ONE THATS INFECTED ARE SO MUCH BETTER THAN 2 VM's.
You are insane -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:41:29 JST
mk
"You seems to want to prove my point more :mel_laugh:"
how?
-
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 11:50:25 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
yes
and?
if you want security you run all 16 under a vm or you audit your software (or better yet write secure software)† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:50:26 JST
mk
"or just run 16 processes on the host machine"
without containerization?
-
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 11:53:14 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius We already established SHIPPING CONTAINERS dont help with security, and we were talking about having one rouge app (its already know) You really like to make very obvious misinterpretation, your worse than a bad actor you know your part in the script. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 11:53:16 JST
mk
I am team one basket with process isolation (containers)..from the start.
YOU seem to switch teams a lot...
"run it in a vm"
https://annihilation.social/objects/72331913-a20c-4303-ab62-12872b91608d"You understand THAT A VM HOSTS MORE THAN ONE SERVICE."
https://annihilation.social/objects/31ce2e17-11fb-4bb4-b0dd-82e48dde942a -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 12:00:31 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
again, vim != container
plus if any customer is smart enough to know what docker is they probably should manage it themselves...† top dog :pedomustdie: likes this. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 12:00:32 JST
mk
"or just run 16 processes on the host machine"
without containerization?
your answer: yes
---
so you're team one basked (no process isolatin)
great !
-
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 12:05:15 JST
mk
"SHIPPING CONTAINERS dont help with security"
no. you guys just said it a lot..
---
i repeatetly asked for evidence and you didn't provide me anything.
"if it's so unsecure, why did none of you LINK me reallife-examples of hacked processes breaking out of docker containers?"
https://mastodon.satoshishop.de/@mk/111847966227810935"you guys are pretty good at talking and pretty shitty at linking to your sources."
https://mastodon.satoshishop.de/@mk/111844129068587581stop talking, start linking
https://mastodon.satoshishop.de/@mk/111844103725119686† top dog :pedomustdie: repeated this. -
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer) (theorytoe@ak.kyaruc.moe)'s status on Wednesday, 31-Jan-2024 12:05:28 JST
T man :sex: :puffgiga: :puffpowerroll: (epic music enjoyer)
@mk @dcc @bonifartius
>LINK me real-life examples
my retard in christ you have a full ass search engine where you can basically search "docker vulnerabilities" and get endless lists of docker hacks on prod systems.
if OpenBSD, the de-facto standard security, dislikes docker, then maybe you should backpedal and reconsider your midwit take† top dog :pedomustdie: likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Wednesday, 31-Jan-2024 12:07:00 JST
† top dog :pedomustdie:
@mk @theorytoe @bonifartius "if you've got bad software, would you rather run in inside or outside a container?"
You can't even keep a constant story, let alone not just outright lie. -
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 31-Jan-2024 12:07:02 JST
mk
"we were talking about having one rouge app"
nobody in this thread was talking about a "rouge-app". we talked about webapps/processes getting hacked in general. we didn't specify how it's getting hacked.
-
dotnet@loli.church's status on Wednesday, 31-Jan-2024 12:15:06 JST 
dotnet
@theorytoe@ak.kyaruc.moe @mk@mastodon.satoshishop.de @dcc@annihilation.social @bonifartius@qoto.org don't even need vulnerabilities to point to, docker is the sort of thing that sounds neat in theory, but in practice ends up being nothing more than a fuckton of complexity for complexity's sake.
It's the pinnacle of the worst kind of developer behavior. The kind so high on their farts, they think that other developers should have to put up with their bullshit simply because they're developers.
Which seems to be a pretty good description of the guy you're arguing with lol† top dog :pedomustdie: likes this.
-
All 076萌SNS content and data are available under the