Serverless computing the biggest threat to containers?

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Serverless computing the biggest threat to containers?

#1 Post by Flash »

Why serverless computing is one of the biggest threats to containers
Containers are booming, but still require developers to bother with servers. This is paving the way for more enterprise adoption of serverless.

By Matt Asay | May 3, 2018

Even as KubeCon Europe got off to a rollicking start with over 4,000 attendees, Brian Leroux, founder of Begin and erstwhile PhoneGap developer, was quietly coding at home in San Francisco, happy to not have to be bothered with containers at all.

"Things I won't be doing today," he wrote on Twitter, "Provision[ing] an instance, spawn[ing] additional instances, us[ing] ssh to investigate an instance, [or] roll[ing] upgrades to a fleet of instances."

His secret? Serverless.

Today, the furor over Kubernetes (and containers, generally) is loud, and rightly so: Containers mark a demonstrably better way to build applications, with Kubernetes the runaway leader for making it easy to manage those containers at scale. And yet, as Cloud Native Computing Foundation (CNCF) data suggests, Kubernetes, despite making containers easier, is still too hard for some, with plenty of enterprises jumping straight to serverless to get all the benefits of containers without having to think about containers...
I have no idea what containers are or why anyone would get excited about them, but Barry seems to be interested in them.

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

#2 Post by nosystemdthanks »

they're a security feature in bsd forever, and lately they've gotten huge in the gnu/linux server market and thus all the hype. note that gnu/linux containers are inferior (more vulnerable) to the bsd ones, at least in theory.

full disclaimer: i don't presently use bsd, i've never really used it except possibly in routers and once briefly on a laptop, but credit where credit is due. i use gnu/linux (it suits my needs better, but its containers are not as secure as the bsd ones.)

there are different levels of "container" and chroot is included, so you're probably familiar with that. but that's only partial filesystem isolation.

you're probably familiar with the term "sandbox" which is at least conceptually similar, though the thing about technical terms is that if you compare them to try to help someone out, people will jump in and say "NO, THOSE ARE DIFFERENT and here's how." fine, but whatever.

someone who dislikes pdf readers (i make a lot of interesting friends) suggests i only open pdfs from a firejail, which is a common container utility in many distros (probably already a pet package.) at a guess, barry wants to create something that has more of this by default (android does that.) i've looked at his design plans/blog about it.

so i figure (still guessing) that barry's design would be like using firejail on more things, except you don't have to be as explicit/manual/tedious about it.

and that's great, since everyone runs as root and this will probably help mitigate the problems with that a bit. i don't pretend to know what he's thinking, or exactly what he said, i'm just commenting on possible advantages of it.

i would note that firejail is proposed by pale moon fans (i used pale moon until recently) as a way to isolate browsing/scripts from the rest of the computer.

i think that's a fine idea, but it's not a replacement for noscript (which is what it's being treated as.)

noscript prevents a lot of bad scripts from running, while firejail helps isolate the damage they can do. some of the threats noscript protects you from are cross-site vulnerabilities, which firejail won't help with as they're between sites and/or tabs.

noscript also makes the browser a lot more efficient because the cpu/resources otherwise used by those scripts are not used; so firejail won't really help with that either.

as a technology it's cool, but as a noscript "replacement" (which it wasn't designed as) it only has a portion of the utility that noscript does. it's almost completely unrelated to noscript otherwise.

cloud technology is full of corporate hype, though i'm sure if you're in the server business this is really great stuff that makes it easier to do business-- sometimes.

on a server you can isolate pieces of infrastructure (server programs, website scripts, databases) better with containers. for barry this is about locally-running software on a single-user machine; the main difference really is scale.

one of the primary jobs of an operating system is to manage processes. containers isolate processes, which presumably makes them more manageable-- like filling an open space office floorplan with cubicles, except for software.

maybe the most exciting thing though is cpu quotas, which i believe are just as optional as disk quotas. regardless of barry's plans, i could very possibly take whatever he does and make the simple tweak (unless he decides to create this feature himself) to make it so that no process ever uses more than 50% or 75% of the cpu.

even if i just ran the browser with that setup, it's a huge cpu hog sometimes and it would not be able to suddenly take over the rest of the machine due to a runaway script or 1080p/4k hd video. it would ask the os for the resources and the os would say "yeah, no-- i'm busy. you can have half of that." so that at least is sort of exciting. i really hate web browsers. some very cool ideas, increasingly awful implementations.

nour

Re: Serverless computing the biggest threat to containers?

#3 Post by nour »

Flash wrote:Why serverless computing is one of the biggest threats to containers
Containers are booming, but still require developers to bother with servers. This is paving the way for more enterprise adoption of serverless.

By Matt Asay | May 3, 2018

Even as KubeCon Europe got off to a rollicking start with over 4,000 attendees, Brian Leroux, founder of Begin and erstwhile PhoneGap developer, was quietly coding at home in San Francisco, happy to not have to be bothered with containers at all.

"Things I won't be doing today," he wrote on Twitter, "Provision[ing] an instance, spawn[ing] additional instances, us[ing] ssh to investigate an instance, [or] roll[ing] upgrades to a fleet of instances."

His secret? Serverless.

Today, the furor over Kubernetes (and containers, generally) is loud, and rightly so: Containers mark a demonstrably better way to build applications, with Kubernetes the runaway leader for making it easy to manage those containers at scale. And yet, as Cloud Native Computing Foundation (CNCF) data suggests, Kubernetes, despite making containers easier, is still too hard for some, with plenty of enterprises jumping straight to serverless to get all the benefits of containers without having to think about containers...
I have no idea what containers are or why anyone would get excited about them, but Barry seems to be interested in them.
Containers are a very great current technology that allows you to host several OSes on the same machine, but in a more efficient way than classic virtual machines such as VirtualBox.
I don't think that serverless is a competitor to containers; in fact they work together very well because they aim at different goals.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#4 Post by rufwoof »

As in the 'Cloud' where you can be locally data-less, storing it all on someone else's servers, so serverless is similar, except for functions (apps). Pay per use, no need to buy and maintain your own servers, just fire off a function into the cloud and be allocated CPU/memory to perform the action and return the result. Presumably those cloud servers would have their own security measures installed, such as running functions within containers/jails/whatever.

Barry's container in effect creates a chroot. Normally for a chroot you need to populate that with an OS that will run inside it before firing it up (running (chroot into) it). For EasyOS however it just loads the main OS sfs (like puppy.sfs) within that, so very quick and takes up very little additional space (in effect just pointers). The container also has its own save area, separate from the main system's save area. Whilst you still run as root within the container (you can alternatively set it to run as a different userid), various security measures are applied, such as dropping capabilities, unsharing things, even running a separate X session (Xephyr) ... such that the root inside the container is very restricted in what it can do ... comparable to a (very) restricted userid. Run a flawed browser for instance within that and even if the flaw permits remote access to root ... that root userid is highly restricted in what it can do - in effect - contained.

With Barry's containers you can create snapshots, so for instance one container session will have the main OS sfs loaded and its save area. Create an sfs of that container's save area and you have a backup of that snapshot. Later you might roll back to that snapshot - in effect clear out the existing save area and restore the content of the prior snapshot sfs as the save area. Barry has it set up so you can very easily roll back, forward ...etc. to whichever container snapshot(s) you desire (in a similar vein you can also create snapshots of the main (real) root's save area and restore those as/when desired/appropriate).

In Puppy for instance you might boot and use it, and then not save at the end. In EasyOS you'd instead boot, take a snapshot, use it, then at the end restore the snapshot ... to comparable effect as not having saved anything. Somewhat like a multisession CD pup, but easier to roll back/forward to any snapshot (save session).
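The ingredients listed in the post above (a chroot, unshared namespaces, dropped capabilities while still running as root) assembled into one launcher, as an added example that is not EasyOS's own code. It assumes util-linux unshare(1), libcap capsh(1), and an already populated root directory (the path /mnt/easy is a placeholder) containing /bin/bash; the real launch needs root, the dry run does not.

```shell
#!/bin/sh
# Added illustration, not EasyOS code: run a program inside a chroot with its
# own mount/pid/ipc/uts namespaces and a reduced capability bounding set.
# Assumes util-linux unshare(1) and libcap capsh(1); the chroot must contain
# /bin/bash because capsh hands the command to bash. Root is required to run
# it for real; composing and printing the command line (dry run) is not.

set -eu

# Capabilities a contained desktop program should lose even though it runs
# as root inside the chroot: once out of the bounding set they cannot be
# regained by any later exec, so a compromised browser stays "contained".
DROP_CAPS="cap_sys_admin,cap_sys_module,cap_sys_rawio,cap_sys_ptrace,cap_net_admin,cap_sys_boot,cap_mknod,cap_setfcap,cap_sys_time"

# Compose the launcher command line for ROOTDIR and CMD... and print it.
# unshare gives new mount, pid, ipc and uts namespaces and mounts a fresh
# /proc inside the chroot (the network namespace is deliberately shared so a
# browser still has connectivity); capsh then chroots, drops the capabilities
# above from the bounding set and runs CMD via bash -c.
contain_cmd() {
  rootdir=$1; shift
  printf 'unshare --mount --pid --fork --mount-proc=%s/proc --ipc --uts' "$rootdir"
  printf " capsh --chroot=%s --drop=%s -- -c '%s'\n" "$rootdir" "$DROP_CAPS" "$*"
}

# Launch for real (root required), e.g.: contain_run /mnt/easy firefox
contain_run() {
  eval "$(contain_cmd "$@")"
}

# Dry run: show what would be executed for a placeholder root directory.
contain_cmd /mnt/easy firefox
```

Inspect the printed line before using contain_run; anything the program must reach (X socket, a separate save area) has to be bind-mounted into the chroot beforehand, which this launcher does not do.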

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#5 Post by Flash »

Very intriguing. Thank you for that explanation.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

With EasyOS container snapshots you can roll back (or forward) without having to reboot. You just shut down the container, do the rollback, and then restart the container. For the main system, after any rollbacks you have to reboot the system.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

For a desktop setup, instead of using containers, which are relatively complex and add a whole set of additional code/configuration where bugs may be apparent (security vulnerabilities are just bugs that potentially permit security to be breached), you can instead isolate within the main session.

With a modern browser you can do many things with that; chromium for instance caters for watching videos, playing music, PDF viewing, and if you use online services that expands to being an office (google docs), calculator, text editor ... etc.

What I do in OpenBSD is more or less only run X in order to run chromium. X is set to run as a restricted userid (Xenodm is OBSD's version of X) and within that I run chromium, which has all sorts of container-like controls within that (Pledge to restrict memory/system access, Unveil to restrict folder access ...etc.). As added security I also turn off all setuid scripts from 'others'. That environment is pretty secure, no different to how normal users are restricted from elevating privileges. For everything else I use cli (ctrl-alt-F4 or whatever and log in), using tmux for multiple windows, mc as the file manager and text editor, and a tput menu that I use to run common commands such as rebooting, power down ...etc.

In effect that is somewhat 'serverless', i.e. X and the browser are 'contained' and that combination is used to run other things such as office (word processor, spreadsheet), PDF viewing, music playing, video watching ...etc. ... so they're all 'contained' as well. A benefit is that all runs very quickly (often virtualisation or containment impacts graphical speeds), and keeps potential bugs/security vulnerabilities to a minimum.

An issue however is that whilst that may be locally secure, you transfer containment/security onto a third party. googledocs for instance is great for collaboration etc. but using that as an office suite means you're entrusting/reliant upon their servers' security and their practices. Personally I don't trust google, so for sensitive documents what I tend to do is use a text editor to create/edit them, use the browser to highlight spelling mistakes, add some basic html to lay it out as desired, and then print the document to a PDF that is stored locally. i.e. I only create/store things in the Cloud that I care little about if that content were seen by others, whilst sensitive documents are all stored locally.