
The sad state of the sysadmin in the era of containers

System administration is now in a sad state. It is in chaos.

I'm not talking about old-school admins; they know how to manage systems and keep up with updates.

The problem is containers, prebuilt virtual machines (ready-made VM images), and the incredible chaos they create, because their whole concept lacks "trust" and "updates".
Let's take a look at Hadoop. Apparently nobody knows how to build Hadoop from source; it is just an enormous pile of dependencies, required build versions and tools.

None of the "big" tools is built with a traditional make. Each one comes with its own non-portable, incompatible build method.

And since nobody knows how to build things from source, everybody simply downloads binaries from random websites, often without even verifying a digital signature.

A paradise for malware and the NSA. No need to exploit security vulnerabilities any more; just make an "app", a "virtual machine" or a "Docker image" and let people download the infected code into their network themselves.

A typical example is the Hadoop Debian packages. Essentially, people gave up trying to build Hadoop from source for Debian and to offer proper packages back in 2010.

Apache Bigtop seems to need puppet3 installed first. Let it download magic data from the Internet and try running sudo puppet to turn on the NSA backdoors (for example, it will download and install an outdated JDK, because it thinks you are too stupid to install Java). And then hope that gradle does not spit out 200 lines of useless errors.

I'm not kidding, it will try to run commands such as:

/bin/bash -c "wget http://www.scala-lang.org/files/archive/scala-2.10.3.deb ; dpkg -x ./scala-2.10.3.deb /" 

Note that it does not even install the package correctly; it only unpacks it into your root directory. No signatures, and not even SSL certificates, are checked during the download (source: the Bigtop puppet manifests).
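The command quoted above fetches over plain HTTP, checks nothing, and unpacks with dpkg -x straight into /. As an added example (not code from the original post, and not Bigtop's code), here is a small POSIX shell helper showing what the safer counterpart looks like: refuse non-HTTPS URLs, let curl validate the TLS certificate, compare the download against a SHA-256 pinned in advance, and hand the package to dpkg -i so the package manager records it. The function names and the pinned hash in demo_check (the SHA-256 of the string "hello" plus a newline, applied to a constructed temporary file) are assumptions made for the demonstration, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bigtop: download an
# artifact over HTTPS only, verify a pinned SHA-256, and install it properly.
set -eu

# verify_sha256 FILE EXPECTED
# Succeeds only if FILE hashes to EXPECTED (lower-case hex).
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED_SHA256
# Refuses plain http://, lets curl validate the TLS certificate (its default),
# forbids redirects to non-HTTPS, and deletes the file on hash mismatch so an
# unverified artifact never stays on disk.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         -o "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest, removing it" >&2
        rm -f "$dest"
        return 1
    fi
}

# install_deb FILE
# dpkg -i records the package in the dpkg database, unlike 'dpkg -x FILE /',
# so it can later be upgraded, removed, or listed with dpkg -l.
install_deb() {
    dpkg -i "$1"
}

# demo_check: constructed, offline demonstration (hypothetical input).
# The pinned value is the SHA-256 of "hello\n"; a temp file with that content
# must pass, and the same file with different content must fail.
demo_check() {
    pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" "$pinned"; then ok=1; else ok=0; fi
    printf 'tampered\n' > "$f"
    if verify_sha256 "$f" "$pinned"; then bad=1; else bad=0; fi
    rm -f "$f"
    [ "$ok" = 1 ] && [ "$bad" = 0 ]
}

demo_check
echo "pinned-hash verification behaves as expected"
```

The pinned hash has to come from somewhere you already trust (the project's signed release notes, or a value reviewed into your own configuration management), otherwise the check only proves that the download matches whatever the same untrusted server advertises. A detached GPG signature checked with gpg --verify against a key you obtained out of band is the stronger form of the same idea.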

Even if the build runs fine, it will still use unsigned binaries downloaded from Maven.

Today, instead of a clean modular architecture, there is a huge pile of interlocked dependencies everywhere. The last time I looked at the Hadoop classpath, it already consisted of over 100 jar files. I bet there are 150 of them now, even without HBaseGiraphFlumeCrunchPigHiveMahoutSolrSparkElasticsearch or whatever the Apache pile is called today.

Stack is a new term meaning "I have no idea what I actually use."

Maven, Ivy and sbt are tools for downloading unsigned code and running it on your computer.

With containers, this chaos is even worse.

Ever tried making a security update for a container?

Essentially, Docker’s approach is to download unsigned binaries, run them, and hope they don’t contain backdoors for your company network.

It reminds me of shareware for Windows from the nineties.

When will the first Docker image containing the Ask toolbar appear? The first Internet worm spreading through Docker?

All these years, Linux distributions have been trying to provide you with a reliable operating system, with signed packages built from a web of trust. Some are even working on reproducible builds.

And then everything went haywire. Along came the "app" craze: things you download and run without a thought about security or a way to upgrade them. Because YOLO.

Update: I have been corrected that this started before Docker: "Docker is the new 'curl | sudo bash'." That is true, but it has now become especially popular to download and run untrusted software in your "data center". And that is very bad.

In the past, admins made every effort to prevent security holes; now they call themselves "devops" and poke those holes into their own network themselves!

Source: https://habr.com/ru/post/258595/


All Articles