jflory7

Fedora Flock 2015 - Sysadmin in Age of Docker / Node.js

Aug 12th, 2015
What is being a sysadmin in the age of Docker and Node.js?

The speaker is a French system administrator and is part of IT security, not in devops and not a developer. The talk opens by saying that it will not go into proprietary software on Linux (and rightfully so, as it's scary). It's mainly about FOSS.

Docker makes life easier because it's easy to run and there's a lot of software in public repositories. Dependencies and compilation aren't an issue, and you can run it on a cloud instance and on a laptop with the same configuration. You can create your own images, and the software is isolated from the base OS, even if the isolation isn't perfect. Explicit port redirection is a security bonus.

The language repositories work well for multiple languages; there's one package per language, and lots and lots of libraries. They will generally work with any OS.

So where do the classic problems begin? Looking at a private network, it isn't simple to install software. Would you want an internal mirror for every external repo? Install on a network with external access, then move the server? Play with proxies, NAT or firewalls to allow downloading? All are possible, but you need time and resources. It's not smart.

What are the issues with Docker? Official images for software include a base OS and not only the application. This uses a lot of space, and the OS may not be the one you're using. A recent study showed that more than 30% of the official images are out of date and have major security issues, like Shellshock or Heartbleed.

Ubuntu licensing is also an issue. A lot of projects are using Ubuntu as a base OS, but the Ubuntu license is not clear and may require removing the Ubuntu trademarks everywhere. On the other hand, Red Hat / Fedora are very clear about trademark usage and make it clear what is allowed and what isn't.

So, why not package the software in COPR or the main Fedora tree instead of using Docker or Node.js? Dependency hell. Bundling with other software that has issues, missing dependencies, deprecated versions of libraries, and then licensing issues between incompatible licenses or other software, which may present an issue farther down the road.

A real world example: have you tried to build Hadoop on Fedora?

Also, sometimes the project forgets to do a clean release and/or to provide upgrade documentation.

Which is another part where Docker comes into play. Now, typical documentation is becoming `docker run` and running the software. Documentation is sometimes an assortment of blog articles, more or less useful… and of course, you can always find a `chmod 777 /var/www/` guide somewhere…

It's where Docker, Atomic, or even classic virtualization are better than bare metal, because snapshots allow an easy rollback if everything goes wrong.

In the era of systemd, it's easy to create service files, even when projects don't have one. Everything will be started in the right order. A bonus is that logs are redirected to journald.

Ansible and Puppet can easily manage a Docker container, systemd services, getenforce 0 (lol), and deploying your custom SELinux configuration.
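
An added example (not from the talk or from these notes) of the kind of service file the systemd point describes, written for a hypothetical Node.js application that ships none. The name exampleapp, its paths, its account and the PostgreSQL dependency are assumptions made for illustration.

```ini
# /etc/systemd/system/exampleapp.service  (hypothetical name and path)
[Unit]
Description=Example Node.js application (constructed example)
# "Started in the right order": wait for the network and for the
# database this application is assumed to depend on.
Wants=network-online.target
After=network-online.target postgresql.service
Requires=postgresql.service

[Service]
Type=simple
# Dedicated unprivileged account, so nothing needs root or a
# world-writable directory to run.
User=exampleapp
Group=exampleapp
WorkingDirectory=/opt/exampleapp
Environment=NODE_ENV=production
ExecStart=/usr/bin/node /opt/exampleapp/server.js
Restart=on-failure
RestartSec=5

# stdout and stderr are collected by journald.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=exampleapp

# Confinement that is cheap to add when you write the unit yourself.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

Once the unit is in place, `systemctl daemon-reload` followed by `systemctl enable --now exampleapp.service` starts it, and `journalctl -u exampleapp.service` shows its logs.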