On Tue, Oct 30, 2018, 6:50 AM Paul Adams <paul.ad...@kde.org> wrote:

> On Tue, 30 Oct 2018 at 11:42, Ben Cooksley <bcooks...@kde.org> wrote:
> > If you're running 10,000+ microservice instances, then you can have
> > the teams of people needed to maintain the necessary overhead
>
> This is true. Also not your original point: you claimed that Docker
> containers were generally unsuitable for production.
>
> The overhead is generally not that huge: you build, sign and upload
> your images to a registry you run. This is no different than when you
> build, sign and upload your custom-built distro packages.
>
> Yes, running something like Openstack causes some additional overhead.
>
> > We delegate management of sites to people who look after them (where
> > it makes sense) as it helps people get things done.
> > They are essentially the "admin" of that specific site/service, but
> > won't have root on the actual server that runs it.
>
> Good approach. It is by no means incompatible with running services in
> a container.
> You can give specific system users membership of a docker group,
> allowing them to start/stop/deploy etc. You then control which
> containers the user is actually allowed to manipulate in registry
> config.
>
> Perhaps I am missing something?
>
Care would have to be taken to ensure such users can only use specific predefined option sets. Otherwise the ability to run docker is equivalent to root access to the real file system via --mount or --volumes. Probably other routes as well. Not hard to mitigate with the right setup.

> --
> Paul J. Adams
> PhD MIEEE MBCS CITP
>
> GPG: 07DD 0812 Paul James Adams
>
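One concrete shape for the "specific predefined option sets" mitigation discussed above, as an added example that is not part of the thread and not KDE's own tooling: a small POSIX sh wrapper that sits between the delegated site admin and the docker binary. The assumed deployment is that the admin is not in the docker group at all and only gets a sudo rule for this script; the container-name prefix (`websvc-`) and the internal registry host (`registry.example.internal`) are constructed placeholders. The policy is deny-by-default: only a handful of subcommands are accepted, container names must carry the site's prefix, and `run` accepts a fixed option set plus an image from the site's own registry, so anything that would mount host paths or add privileges is refused because it is not on the list rather than because it was anticipated.

```shell
#!/bin/sh
# docker-restricted: policy wrapper for delegated site admins (constructed example).
# Assumed install: /usr/local/bin/docker-restricted, granted via a sudoers rule such as
#   siteadmin ALL=(root) NOPASSWD: /usr/local/bin/docker-restricted
# and the siteadmin account is NOT a member of the docker group.

# Per-user policy (assumptions, normally set from the sudoers rule or a config file).
ALLOWED_PREFIX="${ALLOWED_PREFIX:-websvc-}"
ALLOWED_REGISTRY="${ALLOWED_REGISTRY:-registry.example.internal}"

# A container name is acceptable only if it carries the delegated prefix and
# contains nothing outside [A-Za-z0-9_.-] (no shell metacharacters, no spaces).
is_allowed_name() {
    case "$1" in
        "$ALLOWED_PREFIX"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# policy_check SUBCOMMAND [ARGS...]
# Prints a one-line verdict and returns 0 if the request may be passed to docker,
# 1 if it must be refused. Everything not explicitly listed is refused.
policy_check() {
    sub="$1"
    [ $# -ge 1 ] && shift
    case "$sub" in
        start|stop|restart|logs|inspect)
            # every remaining argument must be a container name inside the prefix
            [ $# -ge 1 ] || { echo "refused: no container given"; return 1; }
            for name in "$@"; do
                is_allowed_name "$name" || { echo "refused: '$name' outside prefix $ALLOWED_PREFIX"; return 1; }
            done
            ;;
        ps)
            # plain listing only; no extra flags (keeps --format and friends out)
            [ $# -eq 0 ] || { echo "refused: ps takes no arguments"; return 1; }
            ;;
        run)
            # fixed option set: -d, --name <prefixed name>, --restart=<fixed values>, image
            expect_name=0
            image=""
            for arg in "$@"; do
                if [ "$expect_name" -eq 1 ]; then
                    is_allowed_name "$arg" || { echo "refused: name '$arg' outside prefix $ALLOWED_PREFIX"; return 1; }
                    expect_name=0
                    continue
                fi
                case "$arg" in
                    -d|--detach) ;;
                    --name) expect_name=1 ;;
                    --name=*) is_allowed_name "${arg#--name=}" || { echo "refused: name outside prefix"; return 1; } ;;
                    --restart=always|--restart=unless-stopped) ;;
                    -*) echo "refused: option $arg not in the fixed option set"; return 1 ;;
                    *)
                        # exactly one positional argument: the image; no command override
                        [ -z "$image" ] || { echo "refused: unexpected argument '$arg'"; return 1; }
                        image="$arg"
                        ;;
                esac
            done
            [ "$expect_name" -eq 0 ] || { echo "refused: --name without a value"; return 1; }
            case "$image" in
                "$ALLOWED_REGISTRY"/*) ;;
                *) echo "refused: image '$image' is not from $ALLOWED_REGISTRY"; return 1 ;;
            esac
            ;;
        *)
            echo "refused: subcommand '$sub' not in the allow list"
            return 1
            ;;
    esac
    echo "allowed: $sub $*"
    return 0
}

# Entry point: refuse loudly, otherwise hand the unchanged argv to the real binary.
main() {
    policy_check "$@" 1>&2 || exit 1
    exec /usr/bin/docker "$@"
}

# Only dispatch when invoked with arguments (sourcing the file defines the functions).
[ $# -eq 0 ] || main "$@"
```

The wrapper never rewrites arguments, it only decides whether the exact argv it was given is on the list and then `exec`s docker with it; that keeps the audit trail (sudo logs the full command line) identical to what actually ran. Anything beyond start/stop/logs and a fixed `run` shape should be handled by extending the allow list deliberately, not by loosening the `-*` refusal.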