Closed omercnet closed 6 years ago
Why not?
@omercnet The practices the Docker software ecosystem has adopted present a security risk, since the tooling encourages downloading and deploying unknown artifacts and compartmentalizing all software dependencies within each container. This results in a duplication of common software libraries and can hide these dependencies, allowing vulnerable versions of common libraries to remain deployed long after the vulnerabilities have been disclosed. Consider a response to OpenSSL's heartbeat vulnerability (CVE-2014-0160) in a Docker and non-Docker-ized environment for an example of how the Docker model complicates identifying affected software.
While I do think there is a place for containers (Yahoo and Google's internal deployments are very promising, but in both cases they have the resources to own their entire stack), I find the opaque appliance model promoted by Docker to be concerning.
I realize there are a plethora of technical merits to both approaches: I'm concerned with the model Docker promotes, I choose not to use it, I'm not in a position to support it, and so I choose not to include it.
Hi @dlundquist, you're describing a very old way of handling containers as appliances. It's very easy today to configure automatic updates based on underlying software changes, so if we link the Docker image to Ubuntu, every time there's a new Ubuntu Docker update, which is every couple of weeks (https://hub.docker.com/r/library/ubuntu/tags/), the sniproxy image will be rebuilt and will always be up to date.
If you could provide more insight into your concerns, I'll try to address them, in hopes of your considering creating an image here, which I think would benefit the community.
It is a good discussion. Docker will be a trend for the cloud century; let us try to keep talking and see how to move things forward. Much appreciated.
Open source means an open attitude and an open mind. You can find more and more official Docker images for different types of software/OS/applications, such as the famous one, CentOS: https://github.com/CentOS/CentOS-Dockerfiles/blob/master/httpd/centos7/Dockerfile
@omercnet Thank you for the proposed change, but I do not plan to include any Docker integration within the SNIproxy source repository.