During the RSA conference, I was talking about containers and it occurred to me we can think about them like a sandwich. Not so much that they're tasty, but rather where does your container come from. I was pleased that almost all of the security people I spoke with understand the current security nightmare containers are. The challenge of course is how do we explain what's going on to everyone else. Securtiy is hard and we're bad at talking about it. They also didn't know what Red Hat was doing, which is totally our own fault, but we'll talk about that somewhere else.
But containers are sandwiches. What does that mean? Let's think about them in this context. You can pick up a sandwich. You can look at it, you can tell basically what's going on inside. Are there tomatoes? Lettuce? Ham? Turkey? It's not that hard. There can be things hiding, but for the most part you can get the big details. This is just like a container. Fedora? Red Hat? Ubuntu? It has httpd, great. What about a shell? systemd? Cool. There can be scary bits hidden in there too. Someone decided to replace /bin/sh with a python script? That's just like hiding the olives under the lettuce. What sort of monster would do such a thing!
So now that we have the image of a sandwich in our minds, let's think about a few scenarios.
Find it on a bench
If you're walking through the park and you see a sandwich just laying on a bench what would you do? You might look around, wondering who left this tasty delight, but you're not going to eat it. Most people wouldn't even touch it, who put it there, where did it come from, how old is it, does it have onions? So many questions and you honestly can't get a decent answer. Even if someone could answer the questions, would you eat that sandwich? I certainly wouldn't.
Finding a sandwich on a bench is the public container registry. If this is all you know, you wouldn't think there's anything wrong with doing this, but like the public registry, you don't always know what you're getting. I wonder how many of those containers saw update for the glibc flaw from a few weeks ago? It's probably easier not knowing.
Get it from a scary shop with questionable ingredients
A long time ago I was walking around in New York and decided to hop into a sandwich shop for a quick bite. As I reached for the door, there was a notice from the health department. I decided to keep walking. Even if you can get your sandwich from a shop, if the shop is scary, you could find yourself in trouble.
There are loads of containers available out there you can download that aren't trusted sources. Don't download random containers from random places. It's no different than trying to buy a sandwich from a filthy shop that has to shoo the rats out of the kitchen with a broom.
Get it from a nice shop that uses old ingredients
We've all seen those places selling sandwiches that look nice. The sign is painted, the windows are clean. When you walk in the tables are clean enough to eat off of! But then you order and it's pretty clear everything is old and dried out. You might be able to sneak out the back door before the old man putting it together notices you're not there anymore.
This is currently a huge danger in the container space. Containers are super hip right now so there are plenty of people doing work in this space. Many of these groups don't even know they have a problem. The software in your containers is a lot like sandwich meat. After a few weeks it probably will start to smell, and after a month it's going to do some serious damage to anyone who consumes it.
Be sure to ask your container supplier what they're shipping, where it came from and how fresh it is. It would not be reasonable to ask "If this container was a sandwich would you eat it?"
Get it from a nice shop that uses nice ingredients
This is the dream. You walk into a nice shop. The nice person behind the counter takes your order and using the freshest ingredients possible constructs a sandwich shaped work of art. You take pictures and post them to all your friends explaining this sandwich is what your life was always missing and you didn't know it before now.
This is why you need a partner you can trust when it comes to container content. The closer to the source you can get the better. Ask questions abut the content. Where did it come from? Who is taking care of it? How can I prove any of this? Who is updating it? Containers are a big deal, they're new and exciting. They're also very misunderstood. Only use fresh containers. If the content it more than a few months old, you're eating a sandwich off a park bench. Don't each sandwiches off park benches. Ask hard questions. If your vendor can't answer them, you need to try the shop across the street. Part of the magic of containers is they are the result of truly commoditizing the operating system, you can get container content from a lot of sources, find a good one.
If we think about our infrastructure like we think about public health, you don't want to be responsible for making everyone sick. You need to know what you're using, where it came from, how fresh it is, who put it together, and what's in it. It's not enough to pretend everything is fine. Everything is not fine.