Re: [PATCH RFC 0/4] net: add bpfilter

Hi David,

On Mon, Feb 19, 2018 at 10:31:39AM -0500, David Miller wrote:
> > Why is it practical to replace your kernel but not practical to replace
> > a small userspace tool running on top of it?
> 
> The container is just userspace components.  Those are really baked in
> and are never changing.

never until you have to apply a bug fix for any of the many components you bake
into it.  I am doing this on an (at least) weekly basis for my Docker containers.
That's no different from a classic Linux distribution where you update your apt/rpm
packages all the time.

A container that is static and cannot be continuously updated with new versions
for security (and other) fixes is broken by design.  If some people are doing
this, they IMHO have no sense of IT security, and such usage patterns are not
what kernel development should cite as primary use case (again IMHO).

> This is how cloud hosting environments work.

Yes, *one* particular use case.  By far not every use case of Linux, or
Linux packet filtering.

-- 
- Harald Welte <laforge@xxxxxxxxxxxx>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
