Comment by flatiron
3 years ago
If you have a large organization your containers are based off the org's containers, which have the CA in them. Same with VMs, Java, .Net, etc.
Maintaining golden container/VM images with root cert customizations is a pretty complex task that needs constant maintenance and customizations for new runtimes. Also this does nothing for unofficial devices (BYO laptops, BYOD smartphones, the CEO's iPad, guest laptops).
Hard disagree on that one. For 99% of your software it's: stick the cert in your distro's trust store and use the result as your base VM / container templates. Adding to the Java trust store is a 10 line script and never needs to be touched again. It's not that it's completely trivial, but it's so much less complex than every other thing your infra team does.
Random BYO devices I can understand but in your cloud / datacenter it’s so easy just because you control everything.
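The "stick the cert in the distro trust store, then the Java trust store" step from the comment above, written out as a script you would run once while building a base VM or container template. This is an added example, not code from anyone in this thread; the alias `corp-root`, the anchor directories, the `changeit` default cacerts password and the assumption of a JDK 9+ `keytool` (which has `-cacerts`) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): bake one internal root CA into the
# distro trust store and the JVM's cacerts as part of a base image build.
# Alias name, paths and the JDK 9+ keytool assumption are the author's own.
set -eu

CA_ALIAS="${CA_ALIAS:-corp-root}"          # assumed alias / file stem
CACERTS_PASS="${CACERTS_PASS:-changeit}"   # JDK's default cacerts password

# Sanity check before anything touches a trust store: the file must be a PEM
# certificate and must not also carry a private key (a common mistake when
# exporting from a CA tool). Returns 0 when the file is acceptable.
is_pem_cert() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
  if grep -q -- 'PRIVATE KEY' "$f"; then
    return 1
  fi
  return 0
}

# Pick the distro-specific anchor directory and refresh command.
# Prints "<anchor_dir> <update_cmd>"; fails when no known tool is present.
detect_trust_store() {
  if command -v update-ca-certificates >/dev/null 2>&1; then
    echo "/usr/local/share/ca-certificates update-ca-certificates"  # Debian/Ubuntu/Alpine
  elif command -v update-ca-trust >/dev/null 2>&1; then
    echo "/etc/pki/ca-trust/source/anchors update-ca-trust"          # RHEL/Fedora family
  else
    return 1
  fi
}

install_distro_ca() {
  pem="$1"
  is_pem_cert "$pem" || { echo "refusing $pem: not a bare PEM certificate" >&2; return 1; }
  store=$(detect_trust_store) || { echo "no known CA trust tool found" >&2; return 1; }
  anchor_dir=${store% *}
  update_cmd=${store#* }
  # Debian's update-ca-certificates only picks up files ending in .crt
  install -m 0644 "$pem" "$anchor_dir/$CA_ALIAS.crt"
  "$update_cmd"
}

# keytool -cacerts targets the running JDK's own trust store (JDK 9+).
install_java_ca() {
  pem="$1"
  is_pem_cert "$pem" || return 1
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JVM store" >&2; return 0; }
  keytool -importcert -noprompt -trustcacerts -cacerts \
    -storepass "$CACERTS_PASS" -alias "$CA_ALIAS" -file "$pem"
}

# Only act when given a certificate path, so the file can be sourced without
# side effects. Usage:  sh bake-ca.sh /path/to/corp-root.pem
if [ "${1:-}" != "" ]; then
  install_distro_ca "$1"
  install_java_ca "$1"
fi
```

Run it as root during the image build (a `RUN` line in the Dockerfile, or a Packer provisioner); because the refresh tools and `keytool` rewrite the stores in place, the resulting image carries the CA for every process that uses the system or JVM store, with no per-runtime follow-up.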
> Maintaining golden container/vm images […]
I was under the impression that 'golden images' aren't generally encouraged as a Best Practice™ nowadays. The general momentum seems to me to be to use a vendor-default install image (partitioning however you want), and then go in with a configuration management system once it's on the network.
Basically: you keep your config 'recipes' up-to-date, not your image(s).
At least at Apple the Dockerfile for their images was < 50 lines. Like super tweaks on the AL2 image. Every 60 days you need to pull it in. So you are right: they just keep it up-to-date and keep it to the vendor images as well.