These companies all have very clear terms of service, where they reserve the right to remove you for any reason. Using their service is a privilege, not a right.
If everyone is “censoring” you, then there must be a good reason why they prefer to distance themselves.
Of all those listed, you must be an especially toxic brand to be kicked from GoDaddy.
Twitter is a private sector business in the US with terms that include reserving the right to remove any content for any reason. They have every right to.
If you don’t agree with it, for moral reasons or otherwise, you’re free to provide your own service.
CAP_NET_BIND_SERVICE is a root privilege, a distinct one provided by kernel capabilities, granted to a process. In order to use it the container must be permitted to allow its processes to elevate their privileges.
If the container is running as root permitting it is redundant, since the kernel doesn’t filter root for kernel capabilities anyways.
If a privileged user sets CAP_NET_BIND_SERVICE on an executable binary using setpcap to allow a non-root user the ability in a container to bind to a privileged port, elevated privileges are still required for execve to create a process that is permitted to use the kernel capability. Think sudo but for processes.
The argument with containers is that binding to a privileged port isn’t necessary, so you shouldn’t do it. And by not doing it you improve your security posture.
Nginx and the like are starting to provide non-privileged versions of their container images.
Running as root is lazy and equals container escape, especially when running on anything other than scratch and read only file system.
The only reason Nginx and Traefik run as root is to bind to privileged ports (80,443). There is no reason to do that inside of a container, since you can remap exposed ports outside of the container.
Containers are not VMs and must be handled differently. You are always one RCE away from having your entire container platform compromised.
They were not more secure, just more isolated. The challenges are different.
Containers are just namespaced processes that share the same kernel as the host. A host has access to all container processes, uids, gids, file systems, and networks. Cgroups are used to limit resource access.
To run containers securely you need to understand how to protect running processes. You need to use unprivileged users where possible, drop all kernel capabilities not required, run Linux Security Modules (AppArmor, SELinux) to prevent processes from doing things they shouldn’t; and, run containers based on the smallest image possible, since a container should only have files that are absolutely required to run a process, and nothing more.
Even when you do it all right, in a multi tenant environment, it’s not safe to run all containers on the same hosts.
Infrastructure should be defined in an easily digestible, human-readable format.
Your manifests serve two purposes: define infrastructure and self document.
While you can achieve the same infrastructure automation with shell scripts, they’re rarely written well enough to easily understand, introducing operational risk when handed off to other people or teams.
The reason is because object storage is slow and not meant for high performance, which is usually important for large databases.
For your S3 example and ignoring IOPS, you are comparing 13ms of latency on local spinning disk versus 10s-100s of ms latency from S3. SSD is faster with only 1ms of latency or less on average.
Adding IOPS to the equation, you’re likely going to slam your object store if you have a high volume of traffic, where your block storage likely wouldn’t even break a sweat.
A container is not a VM and should ONLY contain the exact files needed to run your app to run securely. Any additional packages increase the security footprint.
Every container is one RCE vulnerability away from being compromised and escaped. if your images are distribution based, even slim ones, you’re giving the attacker a broad set of tooling out of the box.
Container runtime defaults in Docker and Kubernetes are insecure and grant attackers a lot of privilege — running as UID 0, no user namespace separation, and potentially dangerous kernel capabilities added to the container’s parent process.
If everyone is “censoring” you, then there must be a good reason why they prefer to distance themselves.
Of all those listed, you must be an especially toxic brand to be kicked from GoDaddy.