Hi. Sorry for the French accent. I hope everyone will understand. So, what is being a sysadmin when you have to deal with Docker, with Node.js, with all systems?

First, I'm a system administrator. I work in French public services. And it's a research institute. So I have users who want very, very, very new stuff. That includes being the IT people, the security people. It's mainly telling them, no, you can't download with BitTorrent at work. I'm not a dev. I'm not a developer. I never learned how to develop properly. That was not my information, all DevOps. And I have packaged for Fedora and EPEL for almost a year now. I will speak mainly about open source because if you ever touch something proprietary for Linux, you will have nightmares.

What is great? So GitHub is great. See, it's easy. You can download very easily your software. You can access the documentation because it's all in one. You can report bugs.

Docker is great. It's very easy to install. You install Docker. Well, there is a little bit of configuration after that. You will have tons of software. Tons. Every server thing now, you can find it on Docker. Almost. You don't have to bother to find all the dependency, compile if it's not available. The version is not good. You can run the same instance on your laptop and on your server somewhere in the room. You can create your own image if you want. If you have some customization, offer your software, your project. And you don't mess up with your base system. You use it every day to read your mail, respond to your boss. And you have to explicitly declare the port you want to use in the Docker container. And as a security person, I think it's a good thing because it makes users realize you cannot open everything on the Internet every time.

So there is also something great. It's the language library repository. Things like CPAN, PyPI, for Ruby, it's a gem. You have one per language. You have tons of libraries.
And it will work everywhere if it's done properly. Even for something with OS, it's like Windows or Muppet. Not for everything.

So when is the trouble beginning? All of you have seen this somewhere? Too many questions. It's just Docker. It's the way you install Docker. You really want to launch this on your laptop? On your personal laptop with all the data? Your parents have taught you well. Always be careful.

A real world example, yes, there's the Docker documentation, the rest of that. I'm a sysadmin. I work with Dell hardware. OpenManage, it's to download OpenManage. It's a tool to manage the hardware, supervisor, everything. And it's the official documentation, certified. Yes, we all have seen this on the installation.

I work a lot with private networks. Not a lot of the server managed don't have access to the internet. It's a choice. We don't want them to access to the internet. Only websites or some services are facing. What do I do when I see npm install and I launch it on the folks who don't have internet? Well, it fails. Very good. So what can I do? I can have an internal mirror for every language existing? You need time and place. Install the network who has access to the internet and move it on the final. For every update, I will need to shut down the services, move the server, changing the IP update and remove. I can play with the proxies and the firewall to allow the downloading but not suit according. That's what we do. All of this is very time-consuming and very resource-consuming. And that's always a problem for CCL.

While Docker has a lot of advantages. A lot of images for software including not only the software but also all the services of the dev laptop. Generally, the developer is making the images from his own laptop and pushing it on the Docker. Well, why it is an issue? First, it's not optimized. It will use more space. And it's generally not the one you are using. A lot of developers are using Ubuntu. We are running Fedora.
We're not running Fedora. There is a recent study that shows that more than 30% of the official images are not outdated. They have a major security issue. They say, well, ugly. It was last year ugly. And yet, now we can still find images.

And there is another issue with Ubuntu. It's the Ubuntu license. And more specifically, the stuff about the trademark who is questioning it because when you read it carefully you can understand that you need to have an authorization of Canonical to use Ubuntu for your product, your setting. Or you need to recompile everything. All the distribution, not just the packaging. So, I don't know, but I don't find it very clear. On the other side, Fedora, Red Hat and CentOS have a very clear way to do it. There's only a few packages with the trademark. And you can easily remove them or change them to your own. It's what CentOS is doing.

But you have your stuff, you have tested it, find it good, you want to deploy it on your company network or for your friend. Well, why not make your app payment with Visa? What can go wrong? Any idea? You can do it in Copr, you can do it in the main Fedora tree but it's a bit longer because of the main Fedora tree. You have a sick white Chromium, is it not in Fedora? No, Chromium, there is also some licensing issues.

I want to package this fun library for my users. It's a bit of a spy-tency, for scientific calculation. And I find myself, I have to package five or six other libraries in order to package the one my user wants. It can be a bit extensive. And fencing, especially with, I don't know why, but it's often with Ruby. We have stuff, we need an older version, then the version in the distribution and no one wants to update it. Update it? Yeah? Reasons? Ruby is notoriously bad at preserving and breaking DBI's. Yes, Ruby is very bad for that, it's breaking a DBI rule. I repeat for the camera.
And you have the licensing issue, where there is a library, we don't have a clear license, or even a license at all, or something forbid the distribution, but oh yeah, we just put it inside. The old world example, I know that Hadoop will probably be retired from Fedora because it became impossible to package. That's sad. I don't know if anyone has ever played with Hadoop. It's written mainly in Java. Yeah. And it's to do a calculation on why the... It's cluster stuff.

And another issue is the release. A lot of projects, often the small project, seems to forget to do release on a regular basis. They do a release, call it 0.1, and after you want to package it, you see there is bug, and they say, oh, but it's on the main tree. No, no, we don't make a release. It's on the main tree. I want a clear version.

And there is sometimes another stuff with missing, it's the documentation, especially the upgrade documentation for software. When you have a change of the database schema, configuration change, and you don't have any warning, it's just, oh yeah, upgrade. Oh yeah, we have changed. Configuration has changed. We don't use MongoDB. We switch to another thing. A lot of documentation now. It's the program and configure. Yeah. Where is the config file? In which language you have the option? Yeah. And you need to find the config file and you read it extensively on your small terminal, because everything is in the comments when it's up to date. Or it's sometimes a blog article, more or less useful, more or less complete. You need to find a piece here, another piece here, and guess what adaptation you have to make because the documentation is about the 2.2 and you are on the 2.4. You can always find it. And people are following this instruction. I see there is this admin there. And it's there online. Oh yeah.

As I said, not very difficult. There's really some great stuff.
But it's where the care to make or even virtualization with VMware exam are better than installing on the... Yeah. For all reasons. I see there is... You can do snapshots. You make your snapshots. You upgrade. Everything is fine. Okay. Everything goes wrong. I can still delete and go back on my snapshot. And work on it later. It's not a Friday. It's very faster than I think.

Finally, there are some good news. You can... When you are lucky, a lot of software are providing help here. I was... Not always packaging with a very... Very good packaging. Sometimes it's in opt, /opt. It's not always respecting the Fedora guidelines, but they are not working for Fedora or whatever. Or whatever. When you are not too lucky, you get an archive that with clear installation instruction or SVN or GitHub or only to working.

Now with systemd, it's very easy to create a system service file way better, way easier than with... With init, with System V. While some projects even begin to provide one because you need to... Debian will switch to systemd soon. Or us always... Always switch. So it's beginning to... Come out. And the bonus with systemd is you can redirect very easily your log in journald and have everything managed on the same.

And, well, everyone has heard of Ansible, Puppet or others. And now they all manage the Docker containers, they all manage systemd services. They all do they... No. They deploy it. And for supervision, it was never an issue. You just have to use natural thinking or what you are using. But sometimes it's user supervision. The mail at 4... At 6 o'clock Friday. It's not working. You already know? Okay.

I was very faster than I think I will be. So I would like to thank the people on the Fedora very fair channel for the proofreading. If there are some orthographic errors, they are mine, and mine only. I want to thank Air France and Boeing for almost making me miss my talk. I was supposed to arrive yesterday. I arrived at noon.
And everyone here to listen to me. I hope you have questions.

I will repeat first. So the question is how to solve when a developer is using NPM or other stuff. I don't have the magic one. I explain him why it's not a good idea for a selling point of view but I cannot forbid it. I don't have the TISP power. They understand generally when there is an old people. They don't talk to developers. When they don't, we generally finish with a server in what we call experimental DMZ, where the developer installs on OS and manages it. And when a server is compromised, we cut it from the network and we explain it. But he has to be his own salesman. We are a bit more... I work with researchers. So they need to have stuff very experimental. So we don't have the same rule for production on experimental. Experimental is very, very... They can use NPM. We don't love it. Because the server needs to be with new stuff.

One of the big challenges with Docker is how much traditional IT administration and the operation you can do or want to do, because many of these dynamic languages, and Docker takes this to extreme, ends up deploying a black box as far as the operation is concerned. From the developer's point of view that's a feature: they get to have it everything together and just deploy as a non-quantity attested unit. But from the assessment of the operation's point of view you have something that's running in no context. No manifest. No workflow around it. If you do have an image that has heartbeat in there, you can't even tell. It's like bringing the wrappers to reverse engineer. What was in this? So what kind of approach do you take? Do you simply give the developer that responsibility? Let them be in charge of security, or do you try to add some level of guarantees about Docker that the production side?

The question was about Docker in a production environment and how we deal with it to not end with black boxes on our network. The answer is it's a research center.
The few researchers who are using Docker, because some of them are still using Fortran. The researchers in Docker are generally the people we can talk with. They are following the news there and they understand the way. They have a forge; it's not GitHub, because we can't use GitHub for quite a long time, but we have a forge and they are putting their code on a GitHub instance. When the development is done properly, with some standard and a forge, GitHub, you already, you deploy your software on GitHub. We have also continuous integration, so it's not very black box. We know what's running inside. And it's mainly, as it's a research center, it's mainly for calculations, so it's not based on the intent.

You don't have long running instances that have you cleaned up the cloud or installed 12 months ago that nobody remembers. It's more a researcher setting up his environment and sharing it with the students to do calculation with a specific environment. It's research, it's a very specific environment. It's not an industry.

Or, no, we don't have a specific part. There is, for internal development, there is specific, but it's not my part. I work with a researcher. I don't manage the financial, I don't manage the financial applications, that sort of thing.

No, the researchers are very free because they are doing research in IT or in computer science, so they need to be free. We offer them, for the new newcomers, the students, we try to offer them information about the best practice in development, how to use Docker, how to use Git or SVN. But for the language, it really depends on the thematic of the team, so we can't impose something. We can force them to use something. Some teams are forcing themselves. We have a team, we don't want to use C, they use Python. They could do things in C. So issues that are serious is a few students know how to develop in C properly, a lot of students know Python, so it's easier to have a large, a code well maintained, to use Python. That's probably the only leverage we have, to explain them that
it's easier sometimes to use a language because everyone knows it well.

For an example here, you know what can be easy. OK, one person. It's an imperative language, it's functional language developed in France, so very popular in France, but only in France. I don't mind in Edinburgh. And the original ML in Edinburgh. I find any exposure. Yeah.

Any more questions? We have a few applications where you can learn in inside, and we have switched to Python because it was unmaintained; maybe only two people or one or two people can work on it.

So thank you. I hope it was interesting for you. Let's move for someone for the next conference.