Bitnami just killed off their free Docker images and I'm scrambling
Posted by vitaminZaman@reddit | linux | 188 comments
I've been using Bitnami images for years in my homelab setup, mostly for stuff like PostgreSQL and Redis because they were straightforward and kept up with security patches without much hassle. Now Broadcom decides to pull the plug on the free tier and shove everything behind a paywall? It's frustrating as hell, especially since a lot of my deployments rely on these pulls not failing out of nowhere. I've got a couple of weeks to fix this before things start breaking. Anyone got solid alternatives for these? I'm looking at official images but worried about the CVE counts spiking. What's everyone switching to?
blackcain@reddit
Broadcom is an equity firm masquerading as a tech company.
laapsaap@reddit
Yeah, when Docker Hub started rate limiting, I switched to Bitnami. Now they can all go fuck themselves.
Btw, Google is a company I started to hate and have put in the same category as Broadcom and Oracle.
YouTube Premium family, 27 EUR a month... I don't want any of the premium features, just no ads.
phobug@reddit
Look into Chainguard.
Tobi-Random@reddit
Why? If you want to pay, you can stay on Bitnami as well.
phobug@reddit
A) It's better images, with a lot of focus on remediation of vulnerabilities. B) It's free. C) Open source, so if you need to tweak anything, you can.
Timely_Volume_8760@reddit
It's not free and it's not "Open Source". It is, indeed, more expensive.
phobug@reddit
Fair point, not sure why I thought it was open source.
Tobi-Random@reddit
Sorry, I confused the threads, so the reply wasn't meant for you. I deleted them.
Tobi-Random@reddit
Ok so you don't know what you are talking about.
phobug@reddit
Haha, ok, do enlighten me, but please don't mention charts, as OP clearly said images.
For an alternative to the Bitnami charts, just open Artifact Hub.
Tobi-Random@reddit
LXC or Incus uses the same base as Docker or containerd: user groups. It's used for isolation in the Linux kernel. Because of that, the isolation can be equally secure in either technology.
Now you say your Incus containers are "more secure", but you install not only postgres in it, but also sshd and what not. Systemd is probably also included, besides many, many executables. This makes it by definition less secure than just putting what's needed inside a container and isolating it properly.
In my case one process is isolated. Escaping from it shouldn't be very harmful because there is nothing else in the container.
In your case everything inside the container is only isolated from the host (like in my case), but nothing is isolated within the container. Escaping from the ssh process can be beneficial, because one can try to attack your postgres process or others which are running next to each other.
To conclude: putting more stuff than needed in an isolated container is LESS secure than putting less in a container. That's common sense. There is nothing to argue about. What's more secure than maintaining 10 separate servers / 10 separate OSes? Maintaining less than 10. The more moving parts, the higher the risk.
phobug@reddit
I never mentioned Incus. Chainguard is a minimal Docker image with a focus on hardening and fast remediation of CVEs.
Tobi-Random@reddit
Oh sorry, you are right. I have confused two threads I have commented in 🙈
Cyber-Axe@reddit
I use linuxserver.io images where available
xelab04@reddit
I know you got a ton of replies but I personally use the SUSE or openSUSE images since they also try their best to be secure and all the other nice things. Admittedly, I've never used Bitnami images or charts.
MiracleWhipSux@reddit
Let me tell you a work story about VMware that we affectionately call "Broad-pocalypse." The amount of time we've had to spend replacing VMs... Let's just say I picked a terrible time to stop drinking.
sheeproomer@reddit
With what did you replace it?
TomKavees@reddit
Can't speak for them, but the most recommended alternatives on r/sysadmin are Proxmox and/or Hyper-V.
General-Win-1824@reddit
Proxmox products are complete garbage, only supports select servers.
MiracleWhipSux@reddit
Yes, Proxmox.
HrBingR@reddit
Yeah. The company I work for was one of 3 that got to keep partnerships in place for VMware. But we just got word that they're pulling out of the country, so we have at most a year to migrate. And we have SO much infrastructure built around VMware.
General-Win-1824@reddit
Why not just pay for them?
redcalcium@reddit
Why not use the official postgres and redis images?
kalzEOS@reddit
Capitalism. Corporations. Profits. Bullshit = never touch their shit. Never trust a single corporation, I don't care how "good" they are.
chibiace@reddit
I wonder if Fedora and Ubuntu users think about such things.
BaseballNRockAndRoll@reddit
Fedora is developed by a community much the same way OpenSUSE is. If Red Hat were to cut ties tomorrow it would certainly hurt the project, but it would not be the end of the community.
kettal@reddit
What did the C in CentOS stand for before red hat pulled the plug?
carlwgeorge@reddit
Red Hat didn't pull the plug on CentOS, it fixed a dysfunctional project. It's more community now than ever before, with more investment from Red Hat than ever before.
kettal@reddit
Does the community decide what the support cycle will be for a release of CentOS, or does Red Hat make that decision?
carlwgeorge@reddit
Did the community set the lifecycle for CentOS 6? No, it's always been dependent on Red Hat.
What I said was it's more community now than ever before, not that it's completely community run. In the old CentOS model the community had zero influence. They couldn't change the operating system, and they damn sure couldn't set the lifecycle. All they could do was file bugs that would get closed as "reproducible on RHEL". Now, bugs filed by the community go to maintainers who can actually fix the bugs, and the community can even contribute the fix directly. It finally functions like a real open source project, not a cloning science experiment.
BaseballNRockAndRoll@reddit
Rocky Linux and Alma Linux are both still around and doing great.
kalzEOS@reddit
Maybe they do, but they like it, their choice. That's why I don't use these distros anymore. They're not our friends. Red Hat uses Fedora users as alpha testers. They fucked people who were using CentOS; it is now basically a beta version of RHEL (I might get jumped saying this lol). They put their source code behind a paywall to make it harder for some downstream distros like Alma and Rocky to have bug-for-bug compatibility. Ubuntu.... Need I say anything? Whenever a distro goes corporate, they're down the drain.
coderguyagb@reddit
I recommend forking the GitHub repos asap.
Tobi-Random@reddit
Indeed, good point!
elatllat@reddit
This is why we say FOSS or GTFO.
DarthPneumono@reddit
Y'know or just... running the software normally. Not everything needs to be (or should be) a container.
DrunkOnRamen@reddit
Or use Incus. It is a container, but you can SSH into it like an actual OS.
DarthPneumono@reddit
Why?
DrunkOnRamen@reddit
Greater security. You can maintain databases completely separately in their own instances. Incus provides better security than Docker itself, because the ability to perform a container breakout is significantly higher.
ptoki@reddit
Docker was never about security.
Yes, it helps somewhat, but it's also a source of new vectors if you don't build the image yourself.
psych0ticmonk@reddit
Why are there people commenting on this topic when they have no idea what containers are?
Containers were made for a particular purpose, that purpose meant that applications had to be contained and secured to a degree. You didn't want an application to rather easily breakout and traverse the entire bare metal system.
So no, you're dead wrong, containers do provide security. Even browsers running bare metal machines at times offer up a "sandbox" environment which is essentially that. The browsers run a small container and run the website within it.
This entire discussion is about running something directly on bare metal vs a container, and the responses that claim that it is even less secure are incredibly stupid to the point that they lack common sense. Anyone claiming that it doesn't add any security layer then has no understanding of containers.
I swear it seems like teenagers who are clueless are in this sub.
ptoki@reddit
No, not really.
And you are dead wrong. The fact that pliers have mass and can work like a hammer does not mean you should whack things with them.
Containers weren't a security solution ever. They help with that, but they aren't providing total isolation. They never did and never will.
What I said is not what you imply in here:
You built yourself a strawman and there you go, you won. But the battle was somewhere else.
Read my posts again and use thinking.
Again: Docker was not about security. It is not about security. Its purpose is not to make systems safer. NOBODY should make a system containerized for the security.
And if anyone does, then they should build the containers from scratch and not use any prebuilt ones.
I am not hoping you will understand, but maybe...
psych0ticmonk@reddit
Good lord, what is it you’re arguing here? Semantics?
Container technology was originally built on namespaces; by their own design they were made to do a few things, one of them being increased security.
Is it 100% super secure? No. Never said it was. Is it added security? Yes. You’re going to argue it isn’t?
Tobi-Random@reddit
I feel you. I also gave up facing that amount of ignorance. Probably just a troll.
I'd rather have all my databases and applications all in their own namespaces separated from each other with as little additional stuff inside those namespaces as possible rather than what he came up with in his posts.
Tobi-Random@reddit
Wow now that I read all your comments I understand that you indeed are lacking reading comprehension while telling me I cannot comprehend. Just to be clear: my discussion branch wasn't about baremetal vs containers. It's out of the question that containers do add security.
I have discussed with the other guy whether running LXC is more secure than application containers. My point was that within the LXC containers the applications are not isolated. Putting many applications inside it lessens the overall security compared to isolating every application separately.
I've basically repeated myself now once again. If you still can't follow then I give up explaining. Have a nice day
Tobi-Random@reddit
Lol adding more moving parts into the mix lowers the attack surface? What next? Let me guess, you found the Perpetuum mobile 🫡
DrunkOnRamen@reddit
If I had to guess your knowledge of container technology and security is pretty limited, given your "attack surface" comment. In a nutshell, there is a lot more to how things work than simple vectors to attack through. No one is going to hack you through the calculator program.
I'd offer some links to read up, but you strike me as a snob who isn't interested in learning anything.
ptoki@reddit
This is not correct.
Yes, Docker isolates apps in a way, but it was never designed as a complete and secure isolation environment. The "security" is a byproduct, a side effect, and is not reliable.
There are a bunch of ways the container can spread malware on the host. Most of it is pretty simple and easy to contain, but Docker will not help.
Don't think about Docker as a security layer. It is not.
psych0ticmonk@reddit
The original comment questioned why bother even using containers in the first place and not just run everything on bare metal, and the responding comment said that containers do provide additional security.
Your comment saying he is wrong but confirming that containerization technology does provide additional security is contradictory. It doesn't make sense, especially when the original comment suggested everything should just run bare metal.
Sure, there are container breakout possibilities, more so with Docker than LXC simply because of how they run, but nonetheless there are security benefits from both. Because the thing isn't 100% foolproof doesn't mean it should be disregarded; that is wildly bad advice.
In short, containers provide a layer of security, but it is a tool on your toolbelt and shouldn't be the only thing for security either.
ptoki@reddit
So let's dissect the initial exchange of comments.
The properly configured app on bare metal is safer than the dockerized one.
Why? Because you need additional components to make it work with Docker. Because you may end up with multiple versions of the same library or package among the containers you run, and so on.
Yes, dockers are easier to update and maintain (to some degree), so theoretically you are safer IF you do the updates. If you don't, then bare metal is safer (because of less attack surface).
And to achieve that you need to have multiple instances to get the benefit of Docker deployment vs work effort. Bare metal is simpler: you just install the update and call it a day. With Docker the process is more complex. AND usually you don't run multiple systems on one OS; you have a VM for that, so they are already isolated.
If you run one postgres vs multiple (in Docker) but the same version, you gain nothing. If the vulnerability exists, it will be exploited on all of the Docker instances one by one. If it is a config issue and one user has too wide permissions, it is as easy to say the same config mistake will be repeated in other containers. Docker does not change that fundamentally. It just shifts things around in a "security by obscurity" manner.
That was the gist of the initial exchange.
So knowing this, it's obvious that Docker is not a security solution.
It helps. But nobody uses Docker because it is more secure. Usually it's not. And it should not be picked because of that.
Not to mention you now need to secure another layer of IT because you have Docker...
psych0ticmonk@reddit
Improper server configuration can lead to exploitable issues. News at 11.
Multiple instances of the same software can be exploited. Wow, mind blown. 🤯
Bad configuration is bad configuration. Luckily, developers nowadays better understand the need to develop software that is more user friendly, especially security software, so that it can be used properly.
The second one, I genuinely don't know what to tell you other than it's actual common sense?
But here's the part you miss: the attacker, upon exploiting, would be stuck in the container and needs to break out using another exploit.
Tobi-Random@reddit
So LXC is based on user namespaces, and so are container runtimes like containerd.
Tell me what you can do with LXC that you can't with containerd. And please don't base your argumentation on default settings.
ptoki@reddit
I never argued between both. The other posts I just wrote cover the main gist of my opinion. In short: Docker or any other container solution is not a security solution. It helps, but you don't use Docker to make things secure.
You want security? Then make a dedicated VM for the solution or set of components.
I have seen many systems where Docker was implemented but folks did not know how it works and how it should be set up to provide the same level of security as the same apps set up on a VM. They either garbled the network, exposing interfaces they should not, or created multi-component containers where the database runs together with the PHP frontend or similar stuff.
That is why thinking about Docker as a security solution is wrong. It helps, but it is like a set of pliers being used as a hammer. Yes, you can, but you are doing it wrong.
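One way to turn the misconfigurations this comment describes (exposed network interfaces, multi-component containers, plus privileged mode and running as root from elsewhere in the thread) into a repeatable check, as an added example that is not part of the thread. It audits constructed `docker inspect`-style records; the field names follow the Docker Engine inspect output, and both sample records are made up for illustration.

```python
"""Audit `docker inspect`-style container records for the container
misconfigurations discussed in the thread: privileged mode, host networking,
services published on every host interface, running as root, extra Linux
capabilities, a writable root filesystem and several services bundled into
one container. Both records below are constructed sample data."""
import json

# Constructed sample: postgres bundled with a PHP frontend, running as root,
# privileged, with postgres published on every host interface.
BUNDLED_INSPECT = json.dumps({
    "Name": "/app-stack",
    "Config": {
        "User": "",
        "Cmd": ["sh", "-c", "postgres -D /var/lib/postgresql/data & php-fpm -F"],
    },
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "bridge",
        "ReadonlyRootfs": False,
        "CapAdd": ["SYS_ADMIN"],
        "PortBindings": {
            "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}],
            "9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}],
        },
    },
})

# Constructed sample: one process, unprivileged user, read-only root
# filesystem, database reachable only from the host's loopback interface.
SINGLE_SERVICE_INSPECT = json.dumps({
    "Name": "/postgres-only",
    "Config": {"User": "999:999", "Cmd": ["postgres"]},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "bridge",
        "ReadonlyRootfs": True,
        "CapAdd": None,
        "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]},
    },
})

# Command fragments that indicate more than one service in a container.
MULTI_SERVICE_MARKERS = (" & ", "&&", "supervisord", "s6-svscan", "runit")
# Capabilities that make a container escape or host tampering much easier.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH"}
ALL_INTERFACES = ("", "0.0.0.0", "::")


def runs_as_root(user: str) -> bool:
    """Empty User, 'root' or uid 0 (optionally 'uid:gid') all mean root."""
    uid = (user or "").split(":")[0]
    return uid in ("", "root", "0")


def audit_container(inspect_json: str) -> list[str]:
    """Return finding codes for one container record, in a fixed order."""
    rec = json.loads(inspect_json)
    cfg = rec.get("Config") or {}
    host = rec.get("HostConfig") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("PRIVILEGED")
    if host.get("NetworkMode") == "host":
        findings.append("HOST_NETWORK")
    if runs_as_root(cfg.get("User")):
        findings.append("RUNS_AS_ROOT")
    if not host.get("ReadonlyRootfs"):
        findings.append("WRITABLE_ROOTFS")
    added = {c.upper().removeprefix("CAP_") for c in host.get("CapAdd") or []}
    for cap in sorted(DANGEROUS_CAPS & added):
        findings.append(f"CAP_ADD:{cap}")
    for port, bindings in sorted((host.get("PortBindings") or {}).items()):
        if any(b.get("HostIp") in ALL_INTERFACES for b in bindings or []):
            findings.append(f"PUBLISHED_ALL_INTERFACES:{port}")
    cmd = " ".join(cfg.get("Cmd") or [])
    if any(marker in cmd for marker in MULTI_SERVICE_MARKERS):
        findings.append("MULTI_SERVICE_COMMAND")
    return findings


if __name__ == "__main__":
    for record in (BUNDLED_INSPECT, SINGLE_SERVICE_INSPECT):
        name = json.loads(record)["Name"]
        print(name, audit_container(record) or ["clean"])
```

Against a real host, feed it the output of `docker inspect <container>` (one record per list element) instead of the constructed strings.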
Tobi-Random@reddit
Haven't you said LXC containers are more secure than Docker containers in general?
psych0ticmonk@reddit
containerd is a runtime and LXD/Incus is orchestration.
Tobi-Random@reddit
Yes, you are right, even though I wrote LXC, not LXD. Anything relevant to add?
psych0ticmonk@reddit
LXC is a step lower than LXD but a step above containerd. Think of it as layers: people will interact with LXD directly, which then utilizes LXC, which uses containerd depending on what's needed.
Tobi-Random@reddit
Ok, I thought you tried to counter-argue, but now I understand that you are just confirming mine. Got it.
psych0ticmonk@reddit
Not really. You should improve your reading comprehension.
Tobi-Random@reddit
Dude, stop it. I wrote that LXC and containerd are based on the same kernel features when it comes to isolation. I asked what one can do with LXC that one cannot do with containerd. Then you came along with useless nitpicking.
Tobi-Random@reddit
Dude, you said it yourself: it's a container, but you put ssh next to postgres and probably other apps inside it. What exactly makes it more secure than just running postgres inside an unprivileged container?
psych0ticmonk@reddit
You do realize security researchers rely heavily on virtual machines when examining malware right? Modern browsers utilize container technology when placing websites in a "sandbox" to help increase security.
Attack surface comments are just lazy; they don't understand, acknowledge or respond to the reality that making a successful attack is a lot more difficult, and at times even timing can be a major factor.
Just because you install some applications doesn't necessarily mean you are more exposed; it depends on what you run.
No one is going to hack a system via sed.
Your argument that it is more secure to run on bare metal than containers lacks common sense.
The bare metal, or let's call it the host, is the target of an attacker. If the host is running WordPress directly, the attacker utilizes a vulnerability to gain unauthorized access to the host. If the WordPress instance is in a container and this breach occurs, then the attacker is still in the container; they need to break out, which means they need to figure out another vulnerability to get out of the container and onto the host.
If you want to think about it in an offline example then think of someone wanting to break into a house that has a high fence, while the attacker can jump the fence, they can't jump over the door.
Tobi-Random@reddit
🤨 Where was that my argument? That's the opposite of my argument.
psych0ticmonk@reddit
You should read the things you write.
Tobi-Random@reddit
Have you read mine? The last post with the Perpetuum mobile was sarcasm. Perpetuum mobiles do not exist, my friend.
pezezin@reddit
Incus is based on LXC, right? I have been using LXC on Proxmox for years and it works great 👍
DrunkOnRamen@reddit
LXD and Incus are the same thing. I would recommend switching to Incus simply because Canonical has taken an aggressive move to take over LXD.
nicman24@reddit
LXD is just namespaces? What does Canonical even want?
God_Hand_9764@reddit
Could be on a NAS, where Docker is the preferred method of running software (it is so easy). A VM could be a second-best choice if all else fails.
ipaqmaster@reddit
Yes, pulling random container images without inspection and running them certainly is easier than doing any work at all.
God_Hand_9764@reddit
Lmao, yeah, anyone using Docker images that they haven't built themselves is an idiot, right?
A lot of people have a life outside of the computer and don't want to spend literally all of their free time on Earth dicking around with this stuff. It's pretty ok to want something easy that works, in my opinion.
DarthPneumono@reddit
Would be one good use case.
AnonEMouse@reddit
Don't know why you're being downvoted. Containers have their uses, but most people do not use them properly, nor do most people need them either.
ptoki@reddit
Small but important aspect: you need to trust the image packager.
That's another entity you must trust to be somewhat safe.
People here seem to think the images are always safe to use.
p0358@reddit
Or just use the upstream official containers.
DarthPneumono@reddit
Sure, if you have to use a container or it's better for your workflow. But again, containers don't really do anything special and have lots of drawbacks (one of which is on display here).
p0358@reddit
It really depends on the circumstances which way is better. Convenience (of installation and peaceful upgrading, especially for something that isn't one install command from the repos away) and the improved security of containers cannot be understated.
But relying on a random third party to package random software somehow better than the official distribution? I truly never saw a point in Bitnami; I didn't see a glimpse of advantage with all the cons and risks. Maybe it's actually for the better that they are shutting that thing down. Now only Fedora Flatpaks remain to be axed, hehe.
mralanorth@reddit
Yep, for such well-established software as PostgreSQL, the official images are a much better choice.
niomosy@reddit
Management. If something goes wrong and they have no one to yell at, it becomes a problem. It's why we've told our devs: if it's not an official vendor image with support, it's not happening unless you accept all risk. No dev team's management has been willing to do that beyond a single dev pod running. Even with that, we warned them, so we'll see what happens.
NordschleifeLover@reddit
There is nothing wrong with that, but we build on top of each other's work to save time and energy for the actual job at hand.
tux-lpi@reddit
The real pain is not so much the images (there are usually official ones that are fine for local development), it's the Helm charts.
Packaging a bloated tarpit of overengineered software like Kafka to run on k8s is no small feat. ElasticSearch is also a fun one to make production ready.
SeraphBlade2010@reddit
Helm charts are really the thing that can break a homelab... mine, for example... I had to redeploy multiple postgres databases and migrate all the data between the PVs... god damn Broadcom.
God_Hand_9764@reddit
And what's wrong with reverse engineering their database technologies from the ground up?
My guess is probably that the answer to these questions is that he's trying to make his life easier rather than harder, and would prefer not to waste half of his time on this Earth tinkering with software needlessly when he could have a more easy and reliable system. Seems like that's what he's seeking out.
dread_deimos@reddit
Maintaining them is a hassle.
ipaqmaster@reddit
Just... install postgres and redis...
They're not hard. Most distros run them as underprivileged users for you already, and you can jail them further if you want.
Hell, you can even install them in a container of your own and maintain your own images. You could even become the individual that starts replacing these Bitnami images if you really want.
It's not that special.
AttentiveUser@reddit
You're overlooking how easy Docker images make your life. Asking everyone to reinvent the wheel is terrible.
Expensive_Finger_973@reddit
If it gets touched by Broadcom or Oracle, then move to something else. That is something I live by with the tech I use.
Some companies like Microsoft, Google, etc. can be sketchy at times. But no one is a "this WILL turn to shit" level of sure thing like stuff that gets tied to Broadcom or Oracle.
Smooth_Signal_3423@reddit
Ugh. My god, Oracle has ruined so many things.
gaijoan@reddit
Just ask the Swedish region that gave Oracle a ton of money to get a new "healthcare information system", which, when it was to be implemented, resulted in massive protests by the healthcare staff due to it being so shitty it would jeopardize patient health, due to it being an unusable piece of excrement, and they had to pause the implementation and revert back... unclear what will happen now, as they're trying to salvage what they can. Money down the drain.... Don't know how much they wasted, but the budget was about $500M, which is pretty massive for just a region of a country with a population of 10M.
AtlanticPortal@reddit
Well, MySQL was done to cripple a potential competitor on the entry-level market for SMBs. They did it on purpose, not to extract value from the company owning it.
Well, they did that for the other products made by Sun, but that's a whole other story.
Royale_AJS@reddit
Hello? Yes, this is ZFS, I'd like to join the conversation.
BallingAndDrinking@reddit
Hey, at least ZFS has some absolutely insane(ly good) people that decided they weren't done.
You have Oracle ZFS, which is the Oracle-touched ZFS.
And OpenZFS, which was forked when Oracle got their fingers on ZFS.
AFAIK, Oracle can't claim anything about OpenZFS, nor can they change the license. It's CDDL, so you'd need all the people that were in the project to change the license, and a few of them passed away, so it may get very hard to do that.
Considering the state of OpenZFS (ZFS on Linux was merged into it a few years back), it's great to know we don't have to fear Oracle.
Royale_AJS@reddit
Sun Microsystems' parting gift to us all was opening up MySQL, ZFS, Solaris, and more. RIP Sun.
well-litdoorstep112@reddit
As much as I hate to say it, Microsoft buying GitHub and npm hasn't turned them to shit (yet). Same with Facebook buying Oculus.
bshea@reddit
I still use VirtualBox on a home machine and admin some older VMwares for work.
But that's it, never buying anything from either one again (or recommending). Everrrrr.
FortuneIIIPick@reddit
> If it gets touched by Broadcom or Oracle then move to something else. That is something I live by with the tech I use.
I don't use Broadcom for anything. I do use Oracle Cloud and I've used Oracle Database a lot. What is it about Oracle that you would include it as if it were related to Broadcom or the OP's dilemma?
Expensive_Finger_973@reddit
My personal distaste for them came about from seeing how they handle the licensing of the extension pack for VirtualBox.
They put the binary out there as a public download with a disclaimer on the page that says it is a license violation to use it for commercial purposes, but otherwise let you download it.
They record the IPs that do the downloads, and their lawyers go through those IPs to see if they are owned by a commercial entity, then they start sending a bill for usage retroactively. So even if you remove the installs when it is brought to your attention, it is too late. The mere fact someone clicked the button on the site to try and download the binary is enough.
Slimy business practice.
psyblade42@reddit
They do the same thing for Java.
mralanorth@reddit
Anaconda does this too. They tried to shake us down big time last year.
NGRhodes@reddit
We haven't faced a compliance audit yet, but a few other unis in our group have. I was tasked with looking into the Anaconda licensing issue and coordinating with management and legal. Legal flagged the T&Cs as too vague around "commercial use". On that basis we now advise researchers to use mamba/miniforge instead of Anaconda.
lebean@reddit
Also crappy that the VirtualBox extension pack can be purchased for $50/seat, but they require a minimum of 100 seats on their store when you purchase licensing.
Left VirtualBox behind ages ago for vanilla virsh/libvirt VMs for testing and whatnot on my workstation; they're perfectly fine and I don't miss VBox at all.
CryptographerNo8497@reddit
Are you serious?
Expensive_Finger_973@reddit
Yep. The user doesn't even have to install it. If they just download it and never install it, you can still get a nastygram from Oracle's legal team demanding you pay for a year's license because someone in your multi-thousand-headcount company downloaded that binary while on the corporate network 8-12 months ago.
TassieTiger@reddit
Oh yeah, we had 2...... 2 of us using VBox, and they wouldn't sell us anything less than 1000 seats at $20 each.
melanantic@reddit
How often can this work, though? Could I just tuck a contractual agreement of my choosing in my pocket and start offering help around the house, managing the dishwasher, cleaning floors, scrubbing tiles etc. before sending a bill to the housemates? I mean, they had the chance to read the TOS? They took my clear offer of "you can have this" after all.
Expensive_Finger_973@reddit
When it comes to BS corporate contracts, it has been working for them for years at this point.
melanantic@reddit
Astonishing. I mean, I'm sure it's regularly a case of "we are already tied in as their customer so we can't afford to be litigious", but damn. I could only imagine laughing at the person over the phone for as long as they would stay on the line. I wonder how the same would pan out if you used a commercial VPN to download VirtualBox 🤔 Whose thing just seems too thin to not be restricted to America.
Expensive_Finger_973@reddit
The 2 times my company has gotten hit with it, it was about $5k for less than 10 unique downloads.
At those prices in the corporate world, I imagine most companies just pay it so it will go away. Fighting it would cost more.
So it is a nice little scam they have going.
TassieTiger@reddit
I've been on the receiving end of one of the lawyer letters. It's not a fun time.
Those who downloaded the extension packs from their website years ago should go there and look at it now; it is VERY clear that it's not for commercial use, whereas before it was hidden well deep in the EULA.
FortuneIIIPick@reddit
> Put the binary out there as a public download with a disclaimer on the page that says it is a license violation to use it for commercial purposes, but otherwise lets you download it.
A lot of companies do that. But OK.
jameson71@reddit
How about the sudden JRE licensing costs?
ChrisTX4@reddit
Did you forget about the whole Sun acquisition? Java, MySQL, Solaris, OpenOffice?
FortuneIIIPick@reddit
I've coded in Java since 1995; I still do. I've used MySQL as long as I can remember, going back before the acquisition; I still do. No one uses OpenOffice much because it didn't keep up with LibreOffice. I wish it had; I preferred it since it was written in Java. Can't say I used Solaris much. I don't get the point, though?
LvS@reddit
That sentence is very much not correct.
LibreOffice is a fork of OpenOffice, which means at one point both were the exact same code. So both of them are written in the same language. And that language is C++.
Before the fork, Sun tried to write a part in Java: The MS Access replacement. But that never went anywhere. (Plus, this whole idea of a database management software got less and less important.)
mishrashutosh@reddit
I am curious why LibreOffice has a section to "use Java runtime environment" in its settings?
LvS@reddit
Scripting and plugins.
FortuneIIIPick@reddit
OK, I seemed to recall it requiring Java to be installed, but a quick Google shows you're correct and it was mainly written in C++.
ChrisTX4@reddit
So, for Java, immediately after the acquisition, Oracle started slapping an absolutely draconian EULA on their binaries, a license called BCL. It was pretty much an attempt at license entrapment against companies. That's not to mention the whole lawsuit against Google they had over Java APIs. Or making the Apache Foundation resign from the Java Executive Committee over denying them access to the TCK.
For MySQL, Oracle keeps basic performance functionality gatekept to the paid-for, non-open-source enterprise edition. As such, MariaDB is significantly faster than the MySQL open-source edition.
As for Solaris, Sun had open-sourced Solaris in 2008, and immediately after the acquisition went through, Oracle decided to just rug-pull the whole thing and close-source it again. The result nowadays is that Solaris sees virtually no development on Oracle's end, especially after Oracle laid off almost the entire Solaris team in September 2017.
Finally, for OpenOffice: Oracle decided it wasn't profitable and dropped it after a short while, donating it to the Apache Foundation. The reason LibreOffice came to be in the first place is the withdrawal of developers, and all of the above.
Read the Wikipedia article for more details.
mishrashutosh@reddit
Also, the Apache Foundation is insane not to sunset OpenOffice and direct everyone to LibreOffice. OpenOffice has had no development for years; the only activity is someone literally adding and removing whitespace and shit from the code. It's probably a Swiss cheese of security holes at this point.
FortuneIIIPick@reddit
> It was pretty much an attempt at license entrapment against companies.
It's called licensing. Either way, Sun open sourced Java before they sold Sun.
> That's not to mention the whole lawsuit against Google they had over Java APIs.
I feel they were right in their lawsuit, Microsoft tried to steal Java from Sun and fortunately didn't get away with it. Google tried it and so far, has successfully gotten away with it.
Ok, I'm tired, there are no good corporations only good people. Do business with whom you want. I don't have issues with Oracle, you seem to, OK.
_paag@reddit
You see, when Broadcom touches anything, it turns to shit.
At least that is what I learned these last few years.
unkn0wncvm1@reddit
fuck Broadcom and MediaTek. i hope they go bankrupt
timrosu@reddit
What's with mediatek?
Alaknar@reddit
Ah, yes, the Mierdas Touch!
UffTaTa123@reddit
It even has its own name: that's "enshittification".
aurei94@reddit
Me gusta that pun
wootybooty@reddit
Me gusta me gusta me guuustaaaa 🤖
ResisterImpedant@reddit
Holy shit is this true. We were switching to VMC at my last job just as Broadcom bought VMware and it was a complete clusterfuck.
Charwinger21@reddit
Cordyceps.
Broadcom's shell is being controlled by Avago PE Cordyceps.
silenceimpaired@reddit
Midas’s useless stepbrother … Crapus Broadcom… everything he touches turns to… Black gold compost.
dread_deimos@reddit
Wasn't that Oracle?
tux-lpi@reddit
Oracle is the lawnmower.
Remember: "Never make the mistake of anthropomorphizing Larry Ellison"
spider623@reddit
Hey, at least Ellison understands the real uses of AI, Altman on the other hand keeps making believe that he is the most advanced cyborg
Jean_Luc_Lesmouches@reddit
"When you ask a bank CEO what is the goal of their company, they say it's to help people invest in their project. When you ask Larry Ellison what is the goal of Oracle, he says it's to make money."
MyOtherCarIsACdr@reddit
Nah everything they touch turns into lawsuits.
silenceimpaired@reddit
That’s the soul stealer.
UffTaTa123@reddit
Also the VM appliances. Yes, I lost a day because I had to migrate from Bitnami to a self-built default installation.
aonbehamut@reddit
So the question is are there any alternative options not how bad we all agree broadcom and oracle are. And for the record.... Yea they suck something awful
pppjurac@reddit
Bub, there is your answer in straight letters.
vim_deezel@reddit
I always just use VM for that stuff these days, and do 2 or 3 services per VM. PC Memory isn't that expensive and if you don't run a desktop (put into CLI mode only) linux+VM layer is pretty cheap, can be even cheaper with something like zen. It's also very easy to back up the images every now and then. Docker is nice, but always seemed kind of brittle to me.
algorian@reddit
Ok, I get what's said about Oracle but Broadcom? Why are people so against Broadcom? I believe I've been missing some giant dbag actions by Broadcom. Please enlighten me!
FryBoyter@reddit
Find out what Broadcom did after acquiring VMware. Small businesses had their contracts terminated, and other companies now have to pay many times more.
In addition, Broadcom's WiFi drivers on Linux have always been in need of improvement.
hitosama@reddit
So you have to pay for these "secure" Bitnami images now? From what I've read, they're moving to these "secure" images and they'll keep current ones in "legacy" repository.
Tobi-Random@reddit
Yeah but you have to switch to legacy namespace and they also said "not for long". So expect the legacy repo to go down soon
hitosama@reddit
So, secure images are paid now?
Tobi-Random@reddit
Yes.
hitosama@reddit
I see. Because I looked around a bit and it seems that they are in fact freely available (only "latest" tag though).
This is from Bitnami website:
So I assume you can set your image pull policy to "IfNotPresent" or "Never" and manage them manually if you're not ready to move specific image to new version.
yrro@reddit
Cloud Native PG
v3d@reddit
Hello enshittification, nice to meet you, it's us, users, or "shit" to you.
Adorable-Fault-5116@reddit
I have never heard of Bitnami, and it would never occur to me to use a third party image when an official image exists. Why trust two organisations when you only need to trust one?
Tobi-Random@reddit
Uniformity of charts when you need many different databases. I think bitnami images were only used because of the success of their charts.
S_Nathan@reddit
Serious question: what’s wrong with the regular Postgres images?
tanaciousp@reddit
There was a period of time when the Bitnami images were published for older versions of Postgres built for different architectures, like arm64 which was incredibly useful on apple silicon.
NordschleifeLover@reddit
For older and existing versions you can use bitnamilegacy I think. There are security risks, but for local development (assuming you don't run production servers on apple silicon) it should be fine and give you more time to migrate to something else.
Tobi-Random@reddit
No they already said that legacy will be a) a frozen repo and also b) be shut down in the future. You shouldn't rely on it.
S_Nathan@reddit
Thanks, so there is a small benefit, but this doesn’t seem like a big deal then.
venom02@reddit
In my case it was uniformity of helm charts. We have a lot of different databases and having a common and predictable configuration pattern was really useful.
Icy-Contact-7784@reddit
Holy shit. My previous company is using a lot of them in production.
nlh101@reddit
I just read this announcement earlier today… and realized, oh shit, Broadcom owns Spring. Which is used extensively through the entire enterprise world. They’re spending lots of time making IT admin lives a living nightmare, why not do it for large groups of software engineers too?
I’m not looking forward to the impending world of Spring licensing fees that inevitably concoct.
NordschleifeLover@reddit
They what? Oh my god.
AlephNaN@reddit
With nix you can build images with a precise specification for any architecture that are reproducible down to the last bit. No base image needed, very unlikely to be enshittified as there's no corporation behind it.
FortuneIIIPick@reddit
For postgres I run it using docker compose mainly for SonarQube:
services:
  db:
    image: postgres:12
    restart: unless-stopped
    environment:
      POSTGRES_USER: [redacted]
      POSTGRES_PASSWORD: [redacted]
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
    extra_hosts:
      - "host.docker.internal:host-gateway"
networks:
  default:
    name: build_network
    external: true
volumes:
  postgresql:
  postgresql_data:
I typed this into Google Search, "postgres docker compose" and the AI response at the top provided basically the same as the above with a ports option.
For Redis, their AI gave this:
I periodically do "docker compose down", the "docker pull postgres:12" then "docker compose up -d" to update it. Or if there are any upgrade steps I follow those.
mralanorth@reddit
I get your point, but I hope you don't have that PostgreSQL 12 running in production. It's only been out of support for a short while now, but it is way behind in terms of current releases.
FortuneIIIPick@reddit
It's local only and good point, it's time I should upgrade it.
mralanorth@reddit
Great! Check out this article about space savings on indexes in PostgreSQL 13:
https://adamj.eu/tech/2021/04/13/reindexing-all-tables-after-upgrading-to-postgresql-13/
mishrashutosh@reddit
technically you don't have to use "docker compose down". just run "docker compose pull" when in the same directory as the compose yaml and it will pull any updated image(s). and then "docker compose up -d" to stop the current instance and launch a new instance with the updated image(s).
burt_carpe@reddit
Set up your own images. Follow the CVEs and upgrade appropriately. Do not assume someone else is going to do it for you.
Iciciliser@reddit
Whatever you come up with, this is a good time to make sure you cache your upstream dependencies. Sucks that it's going away and won't receive security updates but you should always cache so that upstream decisions don't immediately break things.
juaquin@reddit
This. If it's a homelab, running a mirror is a great practice activity anyway.
fico86@reddit
Does cve count really matter? As long as you have the proper network safeguards in place, most of those vulnerabilities can only be exploited from inside your network no?
mishrashutosh@reddit
yeah, debian based images tend to have a lot of cves but that doesn't mean they are always insecure, as long as they are being properly maintained.
Shark_lifes_Dad@reddit
Freeloader complaining about shit not being free more news at 11.
night0x63@reddit
I'm switching to docker.io/library/rabbitmq
And some open source helm charts or roll my own
But I have a year or two because I just refresh the bitnami image with apt-get upgrade -y
I also have memcached but that is fine
memcached-Exporter can be replaced by prom exporter
nicksterling@reddit
I would recommend creating your own docker registry and mirror the existing images you are reliant on. Then if those images poof out of existence you have time to migrate them to another image.
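Whether you end up mirroring into your own registry or moving to official images, the first step is to find every compose file that still pulls from the namespace being shut down and to check whether those references are pinned. The following Python script is an added example, not code from this thread or from Bitnami, Docker or any project named here: it scans a compose file for image: lines, splits each reference into registry, repository, tag and digest using Docker's defaults (docker.io registry, library/ namespace for bare names), and flags references that float on a missing or "latest" tag, are not pinned by digest, or come from a watch-listed third-party namespace. The compose content, the "mirror" repository on localhost:5000 and the all-zero digest are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder digest (not a real image digest).
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample compose file for this example; not taken from the thread.
SAMPLE_COMPOSE = f"""\
services:
  db:
    image: bitnami/postgresql:16
  cache:
    image: "docker.io/bitnami/redis:latest"
  queue:
    image: docker.io/library/rabbitmq
  sonar-db:
    image: postgres:12
  mirrored:
    image: localhost:5000/mirror/redis:7.2@{PLACEHOLDER_DIGEST}
"""

# Matches an `image:` key and captures its (optionally quoted) value.
IMAGE_LINE = re.compile(r'''^\s*image:\s*["']?([^"'\s#]+)''')

NO_DIGEST = "not pinned by digest"
FLOATING_TAG = "floating tag (missing or 'latest')"


@dataclass
class ImageRef:
    registry: str
    repository: str          # namespace/name, e.g. "bitnami/postgresql"
    tag: Optional[str]
    digest: Optional[str]

    @property
    def namespace(self) -> str:
        return self.repository.split("/")[0]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Applies the Docker CLI defaults: no registry means docker.io, and a bare
    name on docker.io lives under library/. When a digest is present the
    runtime pulls by digest and the tag is informational only.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    first = parts[0]
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:   # colon in the last component is a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def audit_compose(text: str, watch_namespaces=("bitnami",)) -> List[dict]:
    """Report every image reference in a compose file with its supply-chain issues."""
    findings = []
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        raw = m.group(1)
        ref = parse_image_ref(raw)
        issues = []
        if ref.digest is None:
            issues.append(NO_DIGEST)
        if ref.tag is None or ref.tag == "latest":
            issues.append(FLOATING_TAG)
        if ref.registry == "docker.io" and ref.namespace in watch_namespaces:
            issues.append(f"watch-listed namespace '{ref.namespace}'")
        findings.append({"image": raw, "parsed": ref, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        status = "; ".join(finding["issues"]) or "OK"
        print(f"{finding['image']}\n    -> {status}")
```

Run it against your own compose files instead of SAMPLE_COMPOSE to get a migration list. Only the mirrored reference passes cleanly, because it names a registry you control and is pinned by digest; a digest-pinned reference keeps pulling the same bytes even if the upstream tag is retagged or removed, which is the property the mirror advice above is after. The digest for an existing image can be read with docker buildx imagetools inspect on the reference.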
V2UgYXJlIG5vdCBJ@reddit
Replace Docker with Podman while you're at it. I feel that eventually Docker will pull something similar.
annodomini@reddit
Official images, or just building my own from base Debian or Alpine images, depending on the software. Only used Bitnami for a few things, so it's less of a hassle for me.
igo95862@reddit
I think they are still on Amazon ECR Public Gallery including all the tags: https://gallery.ecr.aws/bitnami/
https://gallery.ecr.aws/bitnami/postgresql
https://gallery.ecr.aws/bitnami/redis
glotzerhotze@reddit
🍿
cltrmx@reddit
That's a thought I had a few years back when I tested Bitnami images on a first basis: what if they want to charge for their work in the future? I'm glad I never actually deployed something with Bitnami images.
faramirza77@reddit
Are Bitnami Secure Images free? Developers can access a portion of Bitnami Secure Images for non-production use cases. Free images are only available in the latest tag. See our Dockerhub for a list of what’s free. For access to all the images/applications in the catalog, along with many other benefits, you can purchase Bitnami Secure Images. Bitnami Secure Images allows you to use open source software application components in mission-critical projects and production environments in a secure, sustainable and compliant manner. https://bitnami.com/
lukepatrick@reddit
Depending what/how you are pulling things, I have been a big fan of https://artifacthub.io/
rytio@reddit
That's what happens when you use anything that is not directly under your control. Every 3rd party dependency has this risk and you should always minimize dependencies and make sure there is a backup plan
Odd-Possession-4276@reddit
Homelabbing as a hobby is about messing around with underlying components and learning new things. Treat it as an educational opportunity. Container images are easy to rebuild from source and cache in a local registry anyway. If you run k8s and are deeply invested in their Helm charts, then oops, you should've started the migration as soon as the announcement was made (mid July).
Mental-Wrongdoer-263@reddit
has anyone tried the official redis image? i'm considering it but heard it might have more vulns, not sure if that’s just rumors. might also check out minimus io since it seems easy to set up for deployments
ThePierrezou@reddit
Broadcom :)
INITMalcanis@reddit
Yeah I was about to chime in and say if these are so useful and valuable, maybe... it's time to pay for them? Then I saw "Broadcom".
MarzipanEven7336@reddit
They were meh anyway.