Student activities in Sitka are getting a boost from the marijuana industry. During their meeting last week, the Assembly approved depositing all money generated from state marijuana licensing fees into a specific fund for student travel sponsored by the school district.

Assemblyman Steven Eisenbeisz believes this could generate $8000 to $10,000, depending on how the burgeoning pot industry takes off. So far, the state has awarded licenses to three cultivation facilities and one retail shop. Each state fee costs $5000 and local communities receive half of that.

As for student activities in Sitka, the local contribution has been fairly stable – $132,000 this year – and teams and clubs fundraise to make up the rest. But with more students flying to competitions around Southeast, the need is greater. Superintendent Mary Wegner says she appreciates the Assembly’s creativity.

“Activities and athletics are a great antidote to smoking marijuana,” Wegner said. “When you’re involved with activities you don’t want to. So it is a very interesting and novel approach, but I appreciate the [Assembly’s] creativity in keeping the students first and foremost in their minds and in their actions.”

The idea wasn’t embraced by everyone, though. Aaron Bean, owner of the grow and retail operation Green Leaf Inc., objected to the ordinance, stressing the importance of keeping marijuana out of young hands.

“If we’re funding school programs and the kids that are traveling know where these funds come through, I would hate to encourage…it’s not direct advertising, but I feel like it’s priming if that makes sense. in these programs know…I wouldn’t be in favor of that as a business owner,” Bean said.

Mim McConnell, who completed her final meeting as Sitka’s Mayor Tuesday night, said that while she understood where Bean was coming from, there is precedent.

“To me, it’s kind of like the tobacco tax going to the hospital,” McConnell said. “We don’t give it to the hospital and people thinking, ‘Money going to the hospital? Let’s smoke more.’ So hopefully that’s not what people think.”

The ordinance then passed unanimously, on second and final reading.
Are there any challenges developers should be aware of when using namespaces?

The main challenge is that you don’t have the full isolation that you get with true virtualization, and that does have some security implications. For example, although the container can only see its own running processes, the host machine has a view of everything that is running inside all containers, and – as I’ll show in my talk – all their environment variables. If you’re using environment variables to pass secrets (like, say, database passwords) into your containers, they’ll be accessible from the host machine. That may not be an issue for all users, but it is a serious concern for some. Fortunately there are solutions, including Aqua Security, to prevent secrets being leaked to the host through the environment like this.

What are some types of namespaces, and how are they used?

There are currently namespaces for the hostname, process IDs, user and group IDs, mounts, networking and inter-process communications. Some of these are absolutely essential to containerization, whereas others are only needed in certain circumstances. For example, Docker has supported user and group ID mapping since 1.10 leveraging the user / group namespace, but I think it would be fair to say that it’s only used by a minority as it’s not needed in a lot of use cases. Most people can simply use containers without worrying about the nuts and bolts of how they are put together, but if you’re interested in what’s going on under the covers there are some interesting challenges around the way namespaces interact with each other and with the host.

What do you hope developers will take away from your talk?

As well as namespaces, I’ll be talking about cgroups. If a namespace limits what a container can see, a cgroup limits the resources it can use, like memory or CPU. I’ll be demonstrating all of this by writing my own container in Go, and then I’m going to subject it to a security exploit to test whether I have really isolated my container from the rest of the machine. If you like live coding and demos, and you want to really understand what’s going on when you run code in a container, you should definitely come along.

Everyone is talking about containers these days, but what do containers actually mean for software development? There are many different pieces involved to put a successful containerized application together. SD Times caught up with Liz Rice, technology evangelist for container security specialist Aqua Security, to talk about a very important piece: Namespaces. Rice will be speaking at this week’s DockerCon about namespaces, and what they can do for containers.

SD Times: What are namespaces, and why are they necessary for containers?

Rice: Namespaces are one of the key building blocks that are used to create containers. When you start a process on Linux, you can ask the kernel to give the process its own namespaces, and that means it has a restricted view of what’s going on. So for example when you look at the list of running processes within a container, you only see the ones inside that container and none of the processes running elsewhere on the machine. It’s namespacing that gives the container this constrained view. I’ll be demonstrating exactly how it works in my talk at DockerCon.

What are the benefits to using namespaces?

Namespaces are an incredibly lightweight way to isolate containers from each other. From inside the container, it looks a lot like being inside a virtual machine, but there’s none of the overhead of a hypervisor. Starting a virtual machine can take minutes, whereas starting a container is almost instantaneous.
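
The interview's point that container environment variables are visible from the host can be audited on the host itself. The Go program below is an added example, not code from the interview or from Rice's talk: it parses the NUL-separated format of /proc/<pid>/environ and reports only the names of variables that look like secrets. The name pattern and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// secretName is an assumed heuristic for variable names that usually hold credentials.
var secretName = regexp.MustCompile(`(?i)(pass(word|wd)?|secret|token|api_?key|credential)`)

// secretVars parses the NUL-separated KEY=VALUE block the kernel exposes in
// /proc/<pid>/environ and returns the names (never the values) that look like secrets.
func secretVars(environ []byte) []string {
	var names []string
	for _, entry := range bytes.Split(environ, []byte{0}) {
		key, _, found := bytes.Cut(entry, []byte("="))
		if !found || len(key) == 0 {
			continue // trailing empty entry or malformed data
		}
		if secretName.Match(key) {
			names = append(names, string(key))
		}
	}
	return names
}

// sample is constructed data in the same format as /proc/<pid>/environ.
var sample = []byte("PATH=/usr/bin\x00DB_PASSWORD=hunter2\x00HOSTNAME=web-1\x00API_TOKEN=abc123\x00")

func main() {
	fmt.Println("sample:", secretVars(sample))
	// On a Linux host, report per process which variable names need attention.
	paths, _ := filepath.Glob("/proc/[0-9]*/environ")
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			continue // process exited or we lack permission
		}
		if names := secretVars(data); len(names) > 0 {
			fmt.Printf("%s: %v\n", p, names)
		}
	}
}
```

Any process the report lists is a candidate for moving its credentials out of the environment, for example into a mounted secret file with restricted permissions.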