From owner-freebsd-hackers@freebsd.org Sun Jan 6 19:44:34 2019
Message-Id: <201901061944.x06JiTwK004880@slippy.cwsent.com>
From: Cy Schubert
To: Wojciech Puchar
Cc: Alan Somers, Cy Schubert, Hackers freeBSD, Igor Mozolevsky, Enji Cooper
Subject: Re: Strategic Thinking (was: Re: Speculative: Rust for base system components)
In-Reply-To: Message from Wojciech Puchar of "Sun, 06 Jan 2019 20:09:54 +0100."
Date: Sun, 06 Jan 2019 11:44:29 -0800
List-Id: Technical Discussions relating to FreeBSD

In message , Wojciech Puchar writes:
> >> why this "microservices" - which are simply complete programs without
> >> dependencies (or should be) - cannot be run simply as processes on
> >> different user accounts?
> >
> > Several reasons:
> > 1) Separate accounts don't provide as much security as separate
> > containers. Capsicum does, but people aren't used to using Capsicum
>
> I use separate processes and don't feel the lack of security. I don't use
> Capsicum too.

Really? Explain, please.

>
> Could you explain it more precisely why standard process and user/group
> separation is insufficient?

Why then did the industry move from mainframes to the client/server model?

>
> Simply access rights and setting
> security.bsd.see_other_uids=0
>
> is enough for me.

This is nearsighted.

>
> If something could be added then it would be limiting what ports can each
> user open. But it's not really a problem.

The UNIX security model, even with ACLs, POSIX.1e, and Capsicum, sucks. Again, we had that kind of model on the mainframe. Not quite TCP/IP ports, but Google RACF and ACF2.

>
> > 2) Fragmentation. The Linux world is much more fragmented than the
> > FreeBSD world. It's hard to write a program that will work correctly
>
> That's what I agree with you.
>
> Anyway if these microservices would be statically linked this argument
> would be irrelevant. And from what I've read it's how microservices should
> be made.

They're self-contained, linked against libraries in the container.

>
> > 3) Fashion. You may not care about the latest IT craze, but a lot of
> > IT departments do. And you can't change their minds all by yourself.
>
> I don't even try to change their minds. I don't discuss with such people.
> You can discuss and present arguments to people that don't think.

When you do your own thing you become irrelevant. Lucky for me I'm close enough to retirement that it doesn't matter; however, if I were younger I'd have to go with the times.
Having said that, I choose to learn new technologies because I intend to continue to contract after retirement for the travel money. You have to realize that the choices made by the industry do make sense when you view them from the point of view of big capital. The idea is to reduce money spent on developers, sysadmins, computers and resources. Not that I say this is good, but it is the world we live in.

>
> > If FreeBSD is to be used by people who deploy microservices, then it
> > needs to do what they want. That means it needs Docker or something
> > similar (IT admins won't want to learn ezjail if they're already
> > comfortable with Docker), or we need to convince people to use
> > CloudABI. CloudABI has the potential to outperform containers. It
> > just hasn't gained traction yet.
> > -Alan
>
> Docker is already in ports. If someone wants to use it - what a problem?

CloudABI is an attempt to offer an alternative. It didn't have the momentum that Docker and CRI-O (which will replace Docker) do. One day we will need to implement Linux namespaces and cgroups (which IMO are inferior to jails), but apps which intimately interface with those facilities should be able to port over to FreeBSD relatively easily.

>
> Anyway if they prefer Linux let them use Linux.

And 95% of the UNIX-like world does. Should we give up and become a hobby O/S, like some other examples we can think of? Linuxisms suck, but that's the world we live in.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.
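Alan's first point in the thread, that a separate uid and a Capsicum sandbox are different kinds of boundary, as an added example that is not part of this thread or of FreeBSD's own code: the program opens a file, enters capability mode with cap_enter(), and shows that the same uid can no longer open the same path by name while the descriptor it already held (narrowed with cap_rights_limit()) still reads. Off FreeBSD the Capsicum calls are stubbed out so the file still compiles, and the experiment then reports no difference; /etc/passwd is used only as a convenient world-readable file.

```c
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0 /* stubs below keep the file compiling on other systems */
#endif

/* Narrow `held` to read-only rights, then enter capability mode.
 * Returns 1 when the process is now sandboxed, 0 where Capsicum is unavailable. */
static int enter_sandbox(int held)
{
#if HAVE_CAPSICUM
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(held, &rights) != 0) return 0;
    return cap_enter() == 0;
#else
    (void)held;
    return 0;
#endif
}

/* Runs the experiment in a child so the caller stays unsandboxed. Result bits:
 * 1 = open(path) by name still succeeds after cap_enter(); 2 = read() on the
 * descriptor opened beforehand still succeeds. Expect 2 on FreeBSD (the late
 * open fails with ECAPMODE), 3 elsewhere, 0 if `path` cannot be opened at all. */
int sandbox_experiment(const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[16];
        int bits = 0, late;
        int held = open(path, O_RDONLY);        /* capability obtained early */
        if (held < 0) _exit(0);
        enter_sandbox(held);                    /* ambient authority removed */
        late = open(path, O_RDONLY);            /* same uid, same path... */
        if (late >= 0) { bits |= 1; close(late); }
        if (read(held, buf, sizeof buf) >= 0)   /* ...but the held fd works */
            bits |= 2;
        _exit(bits);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The uid boundary never enters the picture: the late open is refused even though the child runs as the same user that opened the file a moment earlier, which is the restriction see_other_uids and access rights alone cannot express.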