From: Grzegorz Junka <list1@gjunka.com>
To: ss griffon, "Patrick M. Hausen"
Cc: freebsd-virtualization@freebsd.org
Subject: Re: The status of docker
Date: Wed, 23 Jan 2019 21:08:59 +0000
Message-ID: <5e0f5b46-3508-c29c-2e05-d3e97154512f@gjunka.com>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

On 23/01/2019 03:21, ss griffon wrote:
> I'm a bit late to the game, but I wanted to add my 2 cents. I don't
> see the benefit of implementing "docker" in FreeBSD. If you are just
> implementing the linux system calls i.e. using the linuxulator, then
> you lose any benefits of running on FreeBSD. It seems like
> implementing the docker interfaces, like a Dockerfile, registry
> support and networking switches using FreeBSD specific implementations
> would be extremely helpful. Especially for the CI/CD workflow.
>
> For example:
> #Dockerfile
>
> #Pull an image from registry and create a new dataset with snapshot.
> #Registry could be http, ftp or any other transfer protocol.
> FROM FreeBSD:RELEASE-11.2
>
> #Copy app directory into the jailed directory. Perhaps setting system immutable flag.
> COPY ./app /app
>
> #Use pf to route to port 80 from the host. Or use vnet
> EXPOSE 80
>
> #Run a command in the jail to prepare the new image.
> RUN env ASSUME_ALWAYS_YES=yes pkg install bash nginx uwsgi py36-flask
>
> #Mark the startup command
> CMD /bin/sh /etc/rc
>
>
> The above would be very familiar to docker users and can be used to
> generate a standards compliant image (I believe there was a project
> jetpack that did something like this). Creating an OCI compliant image
> would probably be the first step to using kubernetes, but I haven't
> really spent any time looking at kubernetes.
>
> We could also add extensions for using resource limits, capsicum,
> devd, security levels etc. The other cool thing is this could all be
> run inside a jail using hierarchical jails.
>

Isn't implementing "docker" on FreeBSD the same as implementing the OCI specification, i.e. runtime-spec? Seeing that OCI was founded by Docker I would have thought they align the docker implementation with the spec?

Then to extend that question, wouldn't adding support for docker to FreeBSD mean adding an OCI compliance layer to jails? I don't think the plan is to add support for Linux containers, or "containerization", to the FreeBSD kernel?

GrzegorzJ
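The quoted proposal maps each Dockerfile directive onto a FreeBSD primitive (ZFS clone, cp plus chflags, a pf rdr rule, jexec, a jail.conf startup command). The following is an added example written for this archive page; it is not code from the post, from the jetpack project, or from any real FreeBSD tooling. It parses the five-directive subset shown above and produces a reviewable command plan instead of executing anything. The dataset names (zroot/images, zroot/jails), the /jails mount point, the em0 interface and the 10.0.0.2 jail address are assumptions chosen for the example, as is the idea of loading the rdr rule into a pf anchor named after the jail. The one security-relevant check it adds is that a COPY destination is resolved inside the jail root and rejected if it escapes it.

```python
"""Translate a small Dockerfile subset into a FreeBSD jail build plan.

Illustration only (constructed for this page, not from the post or any
project).  Supports FROM, COPY, EXPOSE, RUN and CMD and returns the host
commands plus a jail.conf fragment without running anything.
"""
import posixpath
import shlex

# Assumed host layout (constructed for the example, not taken from the post).
IMAGE_POOL = "zroot/images"   # FROM name:tag -> zroot/images/name-tag@base
JAIL_POOL = "zroot/jails"
JAIL_ROOT = "/jails"
HOST_IF = "em0"
JAIL_IP = "10.0.0.2"

SUPPORTED = {"FROM", "COPY", "EXPOSE", "RUN", "CMD"}

# Constructed sample: the Dockerfile from the quoted message.
SAMPLE = """\
#Dockerfile
FROM FreeBSD:RELEASE-11.2
COPY ./app /app
EXPOSE 80
RUN env ASSUME_ALWAYS_YES=yes pkg install bash nginx uwsgi py36-flask
CMD /bin/sh /etc/rc
"""


def parse_dockerfile(text):
    """Return [(instruction, argument)], skipping blank and comment lines."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr not in SUPPORTED:
            raise ValueError(f"line {lineno}: unsupported instruction {instr}")
        if len(parts) == 1:
            raise ValueError(f"line {lineno}: {instr} needs an argument")
        steps.append((instr, parts[1].strip()))
    if not steps or steps[0][0] != "FROM":
        raise ValueError("Dockerfile must start with FROM")
    return steps


def jail_path(name, dest):
    """Resolve a COPY destination under the jail root; refuse escapes."""
    root = posixpath.join(JAIL_ROOT, name)
    full = posixpath.normpath(posixpath.join(root, dest.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError(f"COPY destination {dest!r} escapes the jail root")
    return full


def build_plan(text, name):
    """Return {"commands": [...], "jail_conf": str} for the Dockerfile text."""
    commands = []
    start_cmd = "/bin/sh /etc/rc"  # jail(8) default when CMD is absent
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image, _, tag = arg.partition(":")
            snap = f"{IMAGE_POOL}/{image}-{tag or 'latest'}@base"
            commands.append(f"zfs clone {snap} {JAIL_POOL}/{name}")
        elif instr == "COPY":
            src, dest = arg.split()
            target = jail_path(name, dest)
            commands.append(f"cp -R {shlex.quote(src)} {shlex.quote(target)}")
            commands.append(f"chflags -R schg {shlex.quote(target)}")  # immutable
        elif instr == "EXPOSE":
            port = int(arg)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {arg}")
            rule = (f"rdr pass on {HOST_IF} proto tcp from any to ({HOST_IF}) "
                    f"port {port} -> {JAIL_IP} port {port}")
            # Assumes an rdr-anchor for the jail name exists in the main ruleset.
            commands.append(f"echo {shlex.quote(rule)} | pfctl -a {name} -f -")
        elif instr == "RUN":
            commands.append(f"jexec {name} /bin/sh -c {shlex.quote(arg)}")
        elif instr == "CMD":
            start_cmd = arg
    escaped = start_cmd.replace('"', '\\"')
    jail_conf = (f"{name} {{\n"
                 f'    path = "{JAIL_ROOT}/{name}";\n'
                 f'    ip4.addr = "{JAIL_IP}";\n'
                 f'    exec.start = "{escaped}";\n'
                 "}\n")
    return {"commands": commands, "jail_conf": jail_conf}


if __name__ == "__main__":
    plan = build_plan(SAMPLE, "web")
    print("\n".join(plan["commands"]))
    print(plan["jail_conf"])
```

Running the module prints the plan for the sample; the point of returning the commands rather than executing them is that an operator can read the ZFS, pf and jexec steps before anything touches the host.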