From owner-freebsd-questions@freebsd.org Mon Feb 17 19:42:16 2020
Date: Mon, 17 Feb 2020 11:42:07 -0800
From: Ihor Antonov <ihor@antonovs.family>
To: Tim Preston
Cc: freebsd-questions@freebsd.org
Subject: Re: Technological advantages over Linux
Message-ID: <20200217194207.rxmcomsn4jvmoc7c@sea-ll-10936>
In-Reply-To: <8a9a33b3-4eb1-419c-a9e3-fca4db430619@www.fastmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On 2020-02-17 09:47, Tim Preston wrote:
> Thank you Ihor, this is a great summary.
>
> One thing I'd like to mention regarding Docker is the inherent
> abstraction leakage around pre-built images as they tend to be tied to
> the host they were built on.
> For example, I've seen quite a few images in Docker Hub with a
> hardcoded UID which causes file permissions issues when mounting a
> volume from the host. Or often authors just assume you'll run the
> container as root.

Yes, this is a known problem. For reasons unknown to me (could be a technical limitation back when Docker started) the docker daemon was not performing UID mapping, so that the root UID inside the container (0) was also the same UID outside containers, which created all sorts of problems. Docker now allows doing that, but the feature is not the default:
https://docs.docker.com/engine/security/userns-remap/

A newer tool, podman, offers a rootless containers feature and performs this by default. Podman got rid of the privileged daemon process, so that now the entire container tooling runs in a user namespace. And so it has to do UID/GID mapping between parent/child namespaces. This is a step in the right direction since now Joes don't need root privileges to work with container tooling.

Can you create jails in FreeBSD as a non-root user and have root inside the jail?

The initial design of docker has a flaw that was necessary back then, but not anymore: it has a privileged daemon running, listening on a socket for commands from the CLI tool.

> Another is a mismatch of kernel versions or capabilities between image
> build host and your host, for example, Redis usually needs Transparent
> Huge Pages to be turned off in the kernel.

While this is probably true, I never encountered this issue myself. And if software requires specific kernel settings, does a jail solve this problem better? (I don't know if there are per-jail sysctl configs..)
> It's for these reasons (and the previously mentioned security risks)
> I'd hope that an 'image' model isn't implemented for FreeBSD jails.
> Recipes to build jails are a much better idea, as per iocage and
> Bastille.

Pre-built images can emerge as an inevitable need to speed up the build process. If your recipe (dockerfile) relies on another recipe and that one relies on another, it could take A LOT of time to build all the layers you rely on.

Basically a docker "image" is just a collection of layers. When you work on the dockerfile and rebuild it regularly, you don't want to rebuild parts that have not changed. And so docker came up with the idea of image layers. Each command in the Dockerfile creates a layer. And if you did not touch that specific line in the dockerfile, the layer will be re-used. When you are finished, your "image" is just the resulting set of layers. (Overly simplified, but the gist of it.)

And since Linux folks did not have a proper COW file system (ZFS) they had to invent things like overlayfs to quickly take snapshots of the image, because simply gzipping the image every time something changes there was VERY SLOW.

Dockerhub also stores all the layers, because it appears to be storage-efficient, since many images can have shared layers.

So as much as I am with you on

> hope that an 'image' model isn't implemented

I see it as an inevitable result of ecosystem development... unless a radically different approach is taken towards solving the "long build times" problem.

------------
Ihor Antonov

> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
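The UID-mapping point raised above (container root being host root under the classic Docker default, versus the per-user ranges that userns-remap and rootless podman set up) can be made concrete with the kernel's own /proc/<pid>/uid_map format. The following is an added example, not code from the thread or from Docker or podman: it translates UIDs across a user namespace boundary exactly as the kernel's "inside outside count" triples dictate, and shows what a bind-mounted host file looks like from inside. The two maps, the host UID 1000 and the subuid range 100000-165535 are constructed sample data, and 65534 is the kernel's default overflow ("nobody") UID.

```python
"""Translate UIDs across a user-namespace boundary the way the kernel does
with /proc/<pid>/uid_map. Added example, not from the original thread.

Each uid_map line is "inside outside count": namespace UIDs
[inside, inside+count) correspond to host UIDs [outside, outside+count).
A UID with no mapping is presented as the overflow UID on the other side.
"""

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid

# Classic Docker default: identity mapping, so container root == host root.
IDENTITY_MAP = "0 0 4294967295\n"

# Rootless-style mapping for a host user with UID 1000 whose /etc/subuid
# grants 100000-165535 (constructed sample, assumed for this example):
#   container UID 0       -> host UID 1000 (the unprivileged owner)
#   container UID 1-65536 -> host UIDs 100000-165535
ROOTLESS_MAP = "0 1000 1\n1 100000 65536\n"


def parse_uid_map(text):
    """Parse uid_map content into (inside, outside, count) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host_uid(uid_map, container_uid):
    """Container UID -> host UID, or OVERFLOW_UID if it is not mapped."""
    for inside, outside, count in parse_uid_map(uid_map):
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def to_container_uid(uid_map, host_uid):
    """Host UID -> container UID, or OVERFLOW_UID if it is not mapped.

    This is the owner a process inside the namespace sees on a file that
    was bind-mounted in from the host."""
    for inside, outside, count in parse_uid_map(uid_map):
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def volume_owner_view(uid_map, host_file_uid, image_uid):
    """The 'hardcoded UID in the image' problem: a host file owned by
    host_file_uid is mounted into a container whose image runs as image_uid.
    Returns (UID seen inside the container, True if image_uid owns it)."""
    seen = to_container_uid(uid_map, host_file_uid)
    return seen, seen == image_uid


if __name__ == "__main__":
    print("identity map: container root is host uid", to_host_uid(IDENTITY_MAP, 0))
    print("rootless map: container root is host uid", to_host_uid(ROOTLESS_MAP, 0))
    print("rootless map: container uid 1000 is host uid", to_host_uid(ROOTLESS_MAP, 1000))
    print("host uid 1000 file, seen inside rootless container as uid",
          to_container_uid(ROOTLESS_MAP, 1000))
    print("host uid 2000 file (unmapped), seen inside as uid",
          to_container_uid(ROOTLESS_MAP, 2000))
    print("image hardcodes uid 1000, volume owned by host uid 1000:",
          volume_owner_view(IDENTITY_MAP, 1000, 1000), "(identity)",
          volume_owner_view(ROOTLESS_MAP, 1000, 1000), "(rootless)")
```

The last two lines are the practical check: with the identity map a volume owned by host UID 1000 is still UID 1000 inside, so an image that hardcodes UID 1000 works; with the rootless map the same file shows up as UID 0 inside and the image's UID 1000 no longer owns it, while a host UID outside the mapped ranges collapses to 65534 and nobody inside can claim it.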
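The layer-caching reasoning in the message above (each Dockerfile instruction yields a layer, an untouched prefix of the file is reused, and a registry stores shared layers once) can be modelled in a few lines. This is an added toy model, not the thread's code and not Docker's actual build-cache algorithm: it keys each layer on its parent layer plus the instruction text, which is enough to reproduce the "change line 3 and everything from line 3 onward rebuilds" behaviour the message describes. The Dockerfiles below are constructed sample input.

```python
"""Toy model of Dockerfile layer caching. Added example, not from the
original thread and not Docker's real implementation.

A layer's identity depends on its parent layer and its instruction, so a
layer is reusable only when every instruction before it is unchanged."""

import hashlib


def layer_id(parent_id, instruction):
    """Content-addressed layer ID: hash of the parent ID and the instruction."""
    h = hashlib.sha256()
    h.update(parent_id.encode())
    h.update(b"\n")
    h.update(instruction.encode())
    return h.hexdigest()[:12]


def build(dockerfile, cache):
    """'Build' a Dockerfile given as a list of instruction strings.

    `cache` is a set of layer IDs already built (shared across builds and
    images, like a local build cache or a registry's layer store).
    Returns (layer IDs in order, number of layers reused from the cache)."""
    layers = []
    parent = "scratch"
    reused = 0
    for instruction in dockerfile:
        lid = layer_id(parent, instruction)
        if lid in cache:
            reused += 1
        else:
            cache.add(lid)  # stands in for doing the work and storing the layer
        layers.append(lid)
        parent = lid
    return layers, reused


# Constructed sample Dockerfiles.
REDIS_V1 = [
    "FROM debian:12",
    "RUN apt-get update && apt-get install -y redis-server",
    "COPY redis.conf /etc/redis/redis.conf",
    "CMD [\"redis-server\", \"/etc/redis/redis.conf\"]",
]
# Only the COPY line changed: the first two layers should be reused.
REDIS_V2 = REDIS_V1[:2] + [
    "COPY redis-tuned.conf /etc/redis/redis.conf",
    REDIS_V1[3],
]
# A different image on the same base: shares exactly one layer.
NGINX = [
    "FROM debian:12",
    "RUN apt-get update && apt-get install -y nginx",
]


def demo():
    """Run the three builds against one shared cache and report reuse."""
    cache = set()
    _, first = build(REDIS_V1, cache)      # cold cache: nothing reused
    _, second = build(REDIS_V1, cache)     # identical rebuild: all reused
    _, third = build(REDIS_V2, cache)      # prefix reused, tail rebuilt
    _, fourth = build(NGINX, cache)        # only the FROM layer is shared
    return {
        "cold": first,
        "identical": second,
        "changed_line_3": third,
        "other_image": fourth,
        "layers_stored": len(cache),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Stored-layer count is the storage-efficiency point: three builds of two images yield 4 + 4 + 2 = 10 layer references but only 7 distinct layers are kept, because the shared prefixes are stored once.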