Date:      Fri, 14 Apr 2023 22:36:15 +0000 (UTC)
From:      Paul Pathiakis <pathiaki2@yahoo.com>
To:        "questions@freebsd.org" <questions@freebsd.org>,  infoomatic <infoomatic@gmx.at>
Subject:   Re: Docker
Message-ID:  <887947753.4080046.1681511775374@mail.yahoo.com>
In-Reply-To: <f59385ad-a467-5e24-3c17-72c17d3b5aca@gmx.at>
References:  <20230329053443.6ADA6B6AFED5@dhcp-8e64.meeting.ietf.org> <34b4b76e-1c41-4cfb-9e86-856f01e8abc9@app.fastmail.com> <CA%2B1FSihVrJ8cZ4ZU6mMr0sKJsZ98V4fh2vpDLugw7MGj-%2BEBPg@mail.gmail.com> <CA%2B1FSijL50mQ-HveBA4HZeNkSoaORv=aty-15nNLzn9amzY_nw@mail.gmail.com> <6002f636-310b-a9fd-b82f-346618976983@timpreston.net> <CA%2B1FSigV_pPwVW%2BDd8WZYGcNQVt7%2BYOcsnJFoRhS6jL5A636pg@mail.gmail.com> <20230412150350.12f97eb2c9dd566b8c8702d2@sohara.org> <CA%2B1FSihVPCQ6tp8u=aqnLyyOPpCMrnhYGcC8bCUgRbFHTdY5sA@mail.gmail.com> <1535315680.2770963.1681309684072@mail.yahoo.com> <CAHieY7RFe0P85twcs1NiiAvTTr4oGPJEtXEkufsXswQt3ECGvg@mail.gmail.com> <CA%2B1FSiiCG-iugAbSoNC2r5WXCJvgi6pj3jG74jCwukhNtb_XGA@mail.gmail.com> <CADGo8CXsCYCOi%2Bwk2ED7zpJdFQDhynzD0u1qFDUFS3RveS8wOg@mail.gmail.com> <CA%2B1FSij3VXqsGs5ZTUv%2B9Q2wJ18yCqVqgHAyGfCWc0C%2Bxi=KXw@mail.gmail.com> <543289768.3317542.1681394425362@mail.yahoo.com> <CA%2B1FSiicxR1hbd=LO8%2BPMyv7=OmXZGa3Uco1p-rRP3pe1Yf6hA@mail.gmail.com> <f59385ad-a467-5e24-3c17-72c17d3b5aca@gmx.at>

Hi,

Personally, I think jails are brilliant and their evolution has also been brilliant.

Gee, a complete operating system contained as a process running under the parent process that behaves just like the parent OS.
You can upgrade the OS, the pkgs, etc.

I really don't think it would be hard to create a 'library' of jails.

Here's a postfix jail
Here's a DNS jail
Here's a PostgreSQL jail

You can run your jails via the "Master Jailer"
You can create your library of jails via "Jailer Key"
You could put them in the "Jail Cell" of repositories

I actually created this on my server when I was running my now defunct company.

Literally, 40-50 jails that were running on my server that was a couple of Opteron chips on a SuperMicro system.  It never so much had a load on it of 2-3 and it was doing so much.

It was so easy to upgrade the OS versions on the jails and the ports (had to run ports for bug fixes).

I had some serious 'white hat' friends that offered to do pen testing.... (I was running PF with redirects to the ports in the jails and nothing else was open on them)... I got so many beers when they gave up. :)

Truly, I believe podman and containerd are going to be a serious improvement/change.  However, at home, on my machines, FreeBSD 13.1 and 13.2 will be this weekend.

My gf and her 85 y.o. mom are running GhostBSD right now.  THEY HAVE LOVED IT for the last 5 years.

Paul

    On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic <infoomatic@gmx.at> wrote:

I think docker is a good example of how to NOT do things. There is a
reason why it is dying, lots of bad things have happened in docker land.

However, let me post my opinion. We can distinguish between two
different types of containerization: system level containers and
application level containers. Linux LXC and FreeBSD jails fall into the
former category.

OCI containers fall into the application level container category and
are moving away from the awkward Docker stack to sane solutions: podman,
containerd, cri-o etc.
The basic idea is: I have a repository which provides signed images for
the users to pull and use as a running container. For software vendors,
I can create an image which is basically a tar with the files and
layered filesystems that can be pushed to the repository. Just like a
jail, all the needed software and libraries are contained in one image, but
more easily accessible for users. The container consists of filesystem layers
identified by a hash, which can be referenced by other containers
(e.g. a Debian Linux container in its minimal edition might be the base
for the Kali Linux penetration testing container). Files that should
persist are mounted via mount_nullfs into the container. The cool thing
about that is: the images are created in a declarative manner, a yaml
file.

FreeBSD already provides lots of the technology necessary to build that
(I am not talking about running Linux containers, but FreeBSD
application level containers), however, it just lacks some glue like a
system for defining a config file from which such a container is built,
a repo, and I have no idea about how stable/performant unionfs is.
Unfortunately I have not yet had time to look at the proposed projects
of this thread.

A few use cases come to mind (well, actually much more since I have
worked with OCI/"Docker" since the beginning): "I want to host a simple
public jitsi server, do not want to go through all the config. Someone
made such a setup already and pushed that container to some repo, oh
nice, let's just pull it and run it", or maybe: "oh, I do want to use
keepass as password manager, but do not want it to be able to make
network connections. Fine, just download the container and forbid
network access." I am a lazy guy, I prefer spending my time on creating
stuff and pushing it to a repository instead of fumbling around with
ansible scripts to deploy that stuff when pushing and pulling an upgrade
is so much easier via providing self-contained images.

So, yes, I would absolutely love to see application level containers, or
such a slick framework built around the great jail solution we already
have. Passing around containers as a single binary package for FreeBSD -
one may dream ;-)

Regards,
Robert


On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that it
> has given a solid proof to be a valid and robust tool. I think Docker
> has all these requisites.
>


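Robert's sketch above (an image is a tar of filesystem layers, each identified by a hash, with a base layer shared by derived images) can be made concrete with an added example; this is not code from the thread or from any container runtime, and it assumes a minimal manifest format constructed for illustration rather than the real OCI image spec. It shows the check a client should run before unpacking a pulled layer, and that matching size alone does not catch a swapped layer.

```python
import hashlib
import io
import tarfile


def make_layer(files):
    """Build an uncompressed tar layer in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0  # fixed mtime so the layer digest is reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    """Content address of a layer: the hash of the blob, so a layer can be referenced by any image."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_manifest(layers):
    """Hypothetical manifest: an ordered list of layer references by digest and size."""
    return {"layers": [{"digest": digest(b), "size": len(b)} for b in layers]}


def verify_pull(manifest, store):
    """Check every layer the manifest references against the blob the store hands back.
    Returns (ok, list_of_bad_digests); a client should refuse to unpack when ok is False."""
    bad = []
    for entry in manifest["layers"]:
        blob = store.get(entry["digest"])
        if blob is None or len(blob) != entry["size"] or digest(blob) != entry["digest"]:
            bad.append(entry["digest"])
    return (not bad, bad)


# Constructed sample: a base layer shared by two images, and an app layer on top of it.
BASE = make_layer({"etc/motd": b"base image\n"})
APP = make_layer({"usr/local/bin/app": b"#!/bin/sh\necho hi\n"})
STORE = {digest(BASE): BASE, digest(APP): APP}  # stand-in for the repository's blob store
BASE_MANIFEST = build_manifest([BASE])
APP_MANIFEST = build_manifest([BASE, APP])  # references the very same base digest


def demo_swapped_layer():
    """Simulate a store returning a modified layer under the original digest key.
    The tar is the same size, so only the digest comparison catches it."""
    swapped = dict(STORE)
    swapped[digest(APP)] = make_layer({"usr/local/bin/app": b"#!/bin/sh\necho changed\n"})
    return verify_pull(APP_MANIFEST, swapped)
```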
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?887947753.4080046.1681511775374>