Date: Fri, 24 Jul 2020 12:00:16 -0400
From: Paul Mather <paul@gromit.dlib.vt.edu>
To: freebsd-questions@freebsd.org
Cc: Steve O'Hara-Smith <steve@sohara.org>
Subject: Re: Technological advantages over Linux
Message-ID: <20E68F58-D924-4EE5-8919-93E27FDF94C4@gromit.dlib.vt.edu>
In-Reply-To: <mailman.73.1595592001.51665.freebsd-questions@freebsd.org>
References: <mailman.73.1595592001.51665.freebsd-questions@freebsd.org>

On Fri, 24 Jul 2020 12:21:27 +0100, Steve O'Hara-Smith <steve@sohara.org> wrote:

> Message: 2
> Date: Fri, 24 Jul 2020 12:21:27 +0100
> From: Steve O'Hara-Smith <steve@sohara.org>
> To: Victor Sudakov <vas@sibptus.ru>
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Technological advantages over Linux
> Message-ID: <20200724122127.08ea76b6881fd483dc212287@sohara.org>
> Content-Type: text/plain; charset=US-ASCII
>
> On Fri, 24 Jul 2020 10:28:40 +0700
> Victor Sudakov <vas@sibptus.ru> wrote:
>
>> Victor Sudakov wrote:
>
>> 3. FreeBSD lacks a native docker (what prevents from fixing
>
> Isn't the whole point of docker to package applications in
> containers so that (among other simplifications) there was no need to
> support multiple versions of services in the same environment.
>
> One service, one container works just as well in jails as in
> docker, granted it's not as easy as writing a yaml file and watching a
> poorly understood swarm of thousands of containers spring to life and
> provide a load-balanced service, but it isn't hard especially with iocage
> templates.
>
> Personally I always run services in single service jails and have
> done for a lot longer than docker has existed. From what I can see docker
> offers very little advantage if what you need is one-off servers and you
> want complete control over what's on them and what they do. It offers huge
> advantages if you want to administer large load-balanced swarms of
> standardised components.

Whenever Docker comes up, it seems to me that in the FreeBSD world the cry that goes up is "they're just like jails." In my experience, though, FreeBSD jails are more heavyweight than Docker containers. Jails in FreeBSD are more analogous to using LXD in Linux---lightweight OS virtualisation.

Tools like iocage (which I use), Bastille, Pot, etc. reinforce this notion because they base their jails on FreeBSD releases. So, you get a lot of heavyweight cruft installed (or available) that your application probably doesn't need (like compilers, mailers, etc.) as well as services running you might not need (like cron, syslogd, etc.). I tried some years ago to create a very pared-down FreeBSD jail via /etc/src.conf settings (if nothing else but to reduce the internal attack surface of the jail), and found it quite tricky. (There are several hidden dependencies that are not well documented or tested when it comes to removing them from the system.) That's not to say you can't make a heavyweight Docker container, but there are a lot of *very* lightweight ones you can use as your starting point. :-)

The basic Docker paradigm is you execute one process in a container and when that process ends the container exits. Where I work, it's common for people to use the Docker container version of the "aws" [i.e., FreeBSD devel/awscli] command (with its gazillion build dependencies) rather than install the software natively. (Their "aws" command is basically an alias that invokes "docker run" on the "aws" Docker container.) Also, at DockerCon 2020, there was a presentation by the CURL developers about their making and maintaining the official CURL Docker container (https://github.com/curl/curl-docker) so you could run "curl" similarly. This makes it very easy to get access to any version of CURL you need (so long as you can run Docker), as befits a "Swiss Army knife"-like tool such as CURL.

I have not seen FreeBSD jails used in as lightweight a fashion as that (i.e., running as application binaries). Usually they are used to run long-running services. I doubt that is a technological limitation of jails, but is probably a tooling issue. And that, to me, is the main advantage of Docker: its ecosystem and mindshare. My experience of FreeBSD jails is that it is a great technology that has been let down somewhat by poor tools and fragmented communities (ezjail vs. iocage vs. cbsd vs. etc.). It's surprising to me that although jails were introduced in FreeBSD 4.0 it took until FreeBSD 9.1 for jail.conf to appear! The great success of Docker, in my mind, is that it forged a community and a standardisation around use of containers. Who knows, given better tools, maybe FreeBSD jails (and Solaris Zones, etc.) could have been just as big?

I think the other aspect of Docker containers you perhaps overlook is that they are based on immutable images. That makes it very good for application deployment. The "if what you need is one-off servers and you want complete control over what's on them and what they do" that you mention is rarely a use case for Docker containers in my experience. (What you say sounds like LXD OS containers to me.) What people want from Docker containers is a known application build that they can roll forward to or roll back to. Even today, there is no standard image format for FreeBSD jails, and the tools for migration/rollback of jails are not standardised across the many different tools that let you work with jails. Again, that's probably not the fault of jails but of the tooling ecosystem around them. (It's not a technological limitation of jails.)

> Regardless what is with the idea that one OS must be "better" than
> another - a Stilson is not better than a ring spanner, they are simply
> suited to different (but similar) tasks.

I agree entirely with this. That's why I have been loath to contribute to this sort of thread until today. But, I think with jails there's a conceit in the FreeBSD community that there's an element of "we had Docker containers years ago but we call them jails." I don't think the comparison is 100% accurate. I like jails, but I believe the tooling and ecosystem around them falls short of that around Docker. That's a problem of support, not technology, IMHO.

Cheers,

Paul.