From: Paul Mather
Subject: Re: Technological advantages over Linux
Date: Fri, 24 Jul 2020 12:00:16 -0400
To: freebsd-questions@freebsd.org
Cc: Steve O'Hara-Smith
Message-Id: <20E68F58-D924-4EE5-8919-93E27FDF94C4@gromit.dlib.vt.edu>

On Fri, 24 Jul 2020 12:21:27 +0100, Steve O'Hara-Smith wrote:

> Message: 2
> Date: Fri, 24 Jul 2020 12:21:27 +0100
> From: Steve O'Hara-Smith
> To: Victor Sudakov
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Technological advantages over Linux
> Message-ID: <20200724122127.08ea76b6881fd483dc212287@sohara.org>
> Content-Type: text/plain; charset=US-ASCII
>
> On Fri, 24 Jul 2020 10:28:40 +0700
> Victor Sudakov wrote:
>
>> Victor Sudakov wrote:
>
>> 3. FreeBSD lacks a native docker (what prevents from fixing
>
> Isn't the whole point of docker to package applications in
> containers so that (among other simplifications) there was no need to
> support multiple versions of services in the same environment.
>
> One service, one container works just as well in jails as in
> docker, granted it's not as easy as writing a yaml file and watching a
> poorly understood swarm of thousands of containers spring to life and
> provide a load-balanced service, but it isn't hard especially with iocage
> templates.
>
> Personally I always run services in single service jails and have
> done for a lot longer than docker has existed. From what I can see docker
> offers very little advantage if what you need is one-off servers and you
> want complete control over what's on them and what they do. It offers huge
> advantages if you want to administer large load-balanced swarms of
> standardised components.

Whenever Docker comes up, it seems to me that in the FreeBSD world the cry that goes up is "they're just like jails." In my experience, though, FreeBSD jails are more heavyweight than Docker containers. Jails in FreeBSD are more analogous to using LXD in Linux---lightweight OS virtualisation.

Tools like iocage (which I use), Bastille, Pot, etc. reinforce this notion because they base their jails on FreeBSD releases. So, you get a lot of heavyweight cruft installed (or available) that your application probably doesn't need (like compilers, mailers, etc.) as well as services running you might not need (like cron, syslogd, etc.). I tried some years ago to create a very pared-down FreeBSD jail via /etc/src.conf settings (if nothing else but to reduce the internal attack surface of the jail), and found it quite tricky. (There are several hidden dependencies that are not well documented or tested when it comes to removing them from the system.) That's not to say you can't make a heavyweight Docker container, but there are a lot of *very* lightweight ones you can use as your starting point. :-)

The basic Docker paradigm is you execute one process in a container and when that process ends the container exits. Where I work, it's common for people to use the Docker container version of the "aws" [i.e., FreeBSD devel/awscli] command (with its gazillion build dependencies) rather than install the software natively. (Their "aws" command is basically an alias that invokes "docker run" on the "aws" Docker container.) Also, at DockerCon 2020, there was a presentation by the CURL developers about their making and maintaining the official CURL Docker container (https://github.com/curl/curl-docker) so you could run "curl" similarly. This makes it very easy to get access to any version of CURL you need (so long as you can run Docker), as befits a "Swiss Army knife"-like tool such as CURL.

I have not seen FreeBSD jails used in as lightweight a fashion as that (i.e., running as application binaries). Usually they are used to run long-running services. I doubt that is a technological limitation of jails, but is probably a tooling issue. And that, to me, is the main advantage of Docker: its ecosystem and mindshare. My experience of FreeBSD jails is that it is a great technology that has been let down somewhat by poor tools and fragmented communities (ezjail vs. iocage vs. cbsd vs. etc.). It's surprising to me that although jails were introduced in FreeBSD 4.0 it took until FreeBSD 9.1 for jail.conf to appear! The great success of Docker, in my mind, is that it forged a community and a standardisation around use of containers. Who knows, given better tools, maybe FreeBSD jails (and Solaris Zones, etc.) could have been just as big?

I think the other aspect of Docker containers you perhaps overlook is that they are based on immutable images. That makes it very good for application deployment. The "if what you need is one-off servers and you want complete control over what's on them and what they do" that you mention is rarely a use case for Docker containers in my experience. (What you say sounds like LXD OS containers to me.) What people want from Docker containers is a known application build that they can roll forward to or roll back to. Even today, there is no standard image format for FreeBSD jails, and the tools for migration/rollback of jails are not standardised across the many different tools that let you work with jails. Again, that's probably not the fault of jails but of the tooling ecosystem around them. (It's not a technological limitation of jails.)

> Regardless what is with the idea that one OS must be "better" than
> another - a Stilson is not better than a ring spanner, they are simply
> suited to different (but similar) tasks.

I agree entirely with this. That's why I have been loath to contribute to this sort of thread until today. But, I think with jails there's a conceit in the FreeBSD community that there's an element of "we had Docker containers years ago but we call them jails." I don't think the comparison is 100% accurate. I like jails, but I believe the tooling and ecosystem around them falls short of that around Docker. That's a problem of support, not technology, IMHO.

Cheers,

Paul.
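The "aws is really an alias for docker run" pattern in Paul's message, written out as an added example (this is not code from the post, from awscli, or from the curl-docker project). It is a POSIX sh wrapper that runs a CLI tool as a one-shot container and adds the checks a security engineer would want: the image must be pinned by digest (the immutable-image property the message describes is only worth anything if the reference cannot be silently repointed), the container is discarded when its single process exits, and it runs with no capabilities, an immutable root filesystem, and credentials mounted read-only. Assumptions: the images are amazon/aws-cli (entrypoint "aws", working directory /aws) and curlimages/curl (entrypoint "curl"); the caller sets AWS_IMAGE / CURL_IMAGE to name@sha256:<digest>; the mount paths are illustrative. No real digest appears here; any digest value you see in comments is a placeholder.

```shell
# Added example: a hardened "run this CLI tool as a Docker container" wrapper.
# Not from the original post or from the awscli/curl projects. Assumed image
# names: amazon/aws-cli (entrypoint aws, workdir /aws) and curlimages/curl
# (entrypoint curl). Set AWS_IMAGE / CURL_IMAGE to name@sha256:<digest>.
# Set DOCKER=echo to dry-run and see the exact command that would execute.

# Refuse anything not pinned by digest. A tag such as ":latest" can be moved
# to a different build by the registry; a digest names exactly one immutable
# image, so "roll forward" and "roll back" become a one-line change of the
# variable and nothing else.
check_pinned() {
    if printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        return 0
    fi
    printf 'refusing unpinned image "%s": use name@sha256:<digest>\n' "$1" >&2
    return 2
}

# Baseline docker-run flags shared by every wrapper:
#   --rm                              discard the container when its one process exits
#   -i                                keep stdin open so pipes into the tool work
#                                     (add -t yourself for an interactive TTY)
#   --read-only --tmpfs=/tmp          image filesystem stays immutable at run time
#   --cap-drop=ALL                    no Linux capabilities; a CLI tool needs none
#   --security-opt=no-new-privileges  no setuid/setgid escalation inside the container
base_flags() {
    printf '%s' '--rm -i --read-only --tmpfs=/tmp --cap-drop=ALL --security-opt=no-new-privileges'
}

# aws_in_docker ARGS...      e.g.  aws_in_docker s3 ls
# Credentials are mounted read-only; the current directory is the tool's
# working directory so relative file arguments behave as they would natively.
aws_in_docker() {
    check_pinned "${AWS_IMAGE:-}" || return 2
    # shellcheck disable=SC2046   # word-splitting base_flags is intended
    "${DOCKER:-docker}" run $(base_flags) \
        -v "${HOME}/.aws:/root/.aws:ro" \
        -v "${PWD}:/aws" -w /aws \
        "$AWS_IMAGE" "$@"
}

# curl_in_docker ARGS...     e.g.  curl_in_docker -sSO https://example.invalid/file
# Only the current directory is visible inside the container, so "-o" and
# "-O" can write downloads next to you and nothing else on the host.
curl_in_docker() {
    check_pinned "${CURL_IMAGE:-}" || return 2
    # shellcheck disable=SC2046
    "${DOCKER:-docker}" run $(base_flags) \
        -v "${PWD}:/work" -w /work \
        "$CURL_IMAGE" "$@"
}
```

Source the file and define `alias aws=aws_in_docker` to get the alias the message describes. Two caveats worth knowing before relying on it: the read-only credentials mount means awscli cannot write its assume-role cache under ~/.aws/cli/cache, so either accept re-authentication or mount that subdirectory writable; and if the image runs as an unprivileged user (curlimages/curl does), the mounted working directory must be writable by that uid for downloads to succeed.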