Date: Sat, 15 Apr 2023 00:45:12 +0200
From: Mario Marietto <marietto2008@gmail.com>
To: Paul Pathiakis <pathiaki2@yahoo.com>
Cc: "questions@freebsd.org" <questions@freebsd.org>, infoomatic <infoomatic@gmx.at>
Subject: Re: Docker
Message-ID: <CA%2B1FSijAYbWDktOEbcAuAF8P-fTK5k_bDd0_isEKTUEAD-%2B2Ug@mail.gmail.com>
In-Reply-To: <887947753.4080046.1681511775374@mail.yahoo.com>
References: <20230329053443.6ADA6B6AFED5@dhcp-8e64.meeting.ietf.org> <34b4b76e-1c41-4cfb-9e86-856f01e8abc9@app.fastmail.com> <CA%2B1FSihVrJ8cZ4ZU6mMr0sKJsZ98V4fh2vpDLugw7MGj-%2BEBPg@mail.gmail.com> <CA%2B1FSijL50mQ-HveBA4HZeNkSoaORv=aty-15nNLzn9amzY_nw@mail.gmail.com> <6002f636-310b-a9fd-b82f-346618976983@timpreston.net> <CA%2B1FSigV_pPwVW%2BDd8WZYGcNQVt7%2BYOcsnJFoRhS6jL5A636pg@mail.gmail.com> <20230412150350.12f97eb2c9dd566b8c8702d2@sohara.org> <CA%2B1FSihVPCQ6tp8u=aqnLyyOPpCMrnhYGcC8bCUgRbFHTdY5sA@mail.gmail.com> <1535315680.2770963.1681309684072@mail.yahoo.com> <CAHieY7RFe0P85twcs1NiiAvTTr4oGPJEtXEkufsXswQt3ECGvg@mail.gmail.com> <CA%2B1FSiiCG-iugAbSoNC2r5WXCJvgi6pj3jG74jCwukhNtb_XGA@mail.gmail.com> <CADGo8CXsCYCOi%2Bwk2ED7zpJdFQDhynzD0u1qFDUFS3RveS8wOg@mail.gmail.com> <CA%2B1FSij3VXqsGs5ZTUv%2B9Q2wJ18yCqVqgHAyGfCWc0C%2Bxi=KXw@mail.gmail.com> <543289768.3317542.1681394425362@mail.yahoo.com> <CA%2B1FSiicxR1hbd=LO8%2BPMyv7=OmXZGa3Uco1p-rRP3pe1Yf6hA@mail.gmail.com> <f59385ad-a467-5e24-3c17-72c17d3b5aca@gmx.at> <887947753.4080046.1681511775374@mail.yahoo.com>
So, let me understand: Docker images aren't compatible with FreeBSD.
Imagine that FreeBSD jails will not be compatible with Linux. Wow, this
is true interoperability.
On Sat, Apr 15, 2023 at 12:36 AM Paul Pathiakis <pathiaki2@yahoo.com> wrote:
> Hi,
>
> Personally, I think jails are brilliant and their evolution has also been
> brilliant.
>
> Gee, a complete operating system contained as a process running under the
> parent process that behaves just like the parent OS.
> You can upgrade the OS, the pkgs, etc.
>
> I really don't think it would be hard to create a 'library' of jails.
>
> Here's a postfix jail
> Here's a DNS jail
> Here's a PostgreSQL jail
>
> You can run your jails via the "Master Jailer"
> You can create your/library of jails via "Jailer Key"
> You could put them in the "Jail Cell" of repositories
>
> I actually created this on my server when I was running my now defunct
> company.
>
> Literally, 40-50 jails that were running on my server that was a couple of
> Opteron chips on a SuperMicro system. It never so much had a load on it of
> 2-3 and it was doing so much.
>
> It was so easy to upgrade the OS versions on the jails and the ports (had
> to run ports for bug fixes)
>
> I had some serious 'white hat' friends that offered to do pen testing....
> (I was running PF with redirects to the ports in the jails and nothing else
> was open on them)... I got so many beers when they gave up. :)
>
> Truly, I believe podman and containerd are going to be a serious
> improvement/change. However, at home, on my machines, FreeBSD 13.1 and
> 13.2 will be this weekend.
>
> My gf and her 85 y.o. mom are running GhostBSD right now. THEY HAVE LOVED
> IT for the last 5 years.
>
> Paul
>
> On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic <infoomatic@gmx.at> wrote:
>
>
> I think docker is a good example of how to NOT do things. There is a
> reason why it is dying, lots of bad things have happened in docker land.
>
> However, let me post my opinion. We can distinguish between two
> different types of containerization: system level containers and
> application level containers. Linux LXC and FreeBSD jails fall into the
> former category.
>
> OCI containers fall into the application level container category and
> are moving away from the awkward Docker stack to sane solutions: podman,
> containerd, cri-o etc.
> The basic idea is: I have a repository which provides signed images for
> the users to pull and use as a running container. For software vendors,
> I can create an image which is basically a tar with the files and
> layered filesystems that can be pushed to the repository. Just like a
> jail, all the needed software and libraries are contained in one image, but
> more easily accessible for users. The container consists of filesystem layers
> identified by a hash, which can be referenced by other containers
> (e.g. a Debian Linux container in its minimal edition might be the base
> for the Kali Linux penetration testing container). Files that should
> persist are mounted via mount_nullfs into the container. The cool thing
> about that is: the images are created in a declarative manner, from a yaml
> file.
>
> FreeBSD already provides lots of the technology necessary to build that
> (I am not talking about running Linux containers, but FreeBSD
> application level containers), however, it just lacks some glue like a
> system for defining a config file from which such a container is built,
> a repo, and I have no idea about how stable/performant unionfs is.
> Unfortunately I have not yet had time to look at the proposed projects
> of this thread.
>
> A few use cases come to mind (well, actually many more since I have
> worked with OCI/"Docker" since the beginning): "I want to host a simple
> public jitsi server, do not want to go through all the config. Someone
> made such a setup already and pushed that container to some repo, oh
> nice, let's just pull it and run it", or maybe: "oh, I do want to use
> keepass as password manager, but do not want it to be able to make
> network connections. Fine, just download the container and forbid
> network access." I am a lazy guy, I prefer spending my time on creating
> stuff and pushing it to a repository instead of fumbling around with
> ansible scripts to deploy that stuff when pushing and pulling an upgrade
> is so much easier via providing self-contained images.
>
> So, yes, I would absolutely love to see application level containers, or
> such a slick framework built around the great jail solution we already
> have. Passing around containers as a single binary package for FreeBSD -
> one may dream ;-)
>
> Regards,
> Robert
>
>
> On 13.04.23 17:43, Mario Marietto wrote:
> > For sure not everything, but something that is very requested and that
> > has given solid proof of being a valid and robust tool. I think Docker
> > has all these requisites.
> >
>
>
>
--
Mario.
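Robert's keepass use case above ("download the container and forbid network access") together with his note that persistent files are nullfs-mounted into the container, written as a FreeBSD jail.conf(5) entry. This is an added example, not code from anyone in the thread; the jail name and all paths are assumptions.

```conf
# Added example (not from this thread): an application-style jail for a
# password manager that keeps its database but has no network at all.
# The jail name and paths are assumptions; the mount points must exist.
keepass {
    path = "/usr/jails/keepass";
    host.hostname = "keepass.jail";

    # Least privilege: neither an IPv4 nor an IPv6 stack is visible inside
    # the jail, so the application cannot open any network connection.
    ip4 = "disable";
    ip6 = "disable";
    allow.raw_sockets = 0;

    # Persistent data lives outside the jail root and is nullfs-mounted in
    # (fstab(5) format), so the jail can be rebuilt without losing it.
    mount += "/usr/jails/data/keepass /usr/jails/keepass/data nullfs rw 0 0";
    mount.devfs;
    devfs_ruleset = 4;

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown jail";
}
```

After `service jail start keepass`, `jls -j keepass ip4.addr ip6.addr` should print no address at all, which is the check that the isolation took effect.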
