Date:      Sat, 15 Apr 2023 00:12:18 +0200
From:      infoomatic <infoomatic@gmx.at>
To:        questions@freebsd.org
Subject:   Re: Docker
Message-ID:  <f59385ad-a467-5e24-3c17-72c17d3b5aca@gmx.at>
In-Reply-To: <CA%2B1FSiicxR1hbd=LO8%2BPMyv7=OmXZGa3Uco1p-rRP3pe1Yf6hA@mail.gmail.com>
References:  <20230329053443.6ADA6B6AFED5@dhcp-8e64.meeting.ietf.org> <34b4b76e-1c41-4cfb-9e86-856f01e8abc9@app.fastmail.com> <CA%2B1FSihVrJ8cZ4ZU6mMr0sKJsZ98V4fh2vpDLugw7MGj-%2BEBPg@mail.gmail.com> <CA%2B1FSijL50mQ-HveBA4HZeNkSoaORv=aty-15nNLzn9amzY_nw@mail.gmail.com> <6002f636-310b-a9fd-b82f-346618976983@timpreston.net> <CA%2B1FSigV_pPwVW%2BDd8WZYGcNQVt7%2BYOcsnJFoRhS6jL5A636pg@mail.gmail.com> <20230412150350.12f97eb2c9dd566b8c8702d2@sohara.org> <CA%2B1FSihVPCQ6tp8u=aqnLyyOPpCMrnhYGcC8bCUgRbFHTdY5sA@mail.gmail.com> <1535315680.2770963.1681309684072@mail.yahoo.com> <CAHieY7RFe0P85twcs1NiiAvTTr4oGPJEtXEkufsXswQt3ECGvg@mail.gmail.com> <CA%2B1FSiiCG-iugAbSoNC2r5WXCJvgi6pj3jG74jCwukhNtb_XGA@mail.gmail.com> <CADGo8CXsCYCOi%2Bwk2ED7zpJdFQDhynzD0u1qFDUFS3RveS8wOg@mail.gmail.com> <CA%2B1FSij3VXqsGs5ZTUv%2B9Q2wJ18yCqVqgHAyGfCWc0C%2Bxi=KXw@mail.gmail.com> <543289768.3317542.1681394425362@mail.yahoo.com> <CA%2B1FSiicxR1hbd=LO8%2BPMyv7=OmXZGa3Uco1p-rRP3pe1Yf6hA@mail.gmail.com>

I think docker is a good example of how to NOT do things. There is a
reason why it is dying, lots of bad things have happened in docker land.

However, let me post my opinion. We can distinguish between two
different types of containerization: system level containers and
application level containers. Linux LXC and FreeBSD jails fall into the
former category.

OCI containers fall into the application level container category and
are moving away from the awkward Docker stack to sane solutions: podman,
containerd, cri-o etc.
The basic idea is: I have a repository which provides signed images for
the users to pull and use as a running container. For software vendors,
I can create an image which is basically a tar with the files and
layered filesystems that can be pushed to the repository. Just like a
jail, all the needed software and libraries are contained in one image, but
more easily accessible for users. The container consists of filesystem layers
identified by a hash, which can be referenced by other containers
(e.g. a Debian Linux container in its minimal edition might be the base
for the Kali Linux penetration testing container). Files that should
persist are mounted via mount_nullfs into the container. The cool thing
about that is: the images are created in a declarative manner, a YAML
file.

FreeBSD already provides lots of the technology necessary to build that
(I am not talking about running Linux containers, but FreeBSD
application level containers), however, it just lacks some glue like a
system for defining a config file from which such a container is built,
a repo, and I have no idea about how stable/performant unionfs is.
Unfortunately I have not yet had time to look at the proposed projects
of this thread.

A few use cases come to mind (well, actually many more since I have
worked with OCI/"Docker" since the beginning): "I want to host a simple
public jitsi server, do not want to go through all the config. Someone
made such a setup already and pushed that container to some repo, oh
nice, let's just pull it and run it", or maybe: "oh, I do want to use
keepass as password manager, but do not want it to be able to make
network connections. Fine, just download the container and forbid
network access." I am a lazy guy, I prefer spending my time on creating
stuff and pushing it to a repository instead of fumbling around with
ansible scripts to deploy that stuff when pushing and pulling an upgrade
is so much easier via providing self-contained images.

So, yes, I would absolutely love to see application level containers, or
such a slick framework built around the great jail solution we already
have. Passing around containers as a single binary package for FreeBSD -
one may dream ;-)

Regards,
Robert


On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that it
> has given a solid proof to be a valid and robust tool. I think Docker
> has all these requisites.
>
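
The layer model described in the message above (filesystem layers identified by a hash and shared between images), as an added example that is not part of the original e-mail or of any project mentioned in it. It is a simplified in-memory model, not the OCI on-disk or wire format; `LayerStore`, `build_manifest`, `verify` and `manifest_digest` are hypothetical names, and the layer contents are constructed byte strings.

```python
import hashlib
import json

def digest(blob: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form used to name a layer."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

class LayerStore:
    """Content-addressed store: each layer is kept once, keyed by its digest."""
    def __init__(self):
        self.blobs = {}

    def put(self, blob: bytes) -> str:
        d = digest(blob)
        self.blobs[d] = blob  # identical content maps to the same key
        return d

def build_manifest(store, layers, base=None):
    """A manifest is an ordered list of layer digests; a derived image
    references its base image's layers by digest instead of copying them."""
    inherited = list(base["layers"]) if base else []
    return {"layers": inherited + [store.put(b) for b in layers]}

def verify(store, manifest):
    """Return digests whose bytes are missing or no longer hash to their name."""
    bad = []
    for d in manifest["layers"]:
        blob = store.blobs.get(d)
        if blob is None or digest(blob) != d:
            bad.append(d)
    return bad

def manifest_digest(manifest) -> str:
    """Digest of a canonical JSON encoding (an assumption of this sketch).
    Signing this one value commits to every layer digest in the list."""
    encoded = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return digest(encoded.encode())

# Constructed sample data: byte strings stand in for layer tarballs.
store = LayerStore()
base = build_manifest(store, [b"base userland files", b"pkg database"])
app = build_manifest(store, [b"jitsi binaries and config"], base=base)

if __name__ == "__main__":
    print("blobs stored:", len(store.blobs))      # base layers stored once
    print("verify app:", verify(store, app))      # empty list: all layers intact
    store.blobs[base["layers"][0]] = b"tampered base files"
    print("after tampering:", verify(store, app)) # the altered base layer
```

Because a layer's name is the hash of its content, a puller can detect a modified layer without trusting the repository, as long as the manifest itself is authenticated.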




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f59385ad-a467-5e24-3c17-72c17d3b5aca>