From: infoomatic <infoomatic@gmx.at>
To: questions@freebsd.org
Subject: Re: Docker
Date: Sat, 15 Apr 2023 00:12:18 +0200
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

I think docker is a good example of how to NOT do things. There is a reason why it is dying: lots of bad things have happened in docker land. However, let me post my opinion.

We can distinguish between two different types of containerization: system level containers and application level containers. Linux LXC and FreeBSD jails fall into the former category. OCI containers fall into the application level container category and are moving away from the awkward Docker stack to sane solutions: podman, containerd, cri-o etc.

The basic idea is: I have a repository which provides signed images for the users to pull and use as a running container. For software vendors, I can create an image which is basically a tar with the files and layered filesystems that can be pushed to the repository.
Just like a jail, all the needed software and libraries are contained in one image, but more easily accessible for users. The container consists of filesystem layers identified by a hash, which can be referenced by other containers (e.g. a Debian Linux container in its minimal edition might be the base for the Kali Linux penetration testing container). Files that should persist are mounted via mount_nullfs into the container. The cool thing about that is: the images are created in a declarative manner, from a yaml file.

FreeBSD already provides lots of the technology necessary to build that (I am not talking about running Linux containers, but FreeBSD application level containers); however, it just lacks some glue like a system for defining a config file from which such a container is built, a repo, and I have no idea about how stable/performant unionfs is. Unfortunately I have not yet had time to look at the proposed projects of this thread.

A few use cases come to mind (well, actually many more, since I have worked with OCI/"Docker" since the beginning): "I want to host a simple public jitsi server, do not want to go through all the config. Someone made such a setup already and pushed that container to some repo, oh nice, let's just pull it and run it", or maybe: "oh, I do want to use keepass as password manager, but do not want it to be able to make network connections. Fine, just download the container and forbid network access."

I am a lazy guy, I prefer spending my time on creating stuff and pushing it to a repository instead of fumbling around with ansible scripts to deploy that stuff when pushing and pulling an upgrade is so much easier via providing self-contained images. So, yes, I would absolutely love to see application level containers, or such a slick framework built around the great jail solution we already have.

Passing around containers as a single binary package for FreeBSD - one may dream ;-)

Regards,
Robert

On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that
> has given a solid proof to be a valid and robust tool. I think Docker
> has all these requisites.
>
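As an added illustration (not part of Robert's post, and not the code of any real registry or runtime), a toy model of the content-addressed layering and digest checking described above: a derived image reuses its base image's layers by digest, a union view of the layers is built only after every digest has been rechecked, and a layer whose bytes no longer match its digest is rejected. The image names, file contents and the JSON stand-in for tar layers are constructed sample data.

```python
"""Toy model of OCI-style content-addressed image layers (constructed example)."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

def digest(blob: bytes) -> str:
    """Content address of a layer blob, in the OCI 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def make_layer(files: Dict[str, str]) -> bytes:
    """Serialize a layer as canonical JSON; a stand-in for the real tar archive."""
    return json.dumps(sorted(files.items())).encode()

def build_image(name: str, parent: Optional[dict], files: Dict[str, str],
                store: Dict[str, bytes]) -> dict:
    """Push one new layer to the blob store and return a manifest listing the
    parent's layers first, then the new one, as an OCI manifest does."""
    blob = make_layer(files)
    store[digest(blob)] = blob
    layers = list(parent["layers"]) if parent else []
    layers.append(digest(blob))
    return {"name": name, "layers": layers}

def verify_image(manifest: dict, store: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Recompute every layer digest before use. Returns (ok, bad_digests): a
    layer that is missing, or whose bytes no longer hash to its name, is rejected."""
    bad = [d for d in manifest["layers"]
           if d not in store or digest(store[d]) != d]
    return (not bad, bad)

def rootfs(manifest: dict, store: Dict[str, bytes]) -> Dict[str, str]:
    """Flatten the layers into the view a union filesystem presents; later layers win."""
    fs: Dict[str, str] = {}
    for d in manifest["layers"]:
        fs.update(dict(json.loads(store[d])))
    return fs

def demo() -> dict:
    store: Dict[str, bytes] = {}
    base = build_image("debian-minimal", None,
                       {"/etc/os-release": "debian", "/bin/sh": "sh"}, store)
    derived = build_image("kali", base, {"/etc/os-release": "kali"}, store)
    ok_before, _ = verify_image(derived, store)
    fs = rootfs(derived, store)          # only after verification succeeded
    # Simulate a registry serving a tampered base layer under the old digest.
    store[base["layers"][0]] = b"[]"
    ok_after, bad = verify_image(derived, store)
    return {"shared_base": derived["layers"][0] == base["layers"][0],
            "ok_before": ok_before, "fs": fs, "ok_after": ok_after, "bad": bad}
```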