Re: Docker

From: Paul Pathiakis <pathiaki2_at_yahoo.com>
Date: Fri, 14 Apr 2023 22:36:15 UTC
Hi,
Personally, I think jails are brilliant and their evolution has also been brilliant.
Gee, a complete operating system contained as a process running under the parent process that behaves just like the parent OS. You can upgrade the OS, the pkgs, etc.
I really don't think it would be hard to create a 'library' of jails.
Here's a postfix jail. Here's a DNS jail. Here's a PostgreSQL jail.
You can run your jails via the "Master Jailer". You can create your library of jails via "Jailer Key". You could put them in the "Jail Cell" of repositories.
I actually created this on my server when I was running my now defunct company.
Literally, 40-50 jails were running on my server, which was a couple of Opteron chips on a SuperMicro system. It never had so much as a load of 2-3 on it, and it was doing so much.
It was so easy to upgrade the OS versions on the jails and the ports (had to run ports for bug fixes).
I had some serious 'white hat' friends that offered to do pen testing... (I was running PF with redirects to the ports in the jails and nothing else was open on them)... I got so many beers when they gave up. :)
Truly, I believe podman and containerd are going to be a serious improvement/change. However, at home, on my machines, FreeBSD 13.1 and 13.2 will be this weekend.
My gf and her 85 y.o. mom are running GhostBSD right now. THEY HAVE LOVED IT for the last 5 years.
Paul
On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic <infoomatic@gmx.at> wrote:

I think docker is a good example of how to NOT do things. There is a
reason why it is dying; lots of bad things have happened in docker land.

However, let me post my opinion. We can distinguish between two
different types of containerization: system level containers and
application level containers. Linux LXC and FreeBSD jails fall into the
former category.

OCI containers fall into the application level container category and
are moving away from the awkward Docker stack to sane solutions: podman,
containerd, cri-o etc.
The basic idea is: I have a repository which provides signed images for
the users to pull and use as a running container. For software vendors,
I can create an image which is basically a tar with the files and
layered filesystems that can be pushed to the repository. Just like a
jail, all the needed software, libraries are contained in one image, but
more easily accessible for users. The container consists of filesystem layers
identified by a hash, which can be referenced by other containers
(e.g. a Debian Linux container in its minimal edition might be the base
for the Kali Linux penetration testing container). Files that should
persist are mounted via mount_nullfs into the container. The cool thing
about that is: the images are created in a declarative manner, from a yaml
file.

FreeBSD already provides lots of the technology necessary to build that
(I am not talking about running Linux containers, but FreeBSD
application level containers), however, it just lacks some glue like a
system for defining a config file from which such a container is built,
a repo, and I have no idea about how stable/performant unionfs is.
Unfortunately I have not yet had time to look at the proposed projects
of this thread.

A few use cases come to mind (well, actually much more since I have
worked with OCI/"Docker" since the beginning): "I want to host a simple
public jitsi server, do not want to go through all the config. Someone
made such a setup already and pushed that container to some repo, oh
nice, let's just pull it and run it", or maybe: "oh, I do want to use
keepass as password manager, but do not want it to be able to make
network connections. Fine, just download the container and forbid
network access." I am a lazy guy, I prefer spending my time on creating
stuff and pushing it to a repository instead of fumbling around with
ansible scripts to deploy that stuff when pushing and pulling an upgrade
is so much easier via providing self-contained images.

So, yes, I would absolutely love to see application level containers, or
such a slick framework built around the great jail solution we already
have. Passing around containers as a single binary package for FreeBSD -
one may dream ;-)

Regards,
Robert


On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that
> has given solid proof of being a valid and robust tool. I think Docker
> has all these requisites.
>
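The layered, hash-identified images Robert describes above (a minimal base image whose layers are reused by a derived image, and a pull that only trusts content matching its digest) can be modelled in a few dozen lines. This is an added illustration, not code from the thread or from any OCI tool; the layer store, manifests and sample files are all constructed here.

```python
import hashlib
import io
import tarfile

# Constructed toy model of content-addressed image layers: each layer is a tar
# blob stored under its sha256 digest, a manifest is an ordered list of digests,
# and a derived image references the base image's layers instead of copying them.

def make_layer(files):
    """Pack {path: bytes} into a deterministic tar blob (one filesystem layer)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0  # fixed mtime so identical content yields identical digest
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digest(blob):
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def build_image(store, files, base=None):
    """Add one layer on top of an optional base manifest and return the new manifest."""
    blob = make_layer(files)
    d = digest(blob)
    store[d] = blob                      # layer store is keyed by digest
    layers = list(base["layers"]) if base else []
    layers.append(d)
    return {"layers": layers}

def verify_image(manifest, store):
    """Pull-time integrity check: every referenced layer must be present and
    must hash to the digest the manifest names. Returns the failing digests."""
    bad = []
    for d in manifest["layers"]:
        blob = store.get(d)
        if blob is None or digest(blob) != d:
            bad.append(d)
    return bad

def flatten(manifest, store):
    """Apply layers in order to get the root filesystem view (later layers win)."""
    fs = {}
    for d in manifest["layers"]:
        with tarfile.open(fileobj=io.BytesIO(store[d])) as tar:
            for member in tar.getmembers():
                fs[member.name] = tar.extractfile(member).read()
    return fs
```

A tampered or truncated layer in the store shows up as a digest mismatch in verify_image, which is the check a registry client performs before it runs anything from a pulled image.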