Date: Fri, 14 Apr 2023 22:36:15 +0000 (UTC)
From: Paul Pathiakis <pathiaki2@yahoo.com>
To: "questions@freebsd.org", infoomatic
Message-ID: <887947753.4080046.1681511775374@mail.yahoo.com>
References: <20230329053443.6ADA6B6AFED5@dhcp-8e64.meeting.ietf.org> <34b4b76e-1c41-4cfb-9e86-856f01e8abc9@app.fastmail.com> <6002f636-310b-a9fd-b82f-346618976983@timpreston.net> <20230412150350.12f97eb2c9dd566b8c8702d2@sohara.org> <1535315680.2770963.1681309684072@mail.yahoo.com> <543289768.3317542.1681394425362@mail.yahoo.com>
Subject: Re: Docker
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi,

Personally, I think jails are brilliant and their evolution has also been brilliant.

Gee, a complete operating system contained as a process running under the parent process that behaves just like the parent OS. You can upgrade the OS, the pkgs, etc.

I really don't think it would be hard to create a 'library' of jails.

Here's a postfix jail
Here's a DNS jail
Here's a PostgreSQL jail

You can run your jails via the "Master Jailer"
You can create your library of jails via "Jailer Key"
You could put them in the "Jail Cell" of repositories

I actually created this on my server when I was running my now defunct company.

Literally, 40-50 jails that were running on my server that was a couple of Opteron chips on a SuperMicro system. It never so much as had a load on it of 2-3 and it was doing so much.

It was so easy to upgrade the OS versions on the jails and the ports (had to run ports for bug fixes).

I had some serious 'white hat' friends that offered to do pen testing.... (I was running PF with redirects to the ports in the jails and nothing else was open on them)... I got so many beers when they gave up. :)

Truly, I believe podman and containerd are going to be a serious improvement/change. However, at home, on my machines, FreeBSD 13.1 and 13.2 will be this weekend.

My gf and her 85 y.o. mom are running GhostBSD right now. THEY HAVE LOVED IT for the last 5 years.

Paul

On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic <infoomatic@gmx.at> wrote:

I think docker is a good example of how to NOT do things. There is a reason why it is dying, lots of bad things have happened in docker land.

However, let me post my opinion. We can distinguish between two different types of containerization: system level containers and application level containers. Linux LXC and FreeBSD jails fall into the former category.

OCI containers fall into the application level container category and are moving away from the awkward Docker stack to sane solutions: podman, containerd, cri-o etc.

The basic idea is: I have a repository which provides signed images for the users to pull and use as a running container. For software vendors, I can create an image which is basically a tar with the files and layered filesystems that can be pushed to the repository. Just like a jail, all the needed software and libraries are contained in one image, but more easily accessible for users. The container consists of filesystem layers identified by a hash, which can be referenced by other containers (e.g. a Debian Linux container in its minimal edition might be the base for the Kali Linux penetration testing container). Files that should persist are mounted via mount_nullfs into the container. The cool thing about that is: the images are created in a declarative manner, a yaml file.

FreeBSD already provides lots of the technology necessary to build that (I am not talking about running Linux containers, but FreeBSD application level containers), however, it just lacks some glue like a system for defining a config file from which such a container is built, a repo, and I have no idea about how stable/performant unionfs is. Unfortunately I have not yet had time to look at the proposed projects of this thread.

A few use cases come to mind (well, actually many more since I have worked with OCI/"Docker" since the beginning): "I want to host a simple public jitsi server, do not want to go through all the config. Someone made such a setup already and pushed that container to some repo, oh nice, let's just pull it and run it", or maybe: "oh, I do want to use keepass as password manager, but do not want it to be able to make network connections. Fine, just download the container and forbid network access." I am a lazy guy, I prefer spending my time on creating stuff and pushing it to a repository instead of fumbling around with ansible scripts to deploy that stuff when pushing and pulling an upgrade is so much easier via providing self-contained images.

So, yes, I would absolutely love to see application level containers, or such a slick framework built around the great jail solution we already have. Passing around containers as a single binary package for FreeBSD - one may dream ;-)

Regards,
Robert

On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that it
> has given a solid proof to be a valid and robust tool. I think Docker
> has all these requisites.
>
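The layered, content-addressed image model Robert describes above (filesystem layers identified by a hash, a base image's layers referenced by a derived image, signed images pulled from a repository) is worth seeing in working form, because it is the property that lets a client check what it pulled before running it. The following Python is an added example written for this page; it is not code from this thread, from FreeBSD, or from any OCI project. The media-type strings are the real OCI ones; the in-memory `Store`, the two sample layers, and the `demo()` function are constructed for illustration, and an on-disk image layout would keep the same blobs under `blobs/sha256/<hex>`.

```python
"""Build two layered images (a base and a derived image that shares the
base layer) in a content-addressed store, then verify every reference by
digest the way a registry client must before running anything."""
from __future__ import annotations
import gzip
import hashlib
import io
import json
import tarfile
import zlib

MANIFEST = "application/vnd.oci.image.manifest.v1+json"
CONFIG = "application/vnd.oci.image.config.v1+json"
LAYER = "application/vnd.oci.image.layer.v1.tar+gzip"


def digest(data: bytes) -> str:
    """OCI digest string for a blob: algorithm prefix plus hex of the content."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_layer(files: dict[str, bytes]) -> tuple[bytes, str]:
    """Pack files into a deterministic tar (the layer) and gzip it (the blob).
    Returns (blob, diff_id); diff_id is the digest of the *uncompressed* tar,
    which is what the image config records, while the manifest records the
    digest of the compressed blob."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp so the digest is reproducible
            tar.addfile(info, io.BytesIO(content))
    tar_bytes = raw.getvalue()
    return gzip.compress(tar_bytes, mtime=0), digest(tar_bytes)


class Store:
    """Content-addressed blob store (constructed stand-in for a registry or
    an on-disk OCI layout): the key of every blob is the digest of its value."""
    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def put(self, data: bytes) -> str:
        d = digest(data)
        self.blobs[d] = data
        return d

    def get(self, d: str) -> bytes:
        data = self.blobs[d]
        if digest(data) != d:  # a tampered or corrupted blob no longer matches its name
            raise ValueError(f"digest mismatch for {d}")
        return data


def build_image(store: Store, layers: list[tuple[bytes, str]]) -> str:
    """Store the layer blobs, then the config (diff_ids) and the manifest
    (blob descriptors). Returns the manifest digest: that single value is
    what an image signature covers, and everything else hangs off it."""
    descriptors, diff_ids = [], []
    for blob, diff_id in layers:
        d = store.put(blob)
        descriptors.append({"mediaType": LAYER, "digest": d, "size": len(blob)})
        diff_ids.append(diff_id)
    config = json.dumps({"architecture": "amd64", "os": "freebsd",
                         "rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    cfg_digest = store.put(config)
    manifest = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST,
                           "config": {"mediaType": CONFIG, "digest": cfg_digest,
                                      "size": len(config)},
                           "layers": descriptors}).encode()
    return store.put(manifest)


def verify_image(store: Store, manifest_digest: str) -> bool:
    """Walk manifest -> config -> layers, re-hashing each blob as it is fetched
    and checking each gunzipped layer against its diff_id. Any mismatch,
    missing blob or undecodable blob fails the whole image."""
    try:
        manifest = json.loads(store.get(manifest_digest))
        config = json.loads(store.get(manifest["config"]["digest"]))
        diff_ids = config["rootfs"]["diff_ids"]
        if len(diff_ids) != len(manifest["layers"]):
            return False
        for desc, diff_id in zip(manifest["layers"], diff_ids):
            blob = store.get(desc["digest"])
            if len(blob) != desc["size"] or digest(gzip.decompress(blob)) != diff_id:
                return False
        return True
    except (KeyError, ValueError, OSError, EOFError, zlib.error):
        return False


def demo() -> tuple[bool, bool, bool]:
    """Base image, derived image sharing its layer, then a tampered shared layer."""
    store = Store()
    base = make_layer({"etc/os-release": b"NAME=base\n"})        # constructed sample layer
    tools = make_layer({"usr/local/bin/nmap": b"#!/bin/sh\n"})   # constructed sample layer
    base_img = build_image(store, [base])
    derived_img = build_image(store, [base, tools])  # references the same base blob by digest
    ok_before = verify_image(store, base_img) and verify_image(store, derived_img)
    shared = sum(1 for b in store.blobs.values() if b == base[0]) == 1  # stored once
    store.blobs[digest(base[0])] = base[0] + b"\x00"  # tamper with the shared layer
    ok_after = verify_image(store, base_img) or verify_image(store, derived_img)
    return ok_before, shared, not ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two things the run makes visible that the prose does not: the derived image stores no second copy of the base layer, it only names the base blob's digest, so one corrupted or substituted blob breaks every image that references it; and a signature over the manifest digest is sufficient precisely because the manifest names the config and every layer by digest, so there is nothing reachable from a verified manifest that an attacker can swap without changing a hash the client already checked.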