From: Mario Marietto
Date: Sat, 15 Apr 2023 00:45:12 +0200
Subject: Re: Docker
To: Paul Pathiakis
Cc: questions@freebsd.org, infoomatic
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

So, let me understand: docker images aren't compatible with FreeBSD. Imagine that the FreeBSD jails will not be compatible with Linux. Wow, this is true interoperability.

On Sat, Apr 15, 2023 at 12:36 AM Paul Pathiakis <pathiaki2@yahoo.com> wrote:
> Hi,
>
> Personally, I think jails are brilliant and their evolution has also been brilliant.
>
> Gee, a complete operating system contained as a process running under the parent process that behaves just like the parent OS.
> You can upgrade the OS, the pkgs, etc.
>
> I really don't think it would be hard to create a 'library' of jails.
>
> Here's a postfix jail
> Here's a DNS jail
> Here's a PostGreSQL jail
>
> You can run your jails via the "Master Jailer"
> You can create your/library of jails via "Jailer Key"
> You could put them in the "Jail Cell" of repositories
>
> I actually created this on my server when I was running my now defunct company.
>
> Literally, 40-50 jails that were running on my server that was a couple of Opteron chips on a SuperMicro system. It never so much had a load on it of 2-3 and it was doing so much.
>
> It was so easy to upgrade the OS versions on the jails and the ports (had to run ports for bug fixes)
>
> I had some serious 'white hat' friends that offered to do pen testing.... (I was running PF with redirects to the ports in the jails and nothing else was open on them)... I got so many beers when they gave up. :)
>
> Truly, believe podman and containerd are going to be a serious improvement/change. However, at home, on my machines, FreeBSD 13.1 and 13.2 will be this weekend.
>
> My gf and her 85 y.o. mom are running GhostBSD right now. THEY HAVE LOVED IT for the last 5 years.
>
> Paul
>
> On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic <infoomatic@gmx.at> wrote:
>
>
> I think docker is a good example of how to NOT do things. There is a reason why it is dying, lots of bad things have happened in docker land.
>
> However, let me post my opinion. We can distinguish between two different types of containerization: system level containers and application level containers. Linux LXC and FreeBSD jails fall into the former category.
>
> OCI containers fall into the application level container category and are moving away from the awkward Docker stack to sane solutions: podman, containerd, cri-o etc.
> The basic idea is: I have a repository which provides signed images for the users to pull and use as a running container. For software vendors, I can create an image which is basically a tar with the files and layered filesystems that can be pushed to the repository. Just like a jail, all the needed software and libraries are contained in one image, but more easily accessible for users. The container consists of filesystem layers identified by a hash, which can be referenced by other containers (e.g. a Debian Linux container in its minimal edition might be the base for the Kali Linux penetration testing container). Files that should persist are mounted via mount_nullfs into the container. The cool thing about that is: the images are created in a declarative manner, a yaml file.
>
> FreeBSD already provides lots of the technology necessary to build that (I am not talking about running Linux containers, but FreeBSD application level containers), however, it just lacks some glue like a system for defining a config file from which such a container is built, a repo, and I have no idea about how stable/performant unionfs is. Unfortunately I have not yet had time to look at the proposed projects of this thread.
>
> A few use cases come to mind (well, actually many more since I have worked with OCI/"Docker" since the beginning): "I want to host a simple public jitsi server, do not want to go through all the config. Someone made such a setup already and pushed that container to some repo, oh nice, let's just pull it and run it", or maybe: "oh, I do want to use keepass as password manager, but do not want it to be able to make network connections. Fine, just download the container and forbid network access." I am a lazy guy, I prefer spending my time on creating stuff and pushing it to a repository instead of fumbling around with ansible scripts to deploy that stuff when pushing and pulling an upgrade is so much easier via providing self-contained images.
>
> So, yes, I would absolutely love to see application level containers, or such a slick framework built around the great jail solution we already have. Passing around containers as a single binary package for FreeBSD - one may dream ;-)
>
> Regards,
> Robert
>
>
> On 13.04.23 17:43, Mario Marietto wrote:
> > For sure not everything, but something that is very requested and that has given solid proof of being a valid and robust tool. I think Docker has all these requisites.
> >
>
>

-- 
Mario.
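The content-addressed layers infoomatic's post describes (layers identified by a hash, a shared base layer referenced by several images, a repository users pull from) can be modelled in a few lines. The following is an added example, not code from the thread or from any of the projects named in it; the tar-based layer format, the `Repository` class and the sample file names are assumptions for illustration. It shows the part a practitioner cares about: a layer shared by two images is stored once, and a pull re-hashes every layer against the digest the manifest names, so a layer altered inside the repository is rejected before it is unpacked.

```python
"""Toy content-addressed image store: manifests name layers by sha256 digest.

Added example (not from the thread or any project it names). Layer format,
Repository class and sample file names are assumptions for illustration.
"""
import hashlib
import io
import tarfile


def layer_digest(blob: bytes) -> str:
    """Identify a layer by the hash of its bytes, OCI-style 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def make_layer(files: dict) -> bytes:
    """Build a reproducible tar archive from {path: content} (the 'tar with the files')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):           # sorted order keeps the digest stable
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0                   # fixed mtime, same reason
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


class Repository:
    """Blob store keyed by digest plus named manifests (a stand-in for an image repo)."""

    def __init__(self):
        self.blobs = {}       # digest -> layer bytes
        self.manifests = {}   # image name -> ordered list of layer digests

    def push(self, name: str, layers: list) -> list:
        digests = []
        for blob in layers:
            digest = layer_digest(blob)
            self.blobs.setdefault(digest, blob)   # a shared base layer is stored once
            digests.append(digest)
        self.manifests[name] = digests
        return digests

    def pull(self, name: str) -> dict:
        """Verify each layer against its digest, then apply layers in order (later wins)."""
        rootfs = {}
        for digest in self.manifests[name]:
            blob = self.blobs[digest]
            if layer_digest(blob) != digest:
                # reject before unpacking: the bytes are not what the manifest names
                raise ValueError(f"layer {digest} failed integrity check")
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
                for member in tar.getmembers():
                    if member.isfile():
                        rootfs[member.name] = tar.extractfile(member).read()
        return rootfs


def demo() -> dict:
    """Two application images share one base layer; then the base is altered in the repo."""
    repo = Repository()
    # constructed sample layers, not real images
    base = make_layer({"etc/os-release": b"ID=debian\n"})
    jitsi = make_layer({"usr/local/bin/jitsi": b"#!/bin/sh\necho jitsi\n"})
    keepass = make_layer({"usr/local/bin/keepass": b"#!/bin/sh\necho keepass\n"})
    repo.push("debian-minimal", [base])
    repo.push("jitsi", [base, jitsi])
    repo.push("keepass", [base, keepass])
    keepass_rootfs = repo.pull("keepass")

    # simulate the shared base layer being modified inside the repository
    repo.blobs[layer_digest(base)] = make_layer({"etc/os-release": b"ID=modified\n"})
    try:
        repo.pull("jitsi")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "stored_blobs": len(repo.blobs),                 # 3, not 5: base stored once
        "keepass_files": sorted(keepass_rootfs),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Digest verification covers the integrity of layer bytes only; the signed images the post mentions additionally bind the manifest to a publisher key, which this model does not implement. The mount_nullfs persistence and the network-less keepass container from the post are runtime concerns outside the image format and are not modelled here.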