Date: Fri, 14 Apr 2023 23:20:19 +0000 (UTC)
From: Paul Pathiakis <pathiaki2@yahoo.com>
To: Mario Marietto <marietto2008@gmail.com>
Cc: "questions@freebsd.org", infoomatic
Message-ID: <1390653293.4101184.1681514419818@mail.yahoo.com>
References: <20230329053443.6ADA6B6AFED5@dhcp-8e64.meeting.ietf.org> <34b4b76e-1c41-4cfb-9e86-856f01e8abc9@app.fastmail.com> <6002f636-310b-a9fd-b82f-346618976983@timpreston.net> <20230412150350.12f97eb2c9dd566b8c8702d2@sohara.org> <1535315680.2770963.1681309684072@mail.yahoo.com> <543289768.3317542.1681394425362@mail.yahoo.com> <887947753.4080046.1681511775374@mail.yahoo.com>
Subject: Re: Docker
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Simply put, Linux could have done the same thing as jails but opted to not go in a standardized direction. Instead, they went in the direction of proprietary kernel hooks. The people in the BSD world are always doing project review before even thinking of writing code.

Look at how jails are designed. There are no proprietary hooks in my mind. They just create a process that is nothing more than a process in the kernel's process table. Simple. Straightforward.

IF Linux had adopted a 'jail-like' design, there would be interoperability to some degree. Imagine that Linux had a real packaging system and ports system that didn't land the user in dependency hell on a constant basis. It could do a lot of things that jails do. The Linux community could choose to do something like docker/podman but instead, have everything that would make calls to package repos, OS versions, etc.

I can run 4 different versions of PostgreSQL on 4 different versions of FreeBSD in 4 jails.... I could choose to upgrade any of the 4 versions of the operating system to something more recent (I tend to stay with -RELEASEs) and I could choose to stay with the OS versions and upgrade the versions of PostgreSQL... mix, match, it all works.

FreeBSD does research, design and they take their time. I have no problems running on anything when it first releases. I have actually seen Linux kernels go through security and operation patches of as many as 20-30 in the first 3 months of release. That's not proper design. That's not proper engineering.

Again, someone stated before that the Linux community thinks 'containers' are the latest thing.... BSD people see them as mature 20 y.o. code. *shrug*

Creating their hypervisor, BHYVE, I watched this community discuss it almost ad infinitum before starting the work.

These are some of the prevalent differences between the philosophies of the two communities. There are more, and maybe my interpretations are 100% good/accurate.

Also, remember, the BSD license is WIDE OPEN.... the Linux community could have, at any time, borrowed the jails code and started a jails project... 20 YEARS AGO.

How about databases? There was mySQL and MariaDB and MongoDB and CouchDB... etc etc etc..... And there is Oracle.... and Sybase... oh... I mean MS-SQL.... 25 years ago.... PostgreSQL... Free!!! OPEN!!!! Still is!!! Bigger, better, stronger and faster than all of them. People want to reinvent the wheel. They should be applauded for that.

However, after seeing round wheels, why in the heck would someone say "I want to start with my own SQUARE wheel" when there's someone giving away round ones?? Well, I have yet to figure out if that's stupidity, arrogance or just plain lack of discipline and training and ego to not ask for help.

Paul


On Friday, April 14, 2023 at 03:45:49 PM PDT, Mario Marietto <marietto2008@gmail.com> wrote:

So, let me understand: docker images aren't compatible with FreeBSD. Imagine that the FreeBSD jails will not be compatible with Linux. Wow, this is true interoperability.


On Sat, Apr 15, 2023 at 12:36 AM Paul Pathiakis <pathiaki2@yahoo.com> wrote:

Hi,

Personally, I think jails are brilliant and their evolution has also been brilliant.

Gee, a complete operating system contained as a process running under the parent process that behaves just like the parent OS. You can upgrade the OS, the pkgs, etc.

I really don't think it would be hard to create a 'library' of jails.

Here's a postfix jail
Here's a DNS jail
Here's a PostgreSQL jail

You can run your jails via the "Master Jailer"
You can create your library of jails via "Jailer Key"
You could put them in the "Jail Cell" of repositories

I actually created this on my server when I was running my now defunct company. Literally, 40-50 jails that were running on my server that was a couple of Opteron chips on a SuperMicro system. It never so much had a load on it of 2-3 and it was doing so much.

It was so easy to upgrade the OS versions on the jails and the ports (had to run ports for bug fixes).

I had some serious 'white hat' friends that offered to do pen testing.... (I was running PF with redirects to the ports in the jails and nothing else was open on them)... I got so many beers when they gave up. :)

Truly, I believe podman and containerd are going to be a serious improvement/change. However, at home, on my machines, FreeBSD 13.1 and 13.2 will be this weekend.

My gf and her 85 y.o. mom are running GhostBSD right now. THEY HAVE LOVED IT for the last 5 years.

Paul


On Friday, April 14, 2023 at 03:12:56 PM PDT, infoomatic wrote:

I think docker is a good example of how to NOT do things. There is a reason why it is dying, lots of bad things have happened in docker land.

However, let me post my opinion. We can distinguish between two different types of containerizations: system level containers and application level containers. Linux LXC and FreeBSD jails fall into the former category.

OCI containers fall into the application level container category and are moving away from the awkward Docker stack to sane solutions: podman, containerd, cri-o etc. The basic idea is: I have a repository which provides signed images for the users to pull and use as a running container. For software vendors, I can create an image which is basically a tar with the files and layered filesystems that can be pushed to the repository. Just like a jail, all the needed software and libraries are contained in one image, but more easily accessible for users. The container consists of filesystem layers identified by a hash, which can be referenced by other containers (e.g. a Debian Linux container in its minimal edition might be the base for the Kali Linux penetration testing container). Files that should persist are mounted via mount_nullfs into the container. The cool thing about that is: the images are created in a declarative manner, from a yaml file.

FreeBSD already provides lots of the technology necessary to build that (I am not talking about running Linux containers, but FreeBSD application level containers), however, it just lacks some glue like a system for defining a config file from which such a container is built, a repo, and I have no idea about how stable/performant unionfs is. Unfortunately I have not yet had time to look at the proposed projects of this thread.

A few use cases come to mind (well, actually many more since I have worked with OCI/"Docker" since the beginning): "I want to host a simple public jitsi server, do not want to go through all the config. Someone made such a setup already and pushed that container to some repo, oh nice, let's just pull it and run it", or maybe: "oh, I do want to use keepass as password manager, but do not want it to be able to make network connections. Fine, just download the container and forbid network access." I am a lazy guy, I prefer spending my time on creating stuff and pushing it to a repository instead of fumbling around with ansible scripts to deploy that stuff when pushing and pulling an upgrade is so much easier via providing self-contained images.

So, yes, I would absolutely love to see application level containers, or such a slick framework built around the great jail solution we already have. Passing around containers as a single binary package for FreeBSD - one may dream ;-)

Regards,
Robert

On 13.04.23 17:43, Mario Marietto wrote:
> For sure not everything, but something that is very requested and that
> has given solid proof to be a valid and robust tool. I think Docker
> has all these requisites.
>

--
Mario.
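Robert's sketch above of how OCI-style images are put together (filesystem layers identified by their hash, a second image reusing a base image's layers by reference, each layer checked before it is used) as a runnable toy model. This is an added example, not part of the thread and not the tooling of any real registry or runtime: a manifest here is a plain list of digests rather than the JSON the OCI spec uses, layers are uncompressed tars, and sequential extraction stands in for a union filesystem. It assumes only sh, tar, mktemp and sha256sum (or sha256 on FreeBSD), and all image content is constructed inside a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a toy model of the layered image layout
# Robert describes. Each filesystem layer is a tar identified by its sha256
# digest, a manifest is a list of layer digests in order, and a second image
# reuses a base image's layers by digest instead of copying them. A layer's
# digest is re-checked before it is unpacked, which is the integrity check a
# real registry client performs on every pulled blob. Assumed tools: sh, tar,
# mktemp and sha256sum (or sha256 on FreeBSD). All data is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/repo"                 # stands in for the remote repository
mkdir -p "$REPO/blobs" "$REPO/manifests"

digest_of() {
    # Print the hex sha256 of file $1 (sha256sum on Linux, sha256 on FreeBSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

push_layer() {
    # Pack directory $1 into a tar blob stored under its digest; print the digest.
    tmp="$WORK/layer.tar"
    (cd "$1" && tar -cf "$tmp" .)
    d=$(digest_of "$tmp")
    mv "$tmp" "$REPO/blobs/$d"
    printf '%s\n' "$d"
}

build_image() {
    # $1 = image name, $2 = base image name ("" for none), $3 = files to add.
    # The manifest is the base's layer list followed by one new layer, so the
    # base layers are shared by digest, not duplicated.
    m="$REPO/manifests/$1"
    : > "$m"
    [ -z "$2" ] || cat "$REPO/manifests/$2" >> "$m"
    push_layer "$3" >> "$m"
}

layer_count() {
    # Number of layers listed in image $1's manifest.
    wc -l < "$REPO/manifests/$1" | tr -d ' '
}

verify_layer() {
    # Succeed only if the blob stored as $1 still hashes to $1.
    [ "$(digest_of "$REPO/blobs/$1")" = "$1" ]
}

pull_image() {
    # Unpack image $1 into rootfs $2, refusing any layer whose digest no longer
    # matches. Layers are extracted in manifest order so later ones overlay
    # earlier ones; sequential extraction stands in for a union filesystem.
    mkdir -p "$2"
    while read -r d; do
        verify_layer "$d" || { echo "layer $d failed digest check" >&2; return 1; }
        tar -xf "$REPO/blobs/$d" -C "$2"
    done < "$REPO/manifests/$1"
}

# Constructed sample content: a minimal "base" image and an "app" built on it.
mkdir -p "$WORK/src/base/etc" "$WORK/src/app/usr/local/bin"
echo "base v1" > "$WORK/src/base/etc/os-release"
echo "hello from app" > "$WORK/src/app/usr/local/bin/app"
build_image base "" "$WORK/src/base"
build_image app base "$WORK/src/app"

echo "app manifest (layers by digest, first one shared with base):"
cat "$REPO/manifests/app"
```

Running it prints the two-line manifest of `app`, whose first digest is exactly the single line of the `base` manifest; that shared line is what "referenced by other containers" means in practice. The digest check in `pull_image` is the integrity half of the "signed images" Robert mentions: it catches a blob that was altered in the repository or in transit, while a signature over the manifest (which real registries verify on top of this) is what ties that list of digests to a publisher.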