Strategic Thinking (was: Re: Speculative: Rust for base system components)
Wojciech Puchar
wojtek at puchar.net
Sun Jan 6 19:09:56 UTC 2019
>> why this "microservices" - which are simply complete programs without
>> dependencies (or should be) - cannot be run simply as processes on
>> different user accounts?
>
> Several reasons:
> 1) Separate accounts don't provide as much security as separate
> containers. Capsicum does, but people aren't used to using Capsicum
I use separate processes and don't feel the lack of security. I don't use
Capsicum either.
Could you explain it more precisely why standard process and user/group
separation is insufficient?
Simply access rights and setting
security.bsd.see_other_uids=0
is enough for me.
If something could be added then it would be limiting what ports can each
user open. But it's not really a problem.
> 2) Fragmentation. The Linux world is much more fragmented than the
> FreeBSD world. It's hard to write a program that will work correctly
That's where I agree with you.
Anyway, if these microservices were statically linked this argument
would be irrelevant. And from what I've read, that's how microservices should
be made.
> 3) Fashion. You may not care about the latest IT craze, but a lot of
> IT departments do. And you can't change their minds all by yourself.
I don't even try to change their minds. I don't discuss with such people.
You can discuss and present arguments to people that don't think.
> If FreeBSD is to be used by people who deploy microservices, then it
> needs to do what they want. That means it needs Docker or something
> similar (IT admins won't want to learn ezjail if they're already
> comfortable with Docker), or we need to convince people to use
> CloudABI. CloudABI has the potential to outperform containers. It
> just hasn't gained traction yet.
> -Alan
Docker is already in ports. If someone wants to use it, what's the problem?
Anyway, if they prefer Linux, let them use Linux.