On Sat, 31 Aug 2024 at 15:42, Tim Holloway <timh@xxxxxxxxxxxxx> wrote:
>
> I would greatly like to know what the rationale is for avoiding
> containers.
>
> Especially in large shops. From what I can tell, you need to use the
> containerized Ceph if you want to run multiple Ceph filesystems on a
> single host. The legacy installations only support dumping everything
> directly under /var/lib/ceph, so you'd have to invest a lot of effort
> into installing, maintaining and operating a second fsid under the
> legacy architecture.

Using two fsids on one machine is far outside our scope for the 10-or-so clusters we run. Not saying no one does it, but it was frowned upon to have multiple cluster names on the same host, so I guess most people took that to also include multiple fsids running in parallel on the same host, even if the cluster name was the same.

> The only definite argument I've ever heard in my insular world against
> containers was based on security. Yet the primary security issues
> seemed to be more because people were pulling insecure containers from
> Docker repositories. I'd expect Ceph to have safeguards. Plus Ceph
> under RHEL 9 (and 8?) will run entirely and preferably under Podman,
> which allegedly is more secure, and can in fact, run containers under
> user accounts to allow additional security. I do that myself, although
> I think the mechanisms could stand some extra polishing.