Lennart Poettering píše v St 27. 08. 2014 v 21:15 +0200: > On Wed, 27.08.14 21:00, Václav Pavlín (vpavlin@xxxxxxxxxx) wrote: > > > >I also offered to split out the hwdb in Brno, if you remember. If this > > >is about the hwdb, then let's just do that... > > > > Talk to Michal Sekletar about it then - he is working on "something" > > we call systemd-container internally. We need systemd running in > > Docker container. I don't like to have needless stuff in images but > > if the result is "just drop the hwdb" then I am fine with that. > > As discussed in Brno, "not liking to have needless stuff around" alone > is really not a convincing reason. > > I mean, you could make the case for the size of things, but afaics this > doesn't hold any water here... kmod is a 150K dep, and the other stuff, > is that any bigger? For 150K we shouldn't complicate things this much... > > You could also make the case for the dependencies, but this is kind the > same as the size argument... > > And you could make the case for "security", but that's really wrong too, > since recent systemd versions have exactly zero suid binaries, and if > you don't run the daemons, then you have exactly zero ways to raise your > priviliges. And just having dead code lying around is not really an > issue. I mean, if you managed to exploit something and smuggled in some > code, then you smuggled in some code, why would make it any difference > if there's dead code lying around or not in the container? > > > >But regarding kmod/devicemapper, can we please get some stats about how > > >big this individually are, and how much is saved by this? kmod at least > > >is 150K or so only. Is there really any value in doing this weird stuff > > >for a fricking 150K?! Fedora has no bigger fishes to fry? > > I'll prepare stats for you tomorrow. > > > > > >The systemd-container or fakesystemd stuff sounds awfully adhoc. Can we > > >please always discuss this first, and see if we can find a different > > >solution? We don't need three different "solutions", if one works > > >too... > > > > We've talked about this on Flock - it's not only about disk space > > but also about security reasons (CC'ing Dan Walsh). My goal was not > > Dan, can you elaborate what the rationale for this is? > > > to have needless junk in base image - if we are not going to use > > systemd to manage services there, why should it be there with all > > it's dependencies? > > This sounds awfully like a "just because!" reason... > > Lennart > > -- > Lennart Poettering, Red Hat I think that there was a problem in communication. We are *not* going to create systemd-container in fedora. That was just for rhel, because at least I wanted some quick and dirty solution. Our current plan in fedora is patch systemd to run in docker and split the hwdb, that's all. Lukas -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
