On Monday, August 26, 2019 9:39:47 PM MST John Harris wrote:
> On Monday, August 26, 2019 9:16:30 PM MST Tomasz Torcz wrote:
> > On Mon, Aug 26, 2019 at 06:46:29PM -0700, John Harris wrote:
> > > On Monday, August 26, 2019 5:50:53 AM MST Christian Glombek wrote:
> > > > Wow, a model like _distroless_ is exactly what I think we need in and
> > > > from Fedora to enable making those minimal, purpose-built and
> > > > service-specific containers.
> > > >
> > > > I was thinking of a concept that has rpm-ostree compose a set of
> > > > packages to a root dir, and put that in a container with Buildah.
> > > > Not sure how feasible it would be to add that functionality (as
> > > > opposed to simply using dnf for this), but I'm thinking it would be
> > > > super neat to have a coreos-assembler that also does container
> > > > composes from an ostree manifest, in the same way it assembles OS
> > > > images in different formats for different platforms.
> > > >
> > > > I'd also like to link to Adam's super informational page here:
> > > > https://asamalik.fedorapeople.org/container-randomness/report-f31.html
> > > >
> > > > It would be great if we could include info about the package sets of
> > > > our ostree-based composes in there as well (FCOS, Silverblue and IoT).
> > > > Also note that our container scratch build size has gone up
> > > > dramatically in F31 (I don't know why, yet).
> > > >
> > > > cc'ing Ben Breard and Sanja Bonic for their general interest in the
> > > > Minimization effort.
> > >
> > > That sort of container is exactly the kind of thing that *cannot be
> > > maintained*. I say this as a sysadmin in a fairly large environment:
> > > that container simply *would not get updated*. It'd sit until it either
> > > quit working or somebody noticed it and removed it because it was a
> > > security risk, full of vulnerabilities.
> >
> > John, if you do not want to use the containers, then don't do it.
> > There are people who like containers and are serious about them. Being
> > serious means that one has an automated pipeline that builds, tests and
> > deploys the updated container, without engaging sysadmins.
> >
> > Your remarks do not move the discussion forward. The point is how to get
> > the smallest viable container. Your comments ignore decades of experience
> > of containerising workloads.
> >
> > --
> > Tomasz .. oo o. oo o. .o .o o. o. oo o. ..
> > Torcz .. .o .o .o .o oo oo .o .. .. oo oo
> > o.o.o. .o .. o. o. o. o. o. o. oo .. .. o.
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
>
> I'm not saying not to use containers. There is a right way to do it, and a
> wrong way to do it. A container should be as the name describes, a
> containerized installation of the distro in question, with the utilities
> needed to support a given role. Not something that never gets updated,
> never gets security fixes. Deploying new GNU/Linux based systems without
> engaging a sysadmin or the sysadmin team sounds like a recipe for disaster.
>
> I disagree, and I find your remarks to be quite hostile. The smallest viable
> container can exist without getting rid of required utilities, such as
> the package manager.
>
> --
> John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx>
> Splentity
> https://splentity.com/

For an example of containers used properly, please see my 2016 Fedora Magazine article on systemd-nspawn:
https://fedoramagazine.org/container-technologies-fedora-systemd-nspawn/

--
John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx>
Splentity
https://splentity.com/
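Added example, not part of the thread and not code from any of the posters or from Fedora. The disagreement above is whether an image built without a package manager inside it can still be kept updated; the "automated pipeline" position only works if the pipeline can tell, from outside the container, that the packages baked into an image are older than what is currently published. The script below assumes the build step keeps a package manifest next to the image in the form `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` would print, reimplements RPM's version ordering (the rpmvercmp algorithm, including `~` pre-release and `^` post-release handling) in Python, and lists the packages whose installed EVR is older than the "latest" table. The manifest and the "latest" table are constructed sample data.

```python
"""Flag stale packages in a minimal container image from its package manifest.

The manifest format assumed here is "NAME EPOCH:VERSION-RELEASE" per line,
as produced by rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' at
image build time.  All sample data below is constructed for this example.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Python reimplementation of RPM's rpmvercmp: -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before anything else (1.0^post1 > 1.0).
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-alpha segment from both strings.
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < la and kind(a[i]):
            i += 1
        while j < lb and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """Split 'EPOCH:VERSION-RELEASE' into (int epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.rpartition("-")
    if not version:  # no release part at all
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings the way RPM does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def stale_packages(manifest: str, repo_latest: dict):
    """Return (name, installed, latest) for each manifest entry older than repo_latest."""
    stale = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, installed = line.split(None, 1)
        latest = repo_latest.get(name)
        if latest is not None and compare_evr(installed, latest) < 0:
            stale.append((name, installed, latest))
    return stale


# Constructed sample: what the image was built with ...
MANIFEST = """\
glibc 0:2.29-22.fc30
openssl-libs 1:1.1.1c-6.fc30
zlib 0:1.2.11-18.fc30
"""
# ... and what the repository currently publishes (also constructed).
REPO_LATEST = {
    "glibc": "0:2.29-28.fc30",
    "openssl-libs": "1:1.1.1d-2.fc30",
    "zlib": "0:1.2.11-18.fc30",
}

if __name__ == "__main__":
    for name, have, want in stale_packages(MANIFEST, REPO_LATEST):
        print(f"{name}: image has {have}, repo has {want} -> rebuild")
```

In a real pipeline the "latest" table would be read from repository metadata rather than hard-coded, and on a build host that has the rpm Python bindings, `rpm.labelCompare()` gives the same ordering without this reimplementation; the standalone version is for build hosts (or CI runners) that have no rpm at all, which is exactly the situation a distroless-style image creates.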