On Tue, Aug 27, 2019 at 2:09 PM Tristan Cacqueray <tdecacqu@xxxxxxxxxx> wrote:
On Tue, Aug 27, 2019 at 01:22 John Harris wrote:
[snip]
> No online updates is the exact issue I see with this. That's a security nightmare.
>
> If you don't have a package manager there, it simply will not be updated.
> It'll be installed once, then either left there forever, un-updated, with tons
> of vulnerabilities piling up.
>
I see Kubernetes/OpenShift workloads as a very well suited use-case for purpose-built, minimal containers that do not require a package manager.
There is a lot of tooling available right now to automate container builds, continuous testing and integration, e.g. ImageStreams on OpenShift.
In this model, changes to the container deployment are made by pushing a new immutable image and executing a custom fitted update strategy: staging, gradual updates, simultaneous versions, etc.
No container needs to be mutated ever. New ones are spun up, traffic is rerouted, old ones are destroyed.
You have voiced your concern with this new proposed approach and it is indeed not fitted for the workflow you are describing, but please let us focus away from the status quo on to new ideas wrt the Minimization effort.
Also I assure you, nobody is planning to take the standard Fedora dnf container away from you, or anybody.
IIUC the proposal from Christian to use rpm-ostree as a build stage to
produce the runtime container, then you can still do online update, but
instead of committing the result of a dnf update, you commit a new
rpm-ostree composed rootfs.
Yes, exactly. Although the container build tooling/system and the container contents (i.e. whether or not a package manager is included) are somewhat orthogonal here:
Right now, one can do something like `dnf --installroot=/mnt/new-buildah-root group install custom-environment`
to create a root for a container, and the installed group may include a package manager or not.
I am not aware of a way to do the equivalent with rpm-ostree, yet, and there are a lot of open questions I'd like to explore around that:
- How would a runtime update of the rpm-ostree-in-container work?
- Can we enable composing a dnf container with rpm-ostree (and the other way around, use dnf to create an rpm-ostree container root)?
-Christian
Regards,
-Tristan
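As an added example, not code from the thread or from Fedora's own tooling, the following shell script performs the build-stage step Christian sketches (`dnf --installroot` into a buildah working container) and adds the two checks a practitioner wants before shipping a package-manager-free image: a refusal to commit if a package-manager binary slipped in, and an RPM inventory written out of the rootfs so the image can still be matched against advisories even though nothing inside it can query the rpmdb. buildah and dnf on the host, the Fedora release number, the image tag and the manifest path are assumptions; `custom-environment` is the hypothetical group name from the message.

```shell
#!/bin/sh
# Added example, not code from the thread: compose a container root with
# `dnf --installroot` inside a buildah working container, refuse to commit it
# if a package manager ended up inside, and record the RPM inventory so the
# image can still be matched against advisories after it is shipped.
# Assumes buildah and dnf on the host, run as root or under `buildah unshare`.
set -eu

# Return 0 (true) if the rootfs under $1 carries a package-manager binary.
# Kept separate so it can be run against any unpacked rootfs, not only ours.
has_package_manager() {
    root="$1"
    for bin in dnf dnf-3 microdnf yum; do
        if [ -e "$root/usr/bin/$bin" ]; then
            echo "found package manager: /usr/bin/$bin" >&2
            return 0
        fi
    done
    return 1
}

# Write the sorted installed-package list of the rootfs under $1 to file $2.
# The rpmdb is written into the installroot by the host's dnf even when no
# rpm/dnf binary is installed there, so the host's rpm can still read it.
write_inventory() {
    rpm -qa --root="$1" | sort > "$2"
}

# Build and commit a minimal image from the given comps group.
build_minimal_image() {
    group="${1:-custom-environment}"               # hypothetical group name from the thread
    tag="${2:-localhost/minimal-${group}:latest}"  # assumption: where to commit the image
    releasever="${3:-30}"                          # assumption: Fedora release to draw from
    manifest="${4:-./${group}.rpm-manifest.txt}"   # assumption: inventory output path

    ctr=$(buildah from scratch)
    mnt=$(buildah mount "$ctr")

    # Install the group into the empty root, keep weak deps out, and exclude
    # the package managers themselves so the image is immutable by construction.
    dnf -y --installroot="$mnt" --releasever="$releasever" \
        --setopt=install_weak_deps=False \
        --exclude=dnf,dnf-data,python3-dnf,microdnf,yum \
        group install "$group"
    dnf -y --installroot="$mnt" --releasever="$releasever" clean all

    # Gate: a package manager inside the image defeats the immutable model.
    if has_package_manager "$mnt"; then
        buildah unmount "$ctr"
        buildah rm "$ctr"
        echo "refusing to commit: image is not package-manager-free" >&2
        return 1
    fi

    # Inventory first, then commit a single squashed layer and drop the
    # working container; the manifest is what a scanner consumes later.
    write_inventory "$mnt" "$manifest"
    buildah unmount "$ctr"
    buildah commit --squash "$ctr" "$tag"
    buildah rm "$ctr"
    echo "$tag"
}

# Only build when a group is given on the command line, so the functions can
# be sourced or tested without touching buildah.
if [ "$#" -gt 0 ]; then
    build_minimal_image "$@"
fi
```

Invoke it as `sh build-minimal.sh custom-environment` as root or under `buildah unshare`; a rootless `buildah mount` only works inside the user namespace that `unshare` sets up. The update path then matches the model described earlier in the thread: rebuild from a fresh `dnf --installroot`, diff the two manifests, push the new tag, and let the orchestrator replace the running containers.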
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx