On Monday, August 26, 2019 9:16:30 PM MST Tomasz Torcz wrote:
> On Mon, Aug 26, 2019 at 06:46:29PM -0700, John Harris wrote:
> > On Monday, August 26, 2019 5:50:53 AM MST Christian Glombek wrote:
> > >
> > > Wow, a model like _distroless_ is exactly what I think we need in and
> > > from Fedora to enable making those minimal, purpose-built and
> > > service-specific containers.
> > >
> > > I was thinking of a concept that has rpm-ostree compose a set of
> > > packages to a root dir, and put that in a container with Buildah.
> > > Not sure how feasible it would be to add that functionality (as opposed
> > > to simply using dnf for this), but I'm thinking it would be super neat to
> > > have a coreos-assembler that also does container composes from an
> > > ostree manifest, in the same way it assembles OS images in different
> > > formats for different platforms.
> > >
> > > I'd also like to link to Adam's super informational page here:
> > > https://asamalik.fedorapeople.org/container-randomness/report-f31.html
> > > It would be great if we could include info about the package sets of
> > > our ostree-based composes in there as well (FCOS, Silverblue and IoT).
> > > Also note that our container scratch build size has gone up dramatically
> > > in F31 (I don't know why, yet).
> > >
> > > cc'ing Ben Breard and Sanja Bonic for their general interest in the
> > > Minimization effort.
> >
> > That sort of container is exactly the kind of thing that *cannot be
> > maintained*. I say this as a sysadmin in a fairly large environment; that
> > container simply *would not get updated*. It'd sit until it either quit
> > working or somebody noticed it and removed it because it was a security
> > risk, full of vulnerabilities.
>
> John, if you do not want to use the containers, then don't do it.
> There are people who like containers and are serious about them. Being
> serious means that one has an automated pipeline that builds, tests and
> deploys updated containers, without engaging sysadmins.
> Your remarks do not move the discussion forward. The point is how to get the
> smallest viable container. Your comments ignore decades of experience
> of containerising workloads.
>
> --
> Tomasz .. oo o. oo o. .o .o o. o. oo o. ..
> Torcz .. .o .o .o .o oo oo .o .. .. oo oo
> o.o.o. .o .. o. o. o. o. o. o. oo .. .. o.
> _______________________________________________
> devel mailing list -- devel(a)lists.fedoraproject.org
> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
I'm not saying not to use containers. There is a right way to do it, and a
wrong way to do it. A container should be as the name describes, a
containerized installation of the distro in question, with the utilities
needed to support a given role. Not something that never gets updated, never
gets security fixes. Deploying new GNU/Linux based systems without engaging a
sysadmin or the sysadmin team sounds like a recipe for disaster.

I disagree, and I find your remarks to be quite hostile. The smallest viable
container can exist without getting rid of required utilities, such as the
package manager.
--
John M. Harris, Jr. <johnmh(a)splentity.com>
Splentity
https://splentity.com/