[ale] Preferred Linux under Docker?
Ted W.
ted-lists at xy0.org
Tue May 16 01:00:23 EDT 2017
> I've yet to find a use case in our setup for it that wasn't either:
> 1. "Containers are cool, we need to use them!"
> 2. Incoherent string of buzzwords from someone who just got back from a conference.
Of course every environment is different but I hear this sentiment a lot
and I thought your comment made a good launching off point for another
mini rant on how containers can be useful. I'll list a few examples
below and try to explain in some detail why containers are a great fit
in each situation.
Bootstrapping a development environment:
Let's say I build an application in python and I post it on
GitHub for others to download and contribute. To build my Python
application you need several python dependencies and sometimes
these dependencies conflict with the versions installed on your
system from your package repository or that you have installed
manually to build some other Python application. Normally, you
would have to know how to setup a separate python environment
using a tool like pyenv to get an isolated environment. At best,
you already know how to do this. At worst, I have to write a
bunch of extra documentation or a script to do it for you. I
have to then keep up with this and make sure it remains accurate
as the project evolves.
If I'm using Docker in this scenario, I can write a Dockerfile
that contains all of my dependencies and ship that in the same
repository as my code. I don't have to care about what operating
system you're running. I don't have to worry about what
environment variables you have set or what package versions you
have that might cause weird issues that will get reported as
bugs. Additionally, if someone contributes code to the project
that changes the build process, they are also empowered to
change the build environment because it's clearly defined in a
single text file. When someone later tries to build the
repository, after pulling down the updates, they run docker
build (or some wrapper script provided in the repository) and
the container builds with these new dependencies and the
application build Just Works because the developer knew exactly
what the build environment looked like.
Deploying application updates:
You have an application you need to update. On a traditional
system, you have an operating system on a machine and you update
the application either through your package manager or through
some code deployment workflow. Once it's deployed, you find an
issue. With packages, you might be able to `yum downgrade` or
equivalent but what if it's a code change to your internal
application? What changed between the last version and this
version of the code? Can you easily revert these changes?
Maybe, if you had built it in to a package for the OS before
deployment.
If you're using containers to run your application, you build a
new version of your container which has the new version of your
code as well as any dependency updates. You shoot the old
container in the head and you start up the new container. If you
find a problem. You shoot this new one in the head and start the
old one up again. You can also use one of the many container
management platforms on the market (Swarm, Rancher, etc.) to
define a percentage of the containers running the application
which should be replaced by the new version to roll out the
application gradually.
Security
Containers are just processes on a host OS that are isolated
using cgroups and kernel namespaces. If you don't want your
container to do something, you can set the appropriate
restrictions on the host operating system. There are even tools
emerging now to improve this experience. Liz Rice recently gave
a talk this past week at OSCON [1] about restricting the syscalls
your container can make to the host kernel.
As someone already pointed out in another thread, you do have to
be aware of where your containers come from. In production, you
should really build your containers from the scratch image or
directly from the official (Alpine|CentOS|Debian|.*) container
repository. **
[1] https://conferences.oreilly.com/oscon/oscon-tx/public/schedule/detail/56840
** There are differing opinions on this
On Mon, May 15, 2017 at 01:41:09PM +0000, Beddingfield, Allen wrote:
> I've yet to find a use case in our setup for it that wasn't either:
> 1. "Containers are cool, we need to use them!"
> 2. Incoherent string of buzzwords from someone who just got back from a conference.
> Allen B.
>
>
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
>
> On 5/15/17, 8:29 AM, "ale-bounces at ale.org on behalf of Jim Kinney" <ale-bounces at ale.org on behalf of jim.kinney at gmail.com> wrote:
>
> I still see 'containers' as a blend between a chroot and a virtual machine.
>
>
> As an admin, user willingness to download any old container they found on the tubes that has their solution stuffed into it is a terrifying idea.
>
>
> On Mon, 2017-05-15 at 09:22 -0400, leam hall wrote:
>
> On Mon, May 15, 2017 at 9:16 AM, Beddingfield, Allen <allen at ua.edu> wrote:
>
> Since I'm a SUSE guy, I would automatically say SUSE/openSUSE, but I'm sure you will get that answer from each person with their preferred distro(s).
>
>
>
>
> "If I knew SuSE like you know SuSE..." Sorry, couldn't resist.
>
> Remeber those Sun boxes? This will be going on them. We now have a
> garage to deal with the sound issue. :)
>
> After a couple decades I'm not sure the current distro vendors get it.
> RH seems to be moving away from being on the hardware or a VM, and
> wants to go theri own way like Solaris. If I'm going to go somewhere
> might as well go all the way.
>
> Leam
> _______________________________________________
> Ale mailing list
> Ale at ale.orghttp://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his
> own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
> http://heretothereideas.blogspot.com/
>
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mail.ale.org/pipermail/ale/attachments/20170516/00eb118b/attachment.sig>
More information about the Ale
mailing list