| 1 |
On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote: |
| 5 |
> > Somewhat sarcastic but actually true. I don't recommend running |
| 6 |
> > production applications inside of Gentoo based containers. |
| 7 |
> |
| 8 |
> This makes sense for Gentoo, but my question was CC: to this list not as |
| 9 |
> off-topic, my host will be Hardened Gentoo, so kernel used by docker |
| 10 |
> images will support GrSecurity&PaX, and I wanna have protection provided |
| 11 |
> by hardened gcc for binaries run inside docker images. |
| 12 |
> |
| 13 |
> > I highly recommend making containers as small as possible. That |
| 14 |
> > means using statically linked executables and removing all |
| 15 |
> > traces of what we know as a distribution. Production containers |
| 16 |
> > should not be based on Gentoo images. |
| 17 |
> |
| 18 |
> Okay, not sure why it's so important, but this doesn't change anything - |
| 19 |
> these statically linked executables without any traces of Gentoo still |
| 20 |
> should be compiled with hardened gcc. |
| 21 |
> |
| 22 |
> > docker pull ${NEW_IMAGE} |
| 23 |
> |
| 24 |
> So, what $NEW_IMAGE should be to let me get small nice image with |
| 25 |
> up-to-date binaries built with hardened gcc? :-) |
| 26 |
|
| 27 |
I am not that familiar with docker, but I thought the idea was that you |
| 28 |
build your own container images with your requirements? ie re-build the |
| 29 |
image just once on only one server and then send it around to all the |
| 30 |
others. |
| 31 |
|
| 32 |
Alternatively, if you did not want to re-build the images themselves, |
| 33 |
you could always setup a gentoo binhost on one machine and make all the |
| 34 |
other containers pull those packages so there will not be the wasted |
| 35 |
time compiling. |
| 36 |
|
| 37 |
-- Jason |
| 38 |
> |
| 39 |
> -- |
| 40 |
> WBR, Alex. |
| 41 |
> |
Archives