| 1 |
On Thu, Feb 2, 2017 at 3:35 PM, james <garftd@×××××××.net> wrote: |
| 2 |
|
| 3 |
> |
| 4 |
> I think that unikernels are something everyone should be aware of |
| 5 |
> as they purport to be the latest trend in securing all sorts of systems. |
| 6 |
> (a brief read). |
| 7 |
> |
| 8 |
|
| 9 |
Not really for all sorts, more for servers. Otherwise I get it, and |
| 10 |
at this point now that I run almost everything in containers I tend to |
| 11 |
be more inclined to run different distros in those containers. |
| 12 |
|
| 13 |
> This is only the case because profiles are in general in a mess and there |
| 14 |
> are little in the way of conventions. What is so sacrosanct about upstream |
| 15 |
> for a truly embedded gentoo system or a gentoo based IoT device? |
| 16 |
|
| 17 |
Nothing, in that space. |
| 18 |
|
| 19 |
The problem is the new user experience. When somebody is new to |
| 20 |
Gentoo and not super-knowledgeable the first thing they're going to do |
| 21 |
is set up a desktop. Now, they might not call it a desktop. They |
| 22 |
might not even run X11 on it. But, they're basically falling into |
| 23 |
that desktop user experience where whatever they do install "just |
| 24 |
works" and is feature-complete. |
| 25 |
|
| 26 |
It is true that we also attract advanced users who are looking for |
| 27 |
something different. They have no issues getting any distro to dance |
| 28 |
for them, and they're picking Gentoo because it is best suited for |
| 29 |
their specific need. These users are much more likely to be |
| 30 |
interested in minimal configurations, embedded systems, the hardened |
| 31 |
profiles, and so on. |
| 32 |
|
| 33 |
However, the problem is that if we optimize mainly for the second |
| 34 |
group we basically lose the first group entirely, and I suspect that |
| 35 |
is overall going to be the bigger group. |
| 36 |
|
| 37 |
If what you want is a "unikernel profile" for Gentoo then you're going |
| 38 |
to be changing a LOT of assumptions. Forget openrc vs systemd, there |
| 39 |
is no reason to have any init implementation on the thing. Forget |
| 40 |
linux vs bsd, there is also no reason to have a kernel in a container. |
| 41 |
We don't need any editor because you're probably going to do any |
| 42 |
config file editing from outside of the container. And that @system |
| 43 |
set that has all that bootstrapping stuff is probably way overkill if |
| 44 |
all you ultimately need is a single package to work (and maybe not all |
| 45 |
of that package). Heck, your overall install approach also should be |
| 46 |
questioned. Rather than build your unikernel from inside its own |
| 47 |
container, you should be building from a more complete image and just |
| 48 |
installing the minimum RDEPENDs in the production container (as with |
| 49 |
catalyst or the chromiumos builds). And you probably wouldn't be |
| 50 |
upgrading such things in place either, you'd just be creating newer |
| 51 |
instances and cutting over from the old. |
| 52 |
|
| 53 |
I don't question that it would be great for Gentoo to support all of |
| 54 |
this stuff. I just think that we need to be careful not to destroy |
| 55 |
the experience of somebody who just wants a "typical" install in order |
| 56 |
to do it. Somebody who doesn't want to take the time to tweak how |
| 57 |
their java implementation works probably wants the default install to |
| 58 |
be something that meets the Oracle standard. Now, somebody who is |
| 59 |
into tailoring can look at their application and tweak the living |
| 60 |
daylights out of it, but that shouldn't be what you get when you run |
| 61 |
"emerge icedtea" or whatever. |
| 62 |
|
| 63 |
Sure, you could do all that with a profile, but the problem is: |
| 64 |
1. Maintainers aren't going to necessarily invest in that profile. |
| 65 |
2. New users won't necessarily use that new profile. |
| 66 |
|
| 67 |
And when those things doesn't happen users look at Gentoo as the OS |
| 68 |
that nothing works right on. |
| 69 |
|
| 70 |
-- |
| 71 |
Rich |
Archives