1 |
On Tue, Dec 10, 2019 at 8:25 AM Thomas Deutschmann <whissi@g.o> wrote: |
2 |
> |
3 |
> On 2019-12-10 13:44, Rich Freeman wrote: |
4 |
> > I'm not talking about container-host mapping. I'm talking about |
5 |
> > building the same container 100 times and having the container end up |
6 |
> > with the same UIDs inside each time. |
7 |
> > |
8 |
> > Build order in portage isn't really deterministic, especially over |
9 |
> > long periods of time, so you can't rely on stuff getting installed in |
10 |
> > the same order. |
11 |
> |
12 |
> Assume you are building a container for dev-db/mysql. I can only think |
13 |
> of one scenario where you would end up with different UIDs: That's when |
14 |
> dev-db/mysql (or a dependency) would suddenly create an own user and |
15 |
> will be merged before mysql's user was created. |
16 |
> |
17 |
> But this is very theoretically. Especially in a container world, you |
18 |
> will create one container per services so it's *very* unlikely that |
19 |
> something like that will ever happen. Not? |
20 |
|
21 |
There are cases where you might have more than one service in a |
22 |
container, and there is certainly the issue of dependencies. It |
23 |
certainly makes sense to limit a container to a single function, but |
24 |
internally that could involve multiple processes. |
25 |
|
26 |
> Aside benefits from reproducible builds in general (which Gentoo doesn't |
27 |
> provide), please share reasons why one would care about used UIDs/GIDs |
28 |
> in containers... |
29 |
|
30 |
Well, that is simple. In the mysql example /var/lib/mysql would be |
31 |
bind-mounted from outside the container, since it needs to be |
32 |
persistent anytime the container is updated. If you update the |
33 |
container and it ends up with a different UID for mysqld, then it |
34 |
wouldn't be able to read anything in /var/lib/mysql as it would still |
35 |
have the previous UID. You'd need to keep the two in sync somehow. |
36 |
|
37 |
In fact, that is the very example you go on to offer... |
38 |
|
39 |
> > Uh, the container processes shouldn't even see the host |
40 |
> > processes/files whether they have the same UIDs or not... |
41 |
> |
42 |
> Especially when you put mysql or any other service using data into a |
43 |
> container, service running in that container must be able to access this |
44 |
> data. And one common way to do that is allowing container to access data |
45 |
> stored on host, i.e. |
46 |
> |
47 |
> > $ docker run \ |
48 |
> > --name some-mysql \ |
49 |
> > -v /my/own/datadir:/var/lib/mysql \ |
50 |
> > -e MYSQL_ROOT_PASSWORD=my-secret-pw \ |
51 |
> > -d mysql:tag |
52 |
> |
53 |
> which will make /my/own/datadir from host available in container as |
54 |
> /var/lib/mysql. |
55 |
> |
56 |
|
57 |
This is obviously exactly how you'd do it if you were using docker, |
58 |
but you don't need to keep the UID in the container in sync with |
59 |
anything else in the host. If security is a concern you'd probably |
60 |
want to make sure that nothing non-root can reach the directory since |
61 |
its UID might be in use for something else. |
62 |
|
63 |
In any case, this is why consistent UIDs in scratch installs are |
64 |
useful. When you're building a new version of a container you don't |
65 |
want all its UIDs to change. And of course this isn't just limited to |
66 |
containers, but anything where you have persistent storage. It is |
67 |
just that the idea of creating new instances from scratch instead of |
68 |
updating them in-place has become more fashionable around the same |
69 |
time that containers have become more fashionable. You could do the |
70 |
same thing with a bare-metal host, though it would be a bit more |
71 |
painful (perhaps using A/B partition booting, or less painful if |
72 |
you're booting from a SAN or something like that). |
73 |
|
74 |
-- |
75 |
Rich |