| 1 |
On Tue, Dec 10, 2019 at 8:25 AM Thomas Deutschmann <whissi@g.o> wrote: |
| 2 |
> |
| 3 |
> On 2019-12-10 13:44, Rich Freeman wrote: |
| 4 |
> > I'm not talking about container-host mapping. I'm talking about |
| 5 |
> > building the same container 100 times and having the container end up |
| 6 |
> > with the same UIDs inside each time. |
| 7 |
> > |
| 8 |
> > Build order in portage isn't really deterministic, especially over |
| 9 |
> > long periods of time, so you can't rely on stuff getting installed in |
| 10 |
> > the same order. |
| 11 |
> |
| 12 |
> Assume you are building a container for dev-db/mysql. I can only think |
| 13 |
> of one scenario where you would end up with different UIDs: That's when |
| 14 |
> dev-db/mysql (or a dependency) would suddenly create an own user and |
| 15 |
> will be merged before mysql's user was created. |
| 16 |
> |
| 17 |
> But this is very theoretically. Especially in a container world, you |
| 18 |
> will create one container per services so it's *very* unlikely that |
| 19 |
> something like that will ever happen. Not? |
| 20 |
|
| 21 |
There are cases where you might have more than one service in a |
| 22 |
container, and there is certainly the issue of dependencies. It |
| 23 |
certainly makes sense to limit a container to a single function, but |
| 24 |
internally that could involve multiple processes. |
| 25 |
|
| 26 |
> Aside benefits from reproducible builds in general (which Gentoo doesn't |
| 27 |
> provide), please share reasons why one would care about used UIDs/GIDs |
| 28 |
> in containers... |
| 29 |
|
| 30 |
Well, that is simple. In the mysql example /var/lib/mysql would be |
| 31 |
bind-mounted from outside the container, since it needs to be |
| 32 |
persistent anytime the container is updated. If you update the |
| 33 |
container and it ends up with a different UID for mysqld, then it |
| 34 |
wouldn't be able to read anything in /var/lib/mysql as it would still |
| 35 |
have the previous UID. You'd need to keep the two in sync somehow. |
| 36 |
|
| 37 |
In fact, that is the very example you go on to offer... |
| 38 |
|
| 39 |
> > Uh, the container processes shouldn't even see the host |
| 40 |
> > processes/files whether they have the same UIDs or not... |
| 41 |
> |
| 42 |
> Especially when you put mysql or any other service using data into a |
| 43 |
> container, service running in that container must be able to access this |
| 44 |
> data. And one common way to do that is allowing container to access data |
| 45 |
> stored on host, i.e. |
| 46 |
> |
| 47 |
> > $ docker run \ |
| 48 |
> > --name some-mysql \ |
| 49 |
> > -v /my/own/datadir:/var/lib/mysql \ |
| 50 |
> > -e MYSQL_ROOT_PASSWORD=my-secret-pw \ |
| 51 |
> > -d mysql:tag |
| 52 |
> |
| 53 |
> which will make /my/own/datadir from host available in container as |
| 54 |
> /var/lib/mysql. |
| 55 |
> |
| 56 |
|
| 57 |
This is obviously exactly how you'd do it if you were using docker, |
| 58 |
but you don't need to keep the UID in the container in sync with |
| 59 |
anything else in the host. If security is a concern you'd probably |
| 60 |
want to make sure that nothing non-root can reach the directory since |
| 61 |
its UID might be in use for something else. |
| 62 |
|
| 63 |
In any case, this is why consistent UIDs in scratch installs are |
| 64 |
useful. When you're building a new version of a container you don't |
| 65 |
want all its UIDs to change. And of course this isn't just limited to |
| 66 |
containers, but anything where you have persistent storage. It is |
| 67 |
just that the idea of creating new instances from scratch instead of |
| 68 |
updating them in-place has become more fashionable around the same |
| 69 |
time that containers have become more fashionable. You could do the |
| 70 |
same thing with a bare-metal host, though it would be a bit more |
| 71 |
painful (perhaps using A/B partition booting, or less painful if |
| 72 |
you're booting from a SAN or something like that). |
| 73 |
|
| 74 |
-- |
| 75 |
Rich |
Archives