On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote:
> Hi!
>
> On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote:
> > Somewhat sarcastic but actually true. I don't recommend running
> > production applications inside of Gentoo based containers.
>
> This makes sense for Gentoo, but my question was CC: to this list not as
> off-topic, my host will be Hardened Gentoo, so kernel used by docker
> images will support GrSecurity&PaX, and I wanna have protection provided
> by hardened gcc for binaries run inside docker images.
>
> > I highly recommend making containers as small as possible. That
> > means using statically linked executables and removing all
> > traces of what we know as a distribution. Production containers
> > should not be based on Gentoo images.
>
> Okay, not sure why it's so important, but this doesn't change anything -
> these statically linked executables without any traces of Gentoo still
> should be compiled with hardened gcc.
>
> > docker pull ${NEW_IMAGE}
>
> So, what $NEW_IMAGE should be to let me get small nice image with
> up-to-date binaries built with hardened gcc? :-)

I am not that familiar with docker, but I thought the idea was that you
build your own container images with your requirements? i.e. re-build the
image just once on only one server and then send it around to all the
others.

Alternatively, if you did not want to re-build the images themselves,
you could always set up a gentoo binhost on one machine and make all the
other containers pull those packages so there will not be the wasted
time compiling.

-- Jason
>
> --
> WBR, Alex.
>
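Whichever way the images are produced (rebuilt once, or fed from a binhost), the check a practitioner would want before shipping them is whether the binaries inside actually carry the link-time hardening a hardened toolchain is expected to emit. The Python example below is added here and is not code from this thread: it reads the ELF64 headers directly (no readelf needed) and reports PIE, non-executable stack, RELRO and BIND_NOW; `build_elf`, the two constructed sample images and the result keys are the example's own, and stack-protector use is not covered since it needs the symbol table.

```python
import struct

# ELF constants from the gABI / Linux ABI
ET_EXEC, ET_DYN, PF_X = 2, 3, 1
PT_DYNAMIC, PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 2, 3, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 24, 30, 0x6FFFFFFB, 0x8, 0x1

def check_hardening(data):
    """Report link-time hardening visible in a little-endian ELF64 image (headers only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    e_type, phoff = struct.unpack_from("<H14xQ", data, 16)        # e_type at 16, e_phoff at 32
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    res = {"pie": e_type == ET_DYN, "static": True, "nx_stack": False, "relro": False, "bind_now": False}
    dyn = None
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_INTERP:       # a program interpreter means the binary is dynamically linked
            res["static"] = False
        elif p_type == PT_GNU_STACK:  # stack is non-executable only when PF_X is clear
            res["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:  # GOT and relocation data become read-only after startup
            res["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    for off in (range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ()):  # scan .dynamic for BIND_NOW
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            res["bind_now"] = True
    res["full_relro"] = res["relro"] and res["bind_now"]  # RELRO without BIND_NOW leaves the GOT writable
    return res

def build_elf(e_type, phdrs, dyn_entries=()):
    """Constructed minimal ELF64 (header + program headers + optional .dynamic); sample input only."""
    phnum = len(phdrs) + (1 if dyn_entries else 0)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries) + struct.pack("<qQ", DT_NULL, 0)
    if dyn_entries:
        phdrs = list(phdrs) + [(PT_DYNAMIC, 6, 64 + 56 * phnum, len(dyn))]
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                      e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 1) for t, f, off, sz in phdrs)
    return hdr + body + (dyn if dyn_entries else b"")

# Constructed samples: a static-pie style hardened image and a plain non-PIE one with an executable stack.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 6, 0, 0), (PT_GNU_RELRO, 4, 0, 0)], [(DT_FLAGS, DF_BIND_NOW)])
WEAK = build_elf(ET_EXEC, [(PT_INTERP, 4, 0, 0), (PT_GNU_STACK, 7, 0, 0)])
```

To check a real file, pass `open(path, "rb").read()` to `check_hardening` and fail the image build when any key you require is False.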