| 1 |
Daniel Campbell: |
| 2 |
> On Sun, Mar 12, 2017 at 08:56:00PM +0000, Ural wrote: |
| 3 |
>> Hello guys. I am sorry about a bit of offtopic, but if everyone is |
| 4 |
>> interested, I am inviting anyone into |
| 5 |
>> https://github.com/edannenberg/gentoo-bb project discussion thread here: |
| 6 |
>> https://github.com/edannenberg/gentoo-bb/issues/102, where we user |
| 7 |
>> Docker as engine and Gentoo GNU/Linux as host OS. We have some ideas on |
| 8 |
>> (possibly) the best server and LAMP/LEMP management using Gentoo, Docker |
| 9 |
>> and GentooBB. Discussing the most table, fastest and secure dedicated |
| 10 |
>> server configuration to host everything. Thanks |
| 11 |
>> |
| 12 |
> |
| 13 |
> The concept sounds pretty neat; what do you guys do different than a |
| 14 |
> typical Gentoo installation? |
| 15 |
> |
| 16 |
> What does Gentoo do for a containerized environment? Does this project |
| 17 |
> include easier container management than usual? I like the |
| 18 |
> containers-as-services idea. If it's not hard to write/make one, I could |
| 19 |
> see this project taking off. |
| 20 |
|
| 21 |
The idea of this project is very simple. Manage containers, based on |
| 22 |
Gentoo. The only OS you can configure everything. I.E. -march=native, |
| 23 |
which decreases php memory usage by 25% and accelerates binaries. |
| 24 |
|
| 25 |
But in usual way, you will do |
| 26 |
# docker import stage3-xxx.tar.bz2 gentoo |
| 27 |
and emerge needed service, like nginx, mariadb or php. |
| 28 |
This way you will have bunch of unmanaged >1GB containers, which have |
| 29 |
90% unneded files and is hard to update. |
| 30 |
|
| 31 |
Our project solves this problem. You have bunch of preconfigured |
| 32 |
packages, which you already can install and use. Or you can easily |
| 33 |
create yours. The images are layered and nested, and your nginx |
| 34 |
container will be 17MB and have only what it need. |
| 35 |
You can easily rebuild/upgrade/recompile any container, or upgrade all |
| 36 |
at once. You just define all settings once. |
| 37 |
Example. To build php7 container, it will build busybox, glibc, openssl, |
| 38 |
and then including all previous containers will create a resulting |
| 39 |
nested container. So you have only one glibc or one bash for all child |
| 40 |
containers. So you can take one container as source, add to it a package |
| 41 |
and have another nested container. |
| 42 |
|
| 43 |
Why this 'container-per-service' is the best way? |
| 44 |
* Security. Containers are just isolated from host OS, thanks to |
| 45 |
cgroups, and if hijacked, don't access your rest system. That way if I |
| 46 |
use separate php containers for phpBB, piwik and other community-driven |
| 47 |
projects, hijacking phpBB will not allow access to rest services. Most |
| 48 |
containers runs unprivileged. |
| 49 |
|
| 50 |
* No any overhead. It is just another namespace inside kernel. |
| 51 |
|
| 52 |
* Ability to have blk and cpu priorities for different services, even |
| 53 |
when it is not possible to assign in usual native way, like priority for |
| 54 |
a mariadb database. If you have 3 mariadb containers, you can easily |
| 55 |
manage priorities as needed. |
| 56 |
|
| 57 |
* Easy to upgrade on production, preserving old versions. I described my |
| 58 |
way to do this in referenced issue, and I have just a few seconds of |
| 59 |
downtime, when I turn off old containers and start new, but all configs |
| 60 |
and data are mounted as volumes. If something is not well with upgraded |
| 61 |
containers, I can switch it back temporarily. |
| 62 |
|
| 63 |
* This project is already working well, mostly stable and is used on |
| 64 |
production. All I did was edited package config files for my need, and |
| 65 |
./main.sh build mynamespace. It builds all packages, emerging latest |
| 66 |
versions and compiling them from scratch, creating docker containers. |
| 67 |
After all built, you start using your containers. |
| 68 |
|
| 69 |
(the developing is going in spring branch and soon we will have big |
| 70 |
version update) |
| 71 |
|
| 72 |
|
| 73 |
|
| 74 |
> |
| 75 |
> Thanks for sharing! |
| 76 |
> |
Archives