
Re: [atomic-devel] What is the current state of the container tools

Here are some comments inline.

On Tue, Jul 10, 2018 at 7:39 AM Farkas Levente <lfarkas lfarkas org> wrote:
We're using centos and fedora for production and development. I've been waiting for a long time to be able to use docker's multi-stage build feature, which imho would be an essential feature for all kinds of container builds. Unfortunately neither rhel/centos' nor fedora's latest release has updated docker in the last 1.5 years (!).

Regretfully, I can't comment on why Fedora hasn't shipped Docker CE, as I don't really participate as much as I wish I could with Fedora. But, I can say that you don't see an update in CentOS, because it hasn't been updated in Red Hat Enterprise Linux and CentOS is a rebuild of RHEL. Docker CE is not meant for enterprise editions of Linux. If you really want Docker CE or EE, I would encourage you to download CE or talk to Docker about purchasing Docker EE :-)
docker 1.13 was released January 19, 2017.

Yes, coincidentally, you will notice that this was the last major release of the docker engine before it was split up into three new entities - Moby, Docker CE, and Docker EE. Moby is a bigger project than just the docker engine and was never really set up in a way that makes it easy for a Linux distribution to build and ship the engine and cli together as one thing, like what was done in the docker 1.13 days. So, basically, we just kept patching docker 1.13. Red Hat and Fedora would have been happy to have just kept shipping newer versions but alas, that just wasn't an option.

I understand that everybody would like to use the new and fancy OCI tools and stuff.
Yes :-) 
So I try to understand the current state of these tools. But it seems for me that these tools are far from ready and not even ready for daily usage.

I would love to know what other things give you that impression? I use these tools daily and I actually think they are quite good. In RHEL, Buildah is at 1.1+, CRI-O is at 1.9+ and Podman is at 0.6.1 and heading for GA quickly.
eg. buildah can only be run by root and there is no usable way to develop and test as a regular user etc.

The team is working diligently to drop as many privileges as possible and they are making good progress. That said, the fact that you know you are running as root with buildah is an improvement. I just want to make sure that it is crystal clear to you that when you have a docker daemon running on your box, you are running as root. Just because you are running the docker command as a user doesn't protect you in any way, shape or form.

docker run --privileged centos7 bash gives you a root shell. 

This is NO different than sudo. In fact it's worse, because at least sudo can log the commands that you run and log those off system if things are set up correctly.
First of all, is there any good comprehensive tutorial (maybe with a comparison with docker) on which tools one should use and how?

Here's a good one: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/finding_running_and_building_containers_without_docker

..and until these tools get ready...

I really think you should give them more of a try, I am happy to help answer questions.
Is there any plan or chance that rh/fedora will update docker to something newer, or does everybody have to use docker-ce packages from docker or other even dirtier tricks to build small containers?

I think I explained this above, but let me make sure this is crystal clear. There is no option for Red Hat to ship a new version of docker. The only options are:

1. Build and ship binary versions of the engine in Moby (no cli)
2. Can't ship Docker CE because it's not intended for enterprise distributions of Linux
3. Can't ship Docker EE because that requires a contract with Docker Inc.

I would encourage you to keep checking out the OCI Container Tools, or perhaps go download Docker CE.... Hopefully that helps...

Thanks in advance.

  Levente                               "Si vis pacem para bellum!"

Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty redhat com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com

Does Serverless and Containers spell the end for operating systems? http://bit.ly/2JfBUkf
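As an added example (not from the thread, and not Red Hat's or Docker's own tooling), here is a small shell audit that lists which local accounts can reach the Docker daemon and are therefore root-equivalent, which is the point made above about --privileged and sudo. It runs on constructed group/passwd files; the file paths and user names are made up, and on a real host you would pass /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example, not part of the thread: audit which local accounts can reach the
# Docker daemon. Anyone who can talk to the daemon can start a --privileged
# container and is therefore effectively root, without the logging sudo gives.
# Runs offline on constructed group/passwd files.

# docker_gid <group-file>: print the numeric GID of the docker group (empty if none)
docker_gid() {
    awk -F: '$1 == "docker" { print $3 }' "$1"
}

# docker_socket_users <group-file> <passwd-file>: every user in the docker group,
# either as an explicit member or because it is their primary group. Primary-group
# users never appear in the member field of /etc/group, so checking only that
# field under-reports.
docker_socket_users() {
    gid=$(docker_gid "$1")
    [ -n "$gid" ] || return 0
    {
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$2"
    } | sort -u
}

# effective_root_users <group-file> <passwd-file>: root itself plus the docker users
effective_root_users() {
    { printf 'root\n'; docker_socket_users "$1" "$2"; } | sort -u
}

# Demo on constructed data (hypothetical accounts alice, bob, carol).
demo_group=$(mktemp) && demo_passwd=$(mktemp)
cat > "$demo_group" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:990:alice,bob
users:x:100:
EOF
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:100::/home/alice:/bin/sh
bob:x:1001:100::/home/bob:/bin/sh
carol:x:1002:990::/home/carol:/bin/sh
EOF
echo "Accounts with root-equivalent access via the docker daemon:"
effective_root_users "$demo_group" "$demo_passwd"
rm -f "$demo_group" "$demo_passwd"
```

carol is reported even though she is not listed on the docker line, because 990 is her primary group.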
