Sorry - but the phusion images are unnecessarily bloated. The existence of them has been defended by 'fixing' many so-called problems that are actually no problem at all - or at least shouldn't be a problem if you know what the hell you're doing. No well-written software will spawn zombie processes - sorry. Reaping dead child processes is something pretty basic if you're using 'fork'.

And then - a logger daemon. Guess mounting /dev/log into a container is too complex if you care about this?

Logrotate - sure, useful - but if you care about logs and aren't sending them to your logger daemon or /dev/null, you probably want to store them externally - in a volume or mounted host directory - and have a separate container taking care of that.

The ssh server. Containers are no VMs; if you have to log in on a container running in production - you're doing something wrong - unless that container's only job is running SSH (which can be useful for example for Jenkins build slaves).

Cron - again - same thing: run in a separate container and give access to the exact things your cronjob needs.

That is for me the essential thing about containers: separate everything.
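The reaping this comment refers to, as an added example written for this page (not the commenter's code): a minimal PID-1-style reaper in Python that forks children, shows them lingering as zombies in /proc until `waitpid` collects them, plus a tini-like `run_as_init` that execs a service, forwards SIGTERM/SIGINT to it and reaps everything else. The /proc state check is Linux-only; elsewhere it reports no state and the demo still reaps.

```python
import os
import signal
import threading
import time
from typing import Dict, List, Optional


def process_state(pid: int) -> Optional[str]:
    """State letter from /proc/<pid>/stat ('Z' = zombie); None if gone or no /proc."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except OSError:
        return None
    # The comm field sits in parentheses and may itself contain spaces or ')',
    # so the state is the field right after the LAST closing parenthesis.
    return stat[stat.rindex(")") + 2]


def reap_children() -> List[int]:
    """Collect every exited child without blocking (a PID 1's SIGCHLD duty).
    One signal can stand for several exits, so loop until pid 0 (nothing
    pending) or ChildProcessError (no children left)."""
    reaped: List[int] = []
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:
            break
        if pid == 0:
            break
        reaped.append(pid)
    return reaped


def zombie_demo(n: int = 3) -> Dict[str, List[int]]:
    """Fork n children that exit at once, watch them linger as zombies, reap them."""
    pids: List[int] = []
    for _ in range(n):
        pid = os.fork()
        if pid == 0:
            os._exit(0)          # child: exit immediately; nobody has waited for it yet
        pids.append(pid)
    zombies: List[int] = []
    for pid in pids:
        deadline = time.monotonic() + 2.0
        while time.monotonic() < deadline and process_state(pid) not in ("Z", None):
            time.sleep(0.01)     # still running/exiting; give it a moment
        if process_state(pid) == "Z":
            zombies.append(pid)
    reaped = reap_children()
    remaining = [pid for pid in pids if process_state(pid) is not None]
    return {"spawned": pids, "zombies": zombies, "reaped": reaped, "remaining": remaining}


def run_as_init(argv: List[str]) -> int:
    """Tini-style init: exec argv as the main service, forward SIGTERM/SIGINT to it,
    reap any other child that dies, and return the service's exit code."""
    main_pid = os.fork()
    if main_pid == 0:
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)        # only reached if exec itself failed
    saved = {}
    if threading.current_thread() is threading.main_thread():  # handlers need the main thread
        forward = lambda signum, _frame: os.kill(main_pid, signum)
        saved = {s: signal.signal(s, forward) for s in (signal.SIGTERM, signal.SIGINT)}
    try:
        while True:
            pid, status = os.waitpid(-1, 0)  # blocking; reaps ANY child, not just main
            if pid == main_pid:
                break
    finally:
        for sig, handler in saved.items():
            signal.signal(sig, handler)
    reap_children()              # sweep anything that died alongside the service
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else 128 + os.WTERMSIG(status)


if __name__ == "__main__":
    print(zombie_demo())
    print(run_as_init(["sh", "-c", "exit 3"]))
```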
But sure, you could treat containers as a special VM only for one service - nobody is going to stop you. I however prefer isolating every single process and explicitly telling it how to communicate with other processes. It's sane from many perspectives: security, maintainability, flexibility and speed. Sorry, but it's not only Docker using 'containers' that way. I'm no fan of systemd for various other reasons - but that is one thing it does correctly: use namespaces aka 'containers' to separate processes.

It simply makes no sense to add additional unnecessary overhead and complexity to something that is essentially very lightweight. If you want a full-blown OS - a VM is much better suited to that, and modern hypervisors come with a ton of bells and whistles to help you manage full-OS environments.
LXC is using containers in the same manner as VMs. There are still reasons to use a container over a VM. To name a big one, application density. There's a Canonical page about it I can dig up if you want that claims you can get 14 times the OS density with LXC containers than you can with KVM VMs. That allows you to provide a high degree of separation while still allowing you to use more traditional tools to manage it.

Not everyone is of the caliber that tends to browse HN. Not everyone adapts to new technology as quickly as people around here tend to, especially if that new technology requires a huge upheaval in the way that things have been done for the last 10 or 15 years. Using containers the same way we do VMs provides a lot of the benefits of containers without requiring a drastic change from other departments.

Scalability of LXC vs a HW VM was written up by a Canonical engineer here:

I've had up to 512 LXC nested containers running quagga for BGP & OSPF to simulate 'the internet'. My machine is an i7 laptop and this used less than 8-10 gigs of RAM to run. FYI the GitHub of 'The Internet' setup was from the 2014 NSEC conference where they used it so the participants had a large internet routing simulation available to test security. The GitHub for 'The Internet' simulation is here:

'The Internet' creates 1 single LXC parent/master container and then 500+ nested LXC containers each running quagga & set up for the simulation used.
They're supposedly coming along quite nicely with the security of containers. Can you run docker containers in userspace? It's been a while since I did much with it; I know LXC can with a fair bit of customization. That would do a lot to help with security, and if you're following good containerization principles you should be able to set a really finicky IDS that shuts down containers on even the slightest hint of a breach.

> Modern KVM has a comparable density to containers (except for memory)

It does, but the memory can make a big difference if you're running microservices. If I'm guesstimating I'm thinking there's probably about a 200MB difference in memory usage between a good container image and a VM. With microservices that can grow quite a bit. Let's say 4 microservices, needing at least 2 of each for redundancy: you're already looking at a difference of 1.6GB of memory. If you need to massively scale those, that's 0.8GB of memory for every host you add, not including any efficiency gains from applications running on containers rather than VMs (which is going to be largely negligible unless we're talking a massive scale).

Yeah that's cool, but my main point is that images which make use of the stable Debian package system and are actively maintained are a better approach than an image that makes use of more obscure technology that could be abandoned, or worse, maintaining your own container infrastructure.
> No well-written software will spawn zombie processes - sorry.

And yet it happens.

> The ssh server. Containers are no VMs; if you have to log in on a container running in production - you're doing something wrong

The SSH server is incredibly useful for diagnosing problems in production, so I for one applaud it (although it's not really necessary anymore with docker exec).

> Cron - again - same thing: run in a separate container and give access to the exact things your cronjob needs.

Or just run it in-container to keep your service clusters together.

> That is for me the essential thing about containers: separate everything.

It's a question of degree. Where you draw the line is almost always a personal, aesthetic choice.

> And yet it happens.

I can understand that argument. It's an edge case, and building a sane Dockerfile on top of Alpine that runs applications through S6 (or runit), which developers use for their applications, is the way to go for me. This is what phusion baked in?

> The SSH server is incredibly useful. (although it's not really necessary anymore with docker exec).

It's an additional attack vector and, by your own admission, it's useless. Docker exec has been baked into docker for over a year.

> Or just run cron in-container to keep your service clusters together.

Per-container cron sounds painful. Then you have to deal with keeping every container's system time in sync with the host (yes, they can deviate). Not only that, if you have a periodic cron job that runs an app to update some database value, scaling becomes bottlenecked and race conditions (and data races) can get introduced. You are prevented from running multiple instances of one application to alleviate load because the container has the side-effect of running some scheduled job. Cron should be separate.

One can also choose the degree to which they want to throw out good practices that prevent them from repeating others' mistakes.

> No well-written software will spawn zombie processes - sorry.
> And yet it happens.

Strange, I have been running software in docker for almost 2 years in production on 6 docker hosts running a ton of containers these days, and yes - a lot of this software spawns child processes. In all this time I have never seen zombie processes with one major exception: Phusion Passenger to run our Redmine instance. If you run this under supervisord as 'init' process - you indeed notice the init process cleaning up 'zombie processes' at startup like this:

```
2015-12-24 01:00:32,273 CRIT reaped unknown pid 600)
2015-12-24 01:00:34,774 CRIT reaped unknown pid 594)
2015-12-24 01:00:35,802 CRIT reaped unknown pid 610)
```

So that case for me is the exception, and I do use an init process (supervisord) to run only apache with passenger. Note that using Apache with PHP or plain does not leak zombie processes.

Some things you really can't split into one-process-per-container.
Like how WAL-E needs to run alongside the Postgres daemon (or at least, I was unable to get it to run otherwise). You might argue you shouldn't run Postgres in a Docker container, but that's just one example of IPC you can't delegate to shared files / TCP ports.

The real problem with splitting things into a bunch of containers is that the story around container orchestration is still poor. Kubernetes is the leader here, but running a production-ready cluster takes some work (besides Google Container Engine, there are some nice turn-key solutions for spinning up a cluster on AWS but they come with short-lived certificates and rigid CloudFormation scripts which create separate VPCs; so you have to set up your own PKI and tweak CloudFormation scripts).

I see no reason why it couldn't run in a separate container. You'd probably have to mount the postgres socket directory and the WAL archive dir into it, but it could be tricky - true. But containers are just a tool. Some things are not suitable to run in containers, don't try to shoe-horn everything into them.

Other than that, there's no problem running postgres itself in a container - as long as your data is stored in a volume ending up being bind-mounted on the local disk, and not on the layered filesystem - otherwise performance will suffer badly.

And yes - orchestration - especially on small-scale - is still a sore point. All the tools like kubernetes seem to focus on large scale and scaling multiple instances of the same containers - which is not what I and many people need. Something like docker-compose, but in daemon form, would be nice.

Personally, I've run into weird issues sharing sockets and other files that need to be read+write on both containers. One thing is you have to set up the users very carefully/similarly in both containers, due to file ownership issues with bind mounts (UIDs have to align in both containers).

Agreed about not shoehorning things into containers. Redis, for instance, should be run with custom kernel parameters (transparent huge pages disabled), so doesn't fit well in the container paradigm since containers share the same kernel.
I'm currently toying with IBM Bluemix (mostly because they have a relatively big free tier) and they have resource-based billing, but since you can't make containers arbitrarily small and you pay for RAM reserved for a container, it is effectively per container. So even if you only need 1 GB for 30 min every night, you either build something that starts a worker container on schedule or you pay for resources you don't use 98% of the time. I guess other platforms are similar. But of course, if you can afford to use that in production it probably doesn't matter very much, and you might choose a different platform if it bugs you. Just came to mind because I was just wondering how to split stuff up.

Size of programs, in terms of disk, memory, cpu time, and network usage, is bloated by multiple orders of magnitude by all the confused people who think the only thing that matters is 'developer productivity'. Maybe 20% is worth sacrificing, maybe 50%, but 100x?

It could well be due to things like shared libraries. A larger distro will have more options enabled, causing more shared libraries to be linked into the same running processes, and thus more shared libraries to be fully loaded into memory. A smaller distro might even statically compile most things - Alpine does. If you dynamically link shared libraries, the whole library is loaded into memory to serve the process. If you statically link, only the actually used part of the library is included in the binary. Statically linked binaries can't share the library in memory between each other like dynamically linked binaries can, but if all your processes are running in separate containers, they won't share those libraries anyway (unless they're all in a VM and the rarely used 'samepage merging' is enabled for the VM).

Finally. Simplicity has knock-on effects. Making things simpler and smaller (not easier), and reducing the number of moving parts in the implementation, makes cleaning up more stuff easier.

Using Gentoo stable in production right now. I'm in charge of how long a package is supported now. All execs get a brand new Gentoo machine built with binaries compiled by myself. You wouldn't believe how fast you can get a Gentoo machine up and running compared to other distros. Build for a minimum common architecture (all Intel binaries are based on Sandy Bridge, all ARM based on Rockchip RK3088), and installing on a new computer is little more than untarring a bunch of binaries to /. My record is 5 minutes for a full KDE Plasma 5.5 software stack.

We use Alpine Linux for our applications and I like it, and I too shudder at it being used for the entire production system.
As a sysadmin, you can still administer the LTS distro that hosts the docker containers and whatever other pieces of the stack you interact with. Alpine Linux containers, like any other container, should host an instance of an application (maybe not even that, depending on how complex the application is) - not the entire production server, not SSH keys, not iptables, firewall rules, etc.

It makes a lot of sense to use something like Alpine Linux for Docker images. If you're going to build a 'process container' like Docker - something that does not encourage the same mindset as a traditional container or VM - it makes sense to start with a stripped-down operating system and then build it up to be exactly what you need. Perhaps loud suggestions like these are necessary due to a bias in the group that uses Docker: the 20% of people who really know what they're doing and have chosen Docker for a specific reason, and the hangers-on who try to emulate them by using the same tools.

Docker is an interesting, useful, and extremely overhyped tool. I may be wrong, but I feel like its popularity has caused a bunch of people who don't really need Docker to use it. Besides popularity, they can't really explain why they are using it over something like LXC or FreeBSD jails. I imagine (again, no data to back this up) that this same large percentage of people are also the ones that just keep using the default Ubuntu image once they finish the 'Get Started' tutorial.

I'm glad to see suggestions like this gaining popularity. If you're going to make the most of Docker, I think there's value to be found in really committing to the mindset of a 'purpose-built, no-frills environment for running a single process.' From what I can tell right now, a huge number of people are using Docker 'sort of like a VM but you need more of them, and Git is integrated and you have to tell it to do something or it stops running'.

Have you had trouble with any specific libraries? We're using alpine-based images with statically-linked binaries and haven't had any issues compiling third-party libs.
One area you're likely to run into trouble is RPC, but I only discovered that in messing about with something experimental.

The real problem with musl in these environments is its DNS behavior, particularly if you're running on a platform like Kubernetes that uses DNS search domains for service discovery. Not hard to work around, but the workarounds are a bit, er, inelegant.

I'm pretty new to Docker, so I'm curious about 'a project with 75 gems/packages and a couple of native extensions that need to be compiled'. Is the common procedure in the Docker world to build an application image that includes all the build tools that were used to build native dependencies? That seems like it does generate a pretty large image. I figured I'd take a three-step approach to my first node.js app in Docker:

1. Build an image to build my dependencies. This uses the same base image as step #2 will, but installs all the development tools and libraries (eg. build-essentials, libpq5-dev), and then outputs a .tar.gz to a shared volume containing my node_modules folder.
2. Build an image with my dependencies; imports the runtime versions of any libraries (eg. libpq5), imports & expands the .tar.gz generated by #1.
3. Build an image with my application, FROM the image in #2.

The process is optimized by having the automation check for the existence of #2 by hashing the contents of the relevant Dockerfiles and the package.json list of dependencies, and doing a `docker pull` with that hash to see if I've already built #2. If so, my build just needs to build #3. It's a bit more complex (Hello, everything in Docker-land), but ends up being pretty powerful. But your post makes me think I've over-complexified it a bit.
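The hash-then-`docker pull` check from the post above, written out as an added example (not the poster's own automation): the cache key covers only the dependency sections of package.json plus the Dockerfiles, so a version bump or a changed npm script does not force a rebuild of the dependency image. The repository name, package.json and Dockerfile below are constructed, and the command runner is injectable so the pull/build/push logic can be exercised without a Docker daemon.

```python
import hashlib
import json
import subprocess
from typing import Callable, Sequence

# Constructed sample inputs for this example (not from the original post).
DEPS_DOCKERFILE = """\
FROM node:18-alpine
RUN apk add --no-cache libpq
WORKDIR /app
COPY node_modules ./node_modules
"""

PACKAGE_JSON = """\
{
  "name": "example-app",
  "version": "1.4.2",
  "scripts": {"start": "node server.js", "test": "mocha"},
  "dependencies": {"pg": "^8.11.0", "express": "^4.18.2"},
  "devDependencies": {"mocha": "^10.2.0"}
}
"""

# The only package.json sections that affect what ends up in node_modules.
DEPENDENCY_KEYS = ("dependencies", "devDependencies", "optionalDependencies")


def dependency_fingerprint(package_json: str, dockerfiles: Sequence[str]) -> str:
    """Short, stable hash of what actually determines the dependency image.

    Only the dependency sections of package.json are hashed, canonicalised so
    key order and whitespace do not matter, followed by each Dockerfile's text.
    """
    pkg = json.loads(package_json)
    relevant = {k: pkg.get(k, {}) for k in DEPENDENCY_KEYS}
    h = hashlib.sha256(json.dumps(relevant, sort_keys=True, separators=(",", ":")).encode())
    for text in dockerfiles:
        h.update(b"\x00")                 # separator keeps file boundaries unambiguous
        h.update(text.encode())
    return h.hexdigest()[:16]


def deps_image_ref(repo: str, package_json: str, dockerfiles: Sequence[str]) -> str:
    """Image reference for the dependency image, e.g. registry.example/app:deps-<hash>."""
    return f"{repo}:deps-{dependency_fingerprint(package_json, dockerfiles)}"


def run_docker(argv: Sequence[str]) -> int:
    """Default command runner: exit status of `docker <argv...>`."""
    return subprocess.run(["docker", *argv], capture_output=True).returncode


def ensure_deps_image(ref: str, build_dir: str, dockerfile: str,
                      run: Callable[[Sequence[str]], int] = run_docker) -> str:
    """Pull the dependency image if the registry already has this fingerprint,
    otherwise build and push it. Returns 'pulled' or 'built'."""
    if run(["pull", ref]) == 0:
        return "pulled"
    if run(["build", "-f", dockerfile, "-t", ref, build_dir]) != 0:
        raise RuntimeError(f"docker build failed for {ref}")
    if run(["push", ref]) != 0:
        raise RuntimeError(f"docker push failed for {ref}")
    return "built"


if __name__ == "__main__":
    ref = deps_image_ref("registry.example/app", PACKAGE_JSON, [DEPS_DOCKERFILE])
    print(ref)
    print(ensure_deps_image(ref, ".", "Dockerfile.deps"))
```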
Yours isn't overly complex, it's one way to trim down an image. However, it is a lot more complicated than just defining 1 Dockerfile that at least copies in your package.json file separately to speed up future deploys that don't touch your packages. I guess I just don't see the time vs. effort value in optimizing most smaller projects. For example, that 75 gem project may take 5 minutes to build once but after that it takes 10 seconds to build and push a version that updates the app code. I'm ok with this pattern for most of my projects because you can easily get by with 1 host to serve tens of thousands of requests a month on most typical projects. It's not like I'm spinning up and destroying dozens of instances a day where the network overhead is a legit concern (if I were, then I would optimize).

> Please stop using Ubuntu as your base images people!

I think Ubuntu images are a symptom of a much more serious disease: Ubuntu usage in general. Ubuntu is not really concerned with software freedom (its origin was Debian-plus-proprietary-blobs), nor does it strongly care about privacy (although it can be shamed into doing the right thing), nor does it care terribly much about getting along with everyone else (cf. Wayland). As a distro for my family, it's fine. But I expect my fellow developers to run something which indicates more technological prowess than does Ubuntu: Debian or Arch or Gentoo or Slackware are all good choices for different reasons.

> Except that Ubuntu provided a decent Linux on my desktop that is relatively polished to be used by a normal human being.

They did, and they should be congratulated for that. I like to believe that Debian learnt a hard lesson from its long delay.

> Once I run that on my desktop, I don't really want to learn another distro, I'll just use that on the server as well.

Ubuntu on the server has essentially been Debian unstable-ish. It's not really a case of learning another distro. Your argument would also apply to running OS X Server, and I don't think anyone outside of Cupertino thinks that's a good idea.

> There is one difference between how I develop - I don't develop to show my technological prowess

If you like, substitute 'competence' for 'prowess.' Running Ubuntu is like running Windows: it's popular; it's not really wrong; it even has advantages; but running Windows doesn't indicate any level of competence. In Bayesian terms, P(competence | Ubuntu).

> Your argument would also apply to running OS X Server,

And it does! Old work had a few in-house servers with OS X. If it was free, we'd see a lot more of it, I am convinced.

> If you like, substitute 'competence' for 'prowess.' Running Ubuntu is like running Windows: it's popular;

Isn't the ability to quickly ship a stable, reliable product that customers are happy to pay for a better sign of competence than, say, picking Slack or FreeBSD for a server for no good reason except to show competence? The question is who is the show of competence for? Other developers, customers, management? I can see developers boasting who knows how to configure and run obscure distros and use exotic functional languages and that's cool. I was just saying after a while you realize that show of prowess is not what is important.

> Isn't the ability to quickly ship a stable, reliable product that customers are happy to pay for a better sign of competence than, say, picking Slack or FreeBSD for a server for no good reason except to show competence?

Sure! What I'm saying is that if someone is unable or unwilling to run something other than Ubuntu then I suspect he is less likely to be able to build that stable, reliable product in the first place. It's like how I suspect I'm likely to have a better meal if the cook prepares it from fresh ingredients than if everything comes pre-made off of a truck.

Alpine Linux supporting SELinux is only relevant in this discussion if you run Alpine as the container host. To the Alpine containers it is of no consequence. OpenBSD has more than a great track record on security, maintainability, community spirit. As has Debian. Alpine, after ten years, was simply not on the radar as a distro. It is merely developers that do not seem to care about the actual systems these containers are built from that find Alpine interesting. It's small, so even on a 3G connection you can download those containers and get the functionality a developer seeks.
And that is fine. It gets alpha code out in a timely manner without too many resources. Just do not pretend that this way of working will deliver sustainable, maintainable and consistent code that will work just as well inside as well as outside containers. Maintained, secure, stable and proven distributions have served any purpose given in the past. From embedded systems to HPCs, from trading floors to satellites. Saying any of the 'old school' distros are a bad fit for running in a container is a display of ignorance at best.

Nonsense, it's just a straight up ridiculously uncorrelated, terrible metric. Which would you say has been more buggy and broken, djbdns or php? NaCl or mysql? QNX or openssl? Windows 95 or ping? Which one of each do you think has had more 'discussion and updates'? Which one of each do you think is better code? Code quality has nothing to do with how much jibber-jabber there is on some mailing list, nor with how widely used a piece of code is. It has to do with the actual code. In the case of Alpine Linux (which I've never used), probably 50% of the code is the linux kernel itself, another 20% is musl and busybox, and the rest is random gnu utilities. Which of those things is 'low quality' and has 'undiscovered bugs and security vulnerabilities' that broken, random, low-quality high-politics tire fires like most linux distributions don't have? But conversely, is it not intrinsically obvious that not having the grotesque pile of random freshman desktop apps and terrible init systems that other distros have could reduce the attack surface to a point where a single organization could conceivably make sense of it?

You are correct on all points concerning the quality of code of Alpine Linux. I do not doubt it. But it is irrelevant to the discussion. The Linux kernel is not part of the containers that are based off of Alpine.

Your sentences don't make sense next to each other. If you're unable to point to any fault in the quality of Alpine Linux, then why are you trying to create FUD about how Alpine Linux is unmaintainable, unsustainable, and insecure? Could you maybe, instead of just repeating it over and over without evidence, provide some example of how Alpine is concretely any one of those things? While you're at it, please show me the Debian, Ubuntu, or CentOS distribution that doesn't have desktop bus installed.

Apologies if I am unclear.
> why are you trying to create FUD about how Alpine Linux is unmaintainable, unsustainable, and insecure?

I never tried to make that claim. What I am trying to say is that if YOU built YOUR software against Alpine, IT will be hard to maintain/sustain and insecure. Because your software will probably have dependencies. Dependencies not found in Alpine. And now you have to maintain and test those dependencies. You'll have to keep informed on all the security advisories of those dependencies. All the changelogs. And by then, you've started to reinvent wheels that the fine folks of Debian, Ubuntu, CentOS have invented already. That is a resource drain on companies that is inefficient and cumbersome with little to no added value.

> While you're at it, please show me the Debian, Ubuntu, or CentOS distribution that doesn't have desktop bus installed.

A container is not the same beast as a distribution. It does not have the same requirements. It is just a tarball. And you can throw anything into it, or out of it. I'm just saying to use debootstrap to throw stuff in that tarball so you have the benefits of an enterprise-level, proven distribution, instead of using something that has not yet proven itself. So if you ever need to take your software OUT of the container and run it on an AWS instance, or on your own hardware, you'll have no problem with it.

In short: I see no added value for Alpine. It does not address my operational concerns, and raises a bucketload of new ones when I compare it to Debian, Ubuntu or CentOS.

A huge community and installable packages do not mean you need to use all those packages. The smallest container I've built is about 90MB, using Ubuntu.
That is pretty lightweight. Of course, the container doesn't actually do anything. Another thing to consider: if your software works inside your self-built Ubuntu container you can be pretty sure it works on any Ubuntu install anywhere. Even if your company does not use containers everywhere, your developers can.

Edit: typo and sentence finishing.

The biggest use case I've found for small images so far is for testing a microservices system on Travis or a similar CI. You package each of your services in a container, then use docker-compose [1] to start everything up. The faster it can pull down the images, the faster your CI build runs, so size can be important here. One interesting thing about Alpine is that it uses musl [2] for its libc. If you want the bare minimum image size, you can use a scratch or busybox image and statically compile your binaries [3].

I'm using slugrunner from flynn [0] for deploying my apps. This way I can share a base image, and each compiled slug is about 40MB for Ruby apps and 10MB for Go apps. This is similar to how Heroku works. When I deploy, I generate the slug using slugbuilder, push it to a local storage on the same network, and each docker task is instructed to pull the 'latest' slug from the slug storage. Containers start after a code update in a couple of seconds. Continuous deployment can be easily achieved by copying the slug from staging to production, similar to how pulling a docker image each time is currently done.
Also reminds me of the time when Kroah-Hartman mentioned that people working on embedded Linux ended up improving the power efficiency of Linux, saving the data center guys tons of money.

This right here. There are so many here decrying Alpine who can't see the bigger picture: having options for different Docker deployments will create possibilities currently undreamt of. Maybe you can't use it on your project; fine, keep on keepin' on with what suits you best, but don't knock another project just for a different approach, especially when it might have huge benefits to the overall environment in the future.

If you use Linux as your host operating system then with one or two commands you can have most graphical Linux applications up and running on your desktop in seconds. Package managers like apt-get, yum and pacman make installing new software almost seamless. If you are running an X Window server (which you probably are) then getting a graphical application to appear on your screen from a remote Linux system or a Docker container can be as simple as setting the DISPLAY environment variable. But macOS though? Many applications that exist for Linux also exist for Mac: Chrome, Firefox, VLC Player, Slack, Arduino IDE etc.