On Wed, Sep 04, 2019 at 02:41:49PM -0700, Troy Dawson wrote:
2 – Of those packages that need to be in the IoT image, which ones do you think are the top priority? And what parts do you think can be trimmed? These are from previous discussions.
Presumably `podman` is high priority.
why?
I’ve heard mention that there’s support for lxc images as an approach to packaging code within Fedora, but I’ve not managed to identify what the argument is. It makes sense in the context of a multiple machine environment, where there’s value in hiding the machine specifics, but in the context of IoT, the typical deployment is one machine with many cooperating processes and adding in an extra layer of indirection makes testing and operations more complex, while removing some of the dependency management/control of a package manager.
There's a bunch of points here so:
lxc images in Fedora? That's a new one to me and I've never had any discussion around that with anyone in the context of IoT.
In terms of mult machine environment that's exactly what IoT is, I've spoken with customers where they want tens or hundreds of thousands of machines, in one case there was even a desire for the millions and then you do need to hide the specifics of the machine because there will be multiple versions of applications running, multiple versions of HW etc so the ability to be able to manage each app or app stack independently on a lifecycle that's separate to the underlying OS is critical. If we need to patch the OS for something like Spectre, a WiFi or bluetooth flaw you don't necessarily want to have to impact the application stack to be able to do that.
I would ultimately, and pretty much all the feedback I've had is that running things in containers make things easier for teams as managing the dependencies for the apps in independent for each of the apps is easier and makes operations easier because they can look at each of the applications independently because each of the apps teams are independent to make the decision that is best of those teams independent of the underlying BaseOS and independent of the HW.
I’d love to understand the rationale for using containers in this context better, as I’m concerned that I’ve missed something. Are there any pointers?
It allows isolation. Isolation of the applications from each other and from the HW. A lot of IoT use cases want to run multiple independent applications on a single device and if one of those gets compromised the impact is has can be mitigated and not affect the underlying HW or other applications running along side it. Add to that it allows applications to be upgraded on different lifecycles to the underlying BaseOS or each other.