> On 06/02/2014 01:51 PM, Simo Sorce wrote:
> > On Mon, 2014-06-02 at 08:03 -0400, Stephen Gallagher wrote:
> >> I've been playing with Docker quite a bit lately, particularly
> >> the Fedora Dockerfiles[1] to see what might be useful for the
> >> Fedora Server.
> >>
> >> For one thing, it occurs to me that we may want to have a
> >> strategy for using Docker images in the Fedora Server for any
> >> Roles that can support it[2].
> >>
> >> Advantages:
> >> * Deployment can be scripted as dockerfiles instead of full packages
> >> * The same Docker image is guaranteed(?) to be loadable by the next
> >>   version of Fedora, making distro-upgrades safer.
> >> * Role upgrades can be handled by starting up a new Docker image with
> >>   the updated software and then migrating data between them.
> >> * With Docker and SElinux, our Roles can be isolated from the host
> >>   server. (And potentially migrated to a Fedora Cloud system later).
> >>
> >> I've specifically been playing around with using Docker images
> >> of PostgreSQL (our planned Database Server Role for Fedora 21)
> >> and have found that the Fedora Dockerfile is extremely easy to
> >> build and get running.
> >>
> >> I think that it would be to our advantage to tend towards using
> >> Docker images as the implementation for the Database Server Role
> >> as well as the proposed memcached role and potentially others,
> >> such as the fileserver or iSCSI target roles.
> >>
> >> This *would* imply adding the docker-io package as part of the
> >> standard installation of the Fedora Server.
> >>
> >> Thoughts?
> >>
> >>
> >> [1] https://github.com/fedora-cloud/Fedora-Dockerfiles
> >> [2] FreeIPA, our choice of Domain Controller, is not currently
> >> supported under Docker, though upstream has a working
> >> proof-of-concept. This we can revisit down the road.
> >
> > I am seriously concerned about security upgrades in a docker world,
> > I do not see an easy way to manage that yet.
>
> Would you mind elaborating?
> I'm not sure which specific issues you see.

If you have layered images, how do you upgrade a library in a lower
layer? Do you just run yum update in the container each time you
restart it?

Simo.
--
Simo Sorce * Red Hat, Inc * New York
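The question above is easiest to see with a toy model of how image layers
stack. The following is an added example, not code from this thread, from
Fedora or from Docker: it models each layer as a dict of path to package
version, resolves a path through a union view from the top layer down, and
uses an AUFS-style ".wh." whiteout name as the deletion marker (a modelling
convention here, not a claim about any particular storage driver). The
library path, package names and versions ("openssl-1.0.1e", "fedora:20",
"postgresql") are constructed for the example, not real advisories.

```python
"""Toy model of Docker-style image layering (added example, not from the
thread).  Shows why `yum update` inside a running container patches only
that container's writable layer, why a fresh container from the same image
still gets the old library, and why a rebuilt image is the only variant
that no longer ships the stale copy."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WHITEOUT = ".wh."                       # AUFS-style whiteout prefix (assumed)
LIBSSL = "/usr/lib64/libssl.so.10"      # constructed path for the example


@dataclass
class Layer:
    name: str
    files: Dict[str, str] = field(default_factory=dict)   # path -> version


@dataclass
class Image:
    layers: List[Layer]                 # base layer first, top layer last


@dataclass
class Container:
    image: Image
    rw: Layer                           # writable layer created at `docker run`

    def view(self) -> Image:
        """Union view that a process inside the container sees."""
        return Image(self.image.layers + [self.rw])


def whiteout_path(path: str) -> str:
    d, _, base = path.rpartition("/")
    return f"{d}/{WHITEOUT}{base}"


def resolve(image: Image, path: str) -> Optional[str]:
    """Walk layers top-down; the first copy (or whiteout) wins."""
    wh = whiteout_path(path)
    for layer in reversed(image.layers):
        if wh in layer.files:
            return None                 # deleted here; lower copies are hidden
        if path in layer.files:
            return layer.files[path]
    return None


def stale_copies(image: Image, path: str) -> List[Tuple[str, str]]:
    """Copies of `path` shadowed by a higher layer but still shipped in the image."""
    found, shadowed = [], False
    for layer in reversed(image.layers):
        if whiteout_path(path) in layer.files:
            shadowed = True
        if path in layer.files:
            if shadowed:
                found.append((layer.name, layer.files[path]))
            shadowed = True
    return found


def start_container(image: Image, name: str = "rw") -> Container:
    return Container(image, Layer(name))


def yum_update(c: Container, updates: Dict[str, str]) -> None:
    """`yum update` inside the container: files are copied up into the rw layer only."""
    c.rw.files.update(updates)


def yum_remove(c: Container, path: str) -> None:
    """`yum remove` inside the container: a whiteout hides the lower copy."""
    c.rw.files.pop(path, None)
    c.rw.files[whiteout_path(path)] = ""


def commit(c: Container, name: str) -> Image:
    """`docker commit`: the rw layer becomes one more image layer on top."""
    return Image(c.image.layers + [Layer(name, dict(c.rw.files))])


def rebuild(base: Layer, app_layers: List[Layer]) -> Image:
    """`docker build` against a refreshed base image."""
    return Image([base] + app_layers)


def demo() -> Dict[str, object]:
    base = Layer("fedora:20", {LIBSSL: "openssl-1.0.1e"})            # constructed
    app = Layer("postgresql", {"/usr/bin/postgres": "postgresql-9.3"})
    img = Image([base, app])

    c = start_container(img)
    yum_update(c, {LIBSSL: "openssl-1.0.1h"})                         # constructed
    committed = commit(c, "postgresql+update")
    rebuilt = rebuild(Layer("fedora:20-updated", {LIBSSL: "openssl-1.0.1h"}), [app])
    return {
        "in_container": resolve(c.view(), LIBSSL),                    # patched
        "fresh_container": resolve(start_container(img).view(), LIBSSL),  # not
        "committed_stale": stale_copies(committed, LIBSSL),           # old copy kept
        "rebuilt_stale": stale_copies(rebuilt, LIBSSL),               # gone
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The four results in `demo()` are the point: the update is visible only
inside the one container that ran it; the next container started from the
image is back on the old library; committing the container keeps the old
copy in the base layer underneath the new one; and only rebuilding on a
refreshed base produces an image with no stale copy at all.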