On 06/02/2014 02:39 PM, Simo Sorce wrote:
> On Mon, 2014-06-02 at 13:55 -0400, Stephen Gallagher wrote:
>> On 06/02/2014 01:51 PM, Simo Sorce wrote:
>>> On Mon, 2014-06-02 at 08:03 -0400, Stephen Gallagher wrote:
>>>> I've been playing with Docker quite a bit lately,
>>>> particularly the Fedora Dockerfiles[1] to see what might be
>>>> useful for the Fedora Server.
>>>>
>>>> For one thing, it occurs to me that we may want to have a
>>>> strategy for using Docker images in the Fedora Server for
>>>> any Roles that can support it[2].
>>>>
>>>> Advantages:
>>>> * Deployment can be scripted as dockerfiles instead of full packages
>>>> * The same Docker image is guaranteed(?) to be loadable by the next
>>>>   version of Fedora, making distro-upgrades safer.
>>>> * Role upgrades can be handled by starting up a new Docker image with
>>>>   the updated software and then migrating data between them.
>>>> * With Docker and SElinux, our Roles can be isolated from the host
>>>>   server. (And potentially migrated to a Fedora Cloud system later).
>>>>
>>>> I've specifically been playing around with using Docker
>>>> images of PostgreSQL (our planned Database Server Role for
>>>> Fedora 21) and have found that the Fedora Dockerfile is
>>>> extremely easy to build and get running.
>>>>
>>>> I think that it would be to our advantage to tend towards
>>>> using Docker images as the implementation for the Database
>>>> Server Role as well as the proposed memcached role and
>>>> potentially others, such as the fileserver or iSCSI target
>>>> roles.
>>>>
>>>> This *would* imply adding the docker-io package as part of
>>>> the standard installation of the Fedora Server.
>>>>
>>>> Thoughts?
>>>>
>>>>
>>>> [1] https://github.com/fedora-cloud/Fedora-Dockerfiles
>>>> [2] FreeIPA, our choice of Domain Controller, is not currently
>>>> supported under Docker, though upstream has a working
>>>> proof-of-concept. This we can revisit down the road.
>>>
>>> I am seriously concerned about security upgrades in a docker
>>> world, I do not see an easy way to manage that yet.
>>
>>
>> Would you mind elaborating?
>>
>> I'm not sure which specific issues you see.
>
> If you have layered images how do you upgrade a library in a lower
> layer? Do you just run yum update in the container each time you
> restart it?

In the specific case, I was thinking that we probably wouldn't have
layers for Roles (since they're going to be fairly self-contained
anyway). We'd have a single image (and Dockerfile that generates it).
So whenever an urgent update comes down, we can regenerate the new
image from the Dockerfile, migrate data-files and switch over. With
docker images, this can actually be done in a mostly atomic manner too
(since we would bring the new image up and prep it first, rather than
having to take down the existing service during upgrade).
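The regenerate, prep and switch-over flow described above for a single-image Role, as an added example (not code from this thread or from the Fedora-Dockerfiles project), written for the PostgreSQL Role: it rebuilds with `--no-cache` so a cached `yum update` layer cannot silently keep the old library (the lower-layer concern raised above), records the package delta between the old and new image, and stops the running container only after the candidate answers `pg_isready`. The image name, Dockerfile directory, host data directory and in-container data path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: image name, Dockerfile dir,
# host data dir, and PostgreSQL's data path inside the container.
set -eu
ROLE=${ROLE:-postgresql}
IMAGE=${IMAGE:-fedora-server/$ROLE}
CONTEXT=${CONTEXT:-./Fedora-Dockerfiles/$ROLE}
DATA=${DATA:-/srv/$ROLE}
# Rebuild from the Dockerfile. --no-cache matters: a cached "RUN yum -y update"
# layer would quietly keep the old library in the new image.
build_role_image() {
  tag="$IMAGE:$(date +%Y%m%d%H%M%S)"
  docker build --no-cache -t "$tag" "$CONTEXT" >&2
  echo "$tag"
}
# Audit trail for "did the lower layer really get upgraded?": package-list
# difference between the running image and the one just built.
package_delta() {
  tmp=$(mktemp)
  docker run --rm "$1" rpm -qa | sort > "$tmp.old"
  docker run --rm "$2" rpm -qa | sort > "$tmp.new"
  diff "$tmp.old" "$tmp.new" || true
  rm -f "$tmp" "$tmp.old" "$tmp.new"
}
# Start the new image beside the old one on the same data files (:Z relabels
# them for SELinux) and wait until the service inside answers.
start_candidate() {
  name="$ROLE-next"; i=0
  docker run -d --name "$name" -v "$DATA:/var/lib/pgsql/data:Z" "$1" >/dev/null
  while [ "$i" -lt 30 ]; do
    docker exec "$name" pg_isready -q && { echo "$name"; return 0; }
    i=$((i + 1)); sleep 1
  done
  docker rm -f "$name" >/dev/null; return 1
}
# Stop the old container only once the candidate is healthy; keep it as -prev.
switch_over() {
  docker stop "$ROLE" >/dev/null
  docker rename "$ROLE" "$ROLE-prev"
  docker rename "$1" "$ROLE"
}
upgrade_role() {
  old=$(docker inspect -f '{{.Config.Image}}' "$ROLE")
  new=$(build_role_image)
  package_delta "$old" "$new"
  cand=$(start_candidate "$new") || { echo "candidate never became healthy" >&2; return 1; }
  switch_over "$cand"
}
if [ "${1:-}" = run ]; then upgrade_role; fi
```

Invoked with the argument `run` it performs the upgrade; without arguments it only defines the functions.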