-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/18/2015 09:55 AM, Miloslav Trmac wrote:
Hello, 2015-11-17 21:54 GMT+01:00 Stephen Gallagher
<sgallagh(a)redhat.com <mailto:sgallagh@redhat.com>>:
Similar to my thread about the @server-hardware-support group, the
@container-management group also takes up a good chunk of space
(38MB above the minimal install) in the default Server install, as
well as including an additional available-by-default service.
Originally, we included Docker for its popularity and because
Cockpit and rolekit each had some support for operating with it. In
F23 and onwards, rolekit is capable of automatically-installing
docker if it is required to support a role, so having it installed
by default is no longer critical from that perspective.
This leaves Cockpit: one of Cockpit's more popular features is the
ability to manage Docker images and containers from the UI.
<snip>
As a side-note, I think this is a policy we should consider
following throughout Server: try to do lazy package installation
whenever
possible.
So I am vaguely worried about this trend. Should image size really
the #1 priority?
In the case of Docker, I'm less concerned about the image size (though
it's non-trivial) and more concerned about the presence of an
additional always-on service. It *is* a potential security risk
(particularly since Docker is effectively a potential
privilege-escalation path).
Functionality added by default, and especially as mandatory, on top
of minimal install (whatever minimal install is this year), is not
just useful the way a new feature is useful in an appliance; it is
also (and IMO primarily) useful as making the “platform” more
valuable because application writers can depend on the feature
being always available, and users can expect the applications to be
more easily deployed.
Right, so really this thread is about whether we want to treat Docker
as "API" for Fedora Server. We have been doing this so far, but it's
reasonable to reopen the conversation, particularly in terms of
feedback from users that they dislike having this be a non-optional
component of Server. Add that to the fact that Fedora and Red Hat's
strategy for Docker and containers has been mostly focused on Project
Atomic and I would say there's an argument to be made that Docker is
not an obvious necessity for Fedora Server.
Docker is a good example: its users are not rolekit and Cockpit,
its users are all the Dockerized applications out there; and/if/
Docker succeeds as an application delivery mechanism, its value to
all the other applications will be much larger than the value of
making rolekit and Cockpit a bit easier to deploy.
I think you got this backwards. Cockpit and rolekit are consumers of
Docker; they make it easier to deploy docker containers.
You’re right, we can reasonably modify Cockpit or other
applications we package, for not having Docker available; but we
may not be able to modify all the other applications out there. Or
perhaps we can officially decide e.g. that the way to deploy Docker
containers is to run something like (atomic install), and have
(atomic install) deal with automatically installing Docker.
Or we can simply make the @container-management group an optional
install for the Server media, such that users who want it can opt-in
and everyone else can skip it. Or we could try to find a way to do the
reverse: allow people to opt-out of it.
Today, it's a hard dependency because we A) install the
@container-management group by default and B) the `cockpit`
metapackage includes `cockpit-docker` which pulls in `docker` as a
dependency.
Now, perhaps Docker should not be a part of the Fedora Server
platform, not yet, or not ever. I don’t know, and I could easily
accept an argument that it should not be there. It just worries me
that the conversation is in terms of feature vs. storage, without
talking about the platform at all.
Right, I think that's the real purpose of this thread. Not to solve
the general case but to decide whether Docker in specific is something
we want to consider a core API of Fedora Server. If it is, then we
need to communicate that better.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlZMmbAACgkQeiVVYja6o6O3dQCgmgcCsRYDOCMk4eF7nNi3nnH4
47QAn2Au68ULpGGC2UpGohR0aD+JE9Dc
=hVTg
-----END PGP SIGNATURE-----