Atomic workstation
drago01
drago01 at gmail.com
Wed Dec 3 22:05:10 UTC 2014
On Wed, Dec 3, 2014 at 11:00 PM, Josh Boyer <jwboyer at fedoraproject.org> wrote:
> On Wed, Dec 3, 2014 at 4:40 PM, Colin Walters <walters at verbum.org> wrote:
>> On Wed, Dec 3, 2014, at 03:47 PM, Josh Boyer wrote:
>>>
>>> Out of curiosity, couldn't you have an atomic/ostree "base" layer that
>>> is immutable (perhaps shared between Base, Server, Cloud,
>>> Workstation), and then use Docker containers on top of that as the
>>> "live" system?
>>
>> Good point, I didn't bring up the Docker part of Project Atomic. I think
>> it makes a significant amount of sense for Workstation to be investigating
>> using Docker for developer tooling, and that's already happening. Actually
>> containers for server side code help bring together the Server/Workstation
>> story far more than we ever had before.
>>
>> Previously in the package model, you can of course "yum install httpd $language"
>> on your workstation and start making a web app and testing it locally,
>> and many people do this today. But taking that same app
>> and shipping it to a server had a different model. With containers, it becomes
>> a lot easier.
>>
>> It's also a huge benefit for web apps on the desktop to have isolated ports -
>> Docker makes it easy to have two web apps that both think they're listening
>> on port 80, and on the desktop you just look at "docker ps" to find where
>> they are.
>>
>> That said, this story breaks down a bit when one introduces clustering,
>> and that starts to lead back to local Vagrant usage or the like.
>>
>>> That would still fit with the "atomic is for Docker"
>>> approach you have today, while also giving some flexibility at the
>>> application layer. One could imagine Software installations become
>>> "create a new Docker container with this app inside of it", which then
>>> leads to it being automatically sandboxed, etc.
>>
>> No. Docker (alone) is not a desktop sandbox tool. As soon as any process
>> connects to your X server it has total control and could be a keylogger,
>> write data into your terminals, etc.
>
> With X, yes. It's not _worse_ than just running it all from the same
> OS install though.
> I thought this was less of a concern with Wayland, but I will admit I
> could be wrong.
No, you are not wrong; clients are isolated from each other on Wayland.
See https://wiki.gnome.org/Initiatives/Wayland, the "why switch to
wayland" part.