Fedora Server and Docker

Stephen Gallagher sgallagh at redhat.com
Mon Jun 2 18:47:57 UTC 2014


On 06/02/2014 02:39 PM, Simo Sorce wrote:
> On Mon, 2014-06-02 at 13:55 -0400, Stephen Gallagher wrote:
>> On 06/02/2014 01:51 PM, Simo Sorce wrote:
>>> On Mon, 2014-06-02 at 08:03 -0400, Stephen Gallagher wrote:
>>>> I've been playing with Docker quite a bit lately,
>>>> particularly the Fedora Dockerfiles[1] to see what might be
>>>> useful for the Fedora Server.
>>>> 
>>>> For one thing, it occurs to me that we may want to have a 
>>>> strategy for using Docker images in the Fedora Server for
>>>> any Roles that can support it[2].
>>>> 
>>>> Advantages:
>>>> * Deployment can be scripted as dockerfiles instead of full
>>>>   packages
>>>> * The same Docker image is guaranteed(?) to be loadable by the
>>>>   next version of Fedora, making distro-upgrades safer.
>>>> * Role upgrades can be handled by starting up a new Docker image
>>>>   with the updated software and then migrating data between them.
>>>> * With Docker and SELinux, our Roles can be isolated from the
>>>>   host server. (And potentially migrated to a Fedora Cloud system
>>>>   later).
>>>> 
>>>> I've specifically been playing around with using Docker
>>>> images of PostgreSQL (our planned Database Server Role for
>>>> Fedora 21) and have found that the Fedora Dockerfile is
>>>> extremely easy to build and get running.
>>>> 
>>>> I think that it would be to our advantage to tend towards
>>>> using Docker images as the implementation for the Database
>>>> Server Role as well as the proposed memcached role and
>>>> potentially others, such as the fileserver or iSCSI target
>>>> roles.
>>>> 
>>>> This *would* imply adding the docker-io package as part of
>>>> the standard installation of the Fedora Server.
>>>> 
>>>> Thoughts?
>>>> 
>>>> 
>>>> [1] https://github.com/fedora-cloud/Fedora-Dockerfiles
>>>> [2] FreeIPA, our choice of Domain Controller, is not currently
>>>> supported under Docker, though upstream has a working
>>>> proof-of-concept. This we can revisit down the road.
>>> 
>>> I am seriously concerned about security upgrades in a docker
>>> world, I do not see an easy way to manage that yet.
>> 
>> 
>> Would you mind elaborating?
>> 
>> I'm not sure which specific issues you see.
> 
> If you have layered images how do you upgrade a library in a lower
> layer? Do you just run yum update in the container each time you
> restart it?


In the specific case, I was thinking that we probably wouldn't have
layers for Roles (since they're going to be fairly self-contained
anyway). We'd have a single image (and Dockerfile that generates it).
So whenever an urgent update comes down, we can regenerate the new
image from the Dockerfile, migrate data-files and switch over. With
docker images, this can actually be done in a mostly atomic manner too
(since we would bring the new image up and prep it first, rather than
having to take down the existing service during upgrade).
