Fedora Server and Docker

Simo Sorce simo at redhat.com
Mon Jun 2 18:57:21 UTC 2014


On Mon, 2014-06-02 at 14:47 -0400, Stephen Gallagher wrote:
> On 06/02/2014 02:39 PM, Simo Sorce wrote:
> > On Mon, 2014-06-02 at 13:55 -0400, Stephen Gallagher wrote:
> >> On 06/02/2014 01:51 PM, Simo Sorce wrote:
> >>> On Mon, 2014-06-02 at 08:03 -0400, Stephen Gallagher wrote:
> >>>> I've been playing with Docker quite a bit lately,
> >>>> particularly the Fedora Dockerfiles[1] to see what might be
> >>>> useful for the Fedora Server.
> >>>> 
> >>>> For one thing, it occurs to me that we may want to have a 
> >>>> strategy for using Docker images in the Fedora Server for
> >>>> any Roles that can support it[2].
> >>>> 
> >>>> Advantages:
> >>>> * Deployment can be scripted as dockerfiles instead of full
> >>>>   packages
> >>>> * The same Docker image is guaranteed(?) to be loadable by the
> >>>>   next version of Fedora, making distro-upgrades safer.
> >>>> * Role upgrades can be handled by starting up a new Docker
> >>>>   image with the updated software and then migrating data
> >>>>   between them.
> >>>> * With Docker and SELinux, our Roles can be isolated from the
> >>>>   host server. (And potentially migrated to a Fedora Cloud
> >>>>   system later).
> >>>> 
> >>>> I've specifically been playing around with using Docker
> >>>> images of PostgreSQL (our planned Database Server Role for
> >>>> Fedora 21) and have found that the Fedora Dockerfile is
> >>>> extremely easy to build and get running.
> >>>> 
> >>>> I think that it would be to our advantage to tend towards
> >>>> using Docker images as the implementation for the Database
> >>>> Server Role as well as the proposed memcached role and
> >>>> potentially others, such as the fileserver or iSCSI target
> >>>> roles.
> >>>> 
> >>>> This *would* imply adding the docker-io package as part of
> >>>> the standard installation of the Fedora Server.
> >>>> 
> >>>> Thoughts?
> >>>> 
> >>>> 
> >>>> [1] https://github.com/fedora-cloud/Fedora-Dockerfiles
> >>>> [2] FreeIPA, our choice of Domain Controller, is not currently
> >>>> supported under Docker, though upstream has a working
> >>>> proof-of-concept. This we can revisit down the road.
> >>> 
> >>> I am seriously concerned about security upgrades in a docker
> >>> world; I do not see an easy way to manage that yet.
> >> 
> >> 
> >> Would you mind elaborating?
> >> 
> >> I'm not sure which specific issues you see.
> > 
> > If you have layered images, how do you upgrade a library in a lower
> > layer? Do you just run yum update in the container each time you
> > restart it?
> 
> 
> In the specific case, I was thinking that we probably wouldn't have
> layers for Roles (since they're going to be fairly self-contained
> anyway). We'd have a single image (and Dockerfile that generates it).
> So whenever an urgent update comes down, we can regenerate the new
> image from the Dockerfile, migrate data-files and switch over. With
> docker images, this can actually be done in a mostly atomic manner too
> (since we would bring the new image up and prep it first, rather than
> having to take down the existing service during upgrade).

I fail to see how you do that if you have a lot of data and you need to
"migrate data-files".

It becomes a lot more complicated than a yum update; what's the gain?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
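
Added example, not part of the original message or of any Fedora or Docker tooling: a small model of the layered-image question raised in the thread, computing which images must be rebuilt (lower layers first) and which running containers are stale once one package gets a security fix. The image names, package sets and container names are constructed for illustration.

```python
# Constructed inventory (not from the thread): image -> parent image and the
# packages installed by that image's own layer.
IMAGES = {
    "fedora-base":     {"parent": None,          "packages": {"glibc", "openssl"}},
    "fedora-db":       {"parent": "fedora-base", "packages": {"postgresql-server"}},
    "role-dbserver":   {"parent": "fedora-db",   "packages": {"role-config"}},
    "role-memcached":  {"parent": "fedora-base", "packages": {"memcached"}},
    "role-fileserver": {"parent": None,          "packages": {"samba", "openssl"}},
}
# Constructed list of running containers and the image each was started from.
CONTAINERS = {"db1": "role-dbserver", "cache1": "role-memcached",
              "files1": "role-fileserver"}


def ancestors(images, name):
    """Chain of images from `name` down to its bottom layer, inclusive."""
    chain = []
    while name is not None:
        if name in chain:
            raise ValueError(f"parent cycle at {name}")
        chain.append(name)
        name = images[name]["parent"]
    return chain


def rebuild_plan(images, fixed_package):
    """Images to rebuild after a fix to `fixed_package`, parents first."""
    affected = [
        name for name in images
        if any(fixed_package in images[a]["packages"]
               for a in ancestors(images, name))
    ]
    # A parent always has a shorter chain than its children, so sorting by
    # chain length rebuilds lower layers before the images built on them.
    return sorted(affected, key=lambda n: (len(ancestors(images, n)), n))


def stale_containers(containers, plan):
    """Containers still running an image that the plan replaces."""
    return sorted(c for c, image in containers.items() if image in plan)


if __name__ == "__main__":
    plan = rebuild_plan(IMAGES, "openssl")
    print("rebuild order:", plan)
    print("recreate:", stale_containers(CONTAINERS, plan))
```

A fix in a bottom layer touches every image built on it, while a fix in a role's own layer touches only that role, which is the cost difference between layered and single-image roles that the thread is weighing.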


