
Re: Layers for the package manager



Le duodi 22 brumaire, an CCXXV, Eduardo M KALINOWSKI a écrit :
> Also, if I
> wanted to run another program from stable, I could build another docker
> image for that, but due to the clever way docker works, there'd be only
> one copy of the base system plus two layers, one for each image, with
> only the applications in question. That's a big advantage in relation to
> chroots or virtual machines.

I did not know Docker worked that way. It is interesting, and better
than I thought.

> And yet, even if a base layer is shared, docker images are completely
> isolated from one another and from the host system. If you want to share
> data, you need to explicitly configure that.
> 
> That does solve the isolation problem, and allows you to run packages
> from different repositories simultaneously, with different versions of
> libraries if necessary; and allows you to install packages from
> untrusted sources (or that are not available as .deb's) without messing
> with your "real" system.
> 
> It does not solve the problem you mention: if there is an update of
> OpenSSL, the images will continue to use the old version unless you
> rebuild them. The process can be automated, but at least you'll need to
> run a command to rebuild the images, and this can be time consuming.

Indeed. Compared to what I have in mind, it seems it would work for the
leaves/sinks of the graph system, but not the inner nodes.

Also, the isolation is kind of a mis-feature in this particular case.

> Now might be a good time to dive into some of the internals, such as how
> the images and layers work:
> https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/
> That might give you some ideas for your solution. Take a look also at
> the pages "AUFS storage driver in practice" and "OverlayFS storage in
> practice". While you won't be able to do what you want with docker,
> perhaps you can get some ideas. I'd guess you'd need some kind of
> layering like done by docker, but sometimes changing the bottom layers
> (which is not possible with docker - only the topmost layer is ever
> changed).

Thanks for the pointers. I definitely do not have time to actually work
on it as a project, but knowing a few pointers will do no harm.
Union-capable filesystems were indeed something that I thought could
help a hypothetical implementation.

Regards,

-- 
  Nicolas George
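
The rebuild problem described in the quoted message (images keep the old OpenSSL until they are rebuilt), as an added example that is not part of the original message: it compares the `RootFS.Layers` list reported by `docker image inspect` against the current base image to find images still sitting on an old base layer. The sample JSON, image tags and digests are constructed.

```python
import json

# Constructed sample in the shape of `docker image inspect` output
# (RepoTags and RootFS.Layers only); digests are shortened placeholders.
INSPECT_JSON = """
[
  {"RepoTags": ["base:stable"],
   "RootFS": {"Type": "layers", "Layers": ["sha256:base-v2"]}},
  {"RepoTags": ["app-one:latest"],
   "RootFS": {"Type": "layers", "Layers": ["sha256:base-v1", "sha256:app-one"]}},
  {"RepoTags": ["app-two:latest"],
   "RootFS": {"Type": "layers", "Layers": ["sha256:base-v1", "sha256:app-two"]}},
  {"RepoTags": ["app-three:latest"],
   "RootFS": {"Type": "layers", "Layers": ["sha256:base-v2", "sha256:app-three"]}}
]
"""

def load_images(text):
    """Map each tag to its ordered list of layer digests (bottom layer first)."""
    images = {}
    for entry in json.loads(text):
        layers = entry["RootFS"]["Layers"]
        for tag in entry.get("RepoTags") or ["<untagged>"]:
            images[tag] = layers
    return images

def stale_images(images, base_tag):
    """Return tags whose bottom layers are not the current base image's layers."""
    base = images[base_tag]
    return sorted(tag for tag, layers in images.items()
                  if tag != base_tag and layers[:len(base)] != base)

def layer_usage(images):
    """Return (distinct layers stored, layers referenced across all images)."""
    referenced = [digest for layers in images.values() for digest in layers]
    return len(set(referenced)), len(referenced)

if __name__ == "__main__":
    imgs = load_images(INSPECT_JSON)
    # app-one and app-two still carry the old base layer (and its libraries).
    print("need rebuild:", stale_images(imgs, "base:stable"))
    print("distinct/referenced layers:", layer_usage(imgs))
```

Images that were never built from the given base are reported as well, so restrict the input to images derived from it.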
