From kde-community Tue Oct 30 13:43:19 2018
From: Michael Reeves
Date: Tue, 30 Oct 2018 13:43:19 +0000
To: kde-community
Subject: Re: Discourse
Message-Id:
X-MARC-Message: https://marc.info/?l=kde-community&m=154090989127921

On Tue, Oct 30, 2018, 6:50 AM Paul Adams wrote:

> On Tue, 30 Oct 2018 at 11:42, Ben Cooksley wrote:
> > If you're running 10,000+ microservice instances, then you can have
> > the teams of people needed to maintain the necessary overhead
>
> This is true. Also not your original point: you claimed that Docker
> containers were generally unsuitable for production.
> The overhead is generally not that huge: you build, sign and upload
> your images to a registry you run. This is no different than when you
> build, sign and upload your custom-built distro packages.
>
> Yes, running something like OpenStack causes some additional overhead.
>
> > We delegate management of sites to people who look after them (where
> > it makes sense) as it helps people get things done.
> > They are essentially the "admin" of that specific site/service, but
> > won't have root on the actual server that runs it.
>
> Good approach. It is by no means incompatible with running services in
> a container.
> You can give specific system users membership of a docker group,
> allowing them to start/stop/deploy etc. You then control which
> containers the user is actually allowed to manipulate in registry
> config.
>
> Perhaps I am missing something?

Care would have to be taken to ensure such users can only use specific
predefined option sets. Otherwise the ability to run docker is equivalent
to root access to the real file system via --mount or --volumes. Probably
other routes as well. Not hard to mitigate with the right setup.

> --
> Paul J. Adams
>   PhD MIEEE MBCS CITP
>
> GPG: 07DD 0812 Paul James Adams
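The point Michael raises is that docker-group membership is root-equivalent: any member can bind-mount the host filesystem with `-v`/`--volume` or `--mount` and chroot into it, and registry configuration does nothing to stop that because it never sees the `docker run` options. One way to implement the "predefined option sets" he suggests instead is a sudo-targeted wrapper that maps a site name to a fixed command line, so the site admin never hands raw arguments to docker. The script below is an added example written for this page; it is not from the thread, KDE sysadmin, or any KDE project. The registry host, image names, networks, the `forum`/`wiki` sites, and the `/usr/local/bin/deploy-site` sudoers path are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a fixed-option-set deploy wrapper.
# Site admins are NOT members of the docker group. They may run only this
# script as root, e.g. via an assumed /etc/sudoers.d/deploy-site entry:
#   alice ALL=(root) NOPASSWD: /usr/local/bin/deploy-site
# The user supplies only <action> <site>; every docker option comes from the
# allowlist below, so -v, --mount, --privileged etc. can never be injected.
#
# Why the docker group alone is root-equivalent (the hazard the thread names):
#   docker run --rm -v /:/host alpine chroot /host sh -c 'id; cat /etc/shadow'
# works for any docker-group member, with no sudo involved.

# Allowlist: site -> "image|fixed run options". Registry, image names and
# networks are assumptions for illustration.
site_spec() {
    case "$1" in
        forum) echo "registry.example.org/sites/forum:stable|--network forum-net --read-only --tmpfs /tmp" ;;
        wiki)  echo "registry.example.org/sites/wiki:stable|--network wiki-net --read-only --tmpfs /tmp" ;;
        *)     return 1 ;;
    esac
}

# build_cmd ACTION SITE: prints the exact docker command line that would be
# executed, or prints a rejection to stderr and returns 1. Extra arguments
# are rejected outright, so "start forum -v /:/host" never reaches docker.
build_cmd() {
    [ "$#" -eq 2 ] || { echo "rejected: usage ACTION SITE, no extra arguments" >&2; return 1; }
    action=$1; site=$2
    # Site names are restricted to [a-z0-9-] and may not start with '-', so no
    # path characters, spaces or option-looking strings get any further.
    case "$site" in
        ""|*[!a-z0-9-]*|-*) echo "rejected: bad site name" >&2; return 1 ;;
    esac
    spec=$(site_spec "$site") || { echo "rejected: unknown site '$site'" >&2; return 1; }
    image=${spec%%|*}
    opts=${spec#*|}
    case "$action" in
        start)  echo "docker run -d --name $site $opts $image" ;;
        stop)   echo "docker stop $site" ;;
        logs)   echo "docker logs --tail 200 $site" ;;
        deploy) echo "docker pull $image && { docker rm -f $site; docker run -d --name $site $opts $image; }" ;;
        *)      echo "rejected: unknown action '$action'" >&2; return 1 ;;
    esac
}

# Entry point when invoked as the sudo target: deploy-site <action> <site>.
# With no arguments (e.g. when sourced) nothing is executed.
if [ "$#" -eq 2 ]; then
    cmd=$(build_cmd "$1" "$2") || exit 1
    echo "+ $cmd"
    eval "$cmd"
fi
```

The design choice is that the wrapper is the trust boundary, not docker: the only user-controlled inputs are two short tokens validated against an allowlist, and the image, network, `--read-only` and any volumes are hard-coded per site. The same approach is also the place to pin images by digest rather than tag if you want the deploy step to be reproducible.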