On duodi 22 Brumaire, year CCXXV, Eduardo M KALINOWSKI wrote:
> Also, if I
> wanted to run another program from stable, I could build another docker
> image for that, but due to the clever way docker works, there'd be only
> one copy of the base system plus two layers, one for each image, with
> only the applications in question. That's a big advantage in relation to
> chroots or virtual machines.

I did not know Docker worked that way. It is interesting, and better than I
thought.

> And yet, even if a base layer is shared, docker images are completely
> isolated from one another and from the host system. If you want to share
> data, you need to explicitly configure that.
>
> That does solve the isolation problem, and allows you to run packages
> from different repositories simultaneously, with different versions of
> libraries if necessary; and allows you to install packages from
> untrusted sources (or that are not available as .deb's) without messing
> with your "real" system.
>
> It does not solve the problem you mention: if there is an update of
> OpenSSL, the images will continue to use the old version unless you
> rebuild them. The process can be automated, but at least you'll need to
> run a command to rebuild the images, and this can be time consuming.

Indeed. Compared to what I have in mind, it seems it would work for the
leaves/sinks of the graph system, but not the inner nodes. Also, the
isolation is kind of a mis-feature in this particular case.

> Now might be a good time to dive into some of the internals, such as how
> the images and layers work:
> https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/
> That might give you some ideas for your solution. Take a look also at
> the pages "AUFS storage driver in practice" and "OverlayFS storage in
> practice". While you won't be able to do what you want with docker,
> perhaps you can get some ideas. I'd guess you'd need some kind of
> layering like done by docker, but sometimes changing the bottom layers
> (which is not possible with docker - only the topmost layer is ever
> changed).

Thanks for the pointers. I definitely do not have time to actually work on
it as a project, but knowing a few pointers will do no harm. Union-capable
filesystems were indeed something that I thought could help a hypothetical
implementation.

Regards,

-- 
Nicolas George
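The two points from the quoted text (a base layer shared between images, and images that keep an old OpenSSL until they are rebuilt) can be checked from the `RootFS.Layers` list that `docker image inspect` reports. The following is an added example, not part of the original message: the image tags and layer IDs are constructed placeholders, and it assumes every image listed is meant to derive from the one base image named.

```python
import json

# Constructed sample: trimmed `docker image inspect` output keeping only
# RepoTags and RootFS.Layers. Layer IDs are placeholders, not real values.
# Here the base image has been updated (base-v2) after app-a and app-b were built.
INSPECT_JSON = """
[
 {"RepoTags": ["debian:stable"], "RootFS": {"Type": "layers", "Layers": ["sha256:base-v2"]}},
 {"RepoTags": ["app-a:latest"], "RootFS": {"Type": "layers", "Layers": ["sha256:base-v1", "sha256:app-a"]}},
 {"RepoTags": ["app-b:latest"], "RootFS": {"Type": "layers", "Layers": ["sha256:base-v1", "sha256:app-b"]}},
 {"RepoTags": ["app-c:latest"], "RootFS": {"Type": "layers", "Layers": ["sha256:base-v2", "sha256:app-c"]}}
]
"""


def load_layers(inspect_json):
    """Map each image tag to its ordered list of layer IDs (bottom layer first)."""
    layers = {}
    for image in json.loads(inspect_json):
        for tag in image.get("RepoTags") or []:
            layers[tag] = image["RootFS"]["Layers"]
    return layers


def stale_images(layers, base_tag):
    """Images whose bottom layers no longer match the current base image.

    Assumption: every image in `layers` is supposed to be built on base_tag.
    """
    base = layers[base_tag]
    return sorted(tag for tag, stack in layers.items()
                  if tag != base_tag and stack[:len(base)] != base)


def shared_layers(layers):
    """Layer IDs referenced by more than one image, with the images using them."""
    users = {}
    for tag, stack in layers.items():
        for layer_id in stack:
            users.setdefault(layer_id, set()).add(tag)
    return {lid: sorted(tags) for lid, tags in users.items() if len(tags) > 1}


if __name__ == "__main__":
    images = load_layers(INSPECT_JSON)
    print("rebuild needed:", stale_images(images, "debian:stable"))
    for layer_id, tags in shared_layers(images).items():
        print(layer_id, "shared by", tags)
```

Images reported as stale still carry the old base layer, so any library fix in the updated base reaches them only after a rebuild.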