Daniel Campbell:

> On Sun, Mar 12, 2017 at 08:56:00PM +0000, Ural wrote:
>> Hello guys. I am sorry about a bit of offtopic, but if everyone is
>> interested, I am inviting anyone into the
>> https://github.com/edannenberg/gentoo-bb project discussion thread here:
>> https://github.com/edannenberg/gentoo-bb/issues/102, where we use
>> Docker as engine and Gentoo GNU/Linux as host OS. We have some ideas on
>> (possibly) the best server and LAMP/LEMP management using Gentoo, Docker
>> and GentooBB. Discussing the most stable, fastest and secure dedicated
>> server configuration to host everything. Thanks
>
> The concept sounds pretty neat; what do you guys do differently than a
> typical Gentoo installation?
>
> What does Gentoo do for a containerized environment? Does this project
> include easier container management than usual? I like the
> containers-as-services idea. If it's not hard to write/make one, I could
> see this project taking off.
The idea of this project is very simple: manage containers based on Gentoo, the only OS where you can configure everything, i.e. -march=native, which decreases php memory usage by 25% and accelerates binaries.

But in the usual way, you would do # docker import stage3-xxx.tar.bz2 gentoo and emerge the needed service, like nginx, mariadb or php. This way you end up with a bunch of unmanaged >1GB containers, which have 90% unneeded files and are hard to update.

Our project solves this problem. You have a bunch of preconfigured packages which you can already install and use, or you can easily create your own. The images are layered and nested, and your nginx container will be 17MB and have only what it needs. You can easily rebuild/upgrade/recompile any container, or upgrade all at once. You just define all settings once.

Example: to build a php7 container, it will build busybox, glibc, openssl, and then, including all previous containers, will create the resulting nested container. So you have only one glibc or one bash for all child containers. So you can take one container as source, add a package to it and have another nested container.

Why is this 'container-per-service' the best way?

* Security. Containers are isolated from the host OS, thanks to cgroups, and if hijacked, don't get access to the rest of your system. That way, if I use separate php containers for phpBB, piwik and other community-driven projects, hijacking phpBB will not allow access to the rest of the services. Most containers run unprivileged.
* No overhead. It is just another namespace inside the kernel.
* Ability to have blk and cpu priorities for different services, even when it is not possible to assign them in the usual native way, like priority for a mariadb database. If you have 3 mariadb containers, you can easily manage priorities as needed.
* Easy to upgrade on production, preserving old versions. I described my way to do this in the referenced issue, and I have just a few seconds of downtime when I turn off the old containers and start the new ones, but all configs and data are mounted as volumes. If something is not well with the upgraded containers, I can switch back temporarily.
* This project is already working well, is mostly stable and is used in production. All I did was edit the package config files for my needs and run ./main.sh build mynamespace. It builds all packages, emerging the latest versions and compiling them from scratch, creating docker containers. After all is built, you start using your containers. (Development is happening in the spring branch and soon we will have a big version update.)

> Thanks for sharing!
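The upgrade-with-rollback procedure and the unprivileged, cgroup-prioritised per-service containers described above, written out as an added example that is not part of gentoo-bb or of the thread. The image names (mynamespace/php:TAG), uid 1000, the cpu/blkio values and the volume names are assumptions; configs and data stay in named volumes so the new container picks them up and the old container is only stopped, never removed, until the new one is known good.

```shell
#!/bin/sh
# Hypothetical helper (not gentoo-bb's own tooling): swap one per-service
# container to a new image, keeping the old container around for rollback.

# Start a service container unprivileged, with capabilities dropped, a
# read-only root filesystem and cgroup cpu/blkio priorities.
#   $1 = container name, $2 = image, $3 = --cpu-shares, $4 = --blkio-weight,
#   remaining args = volume mounts (-v name:/path ...)
run_service() {
    name=$1; image=$2; cpu=$3; blkio=$4; shift 4
    docker run -d --name "$name" \
        --user 1000:1000 --cap-drop ALL --read-only \
        --cpu-shares "$cpu" --blkio-weight "$blkio" \
        "$@" "$image"
}

# Upgrade: start the new version first, then stop (not remove) the old one,
# so the only downtime is the moment between the two.
#   $1 = service, $2 = old tag, $3 = new tag, remaining args = volume mounts
upgrade_service() {
    svc=$1; old=$2; new=$3; shift 3
    run_service "${svc}-${new}" "mynamespace/${svc}:${new}" 512 500 "$@" || return 1
    docker stop "${svc}-${old}"
}

# Rollback: stop the broken new container and start the preserved old one,
# which still sees the same volumes.
#   $1 = service, $2 = broken tag, $3 = previous tag
rollback_service() {
    docker stop "${1}-${2}" && docker start "${1}-${3}"
}

# Minimal CLI: ./swap.sh upgrade php 7.0 7.1 -v php-conf:/etc/php ...
#              ./swap.sh rollback php 7.1 7.0
case "${1:-}" in
    upgrade)  shift; upgrade_service "$@" ;;
    rollback) shift; rollback_service "$@" ;;
esac
```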