Technological advantages over Linux
paul at gromit.dlib.vt.edu
Fri Jul 24 16:00:19 UTC 2020
On Fri, 24 Jul 2020 12:21:27 +0100, Steve O'Hara-Smith <steve at sohara.org> wrote:
> On Fri, 24 Jul 2020 10:28:40 +0700
> Victor Sudakov <vas at sibptus.ru> wrote:
>> Victor Sudakov wrote:
>> 3. FreeBSD lacks a native docker (what prevents from fixing
> Isn't the whole point of docker to package applications in
> containers so that (among other simplifications) there was no need to
> support multiple versions of services in the same environment?
> One service, one container works just as well in jails as in
> docker, granted it's not as easy as writing a yaml file and watching a
> poorly understood swarm of thousands of containers spring to life and
> provide a load-balanced service, but it isn't hard especially with iocage
> Personally I always run services in single service jails and have
> done for a lot longer than docker has existed. From what I can see docker
> offers very little advantage if what you need is one-off servers and you
> want complete control over what's on them and what they do. It offers huge
> advantages if you want to administer large load-balanced swarms of
> standardised components.
Whenever Docker comes up, it seems to me that in the FreeBSD world the cry that goes up is "they're just like jails." In my experience, though, FreeBSD jails are more heavyweight than Docker containers. Jails in FreeBSD are more analogous to using LXD in Linux---lightweight OS virtualisation.
Tools like iocage (which I use), Bastille, Pot, etc. reinforce this notion because they base their jails on FreeBSD releases. So, you get a lot of heavyweight cruft installed (or available) that your application probably doesn't need (like compilers, mailers, etc.) as well as services running you might not need (like cron, syslogd, etc.). I tried some years ago to create a very pared-down FreeBSD jail via /etc/src.conf settings (if nothing else but to reduce the internal attack surface of the jail), and found it quite tricky. (There are several hidden dependencies that are not well documented or tested when it comes to removing them from the system.) That's not to say you can't make a heavyweight Docker container, but there are a lot of *very* lightweight ones you can use as your starting point. :-)
The basic Docker paradigm is you execute one process in a container and when that process ends the container exits. Where I work, it's common for people to use the Docker container version of the "aws" [i.e., FreeBSD devel/awscli] command (with its gazillion build dependencies) rather than install the software natively. (Their "aws" command is basically an alias that invokes "docker run" on the "aws" Docker container.) Also, at DockerCon 2020, there was a presentation by the CURL developers about their making and maintaining the official CURL Docker container (https://github.com/curl/curl-docker) so you could run "curl" similarly. This makes it very easy to get access to any version of CURL you need (so long as you can run Docker), as befits a "Swiss Army knife"-like tool such as CURL.
I have not seen FreeBSD jails used in as lightweight a fashion as that (i.e., running as application binaries). Usually they are used to run long-running services. I doubt that is a technological limitation of jails, but is probably a tooling issue. And that, to me, is the main advantage of Docker: its ecosystem and mindshare. My experience of FreeBSD jails is that it is a great technology that has been let down somewhat by poor tools and fragmented communities (ezjail vs. iocage vs. cbsd vs. etc.). It's surprising to me that although jails were introduced in FreeBSD 4.0 it took until FreeBSD 9.1 for jail.conf to appear! The great success of Docker, in my mind, is that it forged a community and a standardisation around use of containers. Who knows, given better tools, maybe FreeBSD jails (and Solaris Zones, etc.) could have been just as big?
I think the other aspect of Docker containers you perhaps overlook is that they are based on immutable images. That makes it very good for application deployment. The "if what you need is one-off servers and you want complete control over what's on them and what they do" that you mention is rarely a use case for Docker containers in my experience. (What you say sounds like LXD OS containers to me.) What people want from Docker containers is a known application build that they can roll forward to or roll back to. Even today, there is no standard image format for FreeBSD jails, and the tools for migration/rollback of jails are not standardised across the many different tools that let you work with jails. Again, that's probably not the fault of jails but of the tooling ecosystem around them. (It's not a technological limitation of jails.)
> Regardless what is with the idea that one OS must be "better" than
> another - a Stilson is not better than a ring spanner, they are simply
> suited to different (but similar) tasks.
I agree entirely with this. That's why I have been loath to contribute to this sort of thread until today. But, I think with jails there's a conceit in the FreeBSD community that there's an element of "we had Docker containers years ago but we call them jails." I don't think the comparison is 100% accurate. I like jails, but I believe the tooling and ecosystem around them fall short of that around Docker. That's a problem of support, not technology, IMHO.