[openstack-dev] [tc] supporting Go

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed May 11 00:27:25 UTC 2016


Thomas, fully agree. :)

Rayson Ho, even with containers, distro packages are preferable. It's really difficult at the moment to ensure your containers don't have security vulnerabilities baked into them. None of the docker repos I've seen really help you with automating this. The only trick I've found is to set up a jenkins server that tests a 'docker run -it --rm containername [apt-get upgrade -y || yum upgrade -y]' periodically, check the results to see if it does anything, and if it does, force a rebuild of the container using the native tools. And then ensure you either get notified or have some kind of orchestration system that notices the new containers and does the right rolling upgrades for you.

This process gets much more complicated if you're using random language-provided tools on top of the distro-provided tools, as there are increasing numbers of sources to check.

Thanks,
Kevin
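The periodic staleness check Kevin describes, written out as a script a Jenkins job could run. This is an added example, not Kevin's own script: it runs the distro upgrade inside a throwaway container, decides from the package manager's output whether anything would change, and only then forces a rebuild. It assumes `docker` is on PATH, that the image carries either apt-get or yum, and that the Dockerfile context directory is passed as the second argument (a hypothetical layout). Two deliberate deviations from the one-liner in the mail: apt-get runs with `-s` (simulate) so the check never modifies the container, and yum runs with `--assumeno` for the same reason; both still print the summary the check parses. The sample outputs embedded below are constructed for the self-test, not captured from a real system.

```shell
#!/bin/sh
# Periodic "is this image stale?" check: run the distro's upgrade inside a
# throwaway container, inspect what it reports, rebuild only if something
# would change.  Added example; assumes docker on PATH and apt-get or yum in
# the image.
set -eu

# Decide from package-manager output whether any package would be upgraded.
# Returns 0 when updates are pending, 1 when the image is current.
# Unrecognised output counts as "pending" so an unparsed format forces a
# rebuild instead of silently passing.
updates_pending() {
  out="$1"
  # apt-get: "N upgraded, M newly installed, ..." summary line
  n=$(printf '%s\n' "$out" | grep -E '^[0-9]+ upgraded, [0-9]+ newly installed' | head -n 1 | cut -d' ' -f1)
  if [ -n "$n" ]; then
    [ "$n" -gt 0 ] && return 0
    return 1
  fi
  # yum/dnf: "Nothing to do." or "No packages marked for update" when current,
  # otherwise a transaction summary line such as "Upgrade  3 Packages"
  if printf '%s\n' "$out" | grep -Eq 'Nothing to do|No packages marked for update'; then
    return 1
  fi
  if printf '%s\n' "$out" | grep -Eq '^Upgrade[[:space:]]+[0-9]+'; then
    return 0
  fi
  echo "updates_pending: unrecognised package-manager output, assuming stale" >&2
  return 0
}

# Run the upgrade check inside a throwaway container.
# Returns 0 (stale), 1 (current) or 2 (the container run itself failed).
image_is_stale() {
  image="$1"
  out=$(docker run --rm "$image" sh -c '
    if command -v apt-get >/dev/null 2>&1; then
      apt-get update -qq >/dev/null 2>&1 && apt-get -s upgrade
    else
      yum --assumeno upgrade 2>&1 || true
    fi') || { echo "docker run failed for $image" >&2; return 2; }
  updates_pending "$out"
}

# Rebuild with the image's own Dockerfile, pulling a fresh base image and
# bypassing the layer cache so the package layers are really recreated.
# The context directory is a hypothetical argument, not something in the mail.
rebuild_image() {
  image="$1"; context="$2"
  docker build --pull --no-cache -t "$image" "$context"
}

# Constructed sample outputs (not captured from a real system) for self_test.
SAMPLE_APT_STALE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'
SAMPLE_APT_CURRENT='Reading package lists...
Building dependency tree...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'
SAMPLE_YUM_STALE='Resolving Dependencies
Transaction Summary
================================================================================
Upgrade       3 Package(s)
Is this ok [y/N]: Exiting on user command'
SAMPLE_YUM_CURRENT='Loaded plugins: fastestmirror
No packages marked for update'

# Returns 0 if every sample is classified as expected.
self_test() {
  updates_pending "$SAMPLE_APT_STALE"   || return 1
  updates_pending "$SAMPLE_APT_CURRENT" && return 1
  updates_pending "$SAMPLE_YUM_STALE"   || return 1
  updates_pending "$SAMPLE_YUM_CURRENT" && return 1
  return 0
}

# Entry point for the periodic job: ./check.sh IMAGE [CONTEXT_DIR]
if [ $# -ge 1 ]; then
  image="$1"; context="${2:-.}"
  image_is_stale "$image" && status=0 || status=$?
  case $status in
    0) echo "$image: package updates pending, rebuilding"
       rebuild_image "$image" "$context" ;;
    1) echo "$image: current" ;;
    *) echo "$image: check failed" >&2; exit "$status" ;;
  esac
fi
```

Run it with no arguments and it does nothing but define the functions; a Jenkins job would call it with the image name and context directory, and the non-zero exit on a failed container run keeps a broken check from being mistaken for "current". Notifying or handing the rebuilt image to an orchestrator for a rolling upgrade, as Kevin goes on to describe, is left to whatever follows this step in the job.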
________________________________________
From: Thomas Goirand [zigo at debian.org]
Sent: Tuesday, May 10, 2016 5:01 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [tc] supporting Go

On 05/10/2016 04:19 PM, Rayson Ho wrote:
> I mentioned in earlier replies but I may as well mention it again: a
> package manager gives you no advantage in a language toolchain like Go

Oh... You mean just like in Python where we have pip, Perl where we have
CPAN, PHP where we have PEAR, or JavaScript where we have
gulp/npm/grunt/you-name-it?

Each and every language thinks it's "special" and that no distro should
be involved. Of course, the reality is different.

> IMO, the best use case of not using a package manager is when deploying
> into containers
> -- would you prefer to just drop a static binary of your
> Go code, or you would rather install "apt-get" into a container image,

For anything serious, the latter, of course! The former is only for
hackers, calling themselves devs, who don't know about ops, playing and
thinking they're the cool guys. This fashion of "we're in a container,
so it's ok to do everything dirty" will soon be regarded by everyone as
one big mistake.

If you're using containers the wrong way, you lose:
1/ Version accountability
2/ Security audit
3/ Build reproducibility

Installing from $language manager instead of distro packages, be it in
containers or not, will almost always make you download random blobs
from the Internet, which are of course changing over time without any
notice, losing the above 3 important features.

Cheers,

Thomas Goirand (zigo)


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
