[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Relationship between Docker and Guix
From: |
Giovanni Biscuolo |
Subject: |
Re: Relationship between Docker and Guix |
Date: |
Tue, 26 Nov 2019 10:57:36 +0100 |
Hellp zimoun,
my two cents on Docker as container images builder (not as "container
instantiation toolbox")
zimoun <address@hidden> writes:
[...]
> The relationship between Docker and GNU Guix is container and the LXC
> [1] technology. They use both but differently:
>
> - Docker is rooted in mutable/imperative and tries to go to more
> functional;
Docker images are immutable, they are usually (but not exclusively)
generated via `docker build` using an imperative "dockerfile language"
(so immutable/imperative :-) ); images are used to instantiate Linux
containers and there are tools (bind mounts, environment) to separate
state (data/config) from "system" to obtain a stateless container: the
"stateless" status of the container however is strictly tied to the
stateless properties of the underlying ditribution used to build the
container
I'm not sure what you mean with "tries to go more funtional" since AFAIU
dockerfile "language" is not going to be funcional anytime soon,
probably it does not even need to.
The main issue with the use of dockerfiles is that unfortunately the
FROM layering option (usually *heavily* used by docker images packagers)
often makes keeping control of what is actually distributed with the
image [1], cryptominers included, simply an... illusion... ehrm hard
work :-). I've done it for work and that is the main reason I *avoid*
any docker image not built by me as soon as I can.
[...]
> Everything starts with a configuration file: Dockerfile versus manifest.scm.
>
> - Dockerfile depends on the state of the distribution that one will
> use -- say Debian -- and each time "RUN apt-get update" and/or "RUN
> apt-get install" is called then no one can know in advance what the
> resulting disk image will *exactly* contain;
The non reproducible (not stateful) nature of the resulting docker
images directly depends on the distribution used to build it: Debian
have no means to "pin" a specific version in time (tag or commit, ala
Guix) to use; indeed if I use Guix as initial system image (FROM
guix-base) and a combination of manifests and channels definitions I can
get a reproducible image (never tried this, just theory :-) )
Anyway, using `guix pack -f docker...` is much much better than the
above dockerfile example :-O
This is just to say that it is not `docker build` fault not creating
reproducible images :-)
[...]
Ciao. Gio'
[1] even from a legal POV
--
Giovanni Biscuolo
Xelera IT Infrastructures
signature.asc
Description: PGP signature