From: Giovanni Biscuolo
Subject: Re: Relationship between Docker and Guix
Date: Tue, 26 Nov 2019 10:57:36 +0100
Message-ID: <87zhgjgdtb.fsf@roquette.mug.biscuolo.net>
To: zimoun
Cc: Guix-devel, help-guix

Hello zimoun,

my two cents on Docker as a container image builder (not as a "container instantiation toolbox").

zimoun writes:

[...]

> The relationship between Docker and GNU Guix is container and the LXC
> [1] technology. They use both but differently:
>
> - Docker is rooted in mutable/imperative and tries to go to more
> functional;

Docker images are immutable; they are usually (but not exclusively) generated via `docker build` using an imperative "Dockerfile language" (so immutable/imperative :-) ). Images are used to instantiate Linux containers, and there are tools (bind mounts, environment) to separate state (data/config) from "system" to obtain a stateless container; the "stateless" status of the container, however, is strictly tied to the stateless properties of the underlying distribution used to build the container.

I'm not sure what you mean with "tries to go more functional", since AFAIU the Dockerfile "language" is not going to be functional anytime soon; probably it does not even need to.

The main issue with the use of Dockerfiles is that, unfortunately, the FROM layering option (usually *heavily* used by Docker image packagers) often makes keeping control of what is actually distributed with the image [1], cryptominers included, simply an... illusion... ehrm, hard work :-). I've done it for work, and that is the main reason I *avoid* any Docker image not built by me as soon as I can.

[...]

> Everything starts with a configuration file: Dockerfile versus manifest.scm.
>
> - Dockerfile depends on the state of the distribution that one will
> use -- say Debian -- and each time "RUN apt-get update" and/or "RUN
> apt-get install" is called then no one can know in advance what the
> resulting disk image will *exactly* contain;

The non-reproducible (not stateful) nature of the resulting Docker images directly depends on the distribution used to build them: Debian has no means to "pin" a specific version in time (tag or commit, a la Guix) to use; indeed, if I use Guix as the initial system image (FROM guix-base) and a combination of manifests and channels definitions, I can get a reproducible image (never tried this, just theory :-) ).

Anyway, using `guix pack -f docker ...` is much, much better than the above Dockerfile example :-O

This is just to say that it is not `docker build`'s fault for not creating reproducible images :-)

[...]

Ciao.
Gio'

[1] even from a legal POV

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
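Added example (not part of the message above, and not Guix's or Docker's own code): two of the points made in the thread, that FROM layering hides what an image actually ships and that an image built from a non-pinned distribution is not reproducible, can be checked mechanically on the archive `docker save` produces (a `manifest.json` listing the layer tars). The script below builds small archives in that layout from constructed sample contents, so it runs offline; the layer normalization it applies (sorted entries, zeroed mtime/uid/gid, no owner names) is the kind of thing a deterministic packer does and is assumed for illustration, not a description of `guix pack`'s exact output. `ROOTFS` and `BASE_LAYER` are constructed sample data.

```python
"""Added example: inventory a Docker image's layers and check whether two
builds of it are bit-for-bit identical.

Illustrative code, not Guix's or Docker's own. It works on the
`docker save` archive layout (manifest.json listing layer tars) and uses
constructed sample filesystem contents instead of a real image."""
import hashlib
import io
import json
import tarfile

# Constructed sample contents; a real image would come from `docker save`.
ROOTFS = {"bin/app": b"#!/bin/sh\necho hello\n", "etc/app.conf": b"mode=prod\n"}
BASE_LAYER = {"opt/unreviewed/binary": b"\x7fELF..."}  # inherited via FROM, never reviewed


def make_layer(entries, build_time=None):
    """Pack {path: bytes} into a layer tar.

    build_time=None applies the normalization a deterministic packer uses
    (sorted entries, mtime/uid/gid zeroed, no owner names); otherwise the
    given build timestamp is stamped on every entry, as an ordinary
    imperative build would do (assumed behaviour, for illustration)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        items = sorted(entries.items()) if build_time is None else list(entries.items())
        for path, data in items:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0 if build_time is None else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_image(layers, tag):
    """Assemble layer tars plus manifest.json in the `docker save` layout."""
    buf = io.BytesIO()
    names = []
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for blob in layers:
            name = hashlib.sha256(blob).hexdigest() + "/layer.tar"
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tf.addfile(info, io.BytesIO(blob))
            names.append(name)
        manifest = json.dumps(
            [{"Config": "config.json", "RepoTags": [tag], "Layers": names}]
        ).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(manifest)
        tf.addfile(info, io.BytesIO(manifest))
    return buf.getvalue()


def inventory(image_bytes):
    """Return [(layer_sha256, sorted paths)] in manifest order: the digest and
    the file list of every layer, including the ones inherited through FROM."""
    result = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as tf:
        manifest = json.loads(tf.extractfile("manifest.json").read())
        for layer_name in manifest[0]["Layers"]:
            blob = tf.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
                paths = sorted(member.name for member in layer.getmembers())
            result.append((hashlib.sha256(blob).hexdigest(), paths))
    return result


def same_files(a, b):
    """True if both images ship the same paths, layer by layer."""
    return [p for _, p in inventory(a)] == [p for _, p in inventory(b)]


def same_bits(a, b):
    """True if every layer digest matches: the reproducibility check."""
    return [d for d, _ in inventory(a)] == [d for d, _ in inventory(b)]


def unexpected_paths(image_bytes, expected):
    """Paths present in any layer that the image author did not list."""
    found = {p for _, paths in inventory(image_bytes) for p in paths}
    return sorted(found - set(expected))


if __name__ == "__main__":
    # Two "imperative" builds of identical content, run at different times.
    run1 = make_image([make_layer(ROOTFS, build_time=1574758656)], "demo:imperative")
    run2 = make_image([make_layer(ROOTFS, build_time=1574758700)], "demo:imperative")
    print("same files:", same_files(run1, run2), "same bits:", same_bits(run1, run2))
    # Two normalized builds: identical archives, so identical digests.
    pack1 = make_image([make_layer(ROOTFS)], "demo:normalized")
    pack2 = make_image([make_layer(ROOTFS)], "demo:normalized")
    print("normalized builds identical:", pack1 == pack2)
    # A FROM-style base layer drags in a file nobody reviewed.
    layered = make_image([make_layer(BASE_LAYER), make_layer(ROOTFS)], "demo:layered")
    print("not in the manifest:", unexpected_paths(layered, ROOTFS))
```

On a real image, `docker save image:tag > image.tar` produces the archive `inventory()` reads; comparing the digest lists of two independent builds is the test of reproducibility, and `unexpected_paths()` against the list of files you meant to ship is the test of what the FROM chain added. Only the layer contents are normalized here; the image config (`config.json`) also carries timestamps and would need the same treatment for the whole archive to be identical.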