Replying to Avatar cloud fodder

Still not sure if the filesystem layering was really a necessary part of containers. Having built thousands of docker containers and managing deployment pipelines I noticed how hard it is to actually utilize the layers effectively. Almost any change can easily blow the cache of a docker build. Usually you should be updating the OS frequently anyway for security reasons and caching it can lead to laziness on updates.

Systemd nspawn uses bind mounts and isolated filesystem access (like a chroot) which is nice for performance. It is a slight paradigm shift on what a container means, so far so good though..

One thing I've been really liking so far too is you can Boot your containers for multi process... For my use cases this is way superior to single process. For example, haproxy does hot reloading by managing processes. Additional processes managed by systemd from inside a container are also really handy.
Avatar
Mike Dilger ☑️ 2y ago

It seems to me that you should update your OS filesystem layer regularly, and many different containers that run on it would then benefit from that one update. That presents a risk that an update might break something, but as long as you don't jump major versions I think it is a reasonable strategy. This is how QubesOS layers things (it usees Xen virtualization) - you do OS updates in TemplateVMs and you build AppVMs to use an underlying TemplateVM.

Reply to this note

Please Login to reply.

Discussion

Avatar
cloud fodder 2y ago

Yep, that's the pattern I am using now.. you have the base OS filesystem from a debootstrap (Debian), then you can clone it and build the various app images on top. If you wanted to you could build smaller and smaller images, all depends on if you want to treat the container like a single process or have extra tools / shell and init system inside.