Comments on "Mind the Gap: Containers in Cloud Foundry: warden meets libcontainer" (blog by Glyn; comment feed last updated 2023-05-09)

Mike Youngstrom, 2014-06-19 17:34 (+01:00):

Looks great Glyn!

Question. Our organization is very interested in the "Security Groups" work being implemented in Cloud Foundry right now. (1)

Although initially it has been decided that security group changes will require an application restart, the idea of making security group changes to a container on the fly is a future enhancement our organization is very interested in. In a previous post of yours (2) you mention that one of the advantages of Warden is its dynamic configuration capabilities. Do you think the move to libcontainer will hurt the ability to have dynamic CF security groups in the future?

1: https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/security$20groups/vcap-dev/Dy4NVBiasxA/NLsISSGxmpUJ

2: https://groups.google.com/a/cloudfoundry.org/forum/#!searchin/vcap-dev/docker$20vs$20warden/vcap-dev/V-lVpMpNqL4/-kx8qDBPd7MJ

Glyn, 2014-06-20 04:58 (+01:00):

No, not as far as I can tell. The technologies underpinning libcontainer are the same as those underpinning warden, so they should both be capable of supporting the same sorts of changes, at least in principle. Clearly there is a bigger community in libcontainer/docker to approve any change, but also the benefit of more eyes to spot mistakes.

OTOH, there may be some practical constraints that get in the way. libcontainer's function is a bit broader than warden's with some support for SELinux, for example, which is likely to complicate any security changes. Also libcontainer seems to be designed to conform to systemd and is also looking towards exploiting the cgroups unified hierarchy when that ships, so these may also have implications for how easily security groups can be managed. However, even if warden had kept its own container implementation, there were requirements to support SELinux (in order to make some potential exploits more difficult) and also at least tolerate unified hierarchy, which may have drawn warden in the systemd direction. If these requirements had been satisfied by warden, then warden and libcontainer would have had similar complications for the kind of security changes you describe.

Essentially, warden and libcontainer are at similar levels of function and are subject to similar future requirements.

Perhaps you'd like to review the libcontainer API proposal (https://github.com/docker/libcontainer/pull/28) and suggest how to ensure security group changes can be supported in the future?

Mike Youngstrom, 2014-06-20 05:52 (+01:00):

I see, thanks for the explanation Glyn. I think for the "security groups" needs we don't need cgroups changes to be dynamic. We just need to be able to change the network iptables dynamically (not sure if that falls under the same constraints or not).

I would take a look at the API proposal but it would be way over my head. :) All I know is that as an end user I want to be able to change what a container's network interface can and cannot connect to without recreating/restarting the container.

If that isn't possible under the SELinux constraints that's fine. Otherwise it would be nice if you could keep that use case in mind as you continue this work.

Thanks,
Mike

Blue Eyes, 2014-06-21 21:39 (+01:00):

Great post and thanks for sharing your plans.

Are you going to lend a hand to support unprivileged containers?
Here is the link to the PR: https://github.com/dotcloud/docker/pull/4572

Glyn, 2014-06-23 07:51 (+01:00):

We'll be focussing mostly on bringing the libcontainer API up to parity with warden, so I guess that means we will be interested in unprivileged containers.

Roman Shaposhnik, 2014-06-25 19:49 (+01:00):

Hi!

One thing that is not quite clear to me is whether you guys are going to embrace the docker packaging format as well. IOW, would I ever be able to use a Docker registry as a GitHub of sorts for managing the applications that my organization deploys to CF?

Thanks!

Glyn, 2014-06-26 08:30 (+01:00):

That's not on our (Steve's and mine) immediate radar, but I believe some work is going on elsewhere to add dockerfile support to CF and this may involve the docker repository. Probably best for you to ask on vcap-dev.

Anonymous, 2014-07-06 12:13 (+01:00):

Hi,
Is this change included in the Diego project? I remember that in Diego's architecture, "Garden" will replace "Warden", which means warden is re-written in Golang. Is it still the plan?

Thanks!

Glyn, 2014-07-07 08:48 (+01:00):

In Diego, the Ruby code of Warden has been replaced by Go to form Garden (which is a Warden server minus a backend) and the Warden-linux backend. The Warden-linux backend combined with Garden replaces Warden. Apologies that the terminology is a little confusing!

Re-basing Warden-linux on libcontainer is a longer term item. I don't know whether the Diego project will run long enough to include the libcontainer work.