Date:      Sun, 06 Jan 2019 11:44:29 -0800
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Wojciech Puchar <wojtek@puchar.net>
Cc:        Alan Somers <asomers@freebsd.org>, Cy Schubert <Cy.Schubert@cschubert.com>, Hackers freeBSD <freebsd-hackers@freebsd.org>, Igor Mozolevsky <igor@hybrid-lab.co.uk>, Enji Cooper <yaneurabeya@gmail.com>
Subject:   Re: Strategic Thinking (was: Re: Speculative: Rust for base  system components)
Message-ID:  <201901061944.x06JiTwK004880@slippy.cwsent.com>
In-Reply-To: Message from Wojciech Puchar <wojtek@puchar.net> of "Sun, 06 Jan 2019 20:09:54 +0100." <alpine.BSF.2.20.1901062002230.54477@puchar.net>

In message <alpine.BSF.2.20.1901062002230.54477@puchar.net>, Wojciech Puchar writes:
> >> why this "microservices" - which are simply complete programs without
> >> dependencies (or should be) - cannot be run simply as processes on
> >> different user accounts?
> >
> > Several reasons:
> > 1) Separate accounts don't provide as much security as separate
> > containers.  Capsicum does, but people aren't used to using Capsicum
>
> I use separate processes and don't feel the lack of security. I don't use 
> Capsicum either.

Really? Explain, please.

>
> Could you explain more precisely why standard process and user/group 
> separation is insufficient?

Why then did the industry move from mainframes to the client/server 
model?

>
> Simply access rights and setting
> security.bsd.see_other_uids=0
>
> is enough for me.

This is nearsighted.

>
> If something could be added then it would be limiting what ports can each 
> user open. But it's not really a problem.

The UNIX security model, even with ACLs, POSIX.1e, and capsicum, sucks. 
Again, we had that kind of model on the mainframe. Not quite TCP/IP 
ports but Google RACF and ACF2.

>
> > 2) Fragmentation.  The Linux world is much more fragmented than the
> > FreeBSD world.  It's hard to write a program that will work correctly
>
> That's where I agree with you.
>
> Anyway, if these microservices were statically linked this argument 
> would be irrelevant. And from what I've read, that's how microservices should 
> be made.

They're self-contained, linked against libraries in the container.

>
> > 3) Fashion.  You may not care about the latest IT craze, but a lot of
> > IT departments do.  And you can't change their minds all by yourself.
>
> I don't even try to change their minds. I don't argue with such people. 
> You can't discuss and present arguments to people who don't think.

When you do your own thing you become irrelevant. Lucky for me, I'm 
close enough to retirement that it doesn't matter; however, if I were 
younger I'd have to go with the times. Having said that, I choose to 
learn new technologies because I intend to continue to contract after 
retirement for the travel money.

You have to realize that the choices made by the industry do make sense 
when you view them from the point of view of big capital. The idea is 
to reduce money spent on developers, sysadmins, computers and 
resources. Not that I say this is good but it is the world we live in.

>
> > If FreeBSD is to be used by people who deploy microservices, then it
> > needs to do what they want.  That means it needs Docker or something
> > similar (IT admins won't want to learn ezjail if they're already
> > comfortable with Docker), or we need to convince people to use
> > CloudABI.  CloudABI has the potential to outperform containers.  It
> > just hasn't gained traction yet.
> > -Alan
>
> Docker is already in ports. If someone wants to use it, what's the problem?

CloudABI is an attempt to offer an alternative. It didn't have the 
momentum that Docker and CR-IO (which will replace Docker) do. One day 
we will need to implement Linux namespaces and cgroups (which IMO are 
inferior to jails) but apps which intimately interface with those 
facilities should be able to port over to FreeBSD relatively easily.

>
> Anyway, if they prefer Linux, let them use Linux.

And 95% of the UNIX-like world does. Should we give up and become a 
hobby O/S, like some other examples we can think of?

Linuxisms suck but that's the world we live in.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.