Cloud Foundry Containers - a comparison of Warden and Docker


James Bayer

Oct 9, 2013, 8:48:08 PM
to vcap...@cloudfoundry.org
Primarily Alex Jackson from the Cloud Foundry engineering team has put together an analysis that we believe presents a very objective comparison of the capabilities of Warden and Docker [1]. There is also a brief mention of the new lmctfy project from Google [2]. If you are interested in this area, please review and let us know if you have adjustments or additions that should be made. The doc should be available for public comments using GDocs or you may reply on this thread.

The Cloud Foundry team has no immediate plans to take action in code based on this analysis, but it will help inform future direction options. We are currently using Warden in several places:
- end user app process isolation in DEAs
- the recently usable bosh-lite [3] development env for BOSH that targets a Linux Host with Containers for BOSH development instead of an IaaS with VMs 

In the past, several multi-tenant data services like Redis, Mongo, etc. that are not planned to be maintained actively by the CF Team had used Warden to isolate the service processes provisioned for dedicated tenants.

We welcome any input from the community on the current analysis and also as to what additional container capabilities are requested.

[1] https://docs.google.com/a/gopivotal.com/document/d/1DDBJlLJ7rrsM1J54MBldgQhrJdPS_xpc9zPdtuqHCTI/edit

Dr Nic Williams

Oct 9, 2013, 9:01:15 PM
to vcap...@cloudfoundry.org
The cf-services-contrib-release & cf-services-release are also using Warden for some of the services to provide isolation (especially for those services that do not have multi-tenancy).





--
Dr Nic Williams
Stark & Wayne LLC - consultancy for Cloud Foundry users
twitter @drnic

Dr Nic Williams

Oct 9, 2013, 9:02:33 PM
to vcap...@cloudfoundry.org
Sorry, couldn't Undo that fast enough after reading the disclaimer sentence on services.

Andrea Campi

Oct 9, 2013, 10:09:36 PM
to vcap...@cloudfoundry.org, vcap...@cloudfoundry.org

Great doc!


Can you or Alex elaborate on:


How does Docker handle users and the “root” user in the container?


Docker runs processes as root inside the container. If you want/need a different user, you can create it when preparing the image and then use 'su' as usual.

Did you have a more complex scenario in mind?

solomo...@dotcloud.com

Oct 9, 2013, 10:26:02 PM
to vcap...@cloudfoundry.org
On Wednesday, October 9, 2013 7:09:36 PM UTC-7, Andrea Campi wrote:
 

> How does Docker handle users and the “root” user in the container?
>
> Docker runs processes as root inside the container. If you want/need a different user, you can create it when preparing the image and then use 'su' as usual.

Docker can drop privileges to the uid of your choice with 'docker run -u' (there is a corresponding configuration field in the remote API). As a convenience it will also look up non-numerical user ids by parsing /etc/passwd in the container's filesystem (if it exists).

The default uid is 0.
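
The uid resolution described in the message above, sketched as an added example (not part of the original thread and not Docker's own code). It shows that a non-root user name can still resolve to uid 0 through the image's /etc/passwd. The function names, the sample passwd entries and the error raised when /etc/passwd is missing are assumptions.

```python
import os
import tempfile

def resolve_user(spec, rootfs):
    """Return (uid, source) for a 'docker run -u'-style user spec.

    Empty spec -> default uid 0; numeric spec -> that uid; a name is looked
    up in <rootfs>/etc/passwd. Raising when the file or the name is missing
    is an assumption; the thread does not say what Docker does then.
    """
    if not spec:
        return 0, "default"
    if spec.isdecimal():
        return int(spec), "numeric"
    passwd = os.path.join(rootfs, "etc", "passwd")
    if not os.path.isfile(passwd):
        raise LookupError(f"no /etc/passwd in image, cannot resolve {spec!r}")
    with open(passwd, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # Format: name:password:uid:gid:gecos:home:shell
            fields = line.rstrip("\n").split(":")
            if len(fields) < 3 or fields[0] != spec or not fields[2].isdecimal():
                continue  # malformed entry or a different user
            return int(fields[2]), "passwd"
    raise LookupError(f"user {spec!r} not found in {passwd}")

def runs_as_root(spec, rootfs):
    """True when the container process would still run with uid 0."""
    return resolve_user(spec, rootfs)[0] == 0

def make_sample_rootfs():
    """Create a constructed rootfs containing a small /etc/passwd."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "app:x:1000:1000::/home/app:/bin/sh\n"
                 "broken-line\n"
                 "admin:x:0:0:second uid 0 account:/root:/bin/sh\n")
    return root

if __name__ == "__main__":
    rootfs = make_sample_rootfs()
    for spec in ("", "1000", "app", "admin"):
        uid, source = resolve_user(spec, rootfs)
        print(f"-u {spec!r}: uid={uid} ({source}) root={runs_as_root(spec, rootfs)}")
```
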

Christopher Ferris

Oct 10, 2013, 2:50:52 PM
to vcap...@cloudfoundry.org
Awesome, thanks James for bringing this forward. 

I know there's a lot of interest here, in IBM, in this subject as I am sure there is with others in the community.

Chris

Brian Martin

Oct 10, 2013, 3:06:19 PM
to vcap...@cloudfoundry.org
Thanks James, I added some comments to your google doc.

Brian Martin
IBM Cloud Services