Fossil SCM
Removed a TODO-based section of the new containers doc that wasn't meant to be checked in yet. Made a few improvements to the new Podman material as well.
Commit
5adf6c40d9478e63780fc9c0ebb1c889be9e2b9b9e72f3dcf3e6f85d66d5ff2f
Parent
f0399ea9cace1d0…
1 file changed
+7
-17
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -445,34 +445,21 @@ | ||
| 445 | 445 | [DD]: https://www.docker.com/products/docker-desktop/ |
| 446 | 446 | [DE]: https://docs.docker.com/engine/ |
| 447 | 447 | [DNT]: ./server/debian/nginx.md |
| 448 | 448 | |
| 449 | 449 | |
| 450 | - | |
| 451 | -### <a id="runc" name="containerd"></a>Stripping Docker Engine Down | |
| 452 | - | |
| 453 | -The core of Docker Engine is its [containerd] daemon and the [runc] | |
| 454 | -container runner. It’s possible to run our Fossil container using only | |
| 455 | -these tools, leaving out all the rest. Those two pieces come to about a | |
| 456 | -tenth the size of Docker Engine on the system where I tested this. | |
| 457 | - | |
| 458 | -**TODO:** Work out how to do this and document it. | |
| 459 | - | |
| 460 | -[containerd]: https://containerd.io/ | |
| 461 | -[runc]: https://github.com/opencontainers/runc | |
| 462 | - | |
| 463 | - | |
| 464 | 450 | ### <a id="podman"></a>Podman |
| 465 | 451 | |
| 466 | 452 | The biggest downside of that method is that you don’t have all of the |
| 467 | -userland tools for managing the containers. | |
| 453 | +user-land tools for managing the containers. | |
| 468 | 454 | |
| 469 | 455 | A lighter-weight alternative to Docker Engine that doesn’t give up so |
| 470 | 456 | much of its administrator affordances is [Podman], initially created by |
| 471 | 457 | Red Hat and thus popular on that family of OSes, although it will run on |
| 472 | 458 | any flavor of Linux. On Ubuntu 22.04, it’s about a quarter the size of |
| 473 | -Docker Engine. | |
| 459 | +Docker Engine. It can even be made to run [on macOS via Homebrew][pmmac] | |
| 460 | +or [on Windows via WSL2][pmwin]. | |
| 474 | 461 | |
| 475 | 462 | Although Podman [bills itself][whatis] as a drop-in replacement for the |
| 476 | 463 | `docker` command and everything that sits behind it, some of the tool’s |
| 477 | 464 | design decisions affect how our Fossil containers run, as compared to |
| 478 | 465 | using Docker. The most important of these is that, by default, Podman |
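Review bot: removing the “Stripping Docker Engine Down” section leaves the Podman section’s opening sentence, “The biggest downside of that method is that you don’t have all of the user-land tools for managing the containers,” pointing at a method that is no longer on the page; in the old text that sentence directly followed the containerd-plus-runc section, so it should either be reworded to name what it now compares against or go out with the removed section. The removal also drops the `<a id="runc" name="containerd">` anchor, so check that nothing else in www/ links to `#runc` or `#containerd`. On the new macOS and Windows sentence, both of those installs run Podman inside a Linux VM (a `podman machine` VM on macOS, a WSL2 distro on Windows), which is worth a clause here because the rootless-versus-rootful discussion that follows then applies to the VM, not the host.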
| @@ -480,10 +467,13 @@ | ||
| 480 | 467 | regular user. This is generally better for security, but [we dealt with |
| 481 | 468 | that risk differently above](#chroot) already. Since neither choice is |
| 482 | 469 | unassailably correct in all conditions, we’ll document both options |
| 483 | 470 | here. |
| 484 | 471 | |
| 472 | +[pmmac]: https://podman.io/getting-started/installation.html#macos | |
| 473 | +[pmwin]: https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md | |
| 474 | + | |
| 485 | 475 | |
| 486 | 476 | #### <a id="podman-rootless"></a>Fossil in a Rootless Podman Container |
| 487 | 477 | |
| 488 | 478 | If you build the stock Fossil container under `podman`, it will fail at |
| 489 | 479 | two key steps: |
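Review bot: the new `[pmwin]` reference points at `blob/main/...` on GitHub, so the linked tutorial can move or change under the reader; pinning it to a release tag or a specific commit would keep the link stable. Placing the two definitions after the paragraph that uses them and before the `####` heading matches how `[DD]`, `[DE]` and `[DNT]` sit at the end of the preceding section, so the placement itself is fine.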
| @@ -491,11 +481,11 @@ | ||
| 491 | 481 | 1. The `mknod` calls in the second stage, which create the `/jail/dev` |
| 492 | 482 | nodes. For a rootless container, we want it to use the “real” `/dev` |
| 493 | 483 | tree mounted into the container’s root filesystem instead. |
| 494 | 484 | |
| 495 | 485 | 2. Anything that depends on the `/jail` directory and the fact that it |
| 496 | - becomes the root once the Fossil server is up and running. | |
| 486 | + becomes the file system’s root once the Fossil server is up and running. | |
| 497 | 487 | |
| 498 | 488 | [The changes to fix this](/file/containers/Dockerfile-nojail.patch) |
| 499 | 489 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 500 | 490 | and rebuild. |
| 501 | 491 | |
| 502 | 492 |
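Review bot: the rewording on line 486 to “the file system’s root” sits three lines below line 483’s “the container’s root filesystem”, so the same hunk now spells the concept two ways; “becomes the filesystem root” (or “the root of the filesystem”) would keep the patch consistent with itself. The edited line also runs past the roughly 72-column wrap the rest of the list item uses, so rewrapping item 2 after the change would keep it in line with its neighbours.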