On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote:
> Hi!
>
> On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote:
> > Somewhat sarcastic but actually true. I don't recommend running
> > production applications inside of Gentoo based containers.
>
> This makes sense for Gentoo, but my question was CC: to this list not as
> off-topic, my host will be Hardened Gentoo, so kernel used by docker
> images will support GrSecurity&PaX, and I wanna have protection provided
> by hardened gcc for binaries run inside docker images.
>
> > I highly recommend making containers as small as possible. That
> > means using statically linked executables and removing all
> > traces of what we know as a distribution. Production containers
> > should not be based on Gentoo images.
>
> Okay, not sure why it's so important, but this doesn't change anything -
> these statically linked executables without any traces of Gentoo still
> should be compiled with hardened gcc.
>
> > docker pull ${NEW_IMAGE}
>
> So, what $NEW_IMAGE should be to let me get small nice image with
> up-to-date binaries built with hardened gcc? :-)
I am not that familiar with docker, but I thought the idea was that you build your own container images with your requirements? I.e. re-build the image just once on only one server and then send it around to all the others.

Alternatively, if you did not want to re-build the images themselves, you could always set up a gentoo binhost on one machine and make all the other containers pull those packages so there will not be the wasted time compiling.

--
Jason

>
> --
> WBR, Alex.
>
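Whichever route is taken (rebuilding the image once with a hardened toolchain, or pulling packages from a hardened binhost), the property Alex actually cares about is whether the binaries that end up inside the image were built with the hardened-gcc defaults (PIE, RELRO, non-executable stack, stack protector). The script below is an added example, not code from this thread or from Gentoo or Docker; it reads the ELF64 header and program headers directly, so it needs no `readelf` inside a minimal container, and it can be pointed at a binary copied out of an image with `docker cp`. The `build_sample_elf64` helper constructs synthetic, non-runnable ELF images purely as labelled test input. The stack-canary check is the same heuristic tools like checksec use (presence of the `__stack_chk_fail` symbol) and the RELRO check reports only that a `PT_GNU_RELRO` segment exists, not whether it is full RELRO (which additionally needs `DT_BIND_NOW`).

```python
"""Report hardened-toolchain markers (PIE, RELRO, NX stack, stack canary)
for an ELF64 binary.  Added example for the thread above; it is not
Gentoo's, Docker's or the posters' own code."""
import struct
import sys

ET_EXEC = 2
ET_DYN = 3                  # PIE executables (and shared objects) use ET_DYN
PT_GNU_STACK = 0x6474E551   # stack permissions requested from the kernel
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 1                    # "executable" bit in p_flags


def check_elf64(data: bytes) -> dict:
    """Return a dict of hardening markers found in an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 is handled by this example")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    relro = False
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags

    return {
        # ET_DYN is also what shared libraries use; for an executable it means PIE.
        "pie": e_type == ET_DYN,
        "relro": relro,
        # A missing PT_GNU_STACK leaves the stack executable on older kernels,
        # so absence is reported as "not NX" rather than as unknown.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
        # Heuristic used by checksec-style tools: -fstack-protector pulls in
        # __stack_chk_fail, so its name shows up in the symbol/string tables.
        "stack_canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf64(pie: bool, relro: bool, nx: bool, canary: bool) -> bytes:
    """Constructed test input: a minimal, non-runnable ELF64 image carrying
    exactly the requested markers.  Not a real binary."""
    phdrs = []
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1,   # e_type, e_machine (x86-64), e_version
        0, 64, 0, 0,                         # e_entry, e_phoff, e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0,        # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )
    body = ehdr + b"".join(phdrs)
    if canary:
        body += b"\x00__stack_chk_fail\x00"
    return body


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_elf64(fh.read()))
```

Run it against every executable extracted from a candidate image (for example after `docker cp <container>:/usr/bin /tmp/bin`) and treat any `False` as a build-pipeline defect: a statically linked binary that lacks these markers was not produced by the hardened toolchain, regardless of which base image it was shipped in.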