Bug#746394: Please consider shipping pre-built images in Debian packages
2014-05-01 0:59 GMT+02:00 Chris Fordham ch...@fordham-nagy.id.au:

> Personally, I'd prefer that we use packer instead of bootstrap-vz (https://github.com/andsens/bootstrap-vz) to build official Debian images, which should be published on http://cdimage.debian.org or the more appropriate file server for users to download.

One of the issues with Packer, at least for EC2 (Ocean, GCE, ..?) is it creates an image from an existing EC2 instance. So you need to get an EC2 account and use some minimal Amazon resources to build an image. With bootstrap-vz, you build your images only locally on your computer, no need of remote account/resource.

Olivier

> On Thu, May 1, 2014 at 4:21 AM, Miguel Landaeta nomad...@debian.org wrote:
>
>> On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:
>>> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.
>>
>> And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.
>>
>> 1. http://people.debian.org/~nomadium/docker/images/
>>
>> --
>> Miguel Landaeta, nomadium at debian.org
>> secure email with PGP 0x6E608B637D8967E9 available at http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9
>> Faith means not wanting to know what is true. -- Nietzsche

--
gpg key id: 4096R/326D8438 (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
Bug#746394: Please consider shipping pre-built images in Debian packages
Hi.

Charles Plessy ple...@debian.org writes:

> One reason why bootstrap-vz exists is that broader frameworks such as Debian-Installer have more constraints and are harder to learn and maintain. In particular, Debian-Installer does not run as a simple command that prepares a tarball on a user's hard drive; it is a minimal Debian system that runs by itself. But I think that attempts to build larger frameworks than bootstrap-vz will end up re-inventing an installer for Debian. So for a Grand Unification I recommend to work on Debian-Installer directly.

With respect to docker (in the context of #746394), I think that the providing of images should be much lighter than what the Debian installer usually does.

AFAIU, docker containers are meant to be very lightweight, compared to installing on real hardware, and whereas it would be sad to reinvent the wheels the d-i is already providing, I think that much of its work is to detect hardware and configure appropriately, which is completely useless in the context of docker, since there's no hardware emulation, no real virtual machine, just a chroot-like container (LXC based), at least in the usual use of docker containers based on LXC running over Linux.

So bootstrap-vz running debootstrap is probably much of what we need for a bootstrap-vz Docker provider, I guess (and the devil which is in the details).

Hope this makes sense.

Best regards,
--
Olivier BERGER olivier.ber...@it-sudparis.eu - OpenPGP: 5819D7E8
Research Engineer - Dept INF - TMSP (http://www.it-sudparis.eu)
Bug#746394: Docker provider for bootstrap-vz Was: Re: Bug#746394: Please consider shipping pre-built images in Debian packages
Hi.

Is anyone working on adding Docker provider for bootstrap-vz (i.e. building Docker.io images containing a Debian install, ready to run in a docker container)?

It seems a GSOC 2014 was proposed for this [0], but I can't find evidence that anyone is working on it.

If someone is, please respond in [1] with appropriate details ;)

Thanks in advance.

Best regards,

[0] https://wiki.debian.org/SummerOfCode2014/Projects/bootstrap-vz
[1] https://github.com/andsens/bootstrap-vz/issues/128

Miguel Landaeta nomad...@debian.org writes:

> On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:
>> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.
>
> And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.
>
> 1. http://people.debian.org/~nomadium/docker/images/

--
Olivier BERGER olivier.ber...@it-sudparis.eu - OpenPGP: 5819D7E8
Research Engineer - Dept INF - TMSP (http://www.it-sudparis.eu)
Bug#746394: Please consider shipping pre-built images in Debian packages
On 29 July 2014 15:30, Olivier Berger olivier.ber...@telecom-sudparis.eu wrote:

> Hi.
>
> Charles Plessy ple...@debian.org writes:
>
>> One reason why bootstrap-vz exists is that broader frameworks such as Debian-Installer have more constraints and are harder to learn and maintain. In particular, Debian-Installer does not run as a simple command that prepares a tarball on a user's hard drive; it is a minimal Debian system that runs by itself. But I think that attempts to build larger frameworks than bootstrap-vz will end up re-inventing an installer for Debian. So for a Grand Unification I recommend to work on Debian-Installer directly.
>
> With respect to docker (in the context of #746394), I think that the providing of images should be much lighter than what the Debian installer usually does.
>
> AFAIU, docker containers are meant to be very lightweight, compared to installing on real hardware, and whereas it would be sad to reinvent the wheels the d-i is already providing, I think that much of its work is to detect hardware and configure appropriately, which is completely useless in the context of docker, since there's no hardware emulation, no real virtual machine, just a chroot-like container (LXC based), at least in the usual use of docker containers based on LXC running over Linux.
>
> So bootstrap-vz running debootstrap is probably much of what we need for a bootstrap-vz Docker provider, I guess (and the devil which is in the details).
>
> Hope this makes sense.
>
> Best regards,
> --
> Olivier BERGER olivier.ber...@it-sudparis.eu - OpenPGP: 5819D7E8
> Research Engineer - Dept INF - TMSP (http://www.it-sudparis.eu)

> So bootstrap-vz running debootstrap is probably much of what we need for a bootstrap-vz Docker provider, I guess (and the devil which is in the details).

I agree.

Also a note about lightweightness, using --variant=minbase in a little bootstrap-vz test scenario I was able to get the base install down to 98MB (this includes networking and all the basics). It would be interesting to see if people know some tricks on how to get that number down even further.

Anders
Bug#746394: Please consider shipping pre-built images in Debian packages
On Tuesday, 29 April 2014, 13.46:44 Paul Tagliamonte wrote:

> On Tue, Apr 29, 2014 at 06:38:34PM +0200, Didier Raboud wrote:
>> please consider shipping Debian docker.io pre-built images in proper Debian packages. Having stable pre-built images in Debian packages ensures a trust link within the distribution. I'm not happy with the increasing incentive to download distribution images across untrusted links (although index.docker.io at least runs over HTTPS).
>
> I totally agree. I've been pushing for docker upstream to adopt OpenPGP signatures on images, but it looks like they want to go with SSL Certs. Once those are in place, I'm happy to provide a pseudo-official image.

Well, sorry to nitpick, but having Debian's docker.io package ship a public key to trustfully download non-free distribution images wouldn't make it overly better. Debian users have a trust link with the Debian binary packages as shipped in the distro, but there's no good reason to extend that trust to what docker.io upstream built: we're talking about _big_ archives full of _binaries_ (for which there are strictly no freeness or trustworthiness warranties!) that then run on our machines!

Similar to what we do for debian-installer-netboot-images, I was thinking we could have (at least for Debian docker.io containers) something like:

    # apt install docker.io-image-debian-wheezy

This package would contain a docker.io image built on buildds, updated on point-releases.

> However, a better and more sustainable solution here is to ship a script to create a Debian image via debootstrap. Something small and auditable.

On Tuesday, 29 April 2014, 21.59:49 Jan Wagner wrote:

> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.

There's that, at least. It should get its .sh postfix removed, get updated to support more than amd64 and be shipped as /usr/bin/docker.io-mkimage-debootstrap for example.

> I'd been considering a script to take an sbuild tarball = docker image. I've not done it yet, but this bug is good motivation.

Yay.

> I'll see if there's something I can do to help :)

Yay².

Cheers,
OdyX
Bug#746394: Please consider shipping pre-built images in Debian packages
On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:

> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.

And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.

1. http://people.debian.org/~nomadium/docker/images/

--
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9
Faith means not wanting to know what is true. -- Nietzsche
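One way to check a signed image tarball, like the one mentioned in the message above, before handing it to docker. This is an added example, not part of the thread and not code from docker.io or the debian-cloud team. The SHA256SUMS / SHA256SUMS.sig layout, the keyring path, the file names and the image tag are all assumptions.

```shell
#!/bin/sh
# Added example: gate `docker import` on a signed checksum manifest.
# Assumed layout (not from the thread): SHA256SUMS lists the tarball,
# SHA256SUMS.sig is a detached OpenPGP signature over SHA256SUMS, and the
# keyring file (binary, not ASCII-armored) holds only the signer's key.

# Verify the detached signature. gpgv consults only the given keyring, so a
# key fetched alongside the image is never trusted implicitly.
# $1 = keyring (path containing a slash), $2 = manifest, $3 = signature
verify_manifest_sig() {
    gpgv --keyring "$1" "$3" "$2"
}

# Print the digest the manifest lists for exactly one entry named $2.
# Fails when the name is absent or listed more than once.
# $1 = manifest, $2 = file name (no spaces)
manifest_digest() {
    awk -v n="$2" '
        { f = $2; sub(/^\*/, "", f) }   # sha256sum marks binary mode with "*"
        f == n { print $1; c++ }
        END { exit !(c == 1) }' "$1"
}

# Compare the tarball's SHA-256 with the manifest entry for its base name.
# $1 = tarball, $2 = manifest
verify_tarball() {
    expected=$(manifest_digest "$2" "$(basename "$1")") || return 1
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Import only after both checks pass.
# $1 = keyring, $2 = manifest, $3 = signature, $4 = tarball, $5 = repo:tag
import_verified() {
    verify_manifest_sig "$1" "$2" "$3" || { echo "bad signature: $3" >&2; return 1; }
    verify_tarball "$4" "$2" || { echo "digest mismatch: $4" >&2; return 1; }
    docker import "$4" "$5"
}

# Usage (placeholder names):
#   import_verified ./signer.gpg SHA256SUMS SHA256SUMS.sig \
#       debian-wheezy.tar local/debian:wheezy
```

The signature is checked on the manifest first, so the digest comparison only ever runs against a list the trusted key has vouched for.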
Bug#746394: Please consider shipping pre-built images in Debian packages
Personally, I'd prefer that we use packer instead of bootstrap-vz (https://github.com/andsens/bootstrap-vz) to build official Debian images, which should be published on http://cdimage.debian.org or the more appropriate file server for users to download.

On Thu, May 1, 2014 at 4:21 AM, Miguel Landaeta nomad...@debian.org wrote:

> On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:
>> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.
>
> And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.
>
> 1. http://people.debian.org/~nomadium/docker/images/
>
> --
> Miguel Landaeta, nomadium at debian.org
> secure email with PGP 0x6E608B637D8967E9 available at http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9
> Faith means not wanting to know what is true. -- Nietzsche
Bug#746394: Please consider shipping pre-built images in Debian packages
On 1 May 2014 00:59, Chris Fordham ch...@fordham-nagy.id.au wrote:

> Personally, I'd prefer that we use packer instead of bootstrap-vz (https://github.com/andsens/bootstrap-vz) to build official Debian images, which should be published on http://cdimage.debian.org or the more appropriate file server for users to download.
>
> On Thu, May 1, 2014 at 4:21 AM, Miguel Landaeta nomad...@debian.org wrote:
>
>> On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:
>>> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.
>>
>> And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.
>>
>> 1. http://people.debian.org/~nomadium/docker/images/
>>
>> --
>> Miguel Landaeta, nomadium at debian.org
>> secure email with PGP 0x6E608B637D8967E9 available at http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9
>> Faith means not wanting to know what is true. -- Nietzsche

Could you elaborate on *why* you prefer packer? What are the advantages over bootstrap-vz? As I see it right now, I'd like to ask the question whether you could send packer via email or whether it would fit on a floppy (if you catch my drift https://www.youtube.com/watch?v=SricpmKQd3U ).

Anders
Bug#746394: Please consider shipping pre-built images in Debian packages
On Wed, Apr 30, 2014 at 2:21 PM, Miguel Landaeta nomad...@debian.org wrote:

> On Tue, Apr 29, 2014 at 09:59:49PM +0200, Jan Wagner wrote:
>> Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.
>
> And what debian-cloud team? (CCing them) I don't know if that's outside of the tasks of the team (what do you think guys?) but it would be nice if you can provide properly maintained and signed images? I'm a member of that team (I'm almost inactive although) but maybe we can contribute with that. For example, I have a very simple image in my web page[1] generated with debootstrap and signed with my key since it is the only one I trust so far to play around with docker.
>
> 1. http://people.debian.org/~nomadium/docker/images/

Not a docker user yet, but from what I understand it probably fits in with what we debian-cloud folks are doing and I, for one, would be happy to hear what you are doing. However, I would make sure to collaborate with paultag and the other docker.io package maintainers as I suspect.

At this point, I guess finding a reliable safe distribution channel is the big open question. (This goes back to a trusted/official cloud image listing service I had proposed earlier. Sigh.. I need to follow up on that.)

-Brian
Bug#746394: Please consider shipping pre-built images in Debian packages
Package: docker.io
Version: 0.9.1~dfsg1-2
Severity: wishlist

Hi dear docker.io maintainers,

please consider shipping Debian docker.io pre-built images in proper Debian packages. Having stable pre-built images in Debian packages ensures a trust link within the distribution. I'm not happy with the increasing incentive to download distribution images across untrusted links (although index.docker.io at least runs over HTTPS).

One possibility would be to build docker.io images similarly to what is done for debian-installer-netboot-images: download packages in a trusted way and make sure they get listed in the Built-Using field; then of course make sure they get (bin)NMUed at each stable release update.

Opinions?

Cheers,
OdyX
Bug#746394: Please consider shipping pre-built images in Debian packages
On Tue, Apr 29, 2014 at 06:38:34PM +0200, Didier Raboud wrote:

> Hi dear docker.io maintainers,

Heyya Didier!

> please consider shipping Debian docker.io pre-built images in proper Debian packages. Having stable pre-built images in Debian packages ensures a trust link within the distribution. I'm not happy with the increasing incentive to download distribution images across untrusted links (although index.docker.io at least runs over HTTPS).

I totally agree. I've been pushing for docker upstream to adopt OpenPGP signatures on images, but it looks like they want to go with SSL Certs. Once those are in place, I'm happy to provide a pseudo-official image.

However, a better and more sustainable solution here is to ship a script to create a Debian image via debootstrap. Something small and auditable.

I'd been considering a script to take an sbuild tarball = docker image. I've not done it yet, but this bug is good motivation.

I'll see if there's something I can do to help :)

> One possibility would be to build docker.io images similarly to what is done for debian-installer-netboot-images: download packages in a trusted way and make sure they get listed in the Built-Using field; then of course make sure they get (bin)NMUed at each stable release update.
>
> Opinions?
>
> Cheers, OdyX

Thanks, OdyX!

Paul

--
 .''`.  Paul Tagliamonte paul...@debian.org | Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt
Bug#746394: Please consider shipping pre-built images in Debian packages
On 29.04.2014 19:46, Paul Tagliamonte wrote:

> On Tue, Apr 29, 2014 at 06:38:34PM +0200, Didier Raboud wrote:
>> please consider shipping Debian docker.io pre-built images in proper Debian packages. Having stable pre-built images in Debian packages ensures a trust link within the distribution. I'm not happy with the increasing incentive to download distribution images across untrusted links (although index.docker.io at least runs over HTTPS).
>
> However, a better and more sustainable solution here is to ship a script to create a Debian image via debootstrap. Something small and auditable.
>
> I'd been considering a script to take an sbuild tarball = docker image. I've not done it yet, but this bug is good motivation.

Did you have a look into /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate your own image via debootstrap.

Cheers, Jan.

--
Never write mail to w...@spamfalle.info, you have been warned!