From: Jason Zaman <perfinion@gentoo.org>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Re: docker updates
Date: Sat, 28 Feb 2015 11:19:37 +0800
Message-ID: <20150228031937.GB8074@meriadoc.perfinion.com>
In-Reply-To: <20150227180452.GE6224@home.power>
On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote:
> Hi!
>
> On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote:
> > Somewhat sarcastic but actually true. I don't recommend running
> > production applications inside of Gentoo based containers.
>
> This makes sense for Gentoo, but my question was CC'd to this list not as
> off-topic: my host will be Hardened Gentoo, so the kernel used by the docker
> images will support GrSecurity & PaX, and I want to have the protection provided
> by hardened gcc for binaries run inside docker images.
>
> > I highly recommend making containers as small as possible. That
> > means using statically linked executables and removing all
> > traces of what we know as a distribution. Production containers
> > should not be based on Gentoo images.
>
> Okay, not sure why it's so important, but this doesn't change anything -
> these statically linked executables without any traces of Gentoo should
> still be compiled with hardened gcc.
>
> > docker pull ${NEW_IMAGE}
>
> So, what should $NEW_IMAGE be to let me get a small, nice image with
> up-to-date binaries built with hardened gcc? :-)
I am not that familiar with docker, but I thought the idea was that you
build your own container images with your requirements? i.e. re-build the
image just once on only one server and then send it around to all the
others.
Alternatively, if you did not want to re-build the images themselves,
you could always set up a Gentoo binhost on one machine and make all the
other containers pull those packages so there will not be the wasted
time compiling.
-- Jason
>
> --
> WBR, Alex.
>
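The two approaches Jason outlines (build the image once on one machine, or let one machine produce binary packages that everything else pulls) can be combined in a single Dockerfile. The following is an added example, not code from the thread or from Gentoo: a builder stage on a hardened Gentoo stage3 emerges the application with `FEATURES="buildpkg"` (so its `PKGDIR` can also be served as a binhost), refuses to continue unless the resulting binary shows the non-executable stack and stack-protector references expected from hardened gcc, and a final `scratch` stage ships only the static executable. The base image tag, the package atom and the binary path are placeholders, and `static`/`static-libs` USE flags are assumed to be honoured by the package being built; multi-stage builds postdate the 2015 thread.

```dockerfile
# Added example, not from the thread. Placeholders (replace before use):
#   HARDENED_BASE - a Gentoo stage3 image built against the hardened profile
#   APP_ATOM      - the package atom to build, e.g. category/name
#   APP_BIN       - path of the produced executable inside the builder
ARG HARDENED_BASE=gentoo-hardened-stage3:PLACEHOLDER
FROM ${HARDENED_BASE} AS builder
ARG APP_ATOM=app-misc/example-placeholder
ARG APP_BIN=/usr/bin/example-placeholder

# buildpkg writes a binary package for every merge, so this stage's PKGDIR
# can be exported and served as a binhost to other machines instead of
# recompiling everywhere. nostrip keeps the symbol table so the hardening
# check below can look for __stack_chk_fail; strip later if size matters.
RUN printf '%s\n' \
      'FEATURES="buildpkg nostrip"' \
      'USE="static static-libs"' \
      >> /etc/portage/make.conf \
 && emerge-webrsync \
 && emerge --quiet "${APP_ATOM}"

# Fail the build unless the binary carries what hardened gcc should give it:
#  - GNU_STACK segment flagged RW (no E), i.e. a non-executable stack
#  - references to __stack_chk_fail, i.e. stack-smashing protection linked in
#  - a fully static link, so no distribution libraries are needed at runtime
# PIE/RELRO are deliberately not checked: a fully static executable of this
# era is not position independent, so those checks would always fail.
RUN set -e; \
    readelf -lW "${APP_BIN}" | grep -q 'GNU_STACK .* RW '; \
    nm "${APP_BIN}" | grep -q '__stack_chk_fail'; \
    file "${APP_BIN}" | grep -q 'statically linked'

# Final image: only the verified executable, run as an unprivileged uid.
FROM scratch
ARG APP_BIN=/usr/bin/example-placeholder
COPY --from=builder ${APP_BIN} /app
USER 65534:65534
ENTRYPOINT ["/app"]
```

Build it once with `docker build --build-arg HARDENED_BASE=... --build-arg APP_ATOM=... .` and push the result to your registry; the builder stage's `/var/cache/binpkgs` (Portage's default `PKGDIR`) can be copied out with `docker cp` and served over HTTP as the `PORTAGE_BINHOST` for other hosts, which is Jason's second suggestion.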