hurr durrr babby's first script is possibly dangerous and has so many dependencies it needs its own special sandbox to play in

# ? May 10, 2022 05:09

if your stack doesn't look like this you're basically a greybeard running solaris on a blade 1000

# ? May 10, 2022 16:04

"kubernetes" sounds like a german STI

# ? May 10, 2022 16:14

Beeftweeter posted: hurr durrr babby's first script is possibly dangerous and has so many dependencies it needs its own special sandbox to play in

it isn't and doesn't though? it's just easy to install. took me like 30 seconds. btw cron is deprecated yall stop suggesting it

# ? May 10, 2022 16:17

https://github.com/Jeeaaasus/youtube-dl/blob/master/Dockerfile#L43

Let's embed our dependency version and url into our Dockerfile! Well, only if we're running x86_64 -- otherwise let's just use the latest version of the distro package. Why not always use the distro ffmpeg?

Then this poo poo: https://github.com/Jeeaaasus/youtube-dl/blob/master/Dockerfile#L79

Why? Just Why? Don't run a loving init inside your container. Run containers for each service. An init in your container just obscures the visibility docker provides into your service and fucks up your logging situation. One (primary application) process, one container, one set of logs.

# ? May 10, 2022 16:32

Beeftweeter posted: hurr durrr babby's first script is possibly dangerous and has so many dependencies it needs its own special sandbox to play in

It's worse than babby's first script, because when you cram babby's first script into a Dockerfile, babby starts having to escape each of their scripts so the full script runs in a single RUN, and cleans up after itself so as to not pollute the layer.

# ? May 10, 2022 16:36

nudgenudgetilt posted: https://github.com/Jeeaaasus/youtube-dl/blob/master/Dockerfile#L43

i don't care. this is so i can download music videos via youtube.

# ? May 10, 2022 16:42

Jonny 290 posted: it isn't and doesn't though? it's just easy to install. took me like 30 seconds. btw cron is deprecated yall stop suggesting it

"pip install youtube-dl" is kinda easy, too. it even works on ios!

# ? May 10, 2022 16:47

Beeftweeter posted: "pip install youtube-dl" is kinda easy, too. it even works on ios!

so is apt-get install (youtube-dl|yt-dlp). you can even get up to date versions from backports

# ? May 10, 2022 17:02

Jonny 290 posted: i don't care. this is so i can download music videos via youtube.

Jonny 290 posted: Because I like Docker a whole lot and containerize everything i can and also i do it for my job now.

Next do you do this bullshit at work though?

# ? May 10, 2022 17:03

Something there is that doesn't love a container
He only says, "good process isolation makes good neighbors"

# ? May 10, 2022 17:50

nudgenudgetilt posted: do you do this bullshit at work though?

you know full well the only container jonny290 touches at work is the cargo container he runs his pirate radio station out of

# ? May 10, 2022 17:51

RokosCockatrice posted: Something there is that doesn't love a container

# ? May 10, 2022 18:03

let's just sandbox the container of the vm running a sandbox inside of a container (don't call it a sandbox). surely this will solve our problems

# ? May 10, 2022 18:06

RokosCockatrice posted: you know full well the only container jonny290 touches at work is the cargo container he runs his pirate radio station out of

goddamn 05's

# ? May 10, 2022 18:07

At work my containers have a /init. Some of them even have a complicated python script that sets up the container! (The containers are used for development and embedded build systems, and do not run long-standing services.)

# ? May 10, 2022 18:15

i did a thing on my old rear end android phone because i'm a big dumb baby

# ? May 10, 2022 18:19

BlankSystemDaemon posted: docker doesn't provide isolation

https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container#isolation-examples

Hth op

# ? May 10, 2022 19:04

nudgenudgetilt posted: do you do this bullshit at work though?

No, but our customers do. we're a kubernetes provider. we dont loving care what they run in there, we're just gonna bill for cpu anyways

# ? May 10, 2022 19:15

who needs they cpuuy ate

# ? May 10, 2022 19:27

Mr. Crow posted: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container#isolation-examples

# ? May 10, 2022 20:57

i’m really mad about docker

# ? May 10, 2022 21:10

don't they know they're doing it WRONG?? they should be ASHAMED

# ? May 10, 2022 23:49

i'm angry. ANGRY ABOUT LINUX you know, the thing with the stuff that's super redundant and gives you several slightly different ways of doing things, man that really pisses me off.

# ? May 10, 2022 23:52

I'm sure the mixup about docker isolation was made in good faith and a quick link to the docs will clear it up

# ? May 10, 2022 23:55

nudgenudgetilt posted: https://github.com/Jeeaaasus/youtube-dl/blob/master/Dockerfile#L43

you should always use an init, you need something to reap zombies and handle signal propagation correctly and that poo poo does not belong in your app

# ? May 11, 2022 00:33

the correct way to use docker is `shutdown -h now`

# ? May 11, 2022 00:52

I always code:
To make sure if anyone ever makes the mistake of calling docker, they feel it.

# ? May 11, 2022 01:34

my homie dhall posted: you should always use an init, you need something to reap zombies and handle signal propagation correctly and that poo poo does not belong in your app

docker has provided a reaping init via --init for the better part of a decade. I'm saying don't do full on process management modern init inside docker, because you end up fighting against both the init system and the process management/logging facilities provided by docker (or whatever container runtime you've chosen with the exception of lx[cd]).

and yeah, your app *does* need to handle reaping and signal propagation itself. putting an init process under your app is only useful if your app both spawns processes it fails to reap *and* regularly exits, so that the zombies can be re-parented to init and reaped. if you're spawning children and failing to reap them and never exiting, the zombies will chill until the parent exits

outhole surfer fucked around with this message at 02:25 on May 11, 2022

# ? May 11, 2022 02:13

nudgenudgetilt posted: docker has provided a reaping init via --init for the better part of a decade.

so you agree whenever your app actually runs, there needs to be an init and it should not be your application, that's good.

believe it or not, if your deployable unit is a container, there are legitimate use cases for needing more than one OS process inside of it. it's why the deployable unit of orchestrators is explicitly not containers, but something higher level like pods

# ? May 11, 2022 04:05

my homie dhall posted: so you agree whenever your app actually runs, there needs to be an init and it should not be your application, that's good.

I'm saying all processes that spawn children should reap their children, but having --init is useful for when you're dealing with incompetently built applications

if you're constrained that your deployable unit has to be a single container, but you need to run multiple services, use a containerization engine that exposes service state and logging to your host service and logging infrastructure -- systemd-nspawn, lxc, etc.

the problem with using s6 on docker is that you've thrown away all logging and process management built into docker and have to expose logs via volumes, have to inspect processes by shelling into the container, and generally have to janitor it like a vm

if you want to target docker, replace s6 with a docker compose file that makes it easy to inspect service state and logs without having to cowboy up a shell. it also means the same image can easily be reused in k8s to plug and play with all your bullshit infra there

# ? May 11, 2022 05:18

Jonny 290 posted: it isn't and doesn't though? it's just easy to install. took me like 30 seconds. btw cron is deprecated yall stop suggesting it

sheesh, it's always been a scheduled batch job. no matter what mainframe OS you're running, why would UNIX call theirs "cron" and go completely against standard nomenclature

# ? May 11, 2022 09:01

Beeftweeter posted: i'm angry. ANGRY ABOUT LINUX

this but unironically

Linux in particular and UNIX in general will give you five different ways to accomplish a goal and none of them will be the best way to do it unless one happened to have an author focused on exactly your goal or one isomorphic to it

like why would you have a batching & queueing system with both immediate and scheduled jobs, unique and repeated jobs, and sensible priority mechanisms, when you can have multiple job scheduling systems and multiple queuing systems with no implementation sharing, only vague interaction, and essentially no thought given to prioritization?

# ? May 11, 2022 09:10

yes, having users results in a bigger ecosystem

# ? May 11, 2022 09:25

perhaps ... all software ... is a POS

# ? May 11, 2022 10:48

nudgenudgetilt posted: do you do this bullshit at work though?

a few months back we had a problem with our vm cluster being unable to connect to ntp from outside, and the other protocols couldn't work, because the fake hardware clock only supported PTP and the distro used only had timesyncd instead of chronyd. i got fed up and stuck this to the cloud-config.yml: code:

why did i run chrony in a docker instead of figuring out how to replace timesyncd with chronyd in the vm image? because gently caress linux, that's why. one tool to rule them all

eschaton posted: this but unironically

# ? May 11, 2022 11:14

nudgenudgetilt posted: I'm saying all processes that spawn children should reap their children, but having --init is useful for when you're dealing with incompetently built applications

lol do people really refer to systemd as s6, jesus christ

anyway, I wouldn't recommend running systemd in a container either, that'd be redacted. the point I'm trying to convey to you is sometimes a "service" may be composed of multiple OS processes working cooperatively and it's not exactly uncommon. a trivial example is an application with something running alongside it that's polling or listening for changes from an external system, writing to a file, and sending the application a sighup when that happens. the application itself should only have to know about what to do when it gets a sighup and how to serve farts

so you need something there (I really like remco for this pattern specifically, but there are others) to monitor the processes and if they go down either restart them and keep going or kill itself so the container will die. and it should reap zombies as well, they are much easier to appear than you seem to think

# ? May 11, 2022 11:42

my homie dhall posted: lol do people really refer to systemd as s6, jesus christ

Lol no https://skarnet.org/software/s6/

# ? May 11, 2022 11:47

o whoops lol

# ? May 11, 2022 12:52

my homie dhall posted: so you need something there (I really like remco for this pattern specifically, but there are others) to monitor the processes and if they go down either restart them and keep going or kill itself so the container will die. and it should reap zombies as well, they are much easier to appear than you seem to think

If you're running on docker, literally all the above is provided by docker itself. you don't need to wedge process supervision inside of the docker container, because dockerd *is* the process supervision.

an init doesn't magically reap zombies that haven't been reparented under it. if you have pid 1 init, and pid 2 misbehaving application that spawns children, pid 1 cannot reap any children until pid 2 has exited. if the process that spawned the zombie doesn't exit regularly, your init process isn't doing poo poo for you with regard to zombies.

zombie processes are both trivial to avoid, and trivial to gently caress up and create. they don't magically appear, they come from a specific well known gently caress-up.

# ? May 11, 2022 14:11

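The pid 1 vs pid 2 argument above, as an added example (mine, not code from the thread): the script makes itself the adopter of orphans with prctl(PR_SET_CHILD_SUBREAPER), the same job pid 1 or docker --init does, forks a "misbehaving app" that leaves a zombie, and shows that the zombie cannot be reaped by the init-like process until the app itself exits. It assumes Linux with /proc mounted.

```python
import ctypes
import os
import signal
import time

PR_SET_CHILD_SUBREAPER = 36  # value from <linux/prctl.h>

def become_subreaper():  # adopt orphaned descendants the way pid 1 / docker --init does
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_CHILD_SUBREAPER) failed")

def proc_state(pid):  # one-letter state from /proc/<pid>/stat; 'Z' means zombie
    with open(f"/proc/{pid}/stat") as f:
        return f.read().rsplit(")", 1)[1].split()[0]

def try_reap(pid):  # non-blocking waitpid: True if reaped, False if alive or not our child
    try:
        return os.waitpid(pid, os.WNOHANG)[0] == pid
    except ChildProcessError:  # ECHILD: pid is not (yet) a child of ours
        return False

def wait_for(check, tries=500):  # poll check() every 10 ms, up to ~5 s
    for _ in range(tries):
        if check():
            return True
        time.sleep(0.01)
    return False

def demo():
    become_subreaper()
    r, w = os.pipe()
    app = os.fork()
    if app == 0:  # the "misbehaving app": forks a worker and never wait()s for it
        worker = os.fork()
        if worker == 0:
            os._exit(0)  # worker exits at once; unreaped, it lingers as a zombie
        os.write(w, str(worker).encode())
        signal.pause()  # keep running, never reaping, until SIGKILLed below
    worker = int(os.read(r, 32))
    os.close(r)
    os.close(w)
    zombie_while_app_alive = wait_for(lambda: proc_state(worker) == "Z")
    reaped_early = try_reap(worker)  # False: still the app's child, not ours
    os.kill(app, signal.SIGKILL)     # app exits -> its zombie is reparented to us
    os.waitpid(app, 0)
    reaped_late = wait_for(lambda: try_reap(worker))  # now waitpid succeeds
    return zombie_while_app_alive, reaped_early, reaped_late

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same three outcomes hold whether the adopter is this script, a container's pid 1, or the tini-style process that docker --init injects: the supervisor only gets to reap once the leaky parent is gone.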