Images #2
Comments
That is interesting. Not sure how far I want to support that, from a security perspective with Docker. Do we really want to give root access out?

Oh, right, they do grant root, which would probably be a bad idea. Weird. This is totally out-of-scope for our initial sprint here, by the way, I just didn't want to lose the idea.

💡 I wonder if we could build our container to run as non-root, but set up a virtualenv (for Python) so users could use Hmm, I bet multyvac hardcodes the root user in the ssh call, though.

As discussed in chat, we could use an image that includes

```dockerfile
FROM progrium/busybox
MAINTAINER Yaser Martinez Palenzuela
RUN opkg-install bash bzip2
ADD conda_install.sh /root/conda_install.sh
#ADD Miniconda3-3.7.3-Linux-x86_64.sh /root/miniconda3/Miniconda3-3.7.3-Linux-x86_64.sh
RUN ["bash", "/root/conda_install.sh"]
ENV PATH /root/miniconda3/bin:$PATH
```

Side note about this image: We can't actually use busybox though, as it doesn't have the ability to add users (unless you build busybox with it). Also, making a minimized base image in a multi-tenant system doesn't make sense because then everyone is building the same layers, resulting in more space rather than less. After installing numpy, scipy, ipython-notebook, scikit-learn there were 12304 files created or modified. The image ended up being 674.6 MB without even installing the rest of the scipy stack and that's only for Python 3. Across hundreds of users that's 100*674.6MB of changes instead of just the 1 base layer shared across.

We should call these "images" to be more familiar to Docker users who aren't familiar with multyvac, but accept "layer" as an alias so we maintain multyvac compatibility.

Multyvac has a feature called a layer, which sounds an awful lot like a `docker run` followed by a `docker commit`.