I didn’t use docker. I went from scratch. You need to be able to compile rust and run nginx or similar
this post was submitted on 01 Jun 2023
26 points (100.0% liked)
Technology
39193 readers
71 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 3 years ago
MODERATORS
Most of these projects are FOSS, so you have two options. Either ask the devs for OpenBSD support (but try installing everything on OpenBSD to see what goes wrong). Or try modifying the program yourself to add OpenBSD support.
Developers of these projects often target Linux, since it is by far the most used server kernel/OS. *BSD is not nearly as common.
The only way to potentially change that industry wide is to have enough people stubbornly use *BSD and help implement *BSD support for Linux specific tools they use.
Official support is often only provided with a docker setup as it standardizes bundled libraries and other needed blobs. This makes it easier to support many Linux distros.
It's "annoyingly hard" because you're not using modern tooling. If Docker is unavailable on your preferred OS, then that OS is stuck in the past. Simple as that.
Docker makes it easy to install a program, including all its dependencies, in a repeatable way. Since you're familiar with BSD, it's similar to jails except with better isolation, fewer security holes/issues, and the software you want to run is preinstalled. Docker containers are essentially mmutable which makes upgrades easy - just throw away the old container and replace it with the new version. (persistent files are stored separately, in "volumes")
You can of course manually install the same software by looking at the Dockerfile and manually performing the same steps, but there's no guarantee that it'd work well on an unsupported OS.
It’s “annoyingly hard” because you’re not using modern tooling.
Calling Docker "modern" is a stretch, as it's not much more than glorified Solaris Zones, but please enlighten me: Which feature of a federated web application requires modern tooling?
Since you’re familiar with BSD, it’s similar to jails
OpenBSD does not have jails.
except with better isolation
How so?
fewer security holes/issues
Actually, not using Docker prevents a number of security holes/issues.
and the software you want to run is preinstalled.
If you grab an image with it. You could as well just grab a tar archive with it... with less side effects.
Docker containers are essentially mmutable which makes upgrades easy
And security patches impossible.
Calling Docker “modern” is a stretch, as it’s not much more than glorified Solaris Zone
And yet the OS you're using doesn't support it. Hmm.
OpenBSD does not have jails.
Sorry, I didn't realise that these are FreeBSD-specific (I guess? I'm not too familiar with BSD)
Which feature of a federated web application requires modern tooling?
Deployment. All web apps and APIs are moving towards containerization - Docker for smaller scale deployments, and Kubernetes for large-scale deployments.
except with better isolation How so?
I didn't think jails had CPU, memory, or process limits similar to what cgroup2 provides, but it looks like this functionality was added to FreeBSD at some point. Sorry for the incorrect information.
Actually, not using Docker prevents a number of security holes/issues.
Sure, Docker has had a few issues, but overall it's more secure to run your apps in Docker containers. If an app gets compromised, the attacker will generally be stuck inside the Docker container rather than getting access to your entire system. If you're worried about (very rare) container escape security holes, using unprivileged containers helps - You can run the app inside the container as an unprivileged user, and you can also run the entire Docker container as an unprivileged user on the host system.
And security patches impossible.
Security patches are easier than if you used a tar archive to install the software. With a tar archive you threw into /opt or whatever, the app and its config/data are often stored together, so you need to be mindful of things like not overriding customized config files. Since Dockers containers are immutable and all the actual data is stored elsewhere, it's always safe to delete the container and replace it with a patched version.
And yet the OS you’re using doesn’t support it.
It would, but Docker doesn't support it. I'm not sure how this means that the OS was worse.
Sorry, I didn’t realise that these are FreeBSD-specific
They are, including its descendants (that includes the FreeBSD 4.8 fork DragonFly BSD).
Deployment.
How is "run this black box of arbitrary software, requiring a kernel module and numerous services" a superior deployment than tar xf application.tgz? Just because people do it, people could still do the wrong thing. Not every website is Facebook.
Sorry for the incorrect information.
No problem. I was genuinely curious.
Sure, Docker has had a few issues, but overall it’s more secure to run your apps in Docker containers.
Docker imposes additional attack vectors to the underlying system, a (for example) backdoored PHP application running inside an OpenBSD chroot (OpenBSD runs its built-in web server inside chroot by default, so web applications can never reach anything outside the web folder anyway) does not, if I understand you correctly. I know that you consider the 1979 technology chroot to be not modern, but I wonder which security feature is missing.
Since Dockers containers are immutable and all the actual data is stored elsewhere, it’s always safe to delete the container and replace it with a patched version.
What if nobody maintains the container anymore, although the software itself is still maintained?
I feel you, I tried to install lemmy on the server on which I already run 7 other services (Matrix, PeerTube, my website with rails, Mastodon, another three websites with PHP, Nextcloud, Rainloop, some static HTML websites, and probably more). It's a really small server so not much resources left but everything is working fine sharing one instance of Nginx and one instance of Postgresql.
Lemmy also uses Nginx and Postgresql so I thought great, let me reuse those. But nope, after 4 days of trying I had to give up and get a new Server just for lemmy. I tried the install from scratch, there lemmy would just not compile. Then I tried to reuse the docker-compose but to connect the existing Nginx and Postgresql but nope, Postgresql didn't want to work with it because of a extension which was installed but somehow I couldn't get it to work. And then Nginx with the example config file didn't work at all.
Anyway on the new server it almost worked, the only thing which didn't work were the websockets because the example didn't set up anything for them. But I figured this last part out for myself and now I have to pay 5 EUR more each month to run Lemmy.
For me it was real easy setting up a node, because of docker. Docker+docker-compose were the only requirements to get it running. Docker (or the alternatives are available for a lot of systems, so supporting that makes sure it can run on a lot of machines.
For the remainder of systems, if the administrator decides to go for a less common install, I get that the developers aren't able to support that. There's just too much diversity in that kind of systems.
That's an interesting question. The percentage of servers (with the exception of routers, and other consumer appliances) that run OpenBSD (and variants) is actually extremely low when compared to the amount of servers running Linux. That being said you CAN set it up yourself, rust can easily compile to a binary that works with openbsd by using the target x86_64-unknown-openbsd.
As another commenter said here, *BSD is very far behind the developments of Linux, when compared to developer experience. And realistically, unless you're a huge organization that can dedicate a team of engineers just to manage your system, perhaps because your business is one of those antiquated companies that hate the GPL, or you're someone who likes getting into the weeds, there is no reason to ever use *BSD in a modern system.
there is no reason to ever use *BSD in a modern system.
Pfsense/OPNsense has been running on my router for... I can't even remember how long ago I built it. The BSD family of OSs are great pieces of opensource software and they absolutely have niches they excel at. Use the best tool for the job, and don't fall prey to marketed loyalty.
well I did say:
with the exception of routers, and other consumer appliances
but definitely, use whatever tool you like
And realistically (...) there is no reason to ever use *BSD in a modern system.
In my very personal opinion, there are a few not entirely unimportant advantages to using OpenBSD over Linux (and I suppose users of the other free BSDs have similar lists, but I no longer use any other free BSD):
- Culture. Basically, "shut up and hack". Not wasting the time of project members with dissolute thoughts about social interference, but devoting themselves exclusively to improving the technology so far, leads to the fact that (much like NetBSD) all sorts of technical achievements came out of OpenBSD, including OpenSMTPD, OpenSSH and LibreSSL. Linux to me often seems more like a support group than a technical project.
- Predictability. The Linux community seems to constantly need new completely different approaches to everyday things. The systemd debacle with numerous reports of computers no longer starting (or shutting down) is not yet over, and there is already debate about the now-but-really future of the desktop. Many Linux distributions do not know anything like an "upgrade", the normal approach to a new version is "download the installation DVD and start it". In OpenBSD it is essentially three commands (
sysupgrade,reboot,sysmerge) - and it has never happened to me that after rebooting I was suddenly sitting in front of a completely different system. Yes, all this may not be cool - but predictability seems to me to be a not entirely irrelevant feature (also and especially for large companies). - History. Linux is a clone of Minix, which is itself essentially a clone of BSD, which was not yet free software in 1991. You might as well use the original, right? ;-)
edit: See also my previous answer for further advantages.
If 386BSD had been available when I started on Linux, Linux would probably never had happened.
The GPL licence is not a free licence, rather the opposite. But let's assume that the licence debate is actually relevant: Why should a company that needs to make money selling software be "antiquated" simply because (for example) some of its algorithms are trade secrets?
Indeed, each system bears its distinctive advantages and drawbacks, and the optimal choice often hinges on the specific requirements of the task at hand. Nonetheless, I believe that OpenBSD's utility is limited in contemporary scenarios.
Culture
It's undeniable that OpenBSD has spawned important technologies under its "shut up and hack" mantra, cultivating an environment conducive to technical breakthroughs. Conversely, the Linux ecosystem too has been a breeding ground for major projects, Docker and Git being just a couple of examples. The ethos within each community can differ considerably, contingent upon the project or distribution. The widespread popularity of Linux may attract a varied spectrum of users, some less technically adept than the typical OpenBSD user. However, that doesn't mean it's short on technologically adept contributors.
Predictability
I've chosen to make peace with systemd, seeing it as a necessary compromise, as it has become the preferred choice amongst the developer community. Unless one fancies rewriting systemd .unit files each time something needs to be installed (which I don't), the practical choice is to work with it.
Concerning the upgrading process, many Linux distributions today offer smooth upgrades without necessitating a complete reinstall. Your encounter may rely on the particular distribution you're using. Perhaps it's been a while since you last used Linux. I haven't come across a distro that requires a complete overhaul in quite some time. Rolling release distros are now increasingly prevalent and are even suggested for novices.
With nixos, which is my distribution of choice for the foreseeable future, I have an attribute that your OpenBSD system lacks: reproducibility. I can transfer a handful of configuration files to a brand new computer and replicate my system precisely, encompassing all my installed packages and configurations, including those in $XDG_CONFIG_HOME. It will literally recreate the same exact environment.
History
And both of them are inspired by Unix, what's your point? :P
Why should a company that needs to make money selling software be “antiquated” simply because (for example) some of its algorithms are trade secrets?
I think we're not gonna agree on this, but I believe that all code that matters should be FOSS, there is no reason for a company to keep their algorithms as trade secrets, and if anything being open source can only improve the world, not hinder it.
Unless one fancies rewriting systemd .unit files each time something needs to be installed (which I don’t), the practical choice is to work with it.
The last Linuces I deliberately played with :-) were Gentoo and Void, both being non-systemd distributions by default. The point is that, if Linux was about choice (at least that’s what I’m told rather often than not), a particular init system should not be a component on which other components depend.
At least none of the services on my servers demanded systemd just yet. Maybe I’m a minority.
I can transfer a handful of configuration files to a brand new computer and replicate my system precisely, encompassing all my installed packages and configurations, including those in $XDG_CONFIG_HOME. It will literally recreate the same exact environment.
Sounds like a glorified rsync to me. I can imagine how this could come in handy if you have a whole set of identical machines that should serve the exact same purpose. I never had this situation in my own environments yet.
And both of them are inspired by Unix, what’s your point? :P
The D in BSD means distribution. BSD was Unix until the early 90s. Admittedly, today's BSD is quite a different piece of software than 4.xBSD, especially given that both macOS and OpenBSD started with (a version of) it.
I believe that all code that matters should be FOSS
So do I, and the BSD license is a FOSS license. That does not necessarily mean that you are allowed to sell my code - or that I must not sell mine. Nobody said that FOSS requires “free of charge”. And if you spend quite a lot of money, I’m even sure that Microsoft will gladly sell you the Windows code. I a way, all code is free - it only depends on your bank account.