Hi,

On Fri, Feb 26, Walddys Emmanuel Dorrejo Céspedes wrote:
> Hello, I am fascinated by MicroOS and by the concept of transactional-update; this got 1000% of the juice of the concept of hier on Linux/GNULinux.
> Now I am creating this thread to see if it is possible for the devs to make the following changes to the images:
> In my opinion these packages need to be installed in the podman mode of MicroOS:
I will answer from the "Container Host" System Role view, not the plain MicroOS or MicroOS Desktop view.
> - AppArmor pattern - the selection of packages is incomplete:
>   - Packages installed:
>     * apparmor-parser
>     * apparmor-profiles
>     * patterns-microOS-apparmor
We are running our workloads as containers and thus use SELinux, not AppArmor.
>   - Packages not installed (but which have to be installed by default):
>     * apparmor-utils (the most basic one, and it is not installed). This package brings the AppArmor control of the rules; I have a rootless podman and the php-fpm pod is not working because I can't change the profile of this app.
>     * apparmor-docs
Since we use SELinux we don't need them.
> - YaST2
>   - Packages that need to come by default:
>     * yast2-storage-ng
>     * yast2-apparmor
MicroOS does not use YaST as local system management tool, as most modules don't work on a read-only root filesystem. We have/are working on Cockpit.
> - Firewall
>   - Packages that need to come by default:
>     * firewalld
Firewall and containers together is a really bad idea. Since the container runtime and firewalld are both using iptables, there are very fast conflicts and either the one or the other gets broken. Better be careful on which services you run and which ports are open. If there are no open ports, you need no firewall. And if there are only open ports you would open in the firewall anyway, the firewall does not help either. Don't forget: workloads are running in containers, and if there is something opening a port you don't want, the container runtime will hide this port from outside.
> - transactional-update
>   - Packages that must come installed by default:
>     * inotify-tools (how can a module be shipped without its dependencies? If this package is not installed, --do-not-change won't work)
If there are wrong dependencies, please open a bug.
> - Other packages:
>   * git
What's the use case? But you could also put that into a container.
>   * man
We have no docu, else: "busybox man"
>   * wget
MicroOS should be as small as possible. So since something already requires curl, we are using curl and not wget. Else there is still "busybox wget".
>   * docker
We are using podman.

Thorsten
> and that's my opinion.
> Thank you for the hard work.
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
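As an added illustration of the point above about watching which ports are actually open on a container host instead of relying on firewalld (this is not part of the thread and not SUSE or podman code): a small POSIX shell check that lists host TCP listeners on non-loopback addresses and flags the ones no container publishes. The `ss` and `podman ps` output used here is constructed sample data; on a real host you would feed in the live output of `ss -Hltn` and `podman ps --format '{{.Ports}}'`.

```shell
#!/bin/sh
# Added example: audit a container host's open TCP ports against the ports
# its containers publish. Constructed sample data stands in for the live commands.

# Constructed sample of `ss -Hltn` (host TCP listeners, no header line).
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of `podman ps --format "{{.Ports}}"`, one mapping per line.
# Assumes IPv4 single-port mappings ("host:port->container/proto"), not ranges.
PODMAN_SAMPLE='0.0.0.0:8080->80/tcp
0.0.0.0:8443->443/tcp'

# Host ports listening on non-loopback addresses. Loopback-only services are
# not reachable from outside and are skipped. Column 4 of ss is "addr:port".
host_listen_ports() {
  printf '%s\n' "$SS_SAMPLE" | awk '
    $4 !~ /^127\./ && $4 !~ /^\[::1\]/ {
      n = split($4, a, ":"); print a[n] }' | sort -un
}

# Host-side ports that containers publish (the number before "->").
published_ports() {
  printf '%s\n' "$PODMAN_SAMPLE" | sed -n 's/^[^:]*:\([0-9]*\)->.*/\1/p' | sort -un
}

# Set difference: host listeners that no container accounts for. These are the
# host services to review, because the runtime only hides ports of its own
# containers that were not published; a host daemon is outside its control.
unpublished_host_ports() {
  { published_ports | sed 's/^/P /'; host_listen_ports | sed 's/^/H /'; } |
    awk '$1 == "P" { pub[$2] = 1 } $1 == "H" && !($2 in pub) { print $2 }'
}

unpublished_host_ports   # prints 22 for the sample data (sshd on the host)
```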