matcha_addict

@matcha_addict@lemy.lol

This profile is from a federated server and may be incomplete. Browse more on the original instance.

matcha_addict,

The package manager would not be part of the container image. The package manager is only used to build it. The container image will only include the packages the user specifies.

combining portions of images as multi-stage builds

That’s something I am making use of for this, actually :)

What you’re describing not only already exists…

Can you please give an example of a tool that can build a container image by being given only a list of packages it needs to have?

My tool would be as simple as doing something like this:

build-container --packages nodejs-20.1.1, yarn-4.2.2, some-app-i-made-1.0.0

And I would have a container that only has nodejs binary, yarn, and my own app. no package manager or any utils.

matcha_addict,

Did not know about apko. I am not attached to distroless, just thought it was a nice to have. So apko might be a reason I don’t pursue this project anymore. Thanks for showing me!

Your comment is very insightful for other reasons too. Thanks a lot :)

matcha_addict,

I had a feeling nixos would have something, but I avoided it because it seemed more than a day’s worth of learning (and also its a bit opinionated). But I will revisit it one day!

matcha_addict,

the base image is nodejs

Which has its own dockerfile. My proposed tool would allow using other images as base too, but that is not the problem it is solving.

copy your app

Well you’d have to have it compiled or built if that is required in your case. With my system, the build recipe would be a gentoo ebuild (shell-script-like) that you would just reference.

The example I gave is pretty simple, you’re right. Say in another case, you list the following packages:

nodejs, nginx, vpn-app(wireguard), some-system-monitoring-app, my-app

You could start with a nodejs base or an nginx base, and then write the steps to install the other. You’d also have to make sure to get all the deps if they have them.

You’re unlikely to find a ready image that has all what you want. But with my method, you can compose different ones however you like, rather than having to find an image that matches your exact use case.

matcha_addict,

Distroless is not core to the idea. It’s only a nice to have. The main point is the composability, Declarative design, etc.

matcha_addict,

Please demonstrate how the example I gave above can be done with common scripting tools, such it would mimic the declarative experience I described. I don’t think it is possible as you claim.

Can you please point to where I deflected any questions? I looked and could not find any instances of such.

I actually answered the question “why”, please refer to previous comments. It is also answered in the main post. But I will rephrase and summarize again here:

  • when creating a container image that requires certain applications installed, most dockerfiles explicitly install the dependencies of said applications as well. With my tool, you only declare the package you need, and it will resolve dependencies automatically and install them for you.
  • the above would work with distroless containers too, as the package manager used is outside of the produced container.
matcha_addict,

I tried it about a year ago. I don’t remember why I left it, but I think I did have a couple issues with it related to nvidia. I’ll try it again.

matcha_addict,

Not very clear to me that this is any more valuable than OG NixOS.

This sounds a lot like the forgejo vs gitea fork. I love the forgejo people but I am yet to see a sufficient differentiator.

matcha_addict,

Pulling in mainline gitea changes, I did see. But I didn’t see any notable differences from gitea. Do you know of any?

matcha_addict,

Gitea claims to be working on federation too, which puzzles me that forgejo presents it as a differentiator.

matcha_addict,

I like fuzzle as a rofi alternative for wayland. It’s made by the same developer as Foot terminal.

matcha_addict,

How does it compare to XFCE

Iran launches drone attack against Israel as Biden rushes to White House (www.theguardian.com)

Iran said it launched dozens of drones and ballistic missiles towards Israel on Saturday in a major attack following days of acute tension building up in the region and warnings from the US and elsewhere about a wider conflict erupting....

matcha_addict,

Unfortunately, I’m not certain it’s in Israel’s best interest that this doesn’t escalate. They can probably do serious damage to Iran whereas the reverse is far less certain (evidently from this attack). And they knew very well that their embassy attack will bring Iranian retaliation. Now they’ll just use that for an even greater response.

matcha_addict,

Painting Israel as a victim just for having a small population / geography… I don’t know about that. They’ve committed far too many massscres since their inception to be portrayed like that.

matcha_addict,

If we keep going back, Israel has committed far too many hostilities that were never responded to. Hell, they bomb syria most weeks without any retaliation form Syria. They commit horrors against west bank citizens all the time.

matcha_addict,

You cannot say it started with hezbollah and Hamas were shooting rockets into Israel. The occupation has been committing massscres since 1917.

matcha_addict,

Israel doing more genocide. Disappointing but not surprising.

matcha_addict,

Call it whatever you want, I literally don’t care about emantics and I won’t argue them. It doesn’t discount the horror that Israel commits.

matcha_addict,

No one reading your comment will take you seriously when you claim OP said something they didn’t say. You realize the comment is right there for us to read, right?

matcha_addict,

As opposed to an active genocidal occupier in Palestine?

matcha_addict,

Not really. The occupation only began in 1917 at the earliest categorization.

matcha_addict,

Where did I make any self rule claims? Don’t see why it’s relevant.

matcha_addict,

I think I understand your point of confusion. The original comment said this has been going on for thousands of years, and I meant to say that it only began around 1917. Although there was an Ottoman occupation before the brief Arab rule period, the Ottoman occupation did not have the turmoil and issues associated with the Zionist occupation.

matcha_addict,

Given they mention arch and gentoo, I suppose they intend it as a daily driver / desktop.

matcha_addict,

By your logic, you cannot dismiss the project for being a personal one. Only if it fails, is it dismissable.

matcha_addict,

Didn’t say you can’t whatever you want. I said “by your logic”. That was assuming you don’t contradict your own logic, but of course you can otherwise :)

matcha_addict,

When I thought about this question, I decided to ditch both sudo and doas entirely. I am certain this is an unpopular opinion, but I preferred setting up a granular permission + user system instead, and keeping root privileges for only a handful of use cases (primarily for system updates and package installations).

For anything else, a dedicated user is created, and given only permissions to do that exact thing only. Many of these users have no shell access at all, and for the ones that do, I use a password manager so I don’t have to memorize passwords for all of these users.

matcha_addict,

The short answer is that my distro did not let me do this easily. But that was for good reason.

A system update would require too many privileges that it would be almost indistinguishable from root.

Currently, every user I have is restricted in what files it has access to. A system update user would need access to so many files, including install locations of all binaries, and non-binary installation paths of all current and future programs I install (some package installs modify /var, many modify /etc, and so on).

This user will also have access to all these programs, down to system applications. It can trivially break a permission system I come up with.

It may be possible to restrict system updates to a user, but it would be such a powerful user that its not really worth it.

matcha_addict,

Yes I did, and that’s a very good point. What sudo does not allow me to do is grant a user access to modify or read specific files or directories. I can get both that and access to executing specific programs using a users/groups permission system.

Another thing I don’t like about sudo is that you end up using the same password for everything, which is also the password for logging in. Putting higher privileges behind my same login password opens me to a single point of failure.

matcha_addict,

Only the root user has access to system updates on my system currently.

What does rpm-ostree update do exactly? Does it execute the update? Or is that the rebase command only?

matcha_addict,

I see. I have little knowledge, but I bet that the “root privileges” part of this process is the reboot. Upon rebooting, system updates are applied from the new image via some privileged process.

That’s pretty neat. Unfortunately I haven’t ventured deeply enough into that type of system yet (was it called immutable distro or something?). I use gentoo, which doesn’t support this out of the box.

Thanks for showing me something new!

matcha_addict,

I daily drive wayland with nvidia and I play games modestly. I have Xorg installed as backup for when issues happen, but it’s been pretty rare in the last couple months.

Explicit sync Wayland protocol has finally been merged! (gitlab.freedesktop.org)

Since nvidia drivers do not properly implement implicit sync, this protocol not existing is the root cause of flickering with nvidia graphics on Wayland. This MR being merged means that Wayland might finally be usable with nvidia graphics with the next driver release....

matcha_addict,

For what it’s worth, I have only minor issues on wayland with nvidia, and all were fixable by changing some configuration option or something.

Maybe my demands aren’t too heavy, but I do play games. I also use gentoo which makes fixing things easier.

matcha_addict,

So is each Firefox tab a separate window with this design? And thus managed by sway as separate windows and tabbed accordingly?

matcha_addict,

4 GB RAM is not enough if you plan on using multiple tabs on a browser. And I don’t mean a ridiculous number of tabs. You might run out from 4 tabs or so.

matcha_addict,

I use foot because it’s wayland native and the developer is a very nice person. Only thing missing from it for me is ligature support.

A close second for me is WezTerm. It is very full featured, although I do not use a lot of its features. Developer is also extremely nice and helpful. It does have ligature support.

I personally use tiling window managers, so I have no need for built-in tiling / tabbing features.

Does anyone run their desktop environment containerized?

I’m used to using Linux from the terminal. I have a new machine which I plan to use mostly headless but would occasionally like to run a desktop environment and play games with GPU acceleration. I know I don’t have to launch the desktop environment on startup, but I was wondering if it’s possible to have that entire...

matcha_addict,

What are your goals? What’s the motive to containerize? Is it security?

Do you specifically need a full DE, or are you okay with something more lightweight like a window manager or kiosk mode display?

matcha_addict,

Why not nix?

I ask because I’ve been thinking of trying Guix or Nix. I lean more towards nix due to popularity but also because theoretically a language tailored for package recipes may do better than guille.

matcha_addict,

Stopped hopping when I realized most distros are just debian with certain things pre-installed or pre-configured. Decided to compare base distros, and settled on Gentoo for its powerful features, transparency and customizability.

matcha_addict,

I’ve created one project that no one uses. I’ve found a lot of friction contributing to existing projects. There has to be:

  • something to do
  • the maintainer is cool with having it done
  • the maintainer is okay not doing it themselves
  • is within my expertise or requires an acceptable amount of ramp up learning

Then I have to make sure to learn their code of conduct and do it exactly the way they want. Do they want testing? Do they want me to update the docs? So I have to get green light from maintainer to start? Etc.

matcha_addict,

I feel like this should be more about DE choice than distro.

matcha_addict,

How? Security is one of its selling points.

matcha_addict,

I agree, tho trivially solvable with aliases and Desktop app definitions, but still an extra step.

matcha_addict,

It looks to be similar. I’m not sure how trivial it is to add this. For nginx it’s basically built in. You just give it the Lua code. It’s also pretty capable. You can basically write a whole API back-end in it, which is pretty good for small APIs or functionalities, like an image resizing API.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • fightinggames
  • All magazines
    •