Compare commits


No commits in common. "57f32743f3c35bed3153e99b61a5af684caecff7" and "1a7e566d5b481d4f7f5d8126940580cd7648a72f" have entirely different histories.

3 changed files with 28 additions and 92 deletions

View File

@ -32,18 +32,14 @@ the feed or `opml2md`'s best guess.
- [Blog JoeRess.com](https://joeress.com) [(Feed)](https://joeress.com/category/blog/feed/)
- [Ctrl blog](https://feed.ctrl.blog) [(Feed)](https://feed.ctrl.blog/latest.atom)
- [Drew DeVault's blog](https://drewdevault.com) [(Feed)](https://drewdevault.com/blog/index.xml)
- [duponin](https://dupon.in/index.xml) [(Feed)](https://dupon.in/index.xml)
- [Gaia Newsletter](https://apprise.prod.gaiaplant.app) [(Feed)](https://apprise.prod.gaiaplant.app/archive.xml)
- [Grumpy Website](https://grumpy.website) [(Feed)](https://grumpy.website/feed.xml)
- [ilja](https://blog.ilja.space/@/ilja/atom.xml) [(Feed)](https://blog.ilja.space/@/ilja/atom.xml)
- [MWL Blather](https://mwl.io) [(Feed)](http://blather.michaelwlucas.com/feed)
- [Paritybit](https://www.paritybit.ca) [(Feed)](https://www.paritybit.ca/feed.xml)
- [Secluded.Site](https://secluded.site) [(Feed)](https://secluded.site/posts/index.xml)
- [Signs of Triviality](http://www.netmeister.org/blog/) [(Feed)](https://www.netmeister.org/blog/rss.xml)
- [Snikket Blog on Snikket Chat](https://snikket.org/blog/index.xml) [(Feed)](https://snikket.org/blog/index.xml)
- [That HTML Blog](https://thathtml.blog/) [(Feed)](https://thathtml.blog/feed.xml)
- [The Spicy Web](https://www.spicyweb.dev/) [(Feed)](https://www.spicyweb.dev/feed.xml)
- [Thib' Blog](https://ergaster.org/) [(Feed)](https://ergaster.org/rss.xml)
- [tonsky.me](http://tonsky.me) [(Feed)](http://tonsky.me/blog/atom.xml)
- [Waldon](https://waldon.blog) [(Feed)](https://waldon.blog/feed)
- [Xe's Blog](https://xeiaso.net/blog) [(Feed)](https://xeiaso.net/blog.rss)
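Review bot: three of the context entries link the site name to the feed file rather than a page (`[duponin](https://dupon.in/index.xml)`, `[ilja](https://blog.ilja.space/@/ilja/atom.xml)`, `[Snikket Blog on Snikket Chat](https://snikket.org/blog/index.xml)`), and two fetch the feed over cleartext (`http://blather.michaelwlucas.com/feed`, `http://tonsky.me/blog/atom.xml`), which lets anything on the path rewrite the feed body before it reaches the reader. Since the context line says this list is generated from the OPML (`the feed or opml2md's best guess`), make both fixes in the OPML (`htmlUrl` for the first group, https `xmlUrl` for the second where the host serves it) rather than by hand here, or the next regeneration undoes them.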
@ -87,7 +83,6 @@ the feed or `opml2md`'s best guess.
- [Hacker Stations](https://hackerstations.com/index.xml) [(Feed)](https://hackerstations.com/index.xml)
- [Ink & Switch](https://www.inkandswitch.com/index.xml) [(Feed)](https://www.inkandswitch.com/index.xml)
- [jmp.chat](https://blog.jmp.chat) [(Feed)](https://blog.jmp.chat/atom.xml)
- [Kagi Blog](https://blog.kagi.com/rss.xml) [(Feed)](https://blog.kagi.com/rss.xml)
- [Modos Laptop](https://www.modos.tech) [(Feed)](https://www.modos.tech/rss)
- [Sourcehut](https://sourcehut.org) [(Feed)](https://sourcehut.org/blog/index.xml)
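Review bot: the hunk header counts 7 lines before and 6 after but only six lines appear here, so the removed entry cannot be checked against the OPML side of this change; confirm both files were regenerated from the same OPML. Of the visible context, `[Hacker Stations](https://hackerstations.com/index.xml)`, `[Ink & Switch](https://www.inkandswitch.com/index.xml)` and `[Kagi Blog](https://blog.kagi.com/rss.xml)` all send readers to raw XML when they click the name; set `htmlUrl` for those entries at the source.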
@ -108,10 +103,10 @@ the feed or `opml2md`'s best guess.
- [Deeplinks](https://www.eff.org) [(Feed)](https://www.eff.org/rss/updates.xml)
- [DEV Community: Gary Kramlich](https://dev.to/feed/grim/) [(Feed)](https://dev.to/feed/grim/)
- [F-Droid](https://f-droid.org) [(Feed)](https://f-droid.org/en/feed.xml)
- [Golang Weekly](https://golangweekly.com/) [(Feed)](https://golangweekly.com/rss/)
- [InfoWorld Matt Asay](https://www.infoworld.com) [(Feed)](http://www.infoworld.com/author/Matt-Asay/index.rss)
- [IPFS Blog & News](https://blog.ipfs.tech) [(Feed)](https://blog.ipfs.tech/index.xml)
- [iTWire - Sam Varghese](https://itwire.com) [(Feed)](http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed)
- [IVPN Blog](https://www.ivpn.net) [(Feed)](https://www.ivpn.net/blog/index.xml)
- [Jack Whitham](https://www.jwhitham.org/) [(Feed)](https://www.jwhitham.org/rss.xml)
- [Jim Salter Ars Technica](https://arstechnica.com) [(Feed)](https://arstechnica.com/author/jimsalter/feed/)
- [Jolla Blog](https://blog.jolla.com) [(Feed)](https://blog.jolla.com/feed/)
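Review bot: the two feeds in this block fetched over plain http (`http://www.infoworld.com/author/Matt-Asay/index.rss`, `http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed`) sit next to https site links for the same publishers, so the cleartext choice looks like an artefact of an old subscription rather than a limitation of the host; check whether each serves the feed over https and update `xmlUrl`, since a feed reader will fetch these unauthenticated on every poll. `[DEV Community: Gary Kramlich](https://dev.to/feed/grim/)` also links the name to the feed path instead of a page.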
@ -133,7 +128,6 @@ the feed or `opml2md`'s best guess.
- [The Invisible Things](https://blog.invisiblethings.org/) [(Feed)](http://blog.invisiblethings.org/feed.xml)
- [The Register](https://www.theregister.com/) [(Feed)](http://www.theregister.co.uk/headlines.atom)
- [The Verge](https://www.theverge.com/) [(Feed)](http://www.theverge.com/rss/full.xml)
- [The Verge - Installer s](https://www.theverge.com/installer-newsletter) [(Feed)](https://www.theverge.com/rss/installer-newsletter/index.xml)
- [Threatpost](https://threatpost.com) [(Feed)](https://threatpost.com/feed)
- [TorrentFreak](https://torrentfreak.com/) [(Feed)](http://feeds.feedburner.com/Torrentfreak)
- [Wired Security](https://www.wired.com) [(Feed)](https://www.wired.com/feed/category/security/latest/rss)
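Review bot: `The Verge - Installer s` reads as a truncated title; the OPML hunk below carries the same text, so it came in with the export and should be corrected there. Four feeds in this block are cleartext (`http://blog.invisiblethings.org/feed.xml`, `http://www.theregister.co.uk/headlines.atom`, `http://www.theverge.com/rss/full.xml`, `http://feeds.feedburner.com/Torrentfreak`), and The Register's points at the old `.co.uk` host while its site link is `theregister.com`; switch to the https `.com` feed if the host serves it.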

View File

@ -48,10 +48,10 @@ migrate as soon as there's an installable release.
RAM, it's going to make do with 200 MBs of RAM and the kernel's <abbr
title="Out Of Memory">OOM</abbr> killer is going to have a fun time 🤠
- **Portability:** once set up and configured, VMs and containers can mostly be
treated as closed boxes; as long as the surrounding environment of the new
host is similar to the previous in terms of communication (proxies, web
servers, etc.), they can just be picked up and dropped between various hosts
as necessary.
treated as black boxes; as long as the surrounding environment of the new host
is similar to the previous in terms of communication (proxies, web servers,
etc.), they can just be picked up and dropped between various hosts as
necessary.
- **Density:** applications are usually much lighter than the systems they're
running on, so it makes sense to run many applications on one system. VMs and
containers facilitate that without sacrificing security.
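Review bot: the unchanged context `VMs and containers facilitate that without sacrificing security` (Density bullet) overstates the container side: the Containers section of this same post describes containers as sharing the host kernel (every diagram hangs them off `Host kernel`) with isolation coming only from namespaces and cgroups, which is a weaker boundary than a hypervisor. Suggest `without giving up much isolation` or one clause naming kernel-sharing as the trade-off. The `closed boxes` to `black boxes` rewording itself is fine.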
@ -124,43 +124,19 @@ hk.os.h.k3.os3.app3: Many apps
## Containers
VMs use virtualisation to achieve isolation. Containers use **namespaces** and
**cgroups**, technologies pioneered in the Linux kernel. By now, though, there
are [equivalents for Windows] and possibly other platforms.
As most people know them right now, containers are exclusive to Linux.[^1] This is
because they use namespaces and cgroups to achieve isolation.
[equivalents for Windows]: https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20170127-introducing-the-host-compute-service-hcs
**[Linux namespaces]** partition kernel resources like process IDs, hostnames,
user IDs, directory hierarchies, network access, etc. This prevents one
collection of processes from seeing or gaining access to data regarding another
collection of processes.
**[Cgroups]** limit, track, and isolate the hardware resource use of a
collection of processes. If you tell a cgroup that it's only allowed to spawn
500 child processes and someone executes a fork bomb, the fork bomb will expand
until it hits that limit. The kernel will prevent it from spawning further
children and you'll have to resolve the issue the same way you would with VMs:
delete and re-create it, restore from a good backup, etc. You can also limit CPU
use, the number of CPU cores it can access, RAM, disk use, and so on.
- **[Linux namespaces]** partition kernel resources like process IDs, hostnames,
user IDs, directory hierarchies, network access, etc.
- **[Cgroups]** limit, track, and isolate the hardware resource use of a set of
processes
[Linux namespaces]: https://en.wikipedia.org/wiki/Linux_namespaces
[Cgroups]: https://en.wikipedia.org/wiki/Cgroups
### Application containers
The most well-known example of application container tech is probably
[Docker.][docker] The goal here is to run a single application as minimally as
possible inside each container. In the case of a single, statically-linked Go
binary, a minimal Docker container might contain nothing more than the binary.
If it's a Python application, you're more likely to use an [Alpine Linux image]
and add your Python dependencies on top of that. If a database is required, that
goes in a separate container. If you've got a web server to handle TLS
termination and proxy your application, that's a third container. One cohesive
system might require many Docker containers to function as intended.
[docker]: https://docker.com/
[Alpine Linux image]: https://hub.docker.com/_/alpine
```kroki {type=d2,d2theme=flagship-terrastruct,d2sketch=true}
Host kernel.Container runtime.c1: Container
Host kernel.Container runtime.c2: Container
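Review bot: `technologies pioneered in the Linux kernel` in the new Containers intro is a history claim the post does not back up, and it sits oddly beside the very next sentence about Windows equivalents; `implemented in the Linux kernel` is what the paragraph actually argues. Two smaller points in the same hunk: the old text carried a `[^1]` footnote marker that is removed here, so check that the footnote definition goes too or it will render orphaned; and the new `Cgroups` bullet ends without a full stop (`... resource use of a set of processes`). Dropping the fork-bomb paragraph also drops the section's only concrete example of what a cgroup limit does when hit; one sentence of it is worth keeping.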
@ -173,21 +149,6 @@ Host kernel.Container runtime.c3.Full OS.Many apps
### System containers
One of the most well-known examples of system container tech is the subject of
this post: LXD! Rather than containing a single application or a very small set
of them, system containers are designed to house entire operating systems, like
[Debian] or [Rocky Linux,][rocky] along with everything required for your
application. Using our examples from above, a single statically-linked Go binary
might run in a full Debian container, just like the Python application might.
The database and webserver might go in _that same_ container.
[Debian]: https://www.debian.org/
[rocky]: https://rockylinux.org/
You treat each container more like you would a VM, but you get the performance
benefit of _not_ virtualising everything. Containers are _much_ lighter than any
virtual machine.
```kroki {type=d2,d2theme=flagship-terrastruct,d2sketch=true}
hk: Host kernel
hk.c1: Container
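Review bot: this hunk deletes the whole explanation of system containers (the Debian/Rocky example, `treat each container more like you would a VM`, and the point that containers are lighter than any VM) and leaves the `### System containers` heading followed directly by the diagram. LXD, the subject of the post, is a system-container tool, so at least a one-sentence definition should survive the cut; the diagram on its own does not say what lives inside `hk.c1`.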
@ -201,41 +162,28 @@ hk.c2.os2.app2: Many apps
hk.c3.os3.app3: Many apps
```
## When to use which
## When to use VMs
{{< adm type="warn" >}}
**Warning:** this is my personal opinion. Please evaluate each technology and
determine for yourself whether it's a suitable fit for your environment.
{{< /adm >}}
As far as I'm aware, VMs are your only option when you want to work with
esoteric hardware or hardware you don't physically have on-hand. It's also your
only option when you want to work with foreign operating systems: running Linux
on Windows, Windows on Linux, or OpenBSD on a Mac all require virtualisation.
Another reason to stick with VMs is for compliance purposes. Containers are
still very new and some regulatory bodies require virtualisation because it's a
decades-old and battle-tested isolation technique.
- Virtualising esoteric hardware
- Virtualising non-Linux operating systems (Windows, macOS)
- Completely isolating processes from one another with a decades-old, battle-tested technique
{{< adm type="note" >}}
See Drew DeVault's blog post [_In praise of qemu_][qemu] for a great use of VMs
[qemu]: https://drewdevault.com/2022/09/02/2022-09-02-In-praise-of-qemu.html
See Drew DeVault's blog post [_In praise of qemu_](https://earl.run/rmBs) for a great use of VMs
{{< /adm >}}
Application containers are particularly popular for [microservices] and
[reproducible builds,][repb] though I personally think [NixOS] is a better fit
for the latter. App containers are also your only option if you want to use
cloud platforms with extreme scaling capabilities like Google Cloud's App Engine
standard environment or AWS's Fargate.
[microservices]: https://en.wikipedia.org/wiki/Microservices
[repb]: https://en.wikipedia.org/wiki/Reproducible_builds
[NixOS]: https://nixos.org/
### When you use application containers
- Microservices
- Extremely reproducible builds
- (NixOS.org would likely be a better fit though)
- Dead-set on using cloud platforms with extreme scaling capabilities (AWS, GCP, etc.)
- When the app you want to run is _only_ distributed as a Docker container and
the maintainers adamantly refuse to support any other deployment method
- (Docker does run in LXD 😉)
- System containers
### System containers
- Anything not listed above 👍
## Crash course to LXD
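Review bot: replacing the direct link to Drew DeVault's post (`https://drewdevault.com/2022/09/02/2022-09-02-In-praise-of-qemu.html`) with the shortener `https://earl.run/rmBs` hides the destination from readers and makes the reference depend on a third-party redirect that can expire or be repointed; keep the canonical URL. Also in this hunk: the two `##` lines at the top suggest `When to use which` became `When to use VMs`, which would leave the VM heading at `##` while `### When you use application containers` and `### System containers` are `###` (and `When you use` should read `When to use`); a stray `- System containers` bullet sits immediately before the `### System containers` heading; `(NixOS.org would likely be a better fit though)` drops the link the old text had; and the old compliance rationale for VMs (regulatory bodies requiring virtualisation) has been collapsed into `decades-old, battle-tested technique`, which no longer says why a reader would care.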

View File

@ -14,18 +14,14 @@
<outline text="Blog JoeRess.com" type="rss" xmlUrl="https://joeress.com/category/blog/feed/" htmlUrl="https://joeress.com"></outline>
<outline text="Ctrl blog" type="rss" xmlUrl="https://feed.ctrl.blog/latest.atom" htmlUrl="https://feed.ctrl.blog"></outline>
<outline text="Drew DeVault&#39;s blog" type="rss" xmlUrl="https://drewdevault.com/blog/index.xml" htmlUrl="https://drewdevault.com"></outline>
<outline text="duponin" type="rss" xmlUrl="https://dupon.in/index.xml" htmlUrl="https://dupon.in/index.xml"></outline>
<outline text="Gaia Newsletter" type="rss" xmlUrl="https://apprise.prod.gaiaplant.app/archive.xml" htmlUrl="https://apprise.prod.gaiaplant.app"></outline>
<outline text="Grumpy Website" type="rss" xmlUrl="https://grumpy.website/feed.xml" htmlUrl="https://grumpy.website"></outline>
<outline text="ilja" type="rss" xmlUrl="https://blog.ilja.space/@/ilja/atom.xml" htmlUrl="https://blog.ilja.space/@/ilja/atom.xml"></outline>
<outline text="MWL Blather" type="rss" xmlUrl="http://blather.michaelwlucas.com/feed" htmlUrl="https://mwl.io"></outline>
<outline text="Paritybit" type="rss" xmlUrl="https://www.paritybit.ca/feed.xml" htmlUrl="https://www.paritybit.ca"></outline>
<outline text="Secluded.Site" type="rss" xmlUrl="https://secluded.site/posts/index.xml" htmlUrl="https://secluded.site"></outline>
<outline text="Signs of Triviality" type="rss" xmlUrl="https://www.netmeister.org/blog/rss.xml" htmlUrl="http://www.netmeister.org/blog/"></outline>
<outline text="Snikket Blog on Snikket Chat" type="rss" xmlUrl="https://snikket.org/blog/index.xml" htmlUrl="https://snikket.org/blog/index.xml"></outline>
<outline text="That HTML Blog" type="rss" xmlUrl="https://thathtml.blog/feed.xml" htmlUrl="https://thathtml.blog/"></outline>
<outline text="The Spicy Web" type="rss" xmlUrl="https://www.spicyweb.dev/feed.xml" htmlUrl="https://www.spicyweb.dev/"></outline>
<outline text="Thib&#39; Blog" type="rss" xmlUrl="https://ergaster.org/rss.xml" htmlUrl="https://ergaster.org/"></outline>
<outline text="tonsky.me" type="rss" xmlUrl="http://tonsky.me/blog/atom.xml" htmlUrl="http://tonsky.me"></outline>
<outline text="Waldon" type="rss" xmlUrl="https://waldon.blog/feed" htmlUrl="https://waldon.blog"></outline>
<outline text="Xe&#39;s Blog" type="rss" xmlUrl="https://xeiaso.net/blog.rss" htmlUrl="https://xeiaso.net/blog"></outline>
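Review bot: `htmlUrl` is set to the feed file for duponin, ilja and Snikket (`htmlUrl="https://dupon.in/index.xml"`, `htmlUrl="https://blog.ilja.space/@/ilja/atom.xml"`, `htmlUrl="https://snikket.org/blog/index.xml"`), which is why the generated markdown links their names to XML; point `htmlUrl` at the site root. `MWL Blather` and `tonsky.me` also poll over plain http (`xmlUrl="http://blather.michaelwlucas.com/feed"`, `xmlUrl="http://tonsky.me/blog/atom.xml"`); since this OPML is what readers import, switch to https where the host serves it.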
@ -66,7 +62,6 @@
<outline text="Hacker Stations" type="rss" xmlUrl="https://hackerstations.com/index.xml" htmlUrl="https://hackerstations.com/index.xml"></outline>
<outline text="Ink &amp; Switch" type="rss" xmlUrl="https://www.inkandswitch.com/index.xml" htmlUrl="https://www.inkandswitch.com/index.xml"></outline>
<outline text="jmp.chat" type="rss" xmlUrl="https://blog.jmp.chat/atom.xml" htmlUrl="https://blog.jmp.chat"></outline>
<outline text="Kagi Blog" type="rss" xmlUrl="https://blog.kagi.com/rss.xml" htmlUrl="https://blog.kagi.com/rss.xml"></outline>
<outline text="Modos Laptop" type="rss" xmlUrl="https://www.modos.tech/rss" htmlUrl="https://www.modos.tech"></outline>
<outline text="Sourcehut" type="rss" xmlUrl="https://sourcehut.org/blog/index.xml" htmlUrl="https://sourcehut.org"></outline>
</outline>
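Review bot: same `htmlUrl`-equals-`xmlUrl` problem for Hacker Stations, Ink & Switch and Kagi Blog (`htmlUrl="https://blog.kagi.com/rss.xml"`). The header counts 7 lines before and 6 after but six are shown, so the deleted entry cannot be matched against the markdown hunk for this block; confirm the markdown was regenerated from this OPML and not edited separately.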
@ -85,10 +80,10 @@
<outline text="Deeplinks" type="rss" xmlUrl="https://www.eff.org/rss/updates.xml" htmlUrl="https://www.eff.org"></outline>
<outline text="DEV Community: Gary Kramlich" type="rss" xmlUrl="https://dev.to/feed/grim/" htmlUrl="https://dev.to/feed/grim/"></outline>
<outline text="F-Droid" type="rss" xmlUrl="https://f-droid.org/en/feed.xml" htmlUrl="https://f-droid.org"></outline>
<outline text="Golang Weekly" type="rss" xmlUrl="https://golangweekly.com/rss/" htmlUrl="https://golangweekly.com/"></outline>
<outline text="InfoWorld Matt Asay" type="rss" xmlUrl="http://www.infoworld.com/author/Matt-Asay/index.rss" htmlUrl="https://www.infoworld.com"></outline>
<outline text="IPFS Blog &amp; News" type="rss" xmlUrl="https://blog.ipfs.tech/index.xml" htmlUrl="https://blog.ipfs.tech"></outline>
<outline text="iTWire - Sam Varghese" type="rss" xmlUrl="http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed" htmlUrl="https://itwire.com"></outline>
<outline text="IVPN Blog" type="rss" xmlUrl="https://www.ivpn.net/blog/index.xml" htmlUrl="https://www.ivpn.net"></outline>
<outline text="Jack Whitham" type="rss" xmlUrl="https://www.jwhitham.org/rss.xml" htmlUrl="https://www.jwhitham.org/"></outline>
<outline text="Jim Salter Ars Technica" type="rss" xmlUrl="https://arstechnica.com/author/jimsalter/feed/" htmlUrl="https://arstechnica.com"></outline>
<outline text="Jolla Blog" type="rss" xmlUrl="https://blog.jolla.com/feed/" htmlUrl="https://blog.jolla.com"></outline>
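Review bot: `xmlUrl="http://www.infoworld.com/author/Matt-Asay/index.rss"` and `xmlUrl="http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed"` are the only cleartext feeds in this block while their `htmlUrl` values are https; an importing reader will fetch these unauthenticated, so check for an https feed at the same path. `DEV Community: Gary Kramlich` has `htmlUrl` set to the feed path `https://dev.to/feed/grim/`.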
@ -110,7 +105,6 @@
<outline text="The Invisible Things" type="rss" xmlUrl="http://blog.invisiblethings.org/feed.xml" htmlUrl="https://blog.invisiblethings.org/"></outline>
<outline text="The Register" type="rss" xmlUrl="http://www.theregister.co.uk/headlines.atom" htmlUrl="https://www.theregister.com/"></outline>
<outline text="The Verge" type="rss" xmlUrl="http://www.theverge.com/rss/full.xml" htmlUrl="https://www.theverge.com/"></outline>
<outline text="The Verge - Installer s" type="rss" xmlUrl="https://www.theverge.com/rss/installer-newsletter/index.xml" htmlUrl="https://www.theverge.com/installer-newsletter"></outline>
<outline text="Threatpost" type="rss" xmlUrl="https://threatpost.com/feed" htmlUrl="https://threatpost.com"></outline>
<outline text="TorrentFreak" type="rss" xmlUrl="http://feeds.feedburner.com/Torrentfreak" htmlUrl="https://torrentfreak.com/"></outline>
<outline text="Wired Security" type="rss" xmlUrl="https://www.wired.com/feed/category/security/latest/rss" htmlUrl="https://www.wired.com"></outline>
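Review bot: the `text="The Verge - Installer s"` title is truncated in the export and should be fixed here, where the markdown is generated from. Four `xmlUrl`s in this block are plain http (`http://blog.invisiblethings.org/feed.xml`, `http://www.theregister.co.uk/headlines.atom`, `http://www.theverge.com/rss/full.xml`, `http://feeds.feedburner.com/Torrentfreak`), and The Register's is on the old `.co.uk` host while its `htmlUrl` is `https://www.theregister.com/`; move to the https `.com` feed if it is served.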