[Users] Why open source OpenVZ project require commercial CloudLinux as platform?

Scott Dowdle dowdle at montanalinux.org
Tue Jun 30 04:15:38 PDT 2015


Greetings,

----- Original Message -----
> Scott, I could ask you one simple thing. Please read this ticket
> https://bugzilla.openvz.org/show_bug.cgi?id=3227 and share your
> experience here.
> 
> If you think it's OK to offer _official_ templates with a bunch of
> security issues I could agree with you and revoke all my complaints.

I think it is "OK"... in fact... it is double plus special ok fine.

Really.

Distros don't update their install media every time there is a security update... so why should OpenVZ?  If they even attempted it, they'd be building updated OS Templates 24/7 round the clock.

As mentioned in the ticket... the particular issue you mentioned was fixed the next OS Template refresh... and it is just the normal ebb-and-flow of bug fixes and security updates: 1) The OpenVZ Project rebuilds their official OS Templates periodically and they are (very close to) current at release time, and 2) A container user is not relinquished of their duties to manage their system with keeping it updated... by using the stock / standard package tools provided by the distro maker.

For a comparison, have you seen the recently released analysis report of the Docker images?  That too I think is overblown... but you get my point.
 
> That's why I'm really interested in a completely open source _automatic_
> template build system for my company.

This has been an ongoing issue for 6 or 7 years now with the demise of vzpkg... and renewed energy and questions about it are probably helpful... but I don't see any major breakthroughs coming for a few months... so those scripts you seem to turn your nose up at... are about the best you are going to get... unless of course more people dig into the vztt stuff and get it going.  Again, while those scripts might be a bit amateurish... they aren't really dramatically different (in methodology) than past and future OS Template build systems... nor are the results.  I guess it falls into the works-for-me-but-not-you category.

Since you trust the kernel OpenVZ gives you (or have you really gone through the sources with a fine-tooth-comb?)... I don't see why it is such a stretch to trust the OS Templates that they provide as well.  If you want to put some effort into alleviating your "backdoor fear" with the official OS Templates... all you have to do is create a container from them, get a package list... verify the packages... see what files exist that weren't provided by the official distro packages... and whatever files didn't verify (probably a very small list for both)... and verify that there is nothing fishy going on.  It shouldn't be too difficult.  Utilizing the official OS Templates, it is easy to update them yourself (1) Make container, 2) update container, 3) stop container, 4) do minor cleanup, and 5) compress the directory structure into a new OS Template file) for in-between official OS Template releases... so they are current.

Yeah, that's all some work... and you are a busy guy... servicing your own customers and all... and while donating containers to people who already use containers isn't anything to scoff at... it probably isn't going to get all of the work you want done... done.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
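
An added example, not part of the message above: one way to script the check it describes (package list, package verification, files not provided by distro packages), assuming an RPM-based template. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an RPM-based template.
# Collect the three inputs inside a container created from the template:
#   rpm -qal             > owned.txt    # every path claimed by a package
#   find / -xdev -type f > present.txt  # every regular file on disk
#   rpm -Va              > verify.txt   # per-file verification results

# Print files present on disk that no installed package claims.
unowned_files() {   # $1 = present list, $2 = owned list
    tmp=$(mktemp -d)
    LC_ALL=C sort -u "$1" > "$tmp/present"
    LC_ALL=C sort -u "$2" > "$tmp/owned"
    LC_ALL=C comm -23 "$tmp/present" "$tmp/owned"
    rm -rf "$tmp"
}

# Summarise `rpm -Va` output: packaged files that are missing or whose
# digest differs ("5" in column 3). Changed config files (marker "c") are
# labelled separately because local edits to them are expected.
# Paths containing spaces are not handled.
changed_files() {   # $1 = rpm -Va output
    awk '
        $1 == "missing" { print "missing", $NF; next }
        substr($1, 3, 1) == "5" {
            kind = (NF == 3 && $2 == "c") ? "config" : "digest"
            print kind, $NF
        }' "$1"
}

# Constructed sample data (not taken from any real template).
sample_report() {
    d=$(mktemp -d)
    printf '%s\n' /usr/bin/ls /etc/ssh/sshd_config /usr/lib/libfoo.so \
        /usr/share/doc/foo/README > "$d/owned"
    printf '%s\n' /usr/bin/ls /etc/ssh/sshd_config /usr/lib/libfoo.so \
        /usr/local/bin/helper /root/.bash_history > "$d/present"
    printf '%s\n' 'S.5....T.  c /etc/ssh/sshd_config' \
        '..5....T.    /usr/bin/ls' \
        '.......T.    /usr/lib/libfoo.so' \
        'missing     /usr/share/doc/foo/README' > "$d/verify"
    echo "== not owned by any package =="; unowned_files "$d/present" "$d/owned"
    echo "== failed verification ==";      changed_files "$d/verify"
    rm -rf "$d"
}

sample_report
```

Every line in either section of the report is a file to inspect by hand; for the "digest" lines, reinstalling the owning package from the distro mirror and re-running the verification shows whether the difference persists.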


