Re: After Summit questions
Stephen Levine <slevine@...>
> in a BOSH world where CF jobs were running on the VM itself, as opposed to “inside containers on a VM”, BOSH did indeed take care of that part [but then also there wasn’t the task to keep the container OS distro up-to-date – see #1]
In a way, BOSH did handle patching the container base images. When deploying a new CF rootfs (e.g., cflinuxfs3), rolling the BOSH VMs would update the container base images for every app with security patches. New cell VMs would come up with a patched version of cflinuxfs3, then old ones would go down.
For CF4K8s, this will be handled by kpack, which uses CNB (buildpacks.io) image rebasing functionality to swap the bottom OS layers of the deployed container images directly on the registry.
This results in the new container base images being distributed to each K8s node exactly once per base image update, after the first rebased image is deployed.
Then all the other images deployed on the node will "snap around" to point at the newly available base.
(This is a safe operation, because ABI compatibility is preserved when security patches are applied to the new base images -- just like in the CF model.)
From: cf-dev@... <cf-dev@...> on behalf of Krannich, Bernd <bernd.krannich@...>
Sent: Thursday, June 25, 2020 2:57 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] After Summit questions
I haven’t tried Fargate myself (and I don’t know if this has been tried/is supported for CF on Kubernetes), but running CF on top of Kubernetes, “patching” might refer to two separate layers:
Hope this helps more than it creates confusion. I realize things have gotten more complex on this front and probably what I wrote can be explained in a more accessible way (my bad). 😉
<cf-dev@...> on behalf of "ross.kovelman via lists.cloudfoundry.org" <ross.kovelman=merck.com@...>
After the first day of the summit, while very interesting, it left me and my teammates with a question. With no Bosh, since Bosh is for VMs, how will patching be done, especially when you use CF on a service like Fargate?