Indeed great initiative here @Jip-Hop with your very promising script. Thanks for your efforts so far.
I'm about to migrate from TrueNAS Core, where I've been using jails for a long time, to TrueNAS Scale, now that IXSystems seems to be slowly abandoning Core. I've truly enjoyed the versatile and powerful, yet lightweight on resources, jails on Core but am now migrating jail after jail to Docker on my Linux laptop as a proof of concept before upgrading the server itself from Core to Scale. Kubernetes is for sure an interesting technology and I wouldn't mind learning it to benefit from it professionally later on, but for a home NAS, with only a handful of users, it feels overkill. K8s seems to shine when you want to scale things for hundreds or thousands of users, which is surely a use case for TrueNAS Enterprise users. But for the TrueNAS community users my feeling is that a neat way to run Docker is much more straightforward and useful. I understand that IXSystems need to focus on their business customers but I'm sure they also understand their crucial symbiosis with the community throughout the years for bringing the product to where it is today. Hence I think it's also very important for IXSystems to focus on the community's needs in combination with the business customers' needs. And the community need is clear: an easy and lightweight way to be able to run Docker containers without risking the TrueNAS system integrity.
I really hope that IXSystems (ping @morganL, @Kris Moore et al.) will start acknowledging that and start supporting your efforts here @Jip-Hop and incorporate your script into core (pun intended) TrueNAS Scale. This "iocage"-like way of bringing "jails" to TrueNAS Scale, thanks to your script initiative here, feels like what should have been done by IXSystems from the very beginning considering all users that are familiar with the concept through all the years with TrueNAS (and FreeNAS) Core. This in parallel with the K8s path for the Enterprise users.
I'm a bit worried about the security part though. My feeling is that the way forward with this initiative is to harden that part to make it easier to argue that it should be included as a part of TrueNAS Scale itself. The most obvious start I think would be to ensure that the "jails" are not run as root by default. Hence make things like
Code:
--private-users=65536:65536 --private-users-ownership=chown
a default setting in the script and make sure that it runs smoothly and becomes well documented. Maybe have running as root as an option but not as default. What do you think about this idea?
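As an added example (not from the post or from the jailmaker script), a small POSIX shell check that reads the user-namespace mapping of a jail's init process from /proc/<pid>/uid_map and reports whether the jail's root is still the host's root, which is what `--private-users=65536:65536` is meant to prevent; the two sample map files are constructed.

```sh
#!/bin/sh
# Added example, not part of the jailmaker project or the original post.
# /proc/<pid>/uid_map lines have the form:
#   <uid inside the namespace> <uid on the host> <length of range>
# The identity mapping "0 0 4294967295" means no user namespace shift:
# UID 0 inside the jail is UID 0 on the host.

# Print "identity" when container UID 0 is host UID 0, "shifted" when it
# maps elsewhere; return 1 when the file has no range covering UID 0.
classify_uid_map() {
    map_file="$1"
    while read -r inside host length; do
        [ -z "$inside" ] && continue
        # Does this range cover container UID 0?
        if [ "$inside" -eq 0 ] && [ "$length" -gt 0 ]; then
            if [ "$host" -eq 0 ]; then
                echo identity
            else
                echo shifted
            fi
            return 0
        fi
    done < "$map_file"
    return 1
}

# Host UID that the jail's root actually runs as (first range starting at 0).
host_uid_of_container_root() {
    awk '$1 == 0 { print $2; exit }' "$1"
}

# Constructed sample maps standing in for /proc/<pid>/uid_map of two jails:
# one started without --private-users, one with --private-users=65536:65536.
tmpdir=$(mktemp -d)
printf '         0          0 4294967295\n' > "$tmpdir/rootful"
printf '         0      65536      65536\n' > "$tmpdir/shifted"

for f in rootful shifted; do
    printf '%s: %s (container root = host UID %s)\n' "$f" \
        "$(classify_uid_map "$tmpdir/$f")" \
        "$(host_uid_of_container_root "$tmpdir/$f")"
done

# Real use: classify_uid_map /proc/<pid of the jail's PID 1 as seen on the host>/uid_map
```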