So, the good thing about containers... no, okay, there are two things to bear in mind here. The first thing is that we're using Go to build a static binary, but when I did this about three or four months ago, I found that it wasn't actually properly static. I had to use these crazy other tags, other build arguments, in order to bring in the netgo library. Has anyone else talked about this? To be honest, I don't really understand why; some people on the GoNuts IRC channel told me to do it this way, and it indeed works. It creates a static binary which doesn't depend on, I guess, glibc or whatever is usually found on a Linux machine, so you can run it in a very, very minimal environment. Ideally, I'm trying to get my minimal environment as fricking minimal as possible. I just want to run the binary, and that's the beauty of it, actually, because if you're doing, what do you call it, deployments with a typical LAMP stack, where you have Apache, MySQL, PHP, I mean, we're talking hundreds of megs' worth of binaries, which is insane. The good thing about Golang is that, well, to be honest, the binaries that are generated with Go are quite big, but they're a lot smaller in comparison to a typical LAMP stack. So yeah, you create the proper statically built binary with the netgo stuff, which is, God knows what it is, something to do with networking probably, and then the container itself.

So with Docker, who's talked about Docker here? Was there a Docker speaker? So I don't like Docker because it's fricking bloated and heavyweight, so I've been looking for alternatives. To be honest, there are some things about Docker that are really good; most of it is bad, but the cool thing about Docker is that the Dockerfile is pretty good, and when you're using systemd containers, and also probably LXC containers (I don't know, what is LXC, how do you pronounce LXC? LXC. LXC. LXC. LXC. Okay.), well, you have to build it up yourself.
So this is what I'm doing right here. I'm basically creating, can you all see that clearly? I'm just creating a container directory, and I've called it foobar, isn't that clever? And then I'm pacstrapping, and pacstrap, for those people who don't know, is like debootstrap, if you come from a Debian/Ubuntu background. The cool thing is that all you need for a systemd container is basically a Linux-style environment, a Linux-style file system. To be honest, I'm not too sure why, so this is the worst talk ever. It's like, do it this way, do it that way, I don't know why, but systemd basically craps out if there isn't a Linux file system hierarchy, as far as I understand it. So this creates the Linux file system. I copy in the static binary, and then I call systemd to run that Golang binary. Okay, that was incredibly boring, but the good thing about this is that it's fast.

What the hell? Isn't Vim awesome? It's the best editor ever. What was I going to say? You're the one running the binary. I was going to just show you how quickly it, like... Can you just push the overscan on your display? What's that mean? Can you talk English to me? Open up a window. Can you scale up the screen a bit? Is that better? Yeah. Is that better? Is that better? Yeah, that's better. Use the left-hand side. Okay, weirdos. I need... Like, if I'm... Well, I can't see what I'm doing now. Assuming I have... Okay, so basically let me just do this from scratch. If I do... I'm just, like, cleaning my container. So I think make makes the binary. Is that what it does? I can't remember. For some strange reason, making that binary takes a bit too long. God knows what it's doing. It's putting in fire. So the binary is, what, 7.6 megabytes. And then I make the container. I think my Makefile is a bit crap. I think I do a build... It's rebuilt everything. Oh. Yeah, so basically I call pacstrap, I basically extract the file system, and then I'm already running the binary.
So if I go to localhost:3000, I'll be running my Golang app, which is very unimpressive. You just use it to put in the current date, and then it calculates the difference. So, and there it is running. So I think it took about, well, if you ignore the binary build thing, and if you ignore the initial pacstrapping, I think you'll find that the whole thing takes like no time at all, right? systemd-nspawn, -D, foobar, and then the name of the binary, dc. It's instant. That's the beauty of it. LXC is just as fast, because, I mean, don't kid yourself, systemd-nspawn, systemd generally, is, I like to think of it, just a very, very well-designed thin shim on LXC. I don't know if you've ever used LXC, but straight up, LXC has got a terrible user interface in my opinion. systemd-nspawn, all it does is make it a lot easier to use. So there you have it. I think that should be a lot faster than Docker, and it should be a lot faster than anything I've ever seen. Do it timed. We'll do it timed. That won't work, because it'll be running the binary. Well, I mean, maybe it takes next to no time.

I am cheating a little bit here, because by default it doesn't set up, what do you call it, a host... it doesn't set up the networking. I'm just using NAT-style networking, which is cheating a lot. I think Docker probably uses host, what do you call it, bridge networking by default. If you have to set up that sort of virtual network interface, you basically have to boot into systemd in the container to set that all up, which means basically calling dhclient as you boot it up. You can make it faster by calling just ip commands to set up the network interface. Anyway, long story short, if you want proper network isolation, it takes like another second. That's so bad, isn't it? Which will you choose, systemd? Well, I use Arch Linux. Anyone else cool enough to run Arch? Is this set up by the installation? Yes! High five to the Arch dude.
If you use Arch, it makes you cool. If you use Mac OS X, you're a loser. If you use Windows, I have absolutely no respect for you. How did you stumble upon the latest? How did I stumble upon it? I don't know. I've been exploring, well, I don't like Docker. I was looking for alternatives. I wanted to use LXC, but LXC was written by a madman, and then systemd-nspawn came along. I'm using it on, what is my machine code? I'm using it at home, actually. Go home. Okay, maybe I'm going to service down. Why can't I? Is SSH blocked? Only you actually use it. What's the difference? Yes, it's just running the app without any container. Well, running the app without a container, you can do it that way. You can do it that way, but... why can't I, is SSH blocked or something? Yes. Really? You're joking. I'm going to move on; blocked SSH. This demands action. I bet you they won't. Actually, because it's a static binary, you can actually run it there. This is what I have to do in Malaysia nowadays, because internet out in Malaysia sucks. Let's see if PayPal can block me here. They're probably going to block it as well. It can't be. Yeah. I've never seen anyone properly block it. Has my IP changed? Exactly. What the fuck? Oh, yeah. You answered. No, actually, I still have the PayPal API. Isn't that a PayPal address? Yes. Shit. What I was going to say, I was going to say something profound. Okay. Why do you use, that's a good question. Why do you use a container? Because it makes it like, well, I can't show you my machine at home, but if, can you see that? Why do you use a container? Got me there. The answer is, I like a, what, what's the user name? What the, sorry, that instructed me. Why use a container? Why use a container? Because you basically say, you have that, well, it's just because it's isolated. Why would you want it isolated?
You want it isolated so that it doesn't... if that binary is gained, and to be honest, I've written some stupid Golang apps in the past. What is that directory thing called? The file server thing? There's a, yeah, there's a thing called, like, Dir files. And I accidentally Dir'd my home directory, and then people could accidentally take out my SSH secret key. That is very stupid. And it's actually pretty easy to do. I, like, basically had a dot where a slash should have been, or something like that, and then someone had my home directory contents. But if you have everything in a container, then the only thing you, if that binary gets gained or something, it's limited to that file system. And you're probably thinking to yourself, well, that's no different to using chroot. And that's true. chroot does the same thing as a container. But with containers, there's so much more. You can actually control, like, memory, you can control CPU, you can control all the sorts of control groups surrounding that container. It's a bit fine-grained. And to be honest, I never use these things, to be honest. But it's good to see when maybe it's taking too much RAM, and then you can limit the RAM. And then also, finally, when you use a network virtual interface, you can see, you can just, like, look at, sorry, what's that? You can just look at, what's it called, /proc/net/dev. You can just have a look at that; it doesn't look good. And you can see every single sort of TX/RX packet and account for how many bytes are being sent, which is important. So you know what the hell it's doing. And if you run lots of machines, you get everything isolated. And there's also, like, this cool command, which I can't show you very easily. Okay. Good question, guys. Good question. If you're making a static binary, why didn't you pull in all the library dependencies into your container? Because that's lame. Because you've got to go all static or not, or, you know, or else it's just crap.
You couldn't make it all static because of third-party dependencies. So drop those dependencies, you know. I don't like shared systems. I mean, for me, you've got to just do it right. And I want everything to, to me, a static build is like a package. You either deploy a tar file or zip file, or you install, or you deploy the whole goddamn binary. And I prefer to just use binaries. It's just so much easier to, you know, for security, to shasum it. And you just know exactly what it is. It's so much easier to roll back. The reason why I use containers is I package all my dependencies into that container, and when I pull the container, all the dependencies follow it. Well, I don't like to, well, you, I mean, that's a perfectly valid use case. I'm not going to mock you too much. It's not religious. I try to make myself clear. There are a lot of benefits to using static builds. You can roll back easily. I'd love to see people roll back in a shared system. You can't. That's why it's so bullshit. But if it's in a container, you can just swap out a container. Well, I'd rather, I'm for simplicity. I'd rather swap out a binary. Yeah. And then I can md5sum it. Exactly what the hell's going on. If you're using a shared system, you probably have to commit everything to git, which I've done a lot in the past, to be honest, just because I need to know what the hell's going on. But if it's just a binary, gee, well, you can commit that to git; that makes things easy too. But it's a lot more complex when you're dealing with a shared system. I think that's it. Where's the pizza? You were sore feet. You were sore feet. Let me see if I can, what, what is going on here? Why can't I see my cursor anymore? Just to, I can't, what the hell's going on? Sorry. I'm not going to bother with this VPN. I'm just going to go on the real internet with my phone.
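As an added example, written for this page and not code from the talk or its speaker: the file-server mistake the speaker describes (an http.Dir root that quietly resolved to the home directory and exposed an SSH key) and the check that stops it. The server refuses a relative root, refuses dotfiles such as .ssh, and refuses any path that resolves through a symlink to somewhere outside the root. The names confinedFS and newConfinedFS, the root /srv/www, the port 3000 and the binary name dc are assumptions; the build and systemd-nspawn commands in the header comment follow the flow the talk describes but are the standard invocations, not the speaker's Makefile.

```go
// Added example (not the speaker's code): a Go file server whose root is
// confined, so a typo like http.Dir(".") started from $HOME cannot hand out
// ~/.ssh. Names (confinedFS, newConfinedFS, /srv/www, port 3000, binary "dc")
// are assumptions, not a published project.
//
// Build as the talk describes, with cgo off so the result needs no glibc,
// check that it really is static, then drop it into the pacstrapped
// container directory ("foobar" in the talk) and run it with nspawn:
//
//   CGO_ENABLED=0 go build -tags netgo -o dc .
//   ldd ./dc            # expect: "not a dynamic executable"
//   sudo cp dc foobar/ && sudo systemd-nspawn -D foobar /dc
package main

import (
	"errors"
	"log"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// confinedFS is an http.FileSystem that only serves paths below a fixed,
// absolute, symlink-resolved root. It refuses dotfiles (.ssh, .git, .env)
// and any entry that resolves through a symlink to outside the root.
// http.FileServer turns os.ErrPermission into a 403 and os.ErrNotExist
// into a 404, so callers get sane status codes for free.
type confinedFS struct {
	root string   // absolute, symlink-resolved root directory
	dir  http.Dir // underlying stdlib file system rooted at root
}

// newConfinedFS rejects relative roots outright: "." evaluated from the
// wrong working directory is exactly the mistake described in the talk.
func newConfinedFS(root string) (*confinedFS, error) {
	if !filepath.IsAbs(root) {
		return nil, errors.New("file server root must be an absolute path")
	}
	resolved, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	return &confinedFS{root: resolved, dir: http.Dir(resolved)}, nil
}

// Open implements http.FileSystem with the extra checks described above.
func (c *confinedFS) Open(name string) (http.File, error) {
	// path.Clean collapses "..", so a request cannot climb above "/".
	clean := path.Clean("/" + name)
	for _, seg := range strings.Split(clean, "/") {
		if strings.HasPrefix(seg, ".") {
			return nil, os.ErrPermission // dotfile or dot-directory
		}
	}
	// Resolve symlinks and make sure the real target is still under root.
	target, err := filepath.EvalSymlinks(filepath.Join(c.root, filepath.FromSlash(clean)))
	if err != nil {
		return nil, err // missing file: wraps os.ErrNotExist, served as 404
	}
	if target != c.root && !strings.HasPrefix(target, c.root+string(os.PathSeparator)) {
		return nil, os.ErrPermission // symlink pointed outside the root
	}
	return c.dir.Open(clean)
}

func main() {
	fsys, err := newConfinedFS("/srv/www") // assumed location; must be absolute
	if err != nil {
		log.Fatal(err)
	}
	http.Handle("/", http.FileServer(fsys))
	log.Fatal(http.ListenAndServe(":3000", nil)) // port taken from the talk
}
```

A plain http.Dir already blocks ".." traversal, but it will serve dotfiles and follow symlinks out of the tree, and it happily accepts a relative root; the absolute-root check is what turns the "dot instead of slash" typo into a startup error instead of a leaked key. The container is the second layer: if this check is wrong, the binary can still only hand out what is inside the nspawn root.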