Developing with Docker

I don&#x27;t think I agree with this. Docker is an amazing tool, I&#x27;ve used it for everything I&#x27;ve done in the last 7 years, but this is not how I&#x27;d approach it.<p>1. I think the idea of local-equal-to-prod is noble, and getting them as close as possible should be the goal, but is not possible. In the example, they&#x27;re using a dockerized postgres, prod is probably a managed DB service. They&#x27;re using docker compose, prod is likely ECS&#x2F;K8S&#x2F;DO&#x2F;some other service that uses the image (with more complicated service definitions). Local is probably some VM linux kernel, prod is some other kernel. Your local dev is using mounted code, prod is probably baked in code. Maybe local is ARM64, and prod is AMD64.<p>I say this not because I want to take away from the idea of matching dev and prod as much as possible, but to highlight they&#x27;re inherently going to be very different. So deploying your code with linters, or in debug mode, and getting slower container start times at best, worse production performance at worse - just to pretend envs which are wildly different aren&#x27;t different seems silly. Moreover if you test in CI, you&#x27;re much more likely to get to a prod-like infra than a laptop.<p>2. Cost will also prohibit this. Do you have your APM service running on every dev node, are you paying for that for all the developer machines for no benefit so things are the same. If you&#x27;re integrating with salesforce, do you pay for a sandbox for every dev so things are the same. Again, keeping things as similar as possible should be a critical goal, but their are cost realities that again make that impossible to be perfect.<p>3. In my experience if you actually want to achieve this, you need a remote dev setup. Have your code deployed in K8S &#x2F; ECS &#x2F; whatever with remote dev tooling in place. That way your DNS discovery is the same, kernels are the same, etc. Sometimes this is worth it, sometimes it isn&#x27;t.<p>I don&#x27;t want to be negative, but if one of my engineers came to me saying they wanted to deploy images built from their machine, with all the dev niceties enabled, to go to prod, rather than proper CI&#x2F;CD of prod optimized images, I&#x27;d have a hard time being sold on that.

This demonstrates the most pernicious thing about Docker: it is now easier than ever for someone to design a Rube Goldberg machine and then neatly sweep it under the rug.<p>When you see the dev environment setup described, the knee jerk reaction should be to simplify it, not to automate the running of 30 disparate commands. Then you can much more easily run it in production, instead of boxing up the mess and waiting until you actually have to debug it.

Including developer tooling in a Docker image is missing one of the really useful things about Docker: not needing all that stuff. By using a multi-stage build, you can do all the slow dev stuff at image build time, then only include the output in the image, and that includes things like building a library which wants a different set of conditions to build than your application wants to run.<p>It also adds an additional level of risk - if your image is compromised, but all that is running in it is your app, oh well. If it&#x27;s compromised, and it&#x27;s able to call out to other parts of your stack (yes, some of this is down to the specific deployment process), that&#x27;s much worse.

Docker is a deployment mechanism. This means publishing Docker images is a deployment activity not a development one.<p>I don&#x27;t think software developers should publish Docker images at all [1]. This is a huge impedance mismatch with serious security implications. In particular, your Docker image needs a regular release cadence that is different from your software releases.<p>Including a Dockerfile is fine, they allow the person doing the deployment to customize&#x2F;rebuild the image as needed (and help with development and testing too).<p>[1]: Though I&#x27;m not saying you can&#x27;t be both a developer and sysadmin in your organization. Are you?

I love Docker (more so the idea of containers). Use it almost everywhere: self hosting services, at work everything is deployed as a docker container.<p>Except local development. Absolutely hate the &quot;oh need to add a dependency, gotta rebuild everything&quot; flow.<p>I do use it if the project I&#x27;m developing against needs a DB&#x2F;redis&#x2F;etc, but I don&#x27;t think there&#x27;s a chance I&#x27;m going back to using it for local development.<p>In fact, at work, the project where we do use docker in development actually causes the most headaches getting up and running.<p>I use a combination of CPU architectures, so the idea of running _exactly_ what&#x27;s in production when developing is already out the window.

&gt; What if running the linters was as easy as: $ docker compose exec web &#x2F;scripts&#x2F;run-linters<p>This seems to ignore the fact that I also run linters in my IDE to get immediate feedback as I’m writing code. As far as I know there’s no way to combine these two approaches. Currently I’m just careful to make sure my local ruff version matches the one used in CI.<p>It may be possible with VS Code dev containers, but last time I looked at those I was turned off by the complexity.

This is all very good and true, but as usual the devil is found in the details. For instance, my company sells Docker images that depend on a very old and recently unmaintained binary. Over the years, I&#x27;ve found issues with that binary that make it very hard to be sure issues are completely reproducible from system to system (or, as the article suggests, from local to production). Sometimes, it&#x27;s as simple as a newer base image updating a core dependency (e.g. Alpine updating musl), but other times it seems like nothing changes but the host machine, and diagnosing kernel-level issues - say, your local Mac OS&#x27; LinuxKit kernel versus your production Amazon Linux or Ubuntu, and don&#x27;t forget x86 emulation! - make &quot;test what you develop and deploy what you test&quot; occasionally very daunting.

&gt; What if running the linters was as easy as:<p>&gt; $ docker compose exec web &#x2F;scripts&#x2F;run-linters<p>What do people do for making these kinds of commands less verbose and easy to remember?<p>We&#x27;ve done things like use Makefile with the above behind `make lint`. However, chaining together shortcuts like &quot;make format lint test&quot; gets slow because &quot;docker compose&quot; for each one takes time to start up.<p>If you instead run the Makefile while you have a terminal open inside one of the Docker containers, that can be faster as you can skip the &quot;docker compose&quot; step, but then not every Makefile target will be runnable inside a Docker container (like a target to rebuild the Docker image), so you have to awkwardly jump between terminals that are inside&#x2F;outside the Docker container for different tasks? Any tricks here?

But wait <i>how do you write code</i> if the services are all in docker like that?<p>What about my strongly typed monorepo?<p>(I prefer a variation of this where all <i>artefacts</i> like databases are in docker compose, but my monorepo services run outside docker)

I’ve been writing software for 20+ years. Sometimes I feel like I’m the only one who hasn’t had the problems Docker solves.

The one thing I feel like is missing in guides like this is key management. I don&#x27;t like the idea of putting secret keys in my compose.yaml and I would prefer to use something more... controllable? Auditable? The thing is, I don&#x27;t really know, because this isn&#x27;t the kind of stuff I work on for $dayjob. But I can&#x27;t help but feel like there&#x27;s something missing with key management, and for a noob like me I don&#x27;t know how to fit it into the larger puzzle.

I have experimented with a local setup in our team.<p>With the new Docker compose watch functionality I think it works well.<p><a href="https:&#x2F;&#x2F;docs.docker.com&#x2F;compose&#x2F;how-tos&#x2F;file-watch&#x2F;" rel="nofollow">https:&#x2F;&#x2F;docs.docker.com&#x2F;compose&#x2F;how-tos&#x2F;file-watch&#x2F;</a><p>For me this has negated the need for manual mounting.<p>I combine the above with dotnet watch —-non-interactive in the dockerfile for dotnet and a simple ng serve in our Angular apps.<p>If new dependencies are added via npm install you can set it so that Docker watch will auto rebuild your container. So it gets around that issue too.<p>I have a .bat file in our repo that runs the Docker compose action to start up all the needed services and has some powershell to wait until the main UI service is up. When it’s up it auto opens the web browser.<p>I have a docker container that uses Dozzle (<a href="https:&#x2F;&#x2F;dozzle.dev&#x2F;" rel="nofollow">https:&#x2F;&#x2F;dozzle.dev&#x2F;</a>) for log monitoring across the various services. It can also stop&#x2F;restart containers if needed.<p>I also have a container that can be ran to perform a database restore from an external Postgres DB into a local Postgres Docker container.<p>I will say that dotnet debugging is clunky. You can attach to the Docker container in Visual Studio but if a hot reload has happened you can’t debug again until the app has restarted. For dotnet if I need to do some intensive debugging I tend to spin it up outside Docker for this reason.

It sounds good, but Docker is also good for all sorts of other patterns too.<p>For instance: Docker is great for local development that never touches prod.<p>Docker is great for hybrid local dev, where you run some services in docker but not others.<p>If your desktop is Linux and you are building python based web services, then running python in a virtualenv is often much more responsive than having to rebuild some docker thing.

<p><pre><code> Developer Tooling This is where I tend to run into the most pushback on this pattern but it&#x27;s also the part that can greatly reduce headaches. Are you ready? Your immutable image includes everything you need for development: linters, tests, and debugging modules. I will sometimes even include a few useful system tools like netcat or ping, as well as a fancy prompt. None of these things are necessary for production. They are at best, image bloat, adding anywhere from 100 to 200 MB of useless code to your image that&#x27;s never used in the wild. Why then, would we want to include it? </code></pre> Sorry, but this is dangerous advice. This won&#x27;t pass most serious security audits and to use these tools, you&#x27;d likely need to be running as root.<p>Much better is to strip your immutable images to the bare minumum and instantiate a debug sidercar, eg [1], if you need to peer inside.<p>[1] - <a href="https:&#x2F;&#x2F;github.com&#x2F;mhoyer&#x2F;docker-swiss-army-knife">https:&#x2F;&#x2F;github.com&#x2F;mhoyer&#x2F;docker-swiss-army-knife</a>

I find this topic very interesting. On one hand, I am sure that every person reading this has run into a ‘bug’ introduced because of a dev&#x2F;prod mismatch. On the other hand, the only way to get a total match is to either pay an obscene amount of money or roll everything yourself (which will also have cost, much of which can never be recovered).<p>As an example, I can build something, deploy it on my own and create a near one to one match. But that means building everything and never using a managed service. If the application interfaces with another tool like Salesforce, do we have multiple instances for every single developer?<p>Or, do we roll our own CRM?<p>Matching is great but in a managed world it’s very expensive.

It seems I do the opposite of many commenters.<p>I do not run Docker in production at all but I also do not develop any serious projects outside of Docker.<p>Installed on the host machine are only VSCode, Docker and Git.<p>You work on a project by cloning it, opening in VSCode and clicking on &quot;Reopen in container&quot;.<p>This will spin up generic services like databases and then the actual app container as a VSCode Remote Container, with all the development tooling inside the container.<p>Does not matter if tooling changes between projects, any project can be worked on with a single click of &quot;Reopen in container&quot;.<p>Host machine stays clean.

At work, we took the radically different approach of not having such a thing as a local environment. It won&#x27;t necessarily work for every tech stack, but we mostly use lambdas, RDS, SQS, dynamoDB, kafka, and S3, so it&#x27;s trivial to spin up and tear down the stack as we go. Essentially, instead of trying to ship the local machine to prod, we bring prod to the local machine.<p>It&#x27;s a breath of fresh air not having to maintain a separate local environment.

As someone new to Docker, the thing that is never answered (including in this post, the irony of the title...) is what an actual dev workflow looks like.<p>Let&#x27;s say I&#x27;m working on a web app. I start my container, awesome. Now I make a code change. What do I do? Since the code is copied in the container, do I have to stop, rebuild the image, and start again? Or does it automagically rebuild like most frameworks support? And how about debugging, are there any hoops to jump through connecting a debugger to a container? And what about the filesystem. If I need to inspect the output of something, say a log file in the container, is that easy to do? I&#x27;ve tried this before and got pretty lost trying to access the filesystem.<p>None of these questions are obvious to Docker beginners like myself. We get the whole &quot;consistent environment&quot; benefits of Docker, now talk about a practical workflow please. :)<p>edit: thanks for the answers!

&gt; At it&#x27;s simplest, stuff like this: if ENVIRONMENT == &quot;prod&quot;: do_something_only_production_does() ...shouldn&#x27;t happen.<p>This is a common refrain among people that IMO do not have a lot of experience in big, complex systems, especially ones running a lot of legacy code. Like, ideally, sure, but in reality making this possible almost always involves extra cost, time, and complexity, and what do you gain from that, really? It&#x27;s a pretty concept, but not at all practical.

That last point about differences between dev, test and prod should be right at the top. It&#x27;s rare to find teams that have set themselves up for success (for reasons I do not fully understand)

&gt;but importantly, the image at each of these stages is exactly the same: reproducible at every turn<p>This is wrong. Hadn&#x27;t read any further.<p>Regards,<p>NixOS adept

I was hoping the article was about using a Docker container *<i>as*</i> your development environment. Talk about easily compartmentalizing and standardizing your projects across machines.<p>Imagine if you got to a new job and your setup instructions were literally `docker pull mycorp:development.mobile &amp;&amp; docker run mycorp:development.mobile`.<p>- Oh, your machine was lost? Take your new machine and docker pull docker run.<p>- Someone migrated project A to python 3.8 but project B still requires python 3.6? docker pull docker run.<p>- You have to work on some backend code? docker pull docker run.<p>- But the backend code uses an IDE that I don&#x27;t have installed. Docker Pull! Docker Run!<p>Every job I&#x27;ve ever started has come with a sheet explaining how to set your machine up to work on the codebase. Install this, upgrade that, change this environment variable, and for the love of god don&#x27;t install a newer version than this. I mean, I know I&#x27;ve been lucky to get a sheet, but this is usually the first full day of work.<p>I&#x27;ve never really tried to get this going. I assume that it&#x27;d be possible to get an OS instance up in docker that you just VNC into. Load up that image with the tools you need (IDE, git, etc.), wire up some stuff for security (GitHub keys, probably other stuff), and clone the initial commit of your repo so that people can just `git pull` the rest.<p>Maybe this is a thing. I haven&#x27;t looked in a few years.

Thank you. This is a great resource!