Docker really is the future

Docker does neat stuff, but if it's really the future then I am going to be disappointed. Using the Docker daemon as a high-level interface to clone(2) has been nice, but Dockerfiles are a weak format (why not use a general purpose programming language?), the pre-built binaries on DockerHub are just asking for exploitation, and unioning a bunch of disk images is a hack to deal with the imperative nature of how images are built. Projects like Nix and GNU Guix are what I want the future to be. With them I don't have to put trust into any single third party, I get nearly bit-for-bit reproducible builds, system-wide deduplication of packages, functional/declarative system configuration, atomic updates/rollback, quick setup of development environments (with or without a container), and more.

&gt; Up until now we’ve been deploying machines (the ops part of DevOps) separately from applications (the dev part). And we’ve even had two different teams administering these parts of the application stack. Which is ludicrous because the application relies on the machine and the OS as well as the code, and thinking of them separately makes no sense. Containers unify the OS and the app within the developer’s toolkit.<p>False. VM Blue&#x2F;Green Phoenix Deployments were essentially &quot;build VM for each release to production; spin up new VM; spin down old VM&quot; which is essentially what Docker enables, except in container form....which you could have done with OpenVZ or any other containerization solution that has existed to date, even on AWS.<p>&gt; Up until now, we’ve been deploying heavy-weight virtualized servers in sizes that AWS provides. We couldn’t say “I want 0.1 of a CPU and 200MB of RAM”. We’ve been wasting both virtualization overhead as well as using more resources than our applications need. Containers can be deployed with much smaller requirements, and do a better job of sharing.<p>As someone who runs &amp; leases 128MB RAM VMs for various purposes...wut?<p>You could have just as easily used OpenVZ to achieve this and literally everything else on your list:<p><a href="https:&#x2F;&#x2F;openvz.org&#x2F;Main_Page" rel="nofollow">https:&#x2F;&#x2F;openvz.org&#x2F;Main_Page</a><p>Or any other container-based solution.<p>The only real thing you are saying with this article is:<p>&quot;We like the Docker ecosystem and we feel its better than all other solutions.&quot;<p>Fair enough, but at least don&#x27;t pretend Docker is the only way to solve these problems.

Your post is invalid at some point. Of course Docker is great, of course new technologies are great. BUT the first point isn&#x27;t so much of a joke. Docker is not the future, at least not for everyone. Currently Docker will not change the way how apps will be built, Docker will change nothing, ... at the beginning.<p>To start out new development, people should and never forget this, don&#x27;t care about microservices and docker and anything else. They should just build a fucking big Monolith. After they did that, and they are getting more people for development or more people at their page &#x2F; service &#x2F; whatsever they can still start to split everything.<p>Don&#x27;t build a fucking Unicorn just to be accurate. Start out boring. Do this every time and don&#x27;t listen to anybody that tells you how good microservices and docker is. Deploy your app manually (okai this step could be skipped), then use a tool LIKE ansible or puppet, then if you need more, look at the things that bigger companies use.<p>But never ever over architect your project &#x2F; application &#x2F; service.

One of the things that rankles the greybeards is when people think over-hyped tools like Docker are original creations and they don&#x27;t acknowledge that containerization has been around for a long time. It&#x27;s not really that anyone makes this claim per se, but just a general impression fostered by the cool kids&#x27; relative youth and ignorance.<p>We all wish that software could be judged on objective merits, but the sad truth is that now more than ever the software development world is so big that UX and marketing for dev tools actually matter a lot more. Of course over time we still gravitate towards better things as lessons are learned, but in order to figure out what the actual best tool is, huge investments need to be made to get it to work. Until millions of man hours are invested, it&#x27;s impossible to say whether something like Docker will in fact be better than what came before, or whether it will peter out at another local maximum due to a fundamentally flawed philosophy. If you can&#x27;t generate some initial hype then it&#x27;s hard to get enough developer mindshare to even test the premise of something as complex as Docker.

So Docker is beautiful and wonderful thing, and it is the future, and anybody who doesn&#x27;t like it has no credibility because they just don&#x27;t like change, and they are Philistines.<p>I stopped reading after that.

&gt; We are always faced with a choice between staying still with the technologies we know, or taking a bit of a leap and trying the new thing, learning the lessons and adapting and iterating and improving the industry around us.<p>I think they forgot the third popular choice -- taking a bit of a leap, trying the new thing, and finding that it doesn&#x27;t involve really adapting, iterating, or improving, it&#x27;s pretty much just a reinvented wheel.<p>This might explain why the author apparently has trouble drawing a picture of the motivations behind curmudgeons who hate anything new.<p>If your tool <i>really</i> <i>genuinely</i> solves problems <i>without</i> creating a new layer of complexity, it&#x27;s not going to have very many haters.

Both this and the previous tongue-in-cheek rant are correct. It depends on who you are.<p>The fact is that not everyone is going to need to scale to Google-like sizes, and not every app is going to need to scale <i>in the same way</i>.<p>For many developers trying to build products, getting bogged down in all this emerging Docker-centric complexity is a case of premature optimization. Build your thing, polish it, get users, get customers, etc., and if you manage to get so many that scaling becomes a problem then you now have a &quot;good problem to have.&quot;<p>... and the problem with the Docker ecosystem is <i>not</i> that it is new. I love new stuff. The problem is that it&#x27;s a lot like the web framework ecosystem, which is an example of the CADT development model:<p><a href="http:&#x2F;&#x2F;www.jwz.org&#x2F;doc&#x2F;cadt.html" rel="nofollow">http:&#x2F;&#x2F;www.jwz.org&#x2F;doc&#x2F;cadt.html</a><p>To a certain extent that&#x27;s an artifact of all this Docker stuff being new and very much in its experimentation phase. I expect that the web will settle down a little someday, and this stuff will too, but for now it&#x27;s a crazy wild west of people implementing Yet Another Everything. There&#x27;s also a bit of a funding wave going through this area, which is causing a lot of me-too Docker startups to pop up and do the same things over and over.

I&#x27;d agree that containers will be huge in the future. But it might not be with Docker, that&#x27;s all.

The same thing happened with &quot;the cloud&quot; and &quot;nosql&quot; etc etc. 2% of people crow &quot;this changes everything!&quot; and 2% yell back &quot;this changes nothing you morons!&quot; and both groups of people are wrong, and the other 94% of us just keep working and are grateful for all of the cool new tools that help us get to our goals faster.<p>10 years ago you couldn&#x27;t build a Heroku unless you were a genius. Now you can build a Heroku clone in a month. That&#x27;s progress.<p>Also, it&#x27;s still just computers. Can we move on?

Previous Blog post[1] is Gold!<p>[1] <a href="http:&#x2F;&#x2F;blog.circleci.com&#x2F;its-the-future&#x2F;" rel="nofollow">http:&#x2F;&#x2F;blog.circleci.com&#x2F;its-the-future&#x2F;</a>

The only potential use I see for Docker&#x27;s potential is to distribute applications with data as combined appliances: so if you want a PostGIS server preloaded with maps, you can do `docker fetch some_postgis_server` and end up with something you can query. But then when you try to build such an appliance (containing a lot of data), and push it to Docker Hub, it ends up failing with a mysterious error code overnight, and you open a ticket, and nobody follows up on that ticket. Docker has to get better at that kind of thing before I can consider using it again.

I think the future is something like prefabricated &#x2F; disposable &#x2F; immutable(ish) infrastructure. Stop managing servers, start managing your service.<p>Containers are a big part of that - they made the idea more palatable and usable. But if you&#x27;re doing this BECAUSE of Docker and containers and PaaS being cool, rather than the benefits of disposability and prefabrication in enabling stable &#x2F; predictable scale out , availability, and change management of your bits, you&#x27;ve probably already lost.<p>Netflix arguably started this cloud-native wave. They still use VMs.

Docker seems interesting. But it seems like there is room for something even better.<p>I imagine a Docker-like product where you can write a Dockerfile for your checkin test suite as easily as you can write .travis.yml right now. And then you can run a command to easily submit this &quot;job&quot; to AWS, Google Compute, or whatever other cloud provider you want.<p>Maybe I&#x27;m thinking about this right now because my Travis build has been stuck waiting to be scheduled for over 24 hours for no apparent reason. I&#x27;m at the mercy of the Travis people to take a look at this. What I imagine is a world where cloud execution is so commoditized that I can say &quot;sorry Travis, too slow, you lose my business today.&quot; I can hit CTRL+C, change my command-line to --submit-to=aws.amazon.com, and run exactly the same test suite there instead.<p>Oh, to dream...

He made some good points, but there&#x27;s a really good chance I&#x27;ll never need to scale at a level that requires Docker. Hopefully I&#x27;m wrong, but Azure&#x2F;AWS&#x2F;Heroku are probably going to be good enough or overkill for my needs.

Docker is an opinionated way to use containers. You don&#x27;t need to adopt that to get the benefits of containers. A lot of the messaging, hype and marketing conflates the 2 and it suits the docker ecosystem to do that but it does not benefit informed discussion.<p>By eschewing plain containers in favour of Docker you are embracing some complexity and it would help to have more discussions on the tradeoff and benefits of every approach, rather than just conflating containers to Docker.<p>The LXC project in development since 2009 on which Docker was based and now Systemd-nspawn give you pretty advanced containers with mature management tools, multiple container OSs, full stack linux networking, storage options, cloning, snapshotting etc. [1]<p>LXC and soon Systemd-nspawn (version 220) support unprivileged containers [2] that let&#x27;s non root users run containers. That&#x27;s a pretty big step forward for container security.<p>There is lot of innovation happening outside the hype of Docker. But these projects are not opinionated and stop at giving you container technology as lightweight VMs like KVM, Xen, Vmware stop at giving you virtualization.<p>Docker takes that as a base and restricts the container OS template to a single app, builds the container as layers using aufs, btrfs, device mapper, and enforces storage separation. This is not rocket science, you can do this yourself with overlayfs, aufs, btrfs, build single app containers etc [3]<p>By adopting the Docker way you are immediately taking away seamless migration of VM workloads and embracing some complexity. There are both upsides and downsides to this. For a lot of use cases the Docker approach may help, in others it may add unnecessary complexity. We have an indepth [4] look at the differences between LXC and Docker here for those who are interested.<p>Disclosure I run flockport.com that provides an app store for servers based on Linux containers.<p>[1] <a href="https:&#x2F;&#x2F;flockport.com&#x2F;guides" rel="nofollow">https:&#x2F;&#x2F;flockport.com&#x2F;guides</a><p>[2] <a href="https:&#x2F;&#x2F;www.flockport.com&#x2F;lxc-using-unprivileged-containers&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.flockport.com&#x2F;lxc-using-unprivileged-containers&#x2F;</a><p>[3] <a href="https:&#x2F;&#x2F;www.flockport.com&#x2F;experimenting-with-overlayfs" rel="nofollow">https:&#x2F;&#x2F;www.flockport.com&#x2F;experimenting-with-overlayfs</a><p>[4] <a href="https:&#x2F;&#x2F;www.flockport.com&#x2F;lxc-vs-docker" rel="nofollow">https:&#x2F;&#x2F;www.flockport.com&#x2F;lxc-vs-docker</a>

I&#x27;d say my problem with the whole massive containerization hype circus is less that I&#x27;m a curmudgeon who hates anything new, and more of a practicioner who hates marketing and social hype promoting a half solution to a narrow problem as a full solution to all problems.<p>Containerization isn&#x27;t new. It just has a brand name now, and the &quot;all the way&quot; solution to this problem is unikernels.

Docker is a broken package manager with no checksumming or version, leveraging layered filesystems to introduce more bugs with a chroot post install hook

This whole article seems completely confused with its definitions and train of thought, which I suppose is delightfully ironic.<p>Some quarrels:<p><i>Into that world drops Docker: a new way of doing almost everything. It throws away old rules about operating systems, and deployment, and ops, and packaging, and firewalls, and PaaSes, and everything else.</i><p>That&#x27;s a dramatic overstatement if I ever saw one. The rules haven&#x27;t been thrown away. They&#x27;re there, just the subsystems partitioned into multiple namespaces under a single host.<p><i>But then something interesting happened. Web applications got large enough that they started to need to scale.</i><p>The whole portion of the essay about web applications and distributed systems operates under a broken causal chain and continuity. That assumptions break down and new use cases arise with scale is obvious, though here it&#x27;s presented like some recently attained enlightenment, and moreover that every J. Random Hacker should be thinking about distribution and high scalability right from the conception of their CRUD app. Not the case. Dumb setups work for the commons.<p><i>Instead of dealing with simple things like web frameworks, databases, and operating systems, we are now presented with tools like Swarm and Weave and Kubernetes and etcd, tools that don’t pretend that everything is simple, and that actually require us to step up our game to not only solve problems, but to understand deeply the problems that we are solving.</i><p>This paragraph makes no sense. The author is listing completely orthogonal tools.<p>------<p>On to the allegedly solved problems:<p><i>Which is ludicrous because the application relies on the machine and the OS as well as the code, and thinking of them separately makes no sense. Containers unify the OS and the app within the developer’s toolkit.</i><p>Depends on your domain. Plenty of applications are built to be self-contained. The unikernel&#x2F;libOS approach is one that treats the OS as an implementation detail, ironically taking us straight back to the 1950s where all code had to independently initialize the machine, though in a good and reusable way.<p><i>Up until now, we’ve been running our service-oriented architectures on AWS and Heroku and other IaaSes and PaaSes that lack any real tools for managing service-oriented architectures. Kubernetes and Swarm manage and orchestrate these services.</i><p>Those are all different deployment strategies and application environments you&#x27;re mixing up here. It may not be that you&#x27;ve lacked tools so much as you&#x27;ve had no need for them in your use case.<p><i>Up until now, we have used entire operating systems to deploy our applications, with all of the security footprint that they entail, rather than the absolute minimal thing which we could deploy. Containers allow you to expose a very minimal application, with only the ports you need, which can even be as small as a single static binary.</i><p>And it does so by cloning the various subsystems of the host OS into their own namespaces. You don&#x27;t get around using the whole OS, you just work around it because your host OS can&#x27;t handle multi-tenant properly and the dynamic linking quagmire has become a maintenance burden.<p><i>Up until now, we have been using languages and frameworks that are largely designed for single applications on a single machine. The equivalent of Rails’ routes for service-oriented architectures hasn’t really existed before. Now Kubernetes and Compose allow you to specify topologies that cross services.</i><p>This hasn&#x27;t changed. You still need to bolt on lots of heterogenous components. Seamless multi-node distribution is beyond the scope of nearly all language runtimes, or frameworks, though then again nor is there any obligation to support this. At sufficient scale, you will be doing lots of homegrown integration work.<p><i>We couldn’t say “I want 0.1 of a CPU and 200MB of RAM”.</i><p>Pretty sure you could. I&#x27;m assume you&#x27;re referring to the likes of Mesos, in which case I can name at least HTCondor, which is a cluster manager and scheduler not unlike Mesos, intended for HPC. It&#x27;s been around since 1989. Then there&#x27;s the much smaller scale things you could always do to limit resource utilization. It&#x27;s not like this was discovered yesterday.<p><i>Up until now, we’ve been deploying applications and services using multi-tenant operating systems. Unix was built to have dozens of users running on it simultaneously, sharing binaries and databases and filesystems and services.</i><p>Author confuses multi-user with multi-tenant. Unix is the former.<p><i>As an example, how many protocols had to die before we got REST? ... Yet, we still haven’t got the same level of tooling for REST-based APIs that we had for SOAP a decade ago, and SOAP in particular has yet to fully die.</i><p>REST isn&#x27;t even a clear protocol suite like SOAP or CORBA. It&#x27;s more of a design philosophy than a formal definition.<p><i>And the same thing has been going on with programming languages since we escaped Java a decade ago.</i><p>We did?<p><i>If you’re looking for me, I’ll be in the future.</i><p>Damn, it looks an awful lot like the past.

Docker is the present - given we don&#x27;t have jails on linux.<p>Docker COULD be the future, but I frankly hope it&#x27;s not. Despite the idea being good, there are better designed alternatives.<p>Like rkt.

TLDR; A frank retraction of the sentiment expressed sarcastically in the previous post is summarized under <i>Real problems solved</i>. However, each of these points is dubious...<p>1. <i>Up until now, we’ve been running our service-oriented architectures on AWS and Heroku and other IaaSes and PaaSes that lack any real tools for managing service-oriented architectures. Kubernetes and Swarm manage and orchestrate these services.</i><p>While some options for managing large groups of services running on one type of infrastructure do indeed now exist, and this is one step further in automation and therefore a good-thing(tm), it is by no means the end-game and in fact at this stage may not even be desirable as it is in effect simply shifting the basic scope of service-oriented infrastructure comprehension and management from a single service to a group of services, and likewise the units of deployment and management of infrastructure a cluster rather than a host, while making certain (and not safely universal) assumptions about how the service(s) will need to be managed in future.<p>2. <i>Up until now, we have used entire operating systems to deploy our applications, with all of the security footprint that they entail, rather than the absolute minimal thing which we could deploy. Containers allow you to expose a very minimal application, with only the ports you need, which can even be as small as a single static binary.</i><p>Yes but this rarely happens in practice. It&#x27;s like saying &quot;now we use Linux, we get the benefits of NSA SEL&quot;. No, you don&#x27;t. You have to put a lot of effort in to get that far, and it&#x27;s highly unlikely to be used. So this is basically a moot point right now.<p>3. <i>Up until now, we have been fiddling with machines after they went live, either using “configuration management” tools or by redeploying an application to the same machine multiple times. Since containers are scaled up and down by orchestration frameworks, only immutable images are started, and running machines are never reused, removing potential points of failure.</i><p>Yes, immutable infrastructure is good, but we have 100 ways to do this without docker. Docker is like an overpriced gardener who comes to your door, knocks around the garden for half an hour, flashes a thousand dollar smile - ie. put a cute process convention over the top of what&#x27;s there already - and tell you all smells sweet in the rose garden (PS. here&#x27;s your fat invoice). Never trust a workman with an invoice, and never trust abstraction to solve a fundamental problem.<p>4. <i>Up until now, we have been using languages and frameworks that are largely designed for single applications on a single machine. The equivalent of Rails’ routes for service-oriented architectures hasn’t really existed before. Now Kubernetes and Compose allow you to specify topologies that cross services.</i><p>Well that&#x27;s cute, but actually bullshit. We&#x27;ve had TCP&#x2F;IP and DNS for decades. To &quot;specify topologies that cross services&quot; you just go <i>host</i>:<i>port</i>. What&#x27;s more, the standard approach and protocols actually have deployment, documentation, and are known to work pretty well on real world infrastructure. Their drawbacks are known. Now, I&#x27;m not saying there&#x27;s zero improvement to be made, but the way this is phrased is ridiculous.<p>5. <i>Up until now, we’ve been deploying heavy-weight virtualized servers in sizes that AWS provides. We couldn’t say “I want 0.1 of a CPU and 200MB of RAM”. We’ve been wasting both virtualization overhead as well as using more resources than our applications need. Containers can be deployed with much smaller requirements, and do a better job of sharing.</i><p>Sure, we&#x27;ve known that container-based virtualization was far more efficient than paravirtualization for decades. Docker has not actually provided either, nor made it measurably easier to mix and match them as required, so this claim seems bogus.<p>6. <i>Up until now, we’ve been deploying applications and services using multi-user operating systems. Unix was built to have dozens of users running on it simultaneously, sharing binaries and databases and filesystems and services. This is a complete mismatch for what we do when we build web services. Again, containers can hold just simple binaries instead of entire OSes, which results in a lot less to think about in your application or service.</i><p>What kool-aid is this? The implication is that unix and its security model are going to go away as a basis for service deployment because... docker. What? Frankly, I would assert that many application programmers can barely <i>chmod</i> their <i>htdocs&#x2F;</i> if pushed, let alone understand a process security model including socket properties, process state, threads, resource limits and so forth. Basically, the current system exists because <i>it is simple enough to mostly work most of the time</i>. While it may not be perfect, it&#x27;s a whole lot better than throwing the baby out with the bathwater and attempting to rewrite every goddamn tool to use a new security model. The mystical single binary services that docker enthusiasts seem to hold up as their <i>raison d&#x27;être</i> are likely therefore to either tend to be huge, complex, existing processes allowing almost anything (like scripting language interpreter VMs) or nonexistant. By contrast, the &#x27;previous&#x27; unix model of multi-process services with disparate per-process UIDs&#x2F;GIDs, filesystem and resource limitations seems positively elegant.<p>All in all, this post&#x27;s argument doesn&#x27;t hold that much water in my view. However, I applaud CircleCI for working on workflow processes ... I think ultimately these are the bigger picture, and docker is merely one step in that direction.

Excellent article.

I want to like Docker. I just don&#x27;t have the time to learn the tooling and keep up with all the changes. Maybe in a year or two when things stabilize.