Docker hate thread

> root user inside docker container is equal to root in the host!
> one process per container
> no persistence of storage inside the container, unless you commit the container to a new image or add volumes which are slow bullshit too
> docker images are based on overlayfs which is slow dogshit in exchange for muh git like capabilities
> docker images are bloatware, it's basically a complete linux distro plus your app. It's basically the same attack surface as the host!
> bloatware internetworking between services, want unix sockets? fuck you!

Docker is the Microsoft of containers, it's horseshit and run by incompetent hacks, Docker sets stupid conventions for years to come for containers just like Microsoft did with operating systems. It's yet another example that retards can prevail

I don't know much about docker, care to explain?

> root user inside docker container is equal to root in the host!
but container can't access anything on host, can it?
> one process per container
wtf is this for real?
> no persistence of storage inside the container
how do people run database servers in it?
> docker images are bloatware, it's basically a complete linux distro plus your app
can't you run something like IncludeOS?
>complete linux distro plus your app
that's why container distros started to appear, also not Docker's fault that linux distros are bloated
>It's basically the same attack surface as the host!
it's less attack surface than full VM hypervisor, looks like stronger isolation than chroot, not all containers are exposed to outer network and have pretty strict per-container firewalling rules

>expecting good design from meme software built to exploit buzzword culture
cloud and everything related to it is a meme
if we kept treating "clouds" as servers, remote services or remote machines instead of trying to move the entire known universe into the cloud we'd be fine, but the modern trend of having to dress everything up in easy to digest buzzwords and the tendency for using 20383 layers of fancy software just so you can claim your shit is complex and uses modern solutions is what got us into this mess
we live in really shitty times when simplicity is considered stupid and complexity is considered genius, making a simple solution to a complex problem is what takes genius, not the other way around

Containers were devs and projects and admins saying "Patching VMs is a bother, can't we abstract all this away somehow?" Well, no, actually you can't, but they built it anyway. And now we just have the same problems only they're harder to solve now because of the extra crap.

What's better alternative?

>Dockerfile to start with a bloated image of UBANTO, apt-get install some shit, copy some config files and scripts then never ever be updated
>Instead of defining your entire OS environment through a single configuration file (if you prefer) including all services, networking, users, hardware config and whatever containers you like and easily being able to update or roll back effortlessly

NixOS (or GuixSD for RMS autists) are the real good shit.

Congratulations you have no idea what you're doing.

>but container can't access anything on host, can it?
It's not supposed to be able to, but there are a series of gaps in this if the application is running as root. The argument of course is "don't run as root" but the point is it's not as good as a VM.
>wtf is this for real?
Yes and no. The design goal of docker is one process per container. You can technically run as many as you want.
>can't you run something like IncludeOS?
This is a fair point. People are starting to use Alpine based images that only burn a few MB.

do you think posting a comment like that will make you look smart?

>> root user inside docker container is equal to root in the host!
Not exactly, but the docker daemon does run as root, so...

>> one process per container
Run a supervisor like s6.

>> no persistence of storage inside the container, unless you commit the container to a new image or add volumes which are slow bullshit too
If you're also using Kubernetes you can have per-node persistence. And better options with volumes.

>> docker images are bloatware, it's basically a complete linux distro plus your app. It's basically the same attack surface as the host!
No worse than a chrooted environment.

root inside docker is similar to a chrooted root to be more precise. It's able to do anything unless prohibited by the parent process
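The "is container root the same as host root" question argued over in the posts above can be checked from inside a container. The following is an added example, not part of any post in the thread: it reads text shaped like `/proc/self/status` and `/proc/self/uid_map` and reports whether uid 0 maps to uid 0 in the parent user namespace and which host-affecting capabilities are held. The names `HOST_CAPS`, `host_uid_of_root` and `audit`, and the sample strings, are constructed for illustration.

```python
import re

# Capability bits (linux/capability.h) that act on the host kernel and that
# Docker's default capability set leaves out; seeing one means extra privilege.
HOST_CAPS = {2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
             17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def host_uid_of_root(uid_map):
    """Parent-namespace uid that uid 0 maps to, or None if uid 0 is unmapped."""
    for line in uid_map.splitlines():
        fields = line.split()
        if len(fields) == 3:
            inside, outside, count = map(int, fields)
            if inside <= 0 < inside + count:
                return outside - inside
    return None

def audit(status, uid_map):
    """Summarise how much host privilege a process holds, from /proc text."""
    euid = int(re.search(r"^Uid:\s+\d+\s+(\d+)", status, re.M).group(1))
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", status, re.M)
    mask = int(cap.group(1), 16) if cap else 0
    mapped = host_uid_of_root(uid_map)
    return {
        "euid": euid,
        "host_uid_of_root": mapped,
        "root_is_host_root": euid == 0 and mapped == 0,
        "host_caps": [n for bit, n in sorted(HOST_CAPS.items()) if mask >> bit & 1],
    }

# Constructed samples shaped like /proc/self/status and /proc/self/uid_map.
NO_USERNS = "         0          0 4294967295\n"   # no user namespace remapping
REMAPPED = "         0     100000      65536\n"    # daemon started with userns-remap
DEFAULT_ROOT = "Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
PRIVILEGED = "Uid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
APP_USER = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for name, status, umap in [("default root", DEFAULT_ROOT, NO_USERNS),
                               ("privileged", PRIVILEGED, NO_USERNS),
                               ("userns-remap", DEFAULT_ROOT, REMAPPED),
                               ("non-root user", APP_USER, NO_USERNS)]:
        print(name, audit(status, umap))
```

Inside a real container, pass the contents of `/proc/self/status` and `/proc/self/uid_map` to `audit` instead of the samples; with nested user namespaces the mapped uid is relative to the parent namespace rather than the host.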

>the point is it's not as good as a VM
but VM hypervisors are notoriously buggy and get escapes from ridiculous things like floppy controller, containers have far less attack surface
>process per container
does multi-threading inside a container at least translate to threads in the host or something like that?

Docker = chroot + cgroups + overlayfs.

It's funny how much Docker rectally reks old sysadmins.

Docker is leaky abstraction AIDS

None atm. OP makes Docker look like a meme whereas in reality it's solid af to have consistent environment in one command on any machine.

> LE HUUR DUUUR DOCKER SUCKS maymay

t. brainlet who doesn't know the basics of Docker.

It made my job way easier,
but keep hating on it, while some people are easily scaling on any host with seamless deployment on every OS,
making more money than you NEET.

I'm tired Jow Forums. You make everything good IT things look like meme whereas you're shilling for the worst REAL memes like Javascript.

>Docker
Did you mean rkt?
>What you guys are referring to as rkt, is in fact, systemd-nspawn/rkt, or as I've recently taken to calling it, systemd-nspawn plus rkt.

OP here

the simple fact that you did not refute any of my arguments shows that YOU are the one that doesn't know shit about Docker. You're merely a brainlet devops who uses it without understanding the foundations upon which Docker is based like namespaces, cgroups and capabilities.

I have nothing against containers in general, I just listed my arguments against Docker itself

Plus one

> whereas in reality it's solid af
KEK.
thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/
Yes, it's 2016 and everybody moved to new kernels, it should have been improved. However, what I am worried about is immature Docker inc. team.
Look at Postgres, it's possible to build at least 9.6 under Squeeze, released 7 years ago. Look at Zabbix, they still build Squeeze debs for some of their supported releases. This is what enterprise wants, support for both EOL and newest distros, Docker does not provide that and essentially the only way to use it is a "cloud" infrastructure, which is updated by the separate team and hardly supports legacy.
Either way, Docker is good for startups which don't have to support legacy (yet). I'll stick to LXC and/or OpenVZ.

>literally developed by pajeets

LXC is clean and simple. I just don't like the way they deal with filesystems, it's basically a directory, if you mess with it, you're fucked unlike docker images.

> Docker is good for startups which don't have to support legacy (yet).
Agreed. Wouldn't work for big firm with a lot of legacy stuff.
Depends on your job.

Currently working for a startup and I still find Docker very handy.
Raw LXC can't be managed on other OS'es like Windows or Mac.

> using Docker from anything but linux

Is there anywhere a more sophisticated discussion on Docker's pros and cons? I am actually curious.

It is a tool widely used and shilled by code artisans in the Bay Area. Guess where they run it.

docker is created by retarded macfags
you can tell by how it needs hyper-v to work on windows.

Come on, does not anyone of you faggots have a link to a serious discussion about this topic?

>non .NET software development on windows

Shiggerydiggerydoo.

The RMS autists did a lot better than NixOS with this one as they have call-with-container and such. Guix is probably the best container tool yet and it can export to docker if your workmates are idiots.

GUIX had the advantage of being rewritten from scratch with some of the nix devs, whereas the nix package manager is some rolling monstrosity that hasn't been refactored properly yet. Plus guile is super great in this particular scenario.

It's not just that. It's also the fact that everything is a service, which lets you use things someone else has built quite easily.

Interesting opinion here.
Never seen things that way before user.
Looks like buzzwords first take over Ameritards, and then, as usual, the rest of the world followed blindly.

America is the bane of humanity and should be nuked clean.

this is a serious discussion you idiot

Anyone who isn't a pajeet just uses deploy scripts with LXC or jails depending on platform.
Prove me wrong protip you can't.

Asian here. You're just as dumb as your ameritard counterparts.

has anybody here used rkt before?

It’s not supposed to be a VM wojak.

Well, I think it was ok, but I feel like the use case is always strange.

The container almost always relies on apt/yum/whatever package manager to build itself. So it does not make my life any easier or harder.

I kinda get it that it is supposed to be used for semi-complicated cases but man, I'd rather use VM.

>root user inside docker container is equal to root in the host!
>one process per container

Yea....... agree here.


>no persistence of storage inside the container, unless you commit the container to a new image or add volumes which are slow bullshit too

What are you persisting?

The only time I've used this feature is for DB persistence in dev. I have yet to see volumes used in production.

>docker images are bloatware

We use both Go and Node docker images at my day job. Node image sizes are < 60 mb. Go image sizes are < 30 mb.

> root user inside docker container is equal to root in the host!
so give your containers a secure user?
> one process per container
learn what a cgroup is my man.
> no persistence of storage inside the container, unless you commit the container to a new image or add volumes which are slow bullshit too
persistent storage inside a container is a retarded idea, this is why you mount data volumes. CONTAINERS SHOULD BE STATELESS.
> docker images are based on overlayfs which is slow dogshit in exchange for muh git like capabilities
i won't argue there
> docker images are bloatware, it's basically a complete linux distro plus your app. It's basically the same attack surface as the host!
go read why people are for localizing dependencies please.
> bloatware internetworking between services, want unix sockets? fuck you!
only you can use sockets FINE, AGAIN MOUNTED VOLUMES.

Listen, docker is a programmer's first container. it's good enough for most things. Are there better containers out there? Yes--Mesos. Do most people need a big ass data-center abstraction framework? No.

If you're going to start a docker hate thread at least show that you've used it for more than 5 minutes and have thoughtful criticisms.

>learn what a cgroup is my man
that's how you detect the retard, ignored

what exactly do you think it is that docker uses to manage resource control on containers?

I hate docker because my company works from the mindset of 'how can we take X and jam it into a docker container?' instead of 'will X benefit from being containerized?'

that's honestly the only real problem I have with docker is its misuse. I ran into the same thing all the time with people wanting to do things like run a Solr cluster in docker. It makes no sense to store continually growing indexes in a container, that's a recipe for disaster.

regular ole vms
>something goes wrong in one of the servers
>ssh to it
>find the problem
>look for solution for 5 hours reading through every config and manuals, stackoverflow
>fix the problem
>download and reinstall something that went wrong
>reconfigure it again

docker
>something goes wrong in one of the servers
>delete the fucking thing and put another new one up

lmao good luck keeping your job in the next 5 years. almost every big company is containerizing their systems and applications