Confession of a docker hater

I have to confess: I hate docker, with all my soul. It is the worst piece of software I have seen in the last 10 years.

On the one hand, I genuinely respect the company of the same name. The people at Docker Inc. really did popularize containerization; these days only the lazy have not heard of it. On the other hand, they did not invent anything fundamentally new: containerization had existed for more than 30 years by the time Docker took off (starting with chroot, then jails and zones, and finally namespaces and cgroups).

The cool part is that docker really does speed up development many times over, and if you use it properly, without any loss of quality. In any case docker is here, you cannot get away from it, and you have to use it.

So why does this product with the whale logo evoke such mixed emotions in me? Below I list the things that make me rage. The reader may well disagree, or, on the contrary, discover things they did not know about and find them interesting.

Disclaimer: everything written below is the author's personal opinion and may or may not reflect reality. The material is deliberately provocative; its main goal is not to humiliate or offend anyone, but to make people switch on their heads and realize the depth of the problem (c).

docker and the firewall

When it creates containers on bridged networks, docker adds its own firewall rules to the host. This leads to very interesting effects. First, it becomes impossible to simply flush the netfilter chains (which is what happens when you reapply your own rules), because afterwards the containers' networking is broken and the docker daemon has to be restarted so that it recreates its rules. The iptables-save / iptables-restore utilities also lose their meaning: they do save rules, just not the ones you want, so you have to filter their output. Another very interesting task is combining docker with anything else that tries to manage the firewall on its own, be it a VPN client or server, or a configuration management system that vigilantly ensures the rules match what the administrator described.

Until recently there was no reliable and repeatable way to control network access to a container through the firewall. The developers eventually added a separate DOCKER-USER chain (it hangs off FORWARD ahead of docker's own rules and docker leaves its contents alone, so rules for published ports have to go there rather than in INPUT, which DNAT'd traffic to a container never reaches), but to be honest there is no sense in it.
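The text above says you end up filtering the output of iptables-save by hand. The following is an added example of doing that filtering (my code, not from the original post and not part of Docker): it splits an iptables-save dump into the administrator's rules and the ones dockerd generated. The dump it runs on is constructed (addresses and ports invented); the chain names DOCKER, DOCKER-ISOLATION-STAGE-1/2 and DOCKER-USER are the ones dockerd really creates, while the bridge name and container subnet are assumptions you must extend for user-defined networks (br-* bridges and their subnets).

```python
"""Split an `iptables-save` dump into admin rules and dockerd-generated rules.

Added example, not code from the original post. SAMPLE_DUMP is constructed
to resemble a host where one container publishes its port 80 on host port
8080; the chain names are real dockerd chain names, everything else is
invented. The heuristics below are mine.
"""
import ipaddress
import re

# Chains dockerd owns outright. DOCKER-USER is deliberately absent: dockerd
# only creates it, its contents belong to the administrator.
DOCKER_CHAINS = frozenset({"DOCKER", "DOCKER-ISOLATION-STAGE-1", "DOCKER-ISOLATION-STAGE-2"})
DOCKER_BRIDGES = frozenset({"docker0"})                    # assumption: add br-* names for user networks
DOCKER_SUBNETS = (ipaddress.ip_network("172.17.0.0/16"),)  # assumption: docker0's default subnet

_CHAIN_RE = re.compile(r"^-[AI]\s+(\S+)")
_JUMP_RE = re.compile(r"\s-[jg]\s+(\S+)")
_IFACE_RE = re.compile(r"(?:^|\s)(?:!\s+)?-[io]\s+(\S+)")
_ADDR_RE = re.compile(r"(?:^|\s)(?:!\s+)?-[sd]\s+(\S+)")

SAMPLE_DUMP = """\
# Generated by iptables-save v1.8.7 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 203.0.113.0/24 -p tcp -m tcp --dport 80 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""


def is_docker_managed(line, chains=DOCKER_CHAINS, bridges=DOCKER_BRIDGES, subnets=DOCKER_SUBNETS):
    """True when an iptables-save line looks like something dockerd generated."""
    if line.startswith(":"):                       # chain declaration ":NAME POLICY [p:b]"
        return line[1:].split()[0] in chains
    if not line.startswith("-"):                   # *table, COMMIT, comments: keep
        return False
    m = _CHAIN_RE.match(line)
    if m and m.group(1) in chains:                 # rule inside a docker chain
        return True
    m = _JUMP_RE.search(line)
    if m and m.group(1) in chains:                 # rule jumping into a docker chain
        return True
    if any(dev in bridges for dev in _IFACE_RE.findall(line)):
        return True                                # rule matching a docker bridge
    for addr in _ADDR_RE.findall(line):            # rule matching a container address
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        if any(net.version == s.version and net.subnet_of(s) for s in subnets):
            return True
    return False


def split_dump(text):
    """Return (admin_lines, docker_lines) for an iptables-save dump."""
    admin, docker = [], []
    for line in text.splitlines():
        (docker if is_docker_managed(line) else admin).append(line)
    return admin, docker


if __name__ == "__main__":
    kept, dropped = split_dump(SAMPLE_DUMP)
    print("\n".join(kept))
    print(f"# dropped {len(dropped)} dockerd-generated lines")
```

The DOCKER-USER chain, the FORWARD jump into it and the rules you put there are kept, so the filtered dump is a complete picture of what the administrator owns and still loads with iptables-restore. Note that loading it wholesale while containers are running removes docker's chains and breaks their networking until dockerd is restarted, which is precisely the complaint above; the filtered dump is for keeping your own ruleset in version control and diffing it, not for replacing dockerd's rules.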

: , , β€” . , INPUT , NAT ( CentOS docker run ... -p XX:YY
)

, , , β€” docker- , , . , , .. docker'.

docker

docker- docker-bridge docker0, , - . (!) DNS . ( docker network create

docker-compose). . 172.16.0.0/12. , , . β€” . , bip , docker-compose , .. .

-p --publish, network host mode β€” 5% , … :-) - , docker NAT.
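The networking section above mentions docker's default address range inside 172.16.0.0/12 and the bip setting. As an added example (my code, not from the original post or from Docker), here is a check that a planned daemon.json address layout does not collide with the routes a host already has. The daemon.json keys `bip` and `default-address-pools` are real dockerd settings; the route listing and the pool values are constructed, and the "default-like" pool is an approximation of the out-of-the-box behaviour, not a copy of dockerd's built-in list.

```python
"""Check a planned docker daemon.json address layout against the host's routes.

Added example, not code from the original post. HOST_ROUTES is a constructed
`ip route` listing (addresses invented) for a host that lives in a corporate
172.16.0.0/12 network. The daemon.json keys are real dockerd settings; the
values are mine.
"""
import ipaddress

HOST_ROUTES = [
    "default via 172.20.0.1 dev eth0",
    "172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.3.14",
    "172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
]

# Assumption: mimics the default behaviour (/16 networks carved out of
# 172.16.0.0/12). dockerd's real built-in list differs in detail but lands in
# the same range, which is what collides with corporate networks.
DEFAULT_LIKE_CFG = {"default-address-pools": [{"base": "172.16.0.0/12", "size": 16}]}

# A layout moved into space the host does not route (values are mine).
SAFE_CFG = {
    "bip": "10.200.0.1/24",
    "default-address-pools": [{"base": "10.201.0.0/16", "size": 24}],
}


def route_prefixes(route_lines, skip_dev_prefixes=("docker", "br-")):
    """Destination prefixes from `ip route` output, ignoring docker's own bridges."""
    nets = []
    for line in route_lines:
        fields = line.split()
        if fields[0] == "default":
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else ""
        if dev.startswith(skip_dev_prefixes):
            continue
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def pool_networks(daemon_cfg):
    """Every subnet dockerd could hand out under this daemon.json."""
    nets = []
    if "bip" in daemon_cfg:                                    # docker0 itself
        nets.append(ipaddress.ip_interface(daemon_cfg["bip"]).network)
    for pool in daemon_cfg.get("default-address-pools", []):  # docker network create / compose
        base = ipaddress.ip_network(pool["base"])
        nets.extend(base.subnets(new_prefix=pool["size"]))
    return nets


def conflicts(daemon_cfg, route_lines):
    """(pool subnet, colliding route) pairs as strings; empty means the layout is safe."""
    routed = route_prefixes(route_lines)
    return [(str(n), str(r))
            for n in pool_networks(daemon_cfg)
            for r in routed
            if n.version == r.version and n.overlaps(r)]


if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE_CFG), ("safe", SAFE_CFG)):
        print(name, conflicts(cfg, HOST_ROUTES) or "no conflicts")
```

Run it against real `ip route` output (and the routes of your VPN, which is exactly the case the text complains about) before the first `docker network create` or `docker-compose up`, because once a network exists docker will not move it.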

docker β€”

, , ? . β€” "" aufs, overlay2, .. . β€” . volume image, - . , overlay2 . docker info .

β€” ! - -. ( ) β€” . , -.

docker hub β€”

Docker Inc. β€” Docker Hub. , . , ( ). , ? , , - . β€” root' . , , . β€” , , .

β€” . , β€” . , - ( , ). β€” , . β€” β€” python, ruby, node.js. golang java β€” .

? β€” , β€” β€” registry -. ( , , , , k8s).

registry vs repository, bind mount vs volume ( docker run ... -v

, ), tag vs image name, EXPOSE vs expose vs ports, volumes (, ...). . , , .. . , , .. , .

β€” docker . . . . . systemd unit' (, β€” - ), bash.

, docker-compose. , . depends_on, β€” , .. ( docker-compose up) , . , ( 2.4 docker-compose).

docker-compose

docker-compose β€” 2.*

3.*

. . 3.* docker swarm . .

100500 docker docker-compose. . , - docker, Docker Inc. . "" docker.io docker-ce. , , , . Docker

, , docker Ubuntu snap. - . . , docker .

docker-compose β€” pip β€” . -, docker-compose ( ). -, python (! ), docker-compose (, β€” , , ). β€” β€” . ( β€” md5sum).

docker

docker β€” , . , docker agile- : . , . β€” , - root . , :

docker run --rm -it -v /:/rootfs ubuntu bash

, . , . (), .

, , bind mount ( -), . , , , , hot reload' . , β€” bind mount docker run ... -v ...

root . bind mount (docker run ... --mount ...

), , . ? , :-) β€” volume ( /var/lib/docker/volumes

, docker . , , CVE .

docker -

linux-kind . , .. docker namespaces cgroups . ? , Mac Windows docker Docker Desktop , volume ( , .. ). , .

docker

100% . iops, . , , β€” , . , , . β€” dentry

docker

By default docker uses the json-file logging driver and writes each container's output to /var/lib/docker/containers/<hash>/<hash>-json.log on the host.

. , ? . " "

β€” journald, docker logs ( !?). β€” , Docker-EE, ?

β€” ? . , , .
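Since the logging section above is about the json-file driver, here is an added example (my code, not from the original post or from Docker) of reading those files the way an incident-response script has to. The one-JSON-object-per-line layout with "log", "stream" and "time" keys is the real json-file format; the messages in SAMPLE_LOG are constructed. Two things bite in practice and are handled here: long output lines are split across several entries, only the last of which ends in a newline, and the final line of a file that is still being written is often cut mid-object.

```python
"""Read docker json-file container logs, reassembling split entries.

Added example, not code from the original post. SAMPLE_LOG is constructed
to look like /var/lib/docker/containers/<id>/<id>-json.log (layout real,
messages invented). The last line is deliberately truncated, as happens
when you copy a log file out from under a running container.
"""
import json

SAMPLE_LOG = (
    '{"log":"listening on :8080\\n","stream":"stdout","time":"2024-01-01T10:00:00.000000001Z"}\n'
    '{"log":"TLS: certificate expires in 3 days\\n","stream":"stderr","time":"2024-01-01T10:00:01.000000002Z"}\n'
    '{"log":"GET /admin 401 user=","stream":"stdout","time":"2024-01-01T10:00:02.000000003Z"}\n'
    '{"log":"alice ip=203.0.113.7\\n","stream":"stdout","time":"2024-01-01T10:00:02.000000004Z"}\n'
    '{"log":"panic: something broke\\n","stream":"stderr","time":"2024-01-01T10:00:0'
)


def parse_json_file_log(text, streams=("stdout", "stderr")):
    """Return (time, stream, message) tuples for the requested streams.

    Entries without a trailing newline are chunks of one long line; they are
    joined per stream and stamped with the time of the first chunk. `time` is
    kept as the RFC3339Nano string docker wrote (datetime cannot parse the
    nine fractional digits); `message` has its trailing newline stripped.
    """
    pending = {}                    # stream -> (time of first chunk, text so far)
    records = []
    for raw in text.split("\n"):
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                # partial write at end of file, or corruption
        stream = entry.get("stream")
        if stream not in streams:
            continue
        chunk = entry.get("log", "")
        first_time, so_far = pending.get(stream, (entry.get("time"), ""))
        so_far += chunk
        if chunk.endswith("\n"):    # end of a logical line
            records.append((first_time, stream, so_far.rstrip("\n")))
            pending.pop(stream, None)
        else:                       # docker split a long line; wait for the rest
            pending[stream] = (first_time, so_far)
    return records


if __name__ == "__main__":
    for when, stream, msg in parse_json_file_log(SAMPLE_LOG):
        print(when, stream, msg)
```

The truncated panic line is dropped rather than half-parsed; when you need it, take the file again after the container has stopped, or read it through `docker logs`, which sees the complete entry.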

docker

. , docker . , systemd-nspawn. β€” , Vagrant, VirtualBox lxc/lxd, . docker , kubernetes β€” containerd, .

: docker-compose β€” YAML docker-compose- ? docker swarm (kubernetes ) β€” . Docker Inc. ( ), (*) , . .

The END

? β€” docker β€” . , . . docker β€” . , , cri-o/podman/buildah, . FireCracker, ( ) ( ).

, .

(*) β€” docker-template, multi-stage docker build, buildkit , β€” .
