Redpill me on Docker

When I first read about the whole docker containers idiocy I decided that it is just silly snake-oil for people who are too dumb and lazy to type yum/apt-get install.
But people are trying to tell me constantly that it is the greatest thing since electricity.

it is pretty great desu

>>>/reddit/

>>>/reddit/

Oh, wow. Paid shills, paid shills everywhere apparently.

docker run -it ubuntu
You now have a fully functioning Ubuntu server environment, with only one command. Literally no prerequisites besides Docker itself.

docker run -it --link db:db postgres --name repl python3
You now have a PostgreSQL-connected interactive Python session. One command, no dependencies.

docker run /
You now have the exact same environment as , so no more "Works on my Machine™". Saves a lot of time when working with teams of developers and is downright revolutionary when working with scientists, where reproducibility of results is paramount.

You get all of this for a mere 3% performance penalty at worst.

It's one step below passing VMs around, the kind of shit that papers over issues instead of fixing them. Who's gonna fix them? Not me!

Not everyone uses Debian-based distros.
Not everyone is on the same version of whatever Debian-based distro you're using.
Not everyone has access to the same version of C libraries necessary for your application to work, probably because the package maintainers of their distro are lazy NEETs.
You can't always ship a statically-linked binary to get around this, as you can't embed something like redis.

Operating systems are an abstraction over a huge variety of hardware. Runtimes are an abstraction over a variety of operating systems. Docker is an abstraction over a variety of runtimes.

actually it would be more accurate to say that Docker is an abstraction over a huge variety of environments (OS + hardware + package manager + available libraries), as you don't actually write Docker-specific code - you can dockerize literally any binary without needing to change its source code

...

No, you're just mentally ill.

It's a way to make a virtual operating system that uses very few resources. It's a step above a chroot, but a similar concept.

You properly separate the software from the host environment, which means the environment is the same for everyone and stops problems caused by different versions, distributors and installed packages. It also helps security. Malicious software would need a serious exploit to affect the host or other containers. There have been exploits like that in the past.

Docker is arguably overhyped/overused, but it's useful.

Alan Kay talked about passing around VMs on the Alto in the 1970s. Or at least the idea was around then and it was supposed to be implemented in Smalltalk. JSON is another idea implemented on the Alto in the 70s. Alto applications were apps written in a VM and sent objects over the network. JSON is just a textual representation of an object in a file. Everything in UNIX is a file. If you study the Alto and simply implement the missing features on our UNIX-based paradigm of computing you will have a billion $+ company and escape NEETdom and masturbation.

Yeah, and I've run into both missing and differing library issues moving an application from Ubuntu to CentOS or the other way around multiple times, because I run both depending on the client.
You're arguing apples vs oranges.

Arguably docker is more of a Windows-based model. One machine/VM per service, same shit Windows admins do.
That's not to knock it; where I can't use it I do miss it just for ease of reproducibility alone, but it's mainly a failing in multiple aspects depending on what you use it for. In some cases it could be exclusively characterized as a bazaar ecosystem failure. In others it could be characterized as a failure in decent deployment/orchestration tools. Or a lack of good separation or security enforcement in the Linux ecosystem.
All depends, but it does fill a need.

Not fully implemented by most distros. Even Debian gave up on following all of it. It also doesn't cover enough to make software portable to the extent Docker does.
Language-specific.
That's already enough to hinder portable packaging.

It's true that you can make a killing with forgotten ideas from the 70s (sad state of affairs, really) but I'm not sure how that is relevant to the thread. In practice, Docker is used because environment setup has turned into an incomprehensible mess. Something similar can be seen among Ruby people, but there it is the build process which is so terminally fucked that the developers resort to passing around Docker images.

That is a misunderstanding by the way. In Unix, "everything is a file" because everything uses the file API (or is supposed to). That notion is unrelated to JSON objects (which are really just Javascript objects, why did they get their own name?).

JSON is its own thing because it's so often used without javascript. I regularly fetch JSON built by PHP to process with a tool written in C for use in a shell script. No javascript involved there.

And its specification is separate from and slightly incompatible with javascript. It's not a strict subset because it allows some unescaped characters javascript doesn't.

I see, it makes sense if it's incompatible. But it makes me question the competence of its designer.

Not on my machine, apparently.

[email protected]:~$ docker run -it --link db:db postgres --name repl python3
Unable to find image 'postgres:latest' locally
Trying to pull repository docker.io/library/postgres ...
latest: Pulling from docker.io/library/postgres
357ea8c3d80b: Pull complete
c2c7a60f64c5: Pull complete
41ae9dccaf61: Pull complete
f97dc66893de: Pull complete
ff0ae6b27f85: Pull complete
0ad5d181a0a1: Pull complete
6861d8947ef1: Pull complete
344507bd6890: Pull complete
c99d65d740b7: Pull complete
5feaa8590d3d: Pull complete
a0f3af5df7fc: Pull complete
Digest: sha256:49beb9182d0107fec18e5bbac962bffb887092563964d5ba2f4d9614c590c4bf
Status: Downloaded newer image for docker.io/postgres:latest
docker: Error response from daemon: Could not get container for db.
See 'docker run --help'.

also what

said.

It's irrelevant unless you have a specific usage case for it. It won't replace your current workflow with chef/puppet and VMs and it makes sense only in massive deployment of services.

What comments like miss is that containers (and their wife's son) aren't really supposed to be touched again. Interaction bits add spaghetti to a solution that was designed against spaghetti. Containers provide a service and you're not supposed to interact with it from an administrative PoV. They just "run".

Containers are not a security-wise solution. A hardened dedicated KVM in the same OpenStack won't be replaced by this shit. It's just a collaborative and eventually a massive-deployment solution.
Chances are you don't have a specific usage case for it so don't wrap your head too hard with this.

oy vey

If you ever say to yourself "I should run a VM", you should ask if it can be done in a container; you have much higher performance than a VM and much more visibility into what each of your "VMs" is doing.


That is not the container way, that is the Docker container way. Docker wants a container to be stateless, but there is nothing about containers that says so; chef/puppet can boot up containers just like VMs.

Containers have been around for ages and with devops focused tools like docker they will become much more widely used, hosting providers like Joyent and Springs will give you containers at a much cheaper price than a VM, economics will dictate it.

They are in everything but Linux. Zones and Jails were built from the ground up to be every bit as secure as KVM, even more so as you don't have to do elder god code for emulating hardware devices.

illumos distributions already do Docker support natively by running binaries in lx-branded zones. FreeBSD 11.0 will have 64-bit Linux binary compatibility (already there in CURRENT) which will allow you to do the same thing.
wiki.freebsd.org/Docker

Don't blame containers because Linux decided to nigger rig their solution with cgroups.


The J in JSON is one of Crockford's biggest regrets because he really meant it to be a universal way to represent and exchange data.

It got its name the same way JavaScript got its name: misguided marketing.

JSON is now part of the ECMAScript specification.

Correct, but this thread is about docker.
We got that. Nice for you.
Colour me surprised
to use the best tool for the job, and docker is a nice tool for some jobs. Any major company in the server business has delved into docker, just for its stateless usage cases. The same businesses have invested and continue to invest in other technologies if we are talking about VMs & deployment, where the trade-offs considered are probably different than the ones you consider.
Containers (and docker) have been around for quite a while already, and the businesses in this area pretty much made their choice.

"What if" discussions and pseudo-academic debates on the usage of "dynamic" containers over KVMs would deserve a separate, different thread (given that none of that intellectual onanism will ever have repercussions on docker itself)

I feel and felt the need to strongly underline that docker is not a security solution because I've seen some shit. Like, juniors trying to deploy services inside KVMs using docker "because they heard that it's secure since it's stateless" only to discover that 99% of the time they didn't want a stateless container. The same guys disabled other hardening techniques to get it running somehow. A total security nightmare. If you're using KVM and OpenStack, use KVM and OpenStack. Nigger.

There are apparently a lot of people ready to use docker for a fake sense of security, and I felt the need to underline that it's stupid. There's a ruby-alike community around these tools.

There's no fake sense of security, people just don't read the docker security page, and they're too fucking lazy to drop caps that are not needed.

This thread is about docker but it seemed like you addressed containers as whole, I believe it is valuable to differentiate the two.

Well yes, but I think it's worthwhile showing that containers and docker can be secure; in FreeBSD's case its security is putting docker in a jail.

There are retards who view it like the new way of not using unix on unix and it does have a hipster bullshit community around it, I do agree.

Unless you restrict the ever living fuck out of junior shenanigans then they will fuck shit up regardless of what they're on.

While containers have been around for a while they haven't really been visible unless you were a Sun customer or one of the 15 people on earth who used FreeBSD 10 years ago; Linux is having teething issues due to NIHS.

Normal people are already using it more and more and the simple ability to have much higher tenancy per box will make VPS providers market it so they can be more profitable.

And, actually, after reading the docker security page (it seems to have changed since I last read it) you now have to whitelist capabilities beyond the limited subset. Which means you need a full-blown kernel exploit in addition to some sort of pivoting with the capabilities that are available within the container they've escalated in.
Hardly a wet paper bag.
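The two posts above (dropping caps that aren't needed, and Docker's whitelisted subset of capabilities) can be checked from inside a running container by decoding the CapEff bitmask the kernel reports in /proc/<pid>/status. This is an added example, not code from the thread or from Docker; the capability bit numbers follow linux/capability.h, the default set is Docker's documented 14 capabilities, and the two status excerpts are constructed samples.

```python
# Added example: decode the Linux capability bitmask from /proc/<pid>/status
# and compare it with the set an unmodified `docker run` leaves a container.
import re

# Capability numbers from linux/capability.h (list index == bit number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The 14 capabilities Docker grants by default (the "limited subset").
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def audit_status(status_text):
    """Compare a process's effective caps with Docker's default set."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line in status text")
    effective = decode_caps(match.group(1))
    return {
        "effective": effective,
        "beyond_default": sorted(effective - DOCKER_DEFAULT_CAPS),   # should be empty
        "dropped_from_default": sorted(DOCKER_DEFAULT_CAPS - effective),
    }

# Constructed /proc/1/status excerpts: a plain `docker run` (Docker's default
# mask) and a `--privileged` run (all 41 capabilities on a current kernel).
DEFAULT_RUN = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_RUN = "Name:\tsh\nCapEff:\t000001ffffffffff\n"
```

Run `audit_status(open("/proc/1/status").read())` inside a container: a non-empty `beyond_default` means something granted more than the default, and a long `dropped_from_default` shows `--cap-drop` actually took effect.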

So, to sum this shit up, docker is basically just hype and a few old tricks with templates and a bit of CM thrown in.
Nothing to see here, move along.

A lot of "VPS" and hosting providers basically did similar stuff years ago, with chroot.
Also, AIX WPARs and LPARs did everything Solaris zones could, but better.

Bro do you have any idea how good it feels to have a container set up for postgres BY the postgres guys?

It's pretty great.

Do you know how great it is to have a SPARC server running Oracle on top of a real Unix fully configured by the Oracle guys.
You know, the ones that actually get paid good money to do a good job and that you can sue.

The lazy person here is you.

Aw how cute.

Now back to the matter at hand, the Docker fanbois, and paid trolls, here bitch and whine about devs and distro maintainers not doing a good job of configuration management, then they turn to those same devs and distro maintainers for container images.
Dat circular logic.

I bet you compile your own distro using your very own kernel fork, don't tell me you use a package manager after calling containers lazy?

No, they complain that distro-specific environments are never going to be the same as other distro-specific environments. That's not the distro maintainer's fault, it's a problem caused by the whole distro model. It's not that there's something wrong with any distro-specific environment in particular, it's that you want everyone to use the same distro-specific environment for a particular piece of software, without a strong preference for which environment, because that saves everyone a lot of trouble.

Well then, the developer can develop on the distro the stuff will actually be deployed on, not on a fucking macbook.

Aww, ain't that cute, more asshurt from an obvious little paid shill.

What are you trying to say? Is this still a problem with Docker or is it a problem with a subset of its users?

Docking is a term for when two poofters rub the heads of their penises together and place one of the heads inside the other's foreskin somehow.

Sounds perfect for you guys.