[Swlug] Docker, containers, oh my!

David Goodwin david at codepoets.co.uk
Fri Apr 21 10:53:26 UTC 2017


>
> David - when you say in hindsight you chose the wrong technology with
> LXC, what do you mean?

(I chose over 2 years ago).

Since then all the new products/development seems focussed around 
Docker; LXC looks like it's really only supported by Ubuntu, so I'm 
skeptical that it has a long term future.

I can't (for instance) run an LXC container within Kubernetes or AWS's 
EC2 Container service.

There aren't anywhere near the same number of pre-built images for LXC 
as there are for Docker.

LXC doesn't have an equivalent to 'Dockerfile' - so it's not as easy to 
integrate it into a project.


In my current job we've been using Docker images a little (through 
Kubernetes on EC2) and they seem alright. Although they're not being 
used for anything mission critical yet.

>
> My reasons for the original questions are that, in looking for a new
> role, I’m finding Docker mentioned a lot and it gives me some pause. I
> don’t actually think there is a lot wrong with the 'traditional’
> packaging apps into an OS native format, using config management to set
> up a VM and deploy into that. I can see the theoretical benefits of
> Docker, but the extra overhead and complexity, security and storage
> matters seem like a time sink.


I'm sure people will continue using virtual machines.

The big 'win' from docker is the images - being able to quickly/easily 
deploy something in production and know it's identical to what you 
tested against.

Obviously you could use vagrant/kvm/whatever in the same way.


>
> ...but issues around patching of the base containers and general workflow seemed
> rather nebulous.

I used LXC as an attempt to isolate websites from each other. I can't 
trust the code random designers will upload / host. It was not economic 
to have a dedicated VM per site ... so LXC was a compromise.


I work around update deployment by having a 'master' container image on 
each host which I update through ansible every so often. Each LXC 
container is rebuilt from that btrfs snapshot on a weekly basis.


The problems were:

* Technology stack was too immature at the time - I spent a few months 
dealing with BTRFS kernel panics, realising BTRFS's quota support is 
rubbish, trying to get networking to work on EC2 etc, dealing with 
memory limits etc.... realising I'd be better off packaging my own 4.x 
kernel to use on Debian stable etc.

* Doesn't scale that well - while btrfs snapshots are very quick to 
create/run, there's no shared page cache between them, so you need quite 
a bit of memory ... something like OverlayFS should solve this - but I 
don't know how stable it is.


>  think https://thehftguy.com/2017/02/23/docker-in-production-an-update/ and
> the comments thereafter raise a lot of good points.

Yes. Nice post.


David.
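The weekly rebuild workflow described above (a patched 'master' rootfs, each site container re-snapshotted from it), as an added shell example that is not from the original mail. It assumes a hypothetical layout where each container's rootfs under /var/lib/lxc is a btrfs subvolume and persistent site data is bind-mounted from outside the rootfs, so the rebuild discards any changes made inside the container, including anything dropped there by a compromised site, and every container starts the week on the same patched image.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild LXC containers from a
# btrfs snapshot of a patched "master" rootfs.
# Assumed (hypothetical) layout: /var/lib/lxc/<name>/rootfs is a btrfs
# subvolume; site data lives outside the rootfs and is bind-mounted via the
# container config, so it survives the rebuild.
set -e

LXC_ROOT="${LXC_ROOT:-/var/lib/lxc}"
MASTER="${MASTER:-master}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; set to 0 on a real host

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rebuild_container NAME: replace NAME's rootfs with a fresh snapshot of the
# master rootfs. In dry-run mode the command sequence is printed instead.
rebuild_container() {
    name="$1"
    rootfs="$LXC_ROOT/$name/rootfs"
    master_rootfs="$LXC_ROOT/$MASTER/rootfs"
    # Never rebuild the master itself, and reject names that could escape
    # the LXC directory.
    case "$name" in
        "$MASTER"|*/*|*..*|"") echo "refusing to rebuild '$name'" >&2; return 1 ;;
    esac
    run lxc-stop -n "$name" || true          # already-stopped is fine
    # Deleting the old subvolume discards everything changed inside the
    # container since the last rebuild.
    run btrfs subvolume delete "$rootfs"
    # Writable snapshot of the patched master image.
    run btrfs subvolume snapshot "$master_rootfs" "$rootfs"
    run lxc-start -n "$name" -d
}

# Rebuild every container named on the command line, e.g. ./rebuild.sh site1 site2
for c in "$@"; do
    rebuild_container "$c"
done
```

Run it from a weekly cron entry after the master has been updated (via ansible, as in the post), with DRY_RUN=0 once the printed command list looks right.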
