If I hadn’t been hearing enough about docker, OSCON was replete with docker. Then I got two days of Dan Walsh on docker. So I think I finally got it. Docker, that is.
Now let me be clear: at the $OLDDAYJOB I used Solaris zones to build dev / test environments at a fairly decent scale. So I get containers qua containers; the missing bit was what docker brought to the table. Turning to the internet was less than helpful because docker is in the midst of a massive hype cycle. That, and research on the web is painful.
“Doing research on the Web is like using a library assembled piecemeal by pack rats and vandalized nightly.” – Roger Ebert
But I now get it, at least I understand enough to start rambling. Docker exists because building containers in Linux is hard. Docker creates read-only layers that ultimately end in your app running on a read-write layer in an isolated space on a shared host. That’s excellent for encapsulating the application and its specific dependencies away from the OS. An encapsulated application is one that is easy to deploy, update, and deliver to multiple platforms. But isolated and shared are the key words for understanding things like security and application management.
I won’t tackle the security thing because other folks are doing a better job than I can.
Application management is the big one, because a lot of the bad information on the web is around starting and stopping applications inside the container. And, for that matter, what’s the right way to interact with the “OS” inside the container?
If you think about the design of a container, the “walls” are intended to be opaque. The processes inside the box can’t see out. But from the host point of view, it’s more like a one-way mirror: we can see and hear everything that’s happening without the container’s knowledge. That’s the point where we can and should be doing introspection and control. But making folks log into the host and use the docker CLI to manage things breaks the model of being able to seamlessly ship just your app to any compatible hosting environment.
Enter gearD and kubernetes. I missed the OSCON talk about kubernetes, so I’m going to look at gearD. And systemd is container-aware (can the inside systemd pass messages to the external journald? does it matter?), so that’s another interesting beast to look at.
I’ll be posting my digging here, so if you have questions that I might be able to investigate or signposts to point me at, post in the comments.