
posted by Fnord666 on Saturday August 26 2017, @04:16AM
from the not-just-for-clothing-any-more dept.

Submitted via IRC for TheMightyBuzzard

Docker is a great tool. But Docker containers are not a cure-all. If you really want to understand how Docker is impacting the channel, you have to understand its limitations.

Docker containers have become massively popular over the past several years because they start faster, scale more easily and consume fewer resources than virtual machines.

But that doesn't mean that Docker containers are the perfect solution for every type of workload. Here are examples of things Docker can't do or can't do well:

  • Run applications as fast as a bare-metal server.
  • Provide cross-platform compatibility.
  • Run applications with graphical interfaces.
  • Solve all your security problems.

I kinda miss just running services directly on physical servers. Guess I'm getting old.

Source: http://thevarguy.com/open-source/when-not-use-docker-understanding-limitations-containers


  • (Score: 2, Interesting) by higuita on Saturday August 26 2017, @04:24PM

    That is only half true... in recent kernels and dockers, the root inside the docker is a normal user in the host machine... but many people use older dockers, old kernels or both... and then complain. For docker, you MUST use the most recent kernel and docker version you can get.

    But even for a recent kernel and docker, most people still run the docker with the "fake root" user, because they do not care or know how to change it.

    You can define what user the app will run as via the "User" config in the dockerfile or "docker run --user" when starting it up.
    If you do not specify it, it will run as root, so you should ALWAYS set it up to some other user.
    Sometimes the dockerfile needs to be updated to change the permissions of some folders for that user; as you are not using root anymore, you may not be able to write to some folders.

    You should also drop all the docker capabilities in all containers and add them back only when they are really needed. Again, much software does not need any capability, and many of those that might need one can have it removed after fine-tuning the dockerfile (to create empty files and directories, change permissions and ownership, change port, disable change-user as you are already running as that user). Only a few more complex or special programs really need capabilities.

    So with a bad, outdated setup for docker, you have a special chroot with namespaces, running as root with all the power.
    With a bad, updated setup for docker, you have a special chroot with namespaces, running as "fake root" with much power, via the capabilities.
    With a good setup for an updated docker, you get a special chroot with namespaces, running as a normal user, without any power.
    With this last setup, your security is very good already. You can even improve it more using app-armor, selinux and the like, but updating the kernel and docker and fine-tuning a dockerfile / docker run are simple enough tasks that you can apply to all your containers.

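An added example (not code from the post above, nor from Docker's own documentation) that exercises the two settings the comment recommends: a constructed Dockerfile that fixes directory ownership and sets a USER line, a small check that flags a Dockerfile which still runs as root, and the `docker run` line with `--user`, `--cap-drop=ALL` and capabilities added back one at a time. The image names, UID 10001 and the `/var/lib/app` path are assumptions.

```shell
#!/bin/sh
# Constructed Dockerfile (assumption, not from the post) for a service that
# listens on 8080, so it needs no NET_BIND_SERVICE capability. The directory
# the unprivileged user writes to gets its ownership fixed at build time, and
# USER is set so the process never runs as the container's root.
HARDENED_DOCKERFILE='FROM alpine:3.18
RUN addgroup -S app && adduser -S -G app -u 10001 app \
 && mkdir -p /var/lib/app && chown app:app /var/lib/app
COPY app /usr/local/bin/app
EXPOSE 8080
USER 10001
CMD ["/usr/local/bin/app", "--listen", ":8080"]'

# Constructed "bad" Dockerfile: no USER line, so the process runs as root.
UNHARDENED_DOCKERFILE='FROM alpine:3.18
COPY app /usr/local/bin/app
CMD ["/usr/local/bin/app"]'

# Check 1: does the Dockerfile end up with a USER other than root/0?
# Prints "ok" or "runs-as-root"; only the last USER instruction counts.
dockerfile_user_check() {
    last_user=$(printf '%s\n' "$1" | awk 'toupper($1)=="USER"{u=$2} END{print u}')
    case "$last_user" in
        ""|root|0|root:*|0:*) echo "runs-as-root" ;;
        *) echo "ok" ;;
    esac
}

# Check 2: build the docker run line the comment recommends: an explicit
# --user, every capability dropped, and only the listed ones added back.
# Usage: hardened_run_cmd IMAGE UID[:GID] [CAP ...]
hardened_run_cmd() {
    image=$1; user=$2; shift 2
    cmd="docker run --rm --user $user --cap-drop=ALL"
    for cap in "$@"; do
        cmd="$cmd --cap-add=$cap"
    done
    # A read-only root filesystem with one explicit writable volume is the
    # natural companion to running without root and without capabilities.
    echo "$cmd --read-only -v app-data:/var/lib/app $image"
}

dockerfile_user_check "$UNHARDENED_DOCKERFILE"            # runs-as-root
dockerfile_user_check "$HARDENED_DOCKERFILE"              # ok
hardened_run_cmd myapp:1.0 10001:10001                    # no caps: listens on 8080
hardened_run_cmd legacy:1.0 10001:10001 NET_BIND_SERVICE  # only if it must bind :80
```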