Docker is not Enough

I headed up to the London PaaS User Group Meetup yesterday evening. There were two speakers on the agenda. First up was Jeff Hobbs, CTO & VP Engineering at ActiveState, with a pitch entitled Docker is not Enough (pretty much this deck). The main tenet was that Docker is not enough in itself, as it just addresses packaging and execution. You need a PaaS to provide all of those other niceties like load balancing, auto-scaling, monitoring, centralised logging, audit, … My main issue with this pitch was simply that I don’t think anyone has ever claimed that Docker is enough. That’s why there’s a wealth of ecosystem projects surrounding Docker. And why does Stackato (ActiveState’s Cloud Foundry-based PaaS) use Docker for containerisation? Jeff stated that this was because the ops team would feel more comfortable dealing with this technology on the back end.

Second up was a late-breaking change: my colleague Julz Friedman had stepped in to give a re-run of his Building a Docker backend for Garden presentation from the Cloud Foundry Summit. It was perhaps no great surprise to discover that, when you swap in Docker behind the Garden API, you don’t really see any benefits over the existing implementation (and, indeed, there are significant disadvantages for a multi-tenant PaaS, such as the current lack of user namespace support in Docker). The one potential benefit that Julz did highlight was an increase in security, given that there are more eyes on the Docker codebase than Garden.

So why do I make the five-hour round trip into London for a couple of sessions that I could have got off the internet? Was it the free beer and pizza? Well, no, although welcome, I think the train fare would have more than covered those. It is, of course, to meet people and to hear the Q&A where perhaps much of the interesting information is exchanged (and I caught up on some reading on the train!). There was a lively debate on the relative merits of Docker. One point that Jeff and Julz agreed upon was that the use of Docker images was a retrograde step versus the application-centric view of PaaS, letting things that should be the responsibility of ops (e.g. patching OS images) become a part of the developer’s domain (Jeff quoted a stat that some 70% of images on Docker Hub were subject to vulnerabilities).
