
We are Docker geeks, and we have implemented it in some of the toughest environments. But there is a bit of honesty required.

Docker is the future — at some point in the not-too-distant future, we will refer to apps as containers, not code.

However, the lack of operational tools, and security, are the two biggest issues facing enterprises implementing Docker. That’s not to say it’s not being done (a ridiculously large number of enterprises are planning to use Docker), but there are challenges.

There are some key areas where Docker falls flat.

Audit-trail — post-provisioning, it is difficult to get a history of what is happening on your container.

Docker Hub free-for-all — the Docker Hub is key to why Docker has been successful. These are pre-built images that have anything you might need, with containers providing everything from your choice of databases to load balancers. It’s awesome.

It also suffers from theoretical insecurities. We’ve been lucky so far, but it’s only a matter of time until we get “rogue containers”.

Docker attempts to provide a provenance on a container, through Docker Notary. But this is a pale attempt to handle a far more difficult problem. When you’re bringing in images through the Hub, you don’t really know what’s inside of them.

There are ways to mitigate this — you can do a lot in terms of monitoring the container, network traffic, etc. You should also sandbox containers before using them. But at some point, there will need to be a stronger security model.

Visibility — you can have 1,000 containers on a host, and have zero idea as to what is actually happening with them. There could be resource waste (garbage), rogue containers, sprawl, and so on.
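One way to start closing the audit-trail and visibility gaps described above is to keep the daemon’s event stream and reduce it to a per-container history plus a short list of findings. The script below is an added example, not Meros or Docker code; it assumes the input is the one-JSON-object-per-line shape of `docker events --format '{{json .}}'` (Type, Action, Actor.ID, Actor.Attributes, time), the sample lines are constructed, and `registry.example.internal` is a placeholder for your own trusted registry.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed `docker events --format '{{json .}}'` layout.
SAMPLE_EVENTS = """\
{"Type":"container","Action":"create","Actor":{"ID":"aaa111","Attributes":{"image":"registry.example.internal/web:1.2","name":"web"}},"time":1600000000}
{"Type":"container","Action":"start","Actor":{"ID":"aaa111","Attributes":{"image":"registry.example.internal/web:1.2","name":"web"}},"time":1600000001}
{"Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"aaa111","Attributes":{"image":"registry.example.internal/web:1.2","name":"web","execID":"e1"}},"time":1600000300}
{"Type":"container","Action":"create","Actor":{"ID":"bbb222","Attributes":{"image":"someuser/unvetted:latest","name":"elastic_wu"}},"time":1600000400}
{"Type":"container","Action":"start","Actor":{"ID":"bbb222","Attributes":{"image":"someuser/unvetted:latest","name":"elastic_wu"}},"time":1600000401}
{"Type":"container","Action":"die","Actor":{"ID":"aaa111","Attributes":{"image":"registry.example.internal/web:1.2","name":"web","exitCode":"137"}},"time":1600000500}
"""

def parse_events(text):
    """One dict per container event (time, cid, action, name, image), time-ordered."""
    events = []
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue  # image/network/volume events are not part of a container's trail
        attrs = ev["Actor"].get("Attributes", {})
        events.append({"time": ev["time"], "cid": ev["Actor"]["ID"], "action": ev["Action"],
                       "name": attrs.get("name", ""), "image": attrs.get("image", "")})
    return sorted(events, key=lambda e: e["time"])

def audit_trail(events):
    """Chronological (time, action) history per container id."""
    trail = defaultdict(list)
    for ev in events:
        trail[ev["cid"]].append((ev["time"], ev["action"]))
    return dict(trail)

def review(events, trusted_prefixes):
    """Flag containers started from images outside the trusted registries, and
    containers that received an exec (typically a shell) after provisioning."""
    findings, started = [], set()
    for ev in events:
        if ev["action"] == "start":
            started.add(ev["cid"])
            if not ev["image"].startswith(trusted_prefixes):
                findings.append((ev["name"], "untrusted-image", ev["image"]))
        elif ev["action"].startswith("exec_create") and ev["cid"] in started:
            findings.append((ev["name"], "post-start-exec", ev["action"]))
    return findings

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(audit_trail(evs))
    print(review(evs, ("registry.example.internal/",)))
```

On a live host, pipe `docker events --format '{{json .}}'` into a file and feed that file to `parse_events` instead of the constructed sample.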

Limits of Docker Network — Docker Network is a great feature which allows one to network containers on a host; and you can use an overlay to network between hosts. However, configuration is limited, and it’s manual. Look for a smart startup (or Docker itself) to fix this problem (OpenShift Origin, btw, might be one place to look — it takes Kubernetes to the next level).

So those are the warts.

But the other side of the equation is that Docker is incredibly powerful and will bring dramatic gains to any organization implementing it.

Apart from the efficiency of a microservices architecture (which is held in high regard, but is not actually being implemented much — the majority of Docker use cases are encasing monolithic apps), Docker scales wonderfully. Furthermore, the gains in efficiency of Docker vs. VMs are dramatic — since you don’t need to have a host operating system in every VM (along with the hypervisor), you can quite possibly see an order of magnitude increase in efficiency — in other words, a server which can hold 50 VMs can now hold, perhaps, 500 containers. It really is extraordinary.

But there’s work to be done, and that’s a major part of why we started Meros. We are creating tools and practices to make Docker a reality for the enterprise.

Alex Eckelberry