Docker has DevOps community buzzing. If you're considering adopting Docker, but have doubts, keep reading.
What Docker Isn't
Docker isn't a configuration management tool. Configuration management entails keeping system libraries, and application configuration consistent across many hosts. Configuration management tools also have the responsibility of keeping your secrets secret.
Dockerfiles cannot capture the complexity of a production system. Unfortunately, There's no simple way to manage secrets with containers. While Dockerfiles help keep system libraries consistent, they don't support secrets or application configuration.
Secret management options for Docker are sub-optimal. You have the option to distribute secrets with the image, but then they're no longer secret. You can also mount a shared filesystem with the secrets, or introduce another layer of secrecy.
Consider a configuration management tool such as Ansible a prerequisite for Docker.
The Hidden Cost of Docker
Docker comes with hidden baggage; it requires you to adopt new technology and methodologies.
To run Docker in a safe and robust manner requires setting up at least three new services:
- Docker distribution, to keep track of containers,
- docker-gc to clean up old containers,
- and a service discovery tool like consul or etcd so containers can find other services, e.g. redis, postgresql.
Docker containers aren't built with ssh access either. You can not ssh into a machine and immediately start debugging a production issue. Every dockerized service adds extra steps to your workflow. After logging into the host, you also have to identify the container with the offending process, and then attach a terminal to the instance.
Every new service, every new step introduces more complexity and new points of failure.
There are are better ways to improve your infrastructure. Docker comes at a high cost and the complexity it introduces is a risk to a well functioning system. And remember the words of Edsger Dijkstra:
'Simplicity is prerequisite for reliability'