Jan Alexander Steffens (heftig)
Attends Hochschule Bonn Rhein-Sieg

Docker: It works on my system - let's ship it!

Braindump at is commentable.

WOMS: It works on my system - let's ship it!

"If all you have is a container, everything looks like an encapsulation problem"

The current trend in system deployment seems to be containerization. Docker is one example of it, and "Revisiting how we put together Linux systems" seems to be going in a similar direction.

What is containerization?

Typically you are looking at a file system with delta capabilities: BTRFS send/receive, AUFS2 and similar systems are able to do a variant of copy-on-write that records changes relative to an underlying base image and creates a layer on top of it. Apple's Time Machine is a very primitive way of doing a similar (but different) thing for the purpose of backup instead of system execution.

Depending on the way these changes are being recorded, there are various ways in which the change recording is dependent on the underlying base image and how it can be recombined later with other images.

The main idea is to create layers of stacked file systems. The resulting image for execution can be composed of a base operating system, installed system components, a base configuration and additional customization. Optionally, the system has a capability to merge layers that are adjacent in the stack into a single composed layer ('merge the latest install with my additional changes' being the most enticing and problematic option here).

Containerization is sexy, because it allows us to run programs from inside the containers through the use of Linux namespaces and Linux cgroups. The namespaces provide the mechanism necessary to hide things from each other (separate system names, pid spaces, uid spaces, mount spaces, IPC spaces and network namespaces). The cgroups provide the mechanism required to limit the resource consumption of each container, and to manage system resources efficiently and in isolation.


Docker is a formalization of this as an execution model: basically, each app is run in its own Linux environment, with its own libraries and other environmental dependencies provided as part of the image. A full container is created to isolate the application, exposing only single network ports to the outside in order to create a defined interface and access point for service delivery.

While the image is actually usually a full Linux image (it need not be, but the way Docker containers are being made these days is pretty wasteful), starting an instance does not run a full Linux subsystem. Instead, the actual application is usually run in place of the container's init process.

Due to the way Linux manages namespaces and cgroups, this provides very fast startup, very little overhead and zero dependencies on the host platform.

It looks like a really awesome concept. Docker even adds a central registry of images, with dependencies listed. You request a dockerized application, and it downloads itself from there, with dependent subimages, stacks everything together properly and then starts stuff.

Images are cached, and because everybody and their dog uses the Ubuntu 12.04 cloud image as a base, that's cached locally anyway and the download times are really tiny. Awesome!

The downside: Fake reproducibility

You create docker images using a Dockerfile. That's a small text file with build instructions for the image. These things are really simple, and can be understood with almost no explanation. 

Here is how to create a Firefox in a box, usable via VNC:

FROM ubuntu
# install the VNC server, a virtual X display and the application
RUN apt-get update && apt-get install -y x11vnc xvfb firefox
# VNC password goes into ~/.vnc/passwd, where -usepw looks for it
RUN mkdir ~/.vnc
RUN x11vnc -storepasswd 1234 ~/.vnc/passwd
# start firefox in the shell that -create spawns on the virtual display
RUN bash -c 'echo "firefox" >> ~/.bashrc'
# the single port through which the service is reached
EXPOSE 5900
CMD ["x11vnc", "-forever", "-usepw", "-create"]

This dockerfile is a good dockerfile: It downloads an Ubuntu base image, installs a minimum amount of additional software, via documented installation commands, exposes a single port for access and defines a startup command.

That's how dockerfiles work: They describe how an image has been built from other images, by adding files, and running commands to prepare it.

Only: this is not what typically happens.

Look at this Google search: "ssh into Docker"

What people actually do is munge together a bunch of images, from unknown sources, created in an undocumented way, ssh into that, and then go on a customization spree through the container.

Nobody has downloaded the complete public registry of Docker images yet to run some statistics on it. But I bet that if you do, and scan it, you'll find a lot of interesting things. Among the things of interest, I expect:

- .bash_history files, containing things that should have been part of the Dockerfile instead
- any amount of SSH and SSL private key material
- entire git repositories, or traces of them after deletion ("git clone myproject.git && cd myproject && make && make install && cd .. && rm -rf myproject")
- a lot of other nasty surprises that are invisible if you only look at Dockerfiles
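As an added example (not code from the original post), here is a scanner for a `docker save` tarball that looks for the items listed above layer by layer and, because a whiteout in a later layer only hides a file from the merged view, also reports files that a later layer deleted; the suspect-path patterns and the two-layer sample image are constructed assumptions:

```python
import io, json, re, tarfile

# Files that should never ship inside an image (pattern list is an assumption).
SUSPECT = [(re.compile(r"(^|/)\.bash_history$"), "shell history"),
           (re.compile(r"(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$"), "ssh private key"),
           (re.compile(r"\.(pem|key)$"), "key material"),
           (re.compile(r"(^|/)\.git/"), "git repository")]

def scan_saved_image(data):
    """Walk a `docker save` tarball layer by layer, oldest first. Returns
    {path: {"layer": n, "reason": why, "deleted_in": m or None}}. A file removed
    by a whiteout in a later layer is still stored in the lower layer, so it is
    reported with deleted_in set rather than dropped."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as img:
        layers = json.load(img.extractfile("manifest.json"))[0]["Layers"]
        for n, name in enumerate(layers):
            with tarfile.open(fileobj=img.extractfile(name)) as layer:
                for m in layer.getmembers():
                    path = m.name[2:] if m.name.startswith("./") else m.name
                    d, _, base = path.rpartition("/")
                    if base.startswith(".wh."):  # overlay whiteout: base[4:] is deleted here
                        victim = (d + "/" if d else "") + base[4:]
                        for p, f in findings.items():
                            if f["deleted_in"] is None and (p == victim or p.startswith(victim + "/")):
                                f["deleted_in"] = n
                        continue
                    why = next((w for rx, w in SUSPECT if rx.search(path)), None)
                    if why and m.isfile():
                        findings[path] = {"layer": n, "reason": why, "deleted_in": None}
    return findings

def _tar(entries):  # build an in-memory tar from {path: bytes} (fixture helper)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, content in entries.items():
            ti = tarfile.TarInfo(path)
            ti.size = len(content)
            t.addfile(ti, io.BytesIO(content))
    return buf.getvalue()

def sample_image():
    """Constructed two-layer image, not a real one: layer 0 clones and builds a
    project, layer 1 runs `rm -rf myproject` and leaves history and a key behind."""
    layer0 = _tar({"myproject/.git/HEAD": b"ref: refs/heads/master\n",
                   "myproject/Makefile": b"all:\n",
                   "usr/local/bin/myprog": b"\x7fELF"})
    layer1 = _tar({".wh.myproject": b"",
                   "root/.bash_history": b"git clone myproject.git && make install\n",
                   "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n"})
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["demo:latest"],
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar({"manifest.json": manifest, "l0/layer.tar": layer0, "l1/layer.tar": layer1})
```

Running `scan_saved_image(sample_image())` reports the history file and the key from layer 1 and the git repository from layer 0 marked as deleted in layer 1, which is exactly the trace that disappears from the merged view but stays in the published image.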

The difference between RPM spec files and a dockerfile

This is no accident. A Dockerfile is fundamentally different from a spec file for rpmbuild.

The spec file contains build instructions, but it is also a kind of documentation. It contains references to source file URLs, patches and build dependencies. It then contains instructions on how to combine all that into an actually successful build, and then explains in detail what the deliverables are, which of them are the actual deliverables, config files or documentation, and finally spells out the full list of installation dependencies.

That is, it is a full description of how a certain result has been achieved, in order to make it reproducible by any interested third party. If that reads like the requirement list for the scientific method, that's because it is: A spec file contains only steps and ingredient source lists, no results, and the system has been built in a way to make manual intervention at any stage pretty hard, on purpose.

That's annoying, if you want just the results, hence things like checkinstall exist, and while they are sometimes handy, they are in no way a replacement for a proper spec file. You don't build distros based on that.

A dockerfile is, by contrast, in its minimal form, a binary patch to a binary blob downloaded from a questionable non-original source.

We have had that before, back 25 years ago.

We have had that before, back 25 years ago, and we abandoned it for a reason. It was called Smalltalk back then, but it has been reinvented or reproduced on other platforms several times since:

Smalltalk was a wonderful development system: on error it dropped not a message or a stacktrace, but dropped you into the dev environment, with the cursor positioned at the error and all variables and the stack set to proper current values. That was really great, for a developer. 

If something was broken or lacking, you could easily fix it. For example, if your system libraries did not support the PNG format, because it wasn't invented yet, you could open the system bitmap image class, add a new subclass and patch it into the main class. Voila, everything in your system that used bitmap images now understands PNG.

It makes "Hello, world!" a bit unwieldy, though, if you want to ship it. Actually, there never were any Smalltalk applications. In order to ship, you froze the current state of the dev system and shipped that:

WOMS. Works on my system.

That's dev culture. It is very different from operations culture. That's because dev culture focuses on the creation of new features, and not on infrastructure, dependencies, requirements and other nasty outside factors.

It creates results, but does not record the way we arrived at them: there are no instructions that document in a binding way how we arrived at the blob that actually delivers the intended result. There is also no binding between the executable/deliverables and the sources, that is, all the sources, patches and build instructions necessary to reproduce them. That makes results hard to verify, makes dependencies invisible, and makes statistics close to impossible. Instead, dependencies are shipped as part of the image.

Down the road, 5 years, we'll be in a world with a lot of cargo culting: "If you clone this image, it will be faster and more stable." "I have no idea why it works, but if you choose that other image, it won't." Great! We just got rid of that with rpm and puppet (or apt and Chef, or whatever makes your systems fly).

Anyway, Operations exist, and they have nasty little requirements: "What versions of which are you deploying and running in your systems?" "Can you guarantee the absence of the following code snippet in all versions of SSL in all of your boxes and subboxes?" "And, while you are at it, can you please replace all versions of SSL in all of your boxes and subboxes with this new, improved and more current version, by tomorrow, because vulnerable?"

You could pessimize that even more, arguing that shared libraries make no sense in a dockerized environment at all. After all, if you look at the internals of, say, a Sonos box, you'll see a Linux kernel booting as a shell for device drivers to access the hardware, and then, after setting up a network environment, starting one large static C++ blob that is the actual Sonos sound system software. In a dockerized environment it would make a lot of sense to structure your software in a similar way: if distributions and operating system environments no longer matter, you can tailor your environment completely to the needs of your application after all.

So where before an upgrade meant to replace a library and then restart all binaries using it, it now means waiting for a rebuild of something outside of our control that contains a static copy of it.

It might as well be Windows, using a Linux outer shell to host device drivers.
My Little Pony comic book adventures worth over $165 in the My Little Pony Humble Comics Bundle!
I'm pretty stoked for 1.0.  It'll mean I can finally start using Rust productively.
"No-Rules NASCAR"

Had me giggling ten minutes straight.

#xkcd #humor
No-Rules NASCAR. If you stripped away all the rules of car racing and had a contest which was simply to get a human being around a track 200 times as fast as possible, what strategy would win? Let's say the racer has to survive. Hunter Freyer. About 90 minutes.
[Global Notice] Earlier today the freenode infra team noticed an anomaly on a single IRC server. We have identified that this was indicative of the server being compromised by an unknown third party. We immediately started an investigation to map the extent of the problem and located similar issues with several other machines and have taken those offline. For now, we recommend that everyone change their NickServ password as a precaution. To do that, issue the command /msg NickServ set password YOURNEWPASSWORD (maximum length 79 characters), making sure / is the first character.

We'll issue more updates as WALLOPS and via social media!
I'm there.
We're at #FrOSCon! Meet us in room C125.
We're currently experiencing what appears to be a DOS attack against our servers. Some servers are offline, and local IPs appear in the rotation, meaning that some connections will fail. Those addresses in DNS are for mitigation and will be removed when this passes.

(freenode is currently experiencing technical difficulties. We do not have further details or an ETA at this time.)
"Florian Müllner: A small note on window decorations"
If you have updated to the recently released GNOME development version, you may have noticed that some window decorations look slightly different. Of course it is quite normal for the theme to evolve with the rest of GNOME, but in this case the visual changes are actually the result of some ...
Bash doesn't strike me as a very healthy project. +Chet Ramey seems to be the only one patching and maintaining it, via a file server and a mailing list. There's a Git repo, but it only contains the imported tarballs and patches and minimal commit messages.
As usual, I'm a month late, the big Bash bug known as Shellshock has come and gone, and the world was confused as to why this ever happened in the first place. It's been fixed for a few weeks now. The questions have started: Why has nobody spotted this earlier? Can we can prevent it?
Yeah... I never really looked into the actual management of bash, but man that's depressing.
I really think zsh should be default if possible, it seems to be a lot more active at least. 
Cross spider on my garage wall.

Ran into its web while returning the lawn mower. For a phone camera it's not that bad of a photo, I think. I'm not an enthusiast.

#spider #photo
"Emilio Pozuelo Monfort: Firefox and GTK+ 3"
Lately at Collabora I have been working on helping Mozilla with the GTK+ 3 port of Firefox. The problem. The issue we had to solve is that GTK+ 2 and GTK+ 3 cannot be loaded in the same address space. Moving Firefox from GTK+ 2 to GTK+ 3 isn't a problem, as only GTK+ 3 gets loaded in its address ...
Basic Information
  • Hochschule Bonn Rhein-Sieg
    Computer Science, 2010 - present