mediagoblin-userops
From: Christopher Allan Webber
Subject: Re: [Userops] Why is it hard to move from one machine to another? An analysis.
Date: Fri, 10 Apr 2015 14:34:01 -0500

So btw, this thread was not intended to be a pro-container or
anti-container thread, though I think the conversation has been
interesting.  I also think some people in this thread think I am
anti-container.  I'm not anti-containers: I am anti "predeployed,
unreproducible containers".  Clarity below.

Dave Crossland writes:

> On 9 April 2015 at 11:58, Bob Mottram <address@hidden> wrote:
>
>> The distros we use
>> > > should provide a package manager that allow us to do this kind of
>> > > dependency isolation with all packages, not just Ruby/Python/JavaScript
>> > > stuff, while at the same de-duplicating the files used in multiple
>> > > "bundles" throughout the system.  Then we'd only need one package
>> > > manager.
>> >
>> > That exists, it's called Docker :)
>>
>> Maybe Docker and containers are the way to go, but I have some concerns.
>> Installing initially from a Dockerfile, or equivalent, might be ok but
>> there
>> is then the problem of keeping the container up to date with security
>> patches, application upgrades and wotnot.
>
>
> I think this is bare-metal mindset. You don't update the container; you
> create a new one, and you throw the old one away after it's no longer
> in use.

Right, so if you want a new container and to throw it away, that's fine!
Here's a question though:

How did you get that container in the first place?  Was it:
 - You downloaded it off of the internet from... somewhere!  You don't
   know how they built it, or building it yourself would be hard.
   But they built it for you and that simplified things for you, great!
 - It was off of some easily reproducible system.

If it's the former, I think you are in trouble the next time a security
vulnerability comes around (read: all the time).  You will have to hope
that the people who built your container update it for you!  But what if
they go AWOL?  You're pretty screwed!

Furthermore, if you can't reproduce it, I'd assume there's a high chance
that someone put something nasty in it, and you don't know.
Reproducibility or death!

But okay, let's assume you're in the latter camp.  Great!  You can
reproduce that container, presumably you can rebuild it based off of the
information used to originally reproduce it.  Awesome.  At that point,
you probably have something that *looks* a lot like puppet, salt, or
something that was used to build that container.  So why not use a more
generic system to build it?

(And if it turns out that you can rebuild your container using that
system, it turns out you can rebuild most of the system...)

*That's* the thing I was pointing out at the very root of this thread.
Not that containers can't be a useful tool, but that they aren't the
universal solution to things.  The things happening with containers will
probably play a huge part though.

 - cwebb

PS: And maybe this reopens that can of worms, but it's an exercise to
  the reader to figure out: in what way is the hype around containers
  today a lot like the hype around NOSQL a few years ago?  And before
  you think that means I'm attacking "NOSQL" or containers entirely, I
  think that postgres getting jsonb was a good result of all the NOSQL
  hype!
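As an added example (not code from this thread or its authors), one way to make the post's "could you rebuild it yourself?" question concrete: a small checker that flags Dockerfile steps whose result depends on whatever the network happens to serve at build time, which is exactly what makes an image unreproducible later. The Dockerfile text, regexes and function names are constructed for the example; package-manager steps without version pins are not checked.

```python
"""Flag Dockerfile steps that cannot be rebuilt byte-for-byte later.

Added example, not from the mailing-list thread. It applies the thread's
distinction (opaque downloaded image vs. a recipe you can rebuild) to a
Dockerfile: base images not pinned by digest, and build steps that fetch
unpinned content from the network. The Dockerfile text is constructed.
"""
import re

# Constructed sample: an unpinned base plus "curl | sh" and remote ADD steps.
SAMPLE_DOCKERFILE = """\
FROM debian:latest
RUN apt-get update && apt-get install -y curl
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
CMD ["/opt/app/run"]
"""

# A base image is only pinned when it carries a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# curl/wget as a command (start of line or after a pipe/separator), or any URL.
REMOTE_RE = re.compile(r"(?:^|[|;&]\s*)(?:curl|wget)\s|https?://")

def find_unreproducible_steps(dockerfile_text):
    """Return (line_no, reason) pairs for steps whose output can change
    between builds: FROM without a digest, and RUN/ADD that pull from
    the network while building (what comes back may change or vanish)."""
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            image = args.split()[0]  # drop any "AS stage" alias
            if not DIGEST_RE.search(image):
                findings.append((line_no, f"base image not pinned by digest: {image}"))
        elif instr in ("RUN", "ADD") and REMOTE_RE.search(args):
            findings.append((line_no, f"{instr} fetches network content at build time"))
    return findings

def is_rebuildable(dockerfile_text):
    """True only when every step is pinned: the 'easily reproducible' case."""
    return not find_unreproducible_steps(dockerfile_text)

if __name__ == "__main__":
    for line_no, reason in find_unreproducible_steps(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {reason}")
```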

