Open Stack

On Tue, Aug 26, 2014 at 3:35 PM, Martinx - ジェームズ <thiagocmartinsc at gmail.com>
wrote:

> Hey Stackers! Wait!   =)
>
> Let me ask something...
>
> Why are you guys using Docker within a VM?!?! What is the point of doing
> such thing?!
>
> I thought Docker was here to entirely replace the virtualization layer,
> bringing a "bare metal-cloud", am I right?!
>
>
>
Although this is getting somewhat off-topic, but it's something the
containers service seeks to support... so perhaps it's a worthy discussion.
It's also a surprisingly common sentiment, so I'd like to address it:

The advantages of Docker are not simply as a lightweight alternative to
virtualization, but to provide portability, transport, and process-level
isolation across hosts (physical, or not). All of those advantages are seen
with virtualization just as well as without. Ostensibly, those that seek to
use Docker to replace virtualization are those that never needed
virtualization in the first place, but needed better systems management
tools. That's fine, because Docker seeks to be that better management tool.

Still, there plenty of valid reasons for virtualization, including, but not
least, the need for multi-tenant isolation, where using virtual or physical
machine boundaries to provide isolation between tenants is highly
advisable. The combined use  of Docker with VMs is an important part of the
Docker security story.

Years ago, I had founded an IaaS service. We had been running a PaaS-like
service and had been trying to move customers to IaaS. We were offloading
the problem of maintaining various application stacks. We had just gone
through the MVC framework hype-cycle and were tired of trying to "pick
winners" to provide support for. Instead, we wanted to simply provide the
hardware, the architecture, and let customers run their own software. It
was great in practice, but users didn't want to do Ops. They wanted to do
Dev. A very small minority ran Puppet of CfEngine.  Ultimately, we found
there was a large gap between users that knew what to do with a server and
those that knew how to build applications. What we needed then was Docker.

Providing hardware, physical or virtual, isn't enough.  A barrier of entry
exists. DevOps works for some, but it's a culture and one that requires
tooling; tooling which often wedges the divide that DevOps seeks to bridge.
That might be fine for a San Francisco infrastructure startup or the
mega-corp, but it's not fine for the sort of users that go to Heroku or
Engineyard. As an industry, we cannot tell new Django developers they must
also learn Chef if they wish to deploy their applications to the cloud. We
also shouldn't teach them to build to some specific, proprietary PaaS.
Lowering the barrier of entry and leveling the field helps everyone, even
those that have always paid the previous price of admission.

What I'm really saying is that much of the value that Docker adds to the
ecosystem has little to do with performance, and performance is the primary
reason for moving away from virtualization. Deciding to trade security for
performance is a decision users might wish to make, but that's only
indicative of the flexibility that Docker offers, not a requirement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140827/9d305d5f/attachment.html>