SaveTheTree – Docker in enterprises

By Nigel Poulton | October 2, 2015

First up…. this has nothing to do with saving trees – at least of the botanical variety. This has everything to do with Docker in the enterprise!

Background

So… I spun up some new Docker hosts the other day… and it wasn’t long before I needed my trusty old friend `docker images --tree`. Well what was my horror when I got bitch-slapped with this:

```
npoulton@ip-10-0-0-90:/home/ubuntu$ sudo docker images --tree
flag provided but not defined: --tree
See 'docker images --help'.
```

Basically the `--tree` flag’s been pulled from the code! And yes, I know it’s been throwing “Warning: '--tree' is deprecated” warnings at me since forever. I just never thought they’d actually go through with it.

And you know what right… I know it’s just a piece of software we’re talking about here.. but I’m seriously mortified by this. I don’t think I’ve ever had a more poignant lesson that it’s the little things that make a big difference. Such a tiny command, that was so insanely powerful for Docker image management.

Enterprise Impact

Anyway…. what’s this all got to do with Docker in the enterprise?

Well…. I’ve spent enough time working in big enterprises and financial services orgs that I know the odd thing about what gets signed off into production in these organizations and what doesn’t. So stick with me for a sec here…

Traditional enterprises – especially government, financial services etc – are as anal as the best of them when it comes to signing off code and services into production. Hell some of them still roll their own Linux kernels, not to mention still run stuff on AIX and pay through the teeth for EMC storage coz it makes them feel warm and fuzzy. Bottom line…. they soil their pants over every new thing they allow in to production.

So what I’m saying is….. if I was still at one of these types of orgs lobbying to get Docker signed off into production… I’d have taken the removal of `docker images --tree` as a steel-toe-capped kick in the old meat and two veg!

Why? Because now my ability to perform basic and vital image management tasks has become a whole lot harder. And the idea of running the following instead is just insane!

```
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock nate/dockviz images -t
```

Now I’ve no personal issue with Nate Jones and his actually quite cool little image. But the thought that I might be able to run code like that – spin up a random container from some guy called Nate who I’ve never met – on production systems is just mind blowing!

I’m sure doing this kind of stuff is done all the time in cool hipster companies and the likes – and I’m totally cool with that. But it’s absolutely not done in rusty old enterprises with the kind of big fat wallets that I’m sure Docker would love to help thin out.

So what I’m saying to Docker is….. and I say this with the deepest respect to those involved with the Docker project (props to you all for the genuinely awesome work you do)…. but please add the `--tree` option back. And keep good image and container management capabilities within the trusted core Docker codebase. The code that folks like me are no doubt trying to champion into production environments all over the world!

#SaveTheTree 😀
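
Added example (not part of the original post, and not code from Docker or dockviz): the hierarchy that `--tree` printed can be rebuilt from the daemon's own image listing, without mounting `/var/run/docker.sock` into a third-party container. It assumes input in the shape of the Docker Engine API's `GET /images/json?all=1` response (`Id`, `ParentId`, `RepoTags`, `VirtualSize`); the function name `build_tree` and the sample data are constructed for illustration.

```python
import json

# Constructed sample in the shape of GET /images/json?all=1
# (not real image IDs; sizes are in bytes).
SAMPLE = json.loads("""[
 {"Id": "aaa111", "ParentId": "",       "RepoTags": ["<none>:<none>"], "VirtualSize": 125000000},
 {"Id": "bbb222", "ParentId": "aaa111", "RepoTags": ["ubuntu:14.04"],  "VirtualSize": 188000000},
 {"Id": "ccc333", "ParentId": "bbb222", "RepoTags": ["<none>:<none>"], "VirtualSize": 210000000},
 {"Id": "ddd444", "ParentId": "ccc333", "RepoTags": ["web:1.0", "web:latest"], "VirtualSize": 215000000},
 {"Id": "eee555", "ParentId": "bbb222", "RepoTags": ["batch:2.3"],     "VirtualSize": 190000000},
 {"Id": "fff666", "ParentId": "zzz999", "RepoTags": null,              "VirtualSize": 5000000}
]""")


def build_tree(images):
    """Return the image hierarchy as indented text lines, roots first."""
    by_id = {img["Id"]: img for img in images}
    children, roots = {}, []
    for img in images:
        parent = img.get("ParentId") or ""
        if parent in by_id:
            children.setdefault(parent, []).append(img)
        else:
            roots.append(img)  # no parent, or parent missing from the listing
    lines = []

    def walk(img, prefix, last):
        tags = [t for t in (img.get("RepoTags") or []) if t != "<none>:<none>"]
        label = f"{img['Id'][:12]} Virtual Size: {img.get('VirtualSize', 0) / 1e6:.1f} MB"
        if tags:
            label += " Tags: " + ", ".join(tags)
        lines.append(prefix + ("└─" if last else "├─") + label)
        kids = sorted(children.get(img["Id"], []), key=lambda i: i["Id"])
        for n, kid in enumerate(kids):
            walk(kid, prefix + ("  " if last else "│ "), n == len(kids) - 1)

    roots.sort(key=lambda i: i["Id"])
    for n, root in enumerate(roots):
        walk(root, "", n == len(roots) - 1)
    return lines


if __name__ == "__main__":
    print("\n".join(build_tree(SAMPLE)))
```

On a daemon that does not record `ParentId` for its images, every image is listed as a root, so an all-flat result is a cue to check what the daemon actually reports.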

10 thoughts on “SaveTheTree – Docker in enterprises”

  1. Rob

    > not to mention still run stuff on AIX and pay through the teeth for EMC storage coz it makes them feel warm and fuzzy

    I can tell you’ve done some Enterprise because you are mentioning some of the kit you typically see. I’ve actually been part of a discussion back in the day where the EMC folks pointed out that storage the customer was thinking about going with “has 3 support engineers nationwide.” They went with it, it didn’t end well for other reasons, the guy that made the decision was suddenly shopping resumes (didn’t end well for him either). The point here is Enterprise goes big for most things because they want that Platinum support (in many cases) so the engineer phone they are calling answers and when he goes on vacation they have a formal handoff to another engineer, etc. Sure someday this is all going to be SDN everything with whitebox everything but there will be Platinum engineers answering the phone when dialed-up. The chuckleheads that think they are going to experiment with cheap kit today…. not so much as the division business owners won’t let them. The risk isn’t worth it in most cases.

  2. Nigel Poulton Post author

    Thanks for your input Rob.

    At the end of the day…. enterprises want to work with technology partners that understand them. Partners that have enterprise DNA.

    I had a storage array go dark once. A rival incumbent vendor had gone to great lengths to tell us this type of array wasn’t enterprise class. We (including myself) disagreed and deployed them to production. Anyway…. one of these arrays lost a PSU and was running on one PSU. Engineer arrives on site and sticks his hand inside the unit to replace the failed PSU. Whilst doing so he knocks the rocker switch on the remaining PSU (inside the array beyond the batteries). Array goes down, dirty. Bad situation. Rival vendor that had insisted this type of array wasn’t enterprise class was at pains to point out that their competing product had recessed rocker switches with little plastic covers over them to prevent exactly that same thing happening.

    Moral of the story…. little things make a big difference. And “enterprise class” is often a long list of small things!

    Just my penny’s worth.

  3. Lennie

    Could the answer be as simple as:
    Nate’s dockviz is on GitHub, just check the code and build it yourself if you don’t want to download and run an untrusted Docker container?

  4. Nigel Poulton Post author

    In this instance yes.

    But the idea of moving functionality like this out of the daemon and then what….? Implement all nice to have functions as separate containers?

    Not viable for me.

    I’m starting to think there’s a need for a docker-tools or docker-admin-tools pack/binary/container. Something from Docker Inc. that implements important management and reporting etc.

    That’s what the enterprise expect and need IMHO.

  5. Lennie

    Maybe it’s just early days.

    It always takes time to make things enterprise ready.

    Wouldn’t be surprised if a company like RedHat will make more tools. Where something like Project Atom will include tools (they already have a dashboard).

    Maybe I’m wrong, but the companies which are really strict about security and so on actually don’t allow admins to login (SSH) to the machine at all (all logs and statistics are sent to other machines and configuration is pushed to the machines).

    My guess would be that application deployment will happen based on definition files (just like fig, docker-compose, Terraform or whatever Kubernetes has again) of a set of containers and other information like networking or storage drivers, etc..

    I see the Docker Security guys building tools which seek out on machines what is running and if it’s running securely.

    Wouldn’t be surprised that even before you deploy the application in a test- or acceptance-environment you might be able to look at the layers which will be downloaded and who signed them and maybe even where the code came from and how/where they were built (CI). In production all you do is check if what is running is actually what was supposed to be running.

    Let me know if that makes any sense to you. 🙂

  6. Nigel Poulton Post author

    Yes makes perfect sense!

    I’m thinking of starting an “Enterprise Docker” group or something on LinkedIn (if there isn’t one already) as I think there’s a lot of potential ground to cover on this topic…

  7. Lennie

    Well, I have been thinking about making a website listing the parts that are needed for a complete container platform.

    Showing which pieces of software are trying to provide solutions for each category.

    The most important part, in my mind, is maybe not showing what already exists but actually pointing out what are the missing pieces.

    Funny fact (?): while I do have a LinkedIn account somewhere I don’t use LinkedIn, probably because I’ve worked for the same company for close to 15 years. Always seems LinkedIn is most used by people that are looking for new jobs 😉

  8. Nigel Poulton Post author

    I’ve just created the Enterprise Docker group on LinkedIn.

    BTW I hear what you’re saying about LinkedIn… and it’s not a perfect platform. But I think it has a use for things like this where you want to discuss things with fellow professionals. I manage the In Tech We Trust Podcast LinkedIn group and some of our threads/conversations have had nearly 100 comments. So it’s not bad as a discussion platform.
