What about Docker on NethServer 7?

Amongst the things that made me decide to run everything inside docker containers instead of a more hybrid setup (base os + services + containers) was the potential headache from the admin point of view. Also there is the fact that I wanted to do test deployments of home made monstrosities that could appear stable if I had two of them running and answering to requests so at least one would be up at any point in time (yup, they were ungodly things and quite prone to crashes too).

For nethserver it seems that integrating with the new kids on the block (docker in this case) is going to require some planning and deep thought by the people who know the system best. One of the things that appeal to me is how easy NS is to set up. Working right out of the box, nice UI, etc. I can see how being too hasty while integrating new things (yay, let’s do docker, docker is cool! gimme the nail gun, some tape and hot glue! wait what about micro services running the internet of things? MOAR NAILS) could result in a net loss in maintainability.

Potential solution

I wonder how feasible a “walled courtyard” would be. One could have a reverse proxy running on nethserver that would be aware of all the web apps it should proxy, one docker network with a standard name that the users could connect to to make their containers reachable from the RP.

That way there are minimal requirements (if you want to be reachable for http traffic, hook to this net) and most of the work is on the user’s end if they want to implement something fancy (you can create a complicated interwoven set of docker networks but that won’t change anything from NS’s point of view).

Dockergen container could be of tremendous help, since it already provides the “listen to docker socket and update nginx” functionality, I reckon there wouldn’t be anything to modify to get it to work with a RP running on the base OS (one would just mount the folder rather than use a volumes-from instruction). Same thing with letsencrypt.

And yet


With all my words of caution I’m already asking for the nail gun and tape.

Maybe something worth considering is whether having docker on NS is desirable at all.

One of the big selling points of docker is the ability to run anything (almost) anywhere easily without having to bother with such trivialities as a dependency graph.

Is NS meant to do that? To offer a platform where you can just pop any software and have it work(ish)? Or is it about providing some much desired functionality (samba, collaboration software and so on) out of the box to users without any strings attached? Because if the main goal is to provide a tightly packed feature rich yet stable experience, then the costs in maintenance, usability and stability of adding docker on top might not be worth it.

Or maybe make it optional with a big red label saying “use at your own risk, by opening you lose your warranty, any hope for a better tomorrow and perhaps your immortal soul to the Great Devourer behind the Veil”

7 Likes
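An added example, not part of the original post or of NethServer: one way the host-side half of the "walled courtyard" could decide which containers the reverse proxy serves, treating user-supplied container metadata as untrusted before it reaches the nginx config. The network name `ns-proxy`, the `proxy.host` and `proxy.port` labels and the sample `docker inspect` data are assumptions constructed for illustration.

```python
import json
import re

PROXY_NET = "ns-proxy"     # assumed name for the shared "courtyard" network
HOST_LABEL = "proxy.host"  # hypothetical label: public hostname
PORT_LABEL = "proxy.port"  # hypothetical label: port the app listens on
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed sample, trimmed to the `docker inspect` fields used below.
SAMPLE = json.loads(r"""[
 {"Name": "/wiki", "Config": {"Labels": {"proxy.host": "wiki.example.org", "proxy.port": "8080"}},
  "NetworkSettings": {"Networks": {"ns-proxy": {"IPAddress": "172.30.0.2"}}}},
 {"Name": "/scratch", "Config": {"Labels": {"proxy.host": "scratch.example.org", "proxy.port": "80"}},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.5"}}}},
 {"Name": "/odd", "Config": {"Labels": {"proxy.host": "not a hostname;\n x", "proxy.port": "80"}},
  "NetworkSettings": {"Networks": {"ns-proxy": {"IPAddress": "172.30.0.3"}}}},
 {"Name": "/copycat", "Config": {"Labels": {"proxy.host": "wiki.example.org", "proxy.port": "9000"}},
  "NetworkSettings": {"Networks": {"ns-proxy": {"IPAddress": "172.30.0.4"}}}}
]""")


def plan(containers):
    """Split containers on PROXY_NET into accepted routes and rejected names."""
    routes, rejected = {}, []
    for c in containers:
        name = c["Name"].lstrip("/")
        net = (c["NetworkSettings"]["Networks"] or {}).get(PROXY_NET)
        if net is None:
            continue  # not attached to the courtyard: never proxied
        labels = c["Config"].get("Labels") or {}
        host, port = labels.get(HOST_LABEL, ""), labels.get(PORT_LABEL, "")
        if len(host) > 253 or not HOST_RE.fullmatch(host):
            rejected.append((name, "invalid host label"))  # would corrupt the config
        elif not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
            rejected.append((name, "invalid port label"))
        elif host in routes:
            rejected.append((name, "host already claimed"))  # first claim wins
        else:
            routes[host] = (net["IPAddress"], int(port))
    return routes, rejected


def render(routes):
    """Emit one nginx server block per accepted route."""
    block = "server {{\n  listen 80;\n  server_name {h};\n  location / {{ proxy_pass http://{ip}:{p}; }}\n}}\n"
    return "".join(block.format(h=h, ip=ip, p=p) for h, (ip, p) in sorted(routes.items()))

if __name__ == "__main__":
    print(render(plan(SAMPLE)[0]), plan(SAMPLE)[1])
```

Run `nginx -t` on the rendered file before reloading, so a bad render never replaces a working config.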

If Discourse would allow to give 10 likes, you would have gotten them from me. Truly enlightening and IMO you ask the correct questions.
Looking forward to @dev_team comments on this :slight_smile:

3 Likes

Agree. Problem is that discourse is distributed as a docker instance :slight_smile:

10 likes for this one as @robb said!

And also thank you for your great tips!
IMHO docker is now a must have, but for now I think it will not be the core of Nethserver.

Would be quite funny to exactly state this in the warning :smiley:

3 Likes

nethserver-portainer is on the grill

7 Likes

I’m quite concerned about Docker release cycle sustainability

Starting with Docker 17.03, Docker uses a time-based release schedule.

  • Docker EE releases generally happen twice per year, with patch releases as needed.
  • Docker CE Stable releases generally happen quarterly, with patch releases as needed.

Updates/Patch releases

  • A given Docker EE release receives patches and updates for at least one year after it is released.
  • A given Docker CE Stable release receives patches and updates for one month after the next Docker CE Stable release.

[source Get Docker | Docker Docs]

This becomes another upstream project to track for us and it evolves rapidly. It does not seem designed to be stable (even the Enterprise version) as I’m used to, because the schedule is really fast, much faster than the 10-year lifecycle of RHEL.

If we run some NethServer applications as Docker containers we must take into account the need of recreating the containers quite often (they’re designed for that) to follow the docker-ce package updates.

1 Like