
Docker for Mac Beta Review - ingve
https://medium.com/@nzoschke/docker-for-mac-beta-review-b91692289eb5
======
STRML
I'm also in the beta, and I like it a lot. It's functionally equivalent to
`dlite`, which Nathan LaFreniere has done an _extremely_ good job on. He
deserves massive credit for making OSX Docker dev bearable and for providing
the inspiration for "Docker for Mac".

A few issues I've seen:

1. I cannot believe they are using `docker.local`. This hostname will cause
nothing but trouble for years to come. DON'T USE `.local`! Apple has decided
that `.local` belongs to Bonjour, and due to a longstanding bug with their
IPv6 integration, you can expect to see a 5-10s random delay in your
applications as Bonjour searches your local network to try to resolve
`docker.local`. Yeah, you put it in your `/etc/hosts`? Doesn't matter. Still
screws up. Use `docker.dev` or `local.docker`.
[[http://superuser.com/questions/370559/10-second-delay-for-local-tld-in-mac-os-x-lion](http://superuser.com/questions/370559/10-second-delay-for-local-tld-in-mac-os-x-lion)]

2. -beta8 is screwed up. It won't bind to its local ip anymore. The only
option is to port forward from localhost. Unfortunately, Docker isn't offering
a download of beta7. Thankfully, I still had the DMG around.

3. The polish is still lacking. Most menu bar items ask you to open up
something else.

4. Why "Docker for Mac"? Couldn't the team think of a less confusing name? Now
I have "Docker" running "docker".

Otherwise - great projects, and again, much credit to @nlf for `dlite`. If
you're not part of the beta, check out dlite
([https://github.com/nlf/dlite](https://github.com/nlf/dlite)). It's at least
as good as Docker for Mac.

~~~
avsm
> I cannot believe they are using `docker.local`. This hostname will cause
> nothing but trouble for years to come.

We are indeed moving away from `docker.local` in Docker for Mac. There have
actually been two networking modes in there since the early betas: the first
one uses the OSX vmnet framework to give your container a bridged DHCP lease
('nat' mode), and the second one dynamically translates Linux container
traffic into OSX socket calls ('hostnet' or VPN compatibility mode).

Try to give hostnet mode a try by selecting "VPN compatibility" from the UI.
This will bind containers to `localhost` on your Mac instead of `docker.local`
and also let you publish your ports to the external network. One of our design
goals has been to run Docker for Mac as sandboxed as possible, and so we
cannot just modify the /etc/resolv.conf to introduce new system domains such
as ".dev".

We've been iterating on the networking modes in the early betas to get this
right, so beta9 should hopefully strike a good balance with its defaults. It's
also why we've been holding a private beta, so that we can make these kinds of
changes without disrupting huge numbers of users' workflows. Your feedback as
we figure it out is very much appreciated!

~~~
djs55
A minor addition: to use 'localhost' in beta 8 you may need to also run the
internal debug command:

    pinata set native/port-forwarding true

In previous betas this setting was implied by "VPN compatibility" mode, but in
beta 8 it was made an independent setting.

In beta 9 using localhost will be the default -- as avsm says we've been
iterating on the network configuration trying to find the most compatible /
least surprising defaults. Hopefully after beta 9 it will be stable on
"localhost".

------
jdub
Same experience here, both on Mac and Windows. They've done a great job making
it "just work". The user interface pieces are a bit raw -- perhaps
"minimalist" or "unobtrusive" would put that in a better light! -- but clearly
most of the work has gone into the lower level integration, where it shines.

Docker for Mac/Windows, once released, will nuke the ick factor on those
platforms from orbit, which can only lead to even more adoption.

~~~
m_mueller
I hope there's going to be an easy way to package this with your own docker
image in order to have a new way to distribute applications. My usecase is
running a server locally so you can use a webapp with local network speed and
offline access and lots of local storage.

~~~
derefr
Oh sure, there's all sorts of integration possibilities. Docker Applets,
ActiveDocker, Docker Web Start... ;)

~~~
clessg
DockerScript™

------
bryanh
I've noticed some pretty extreme performance penalties with Docker for Mac.
Wherein VirtualBox would spin <60% CPU idling a bunch of services (MySQL,
RabbitMQ, Redis, Elasticsearch, Memcached, several Python daemons) - Docker
for Mac's driver hovers around 100% (spiking often to 200/300%) with another
20-30% (spiking to 50-80%) on the osxfs.

I'm going to guess it'll get better in time. It would be nice to get some
insight into just what is burning CPU cycles. The experience besides that was
really top notch IMO.

~~~
avsm
[I work on Docker for Mac]

The early betas focussed on feature completeness rather than performance for
filesystem sharing. In particular, we have implemented a new "osxfs" that
implements bidirectional translation between Linux and OSX filesystems,
including inotify/FSEvents and uid/guid mapping between the host and the
container. Getting the semantics right took a while, and all the recent betas
have been steadily gaining in performance as we implement more optimisations
in the data paths.

If you do spot any pathological "spinning cases" where a particular container
operation appears to be spiking the CPU more than it should be, we'd like to
know about it so we can fix it. Reproducible Dockerfiles on the Hub are
particularly appreciated so that we can add them to the regression tests.

~~~
chamoda
Previously I had permission issues (Only root can write to host) when I mounted
a folder with OSX filesystem. Hope this would fix those issues. I'm talking
about this issue
[https://github.com/boot2docker/boot2docker/issues/581](https://github.com/boot2docker/boot2docker/issues/581)

~~~
bryanh
It does fix those issues.

------
mwcampbell
Sounds promising. But I'd like to see Docker work with Microsoft to produce
something even better for Windows, using the new Windows Subsystem for Linux
(WSL). With WSL, Docker and Microsoft should be able to bring Linux-based
Docker containers to Windows, _without_ the performance hit and resource
fragmentation that inevitably come with virtualization. True, WSL doesn't
support namespaces and cgroups, but IIUC, Windows itself has equivalent
features. So the Docker daemon would run under Windows, and would use a native
Windows API to create containers, each of which would use a separate WSL
environment to run Linux binaries. I don't know how layered images would be
supported; Microsoft might have to implement a union filesystem.

~~~
zxcvcxz
What is the use case though? What would be even better is if MS created a
"windows container" that could run under Linux, then you could just ditch
windows all together.

I don't see big companies using something this hackish for containers that are
running on servers anyway. For working on the desktop this might come in handy
for devs, but honestly I think MS should focus their energy on something else.

~~~
ihsw
I would use it for development.

Running Linux on Windows without a VM would be a godsend. And no, Cygwin
doesn't count.

~~~
ithkuil
It has been recently announced by Microsoft and Ubuntu and marketed as Ubuntu
for Windows.

It's actually on a windows subsystem that can run linux ELF64 executables
natively on windows:

[https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/](https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/)

------
Matt3o12_
Why do people value that so much? I really don't care if a tiny VM is running
in the background. Also, running that VM gives me more confidence that it will
also run on the production machine (since they use the same kernel and the
same docker version).

The only problem I had with docker was that it did not use to support shared
volumes that are outside the home folder on Mac (I think they changed that
now, but I'm not sure).

~~~
xienze
Running a VM means you have to allocate X amount of RAM regardless of how much
is actually needed by the containerized processes.

~~~
JonathonW
You're still running a VM with this, just via xhyve and the OSX Hypervisor
framework, rather than via Virtualbox or VMWare.

Which actually makes me wonder how they're managing memory for the VM hosting
Docker here. Are they specifying a set fixed allocation? Is memory usage
configurable somewhere?

~~~
jdub
Not quite configurable yet, but it appears that's the intention. (I wouldn't
be surprised if they'll try to make that a bit more dynamic, if the hypervisor
framework allows it.)

[https://twitter.com/jdub/status/724724422574104576](https://twitter.com/jdub/status/724724422574104576)

------
rzimmerman
I've been using the Mac Beta for a few weeks and I can also say it's great.
Install is easy and it just works. It's such a relief being able to do dev
work directly on my machine without docker-machine/VirtualBox. I've been
hitting it with a variety of Ubuntu-based containers without any issues.

------
viglesiasce
I've been using the following docker-machine plugin and found it to be great:
[https://github.com/zchee/docker-machine-driver-xhyve](https://github.com/zchee/docker-machine-driver-xhyve)

~~~
nzoschke
Author here. I was using that prior to getting in the beta. Tremendous work
went into that driver, so I'm happy to see the techniques get picked up
elsewhere.

------
dotmpe
The touted "native" is not what it is all cracked up to be. Maybe windows is a
plus that brings a few souls into the fold, but I've been looking for OSX
performance ratings and only found some comments here and there that are like
my experience.

At my El Capitan, the exact same setup in Docker Beta takes roughly ten times
longer to do its thing than my more flexible vbox setup did. A java stack (Jenkins)
starts in about 1.5 minutes, but with Docker Beta it takes 15 minutes or
about!

So, my docker-machine setup lets me see my hosts with vbox, manage them with
docker-machine, and get the NFS tweaked with docker-machine-nfs. boot2docker
OS is nice and small and works.

So for me this is quite a contrast with the 'native' Alpine images based Beta.
Which in my 5-hour stint with it did not show much way to overview or inspect
it without getting new/more gear.

------
partiallypro
I have Docker for Windows Beta, but when I've installed it on my Surface Pro
3, it immediately caused the device to get stuck in a BSOD loop. I think it
has something to do with Hyper-V and connected standby but I'm not 100% sure.
Wasn't able to find an answer because it's so early on. I really want to get
into Docker, but that bug has killed any possibility of me adopting it as of
right now. I did install it on a desktop (which I lightly use) and it worked
fine. With the new Windows 10 Insider build on that desktop though, Docker
constantly is asking permission to run.

Anyhow, I really hope someone does a good overview of Docker for Windows beta,
as well as the Ubuntu environment within Windows 10 now...Seems like OSX gets
all of the dev love, so I'm wishing and hoping for a really nice Windows
overview. As I am currently having a hard time with both. Neither, as of right
now, work well.

~~~
so0k
if you want a more technical review of the Windows beta, read this:
[http://docker-saigon.github.io/post/Docker-Beta/](http://docker-saigon.github.io/post/Docker-Beta/)
But note that beta 8 was released a few
days after that review and already introduced some changes. Also, for the
Windows beta, it very much is still a beta.

------
mnutt
I started playing around with Docker for Mac in an attempt to get my whole dev
environment set up in Docker. It was really slick, especially being
(re-)introduced to docker-compose which makes connecting containers very easy.

There is a ton of potential there. My biggest challenge is that the
documentation hasn't quite caught up to all of the interesting stuff that is
going on. I'd certainly welcome some more opinionated answers for how to
develop on Docker. Specifically: how to not run apps as root, as almost all
examples use root and permissions are annoying if you don't do so; how to use
docker containers for both dev and prod; best practices for getting ssh key
access into a container during the build phase.

But much of it Just Works at this point, I'm pretty confident that the best
practices will catch up in time.

------
Osiris
I'm a node.js developer. I understand the benefit of using docker for
deployments or CI testing, but I have yet to be convinced of the benefits of
using it for development on my local machine.

I install node, postgres, and redis natively and it all works fine. What
benefits does docker provide to my workflow?

~~~
accounthere
You might need different node/postgres versions for different projects.

~~~
blowski
Or indeed for testing the same project against different versions or in
different environments.

------
beaker52
For anyone wanting to use all this cool stuff without waiting for the release,
check out nlf/dlite
[https://github.com/nlf/dlite](https://github.com/nlf/dlite) which has the
xhyve implementation already.

------
joeblau
Whoa! When did OS X add the Hypervisor Framework? This looks really
promising; I need to check this out.

~~~
bobwaycott
I believe OS X 10.10 is the earliest availability.

~~~
joeblau
Ah okay. One of my co-workers who worked at Apple told me:

> It was a prerequisite for any VM stuff being sold in the App Store

------
joshvm
VMWare Fusion does a few extremely useful things that Docker doesn't - for
instance it can hook into an existing Boot Camp install and load it as a VM.
It may be a bit heavy for the (Linux) applications Docker excels at, but for
me it's worth the money just for the Windows VM support.

------
vhiremath4
Anybody know if there is a full guide for the migration from toolbox to Mac
beta? I've installed the beta, but I'm wondering if there's old cruft that
I'll need to uninstall to be completely on the new.

------
tmaly
I signed up for the Beta, but I have not gotten access yet. I was hoping to
see a walk through of an example on your review so I could gauge how easy it
is compared to the old docker setup on osx.

------
dchuk
So if I'm using dlite now, and I want to transition to Docker for Mac once I
get into the Beta...what do I need to do? Fully uninstall dlite? Can they be
run side by side? (assuming no)

~~~
justincormack
I am not sure if they conflict, there may be an issue with them both trying to
use the same docker socket though, but you can probably just start one after
you stop the other.

------
justinhj
Good review. One thing mentioned is that the author was able to remove
Kitematic amongst other things. Kitematic is a GUI for Docker. There is
currently no replacement for it.

~~~
gschrader
I was under the assumption that Kitematic wouldn't work with the beta but lo
and behold it does. I'm not sure what it will do if you have the old Docker
toolbox installed at the same time however.

~~~
justinhj
I had an older version of Docker installed as well as the beta, so when I
installed Kitematic nothing worked correctly until I reverted everything.

------
fpoling
I got an impression that this is not that useful for development due to very
weak networking support.

For example I use a single docker installation in a VM to test several
unrelated projects with all of them providing a web server on a port 80/443.
I do not want to remap ports not to deviate from the production config.
Instead I added several IPs to the VM and exposed relevant containers on own IP
addresses. Then for testing I use a custom /etc/hosts that overwrites
production names with VM's IP addresses. This works very nicely.

But I do not see that something like this is possible with "Docker for Mac".

------
nerdwaller
My only issues so far have been: 1) the docker.local issue on mac (as a few
others have mentioned) and 2) I still get some vpn issues with Cisco
Anyconnect

------
yeahk
Docker 4 Mac is awesome - however running into some issues with running `npm
install`, with the container not completing I think due to CPU issues.

------
hbogert
The only downside of using virtualization I keep running into is diskspace
usage, which only grows for the VM, and it never shrinks.

------
gtrubetskoy
The interesting bit here is that in this scenario Docker creates and runs an
actual VM, not so much a "container"?

------
smegel
So it uses xhyve...does this mean Docker runs up a full hypervisor per Docker
process you run? That seems a bit excessive.

~~~
friism
That's not the case - there's only one virtual machine shared by all
containers.

~~~
smegel
Oh...that's interesting. That would even be useful on Linux to enable greater
resource separation between processes...say being able to lock all Docker
processes down to 1-2 cores on a machine and with a hard memory limit they
can't exceed.

~~~
zenlikethat
What you mention is a major reason why Linux containers were invented, and is
already possible with Docker today. Take a look at the '--mem-limit' or
'--cpu-shares' flags for 'docker run', for instance.

------
FloNeu
Anyone has had a chance to try the windows beta? Would be interested to read
about that too. thanks in advance...

~~~
so0k
if you want a more technical review of the Windows beta, read this:
[http://docker-saigon.github.io/post/Docker-Beta/](http://docker-saigon.github.io/post/Docker-Beta/)
But note that beta 8 was released a few
days after that review and already introduced some changes.

------
trollian
I don't get it. Why is Docker for Mac running Linux containers? Shouldn't it
be for OSX containers?

~~~
dguaraglia
Not really, unless you are going to be running OS X in your server. You want
the container in your development machine to be as close to the one that'll
run in production as possible to minimize "Works on my Machine" issues.

------
landmark2
I think docker for Mac is the way to go but, until disk performance is not up
to scratch, I suggest you have a look at dinghy
([https://github.com/codekitchen/dinghy](https://github.com/codekitchen/dinghy))
it just works too and it's 10x faster than docker-machine with
vmware/virtualbox shares (uses NFS).

------
shuzchen
Can anybody in HN provide a quickpath into the beta? I signed up when it was
first announced (seems to be over 30 days ago:
[https://news.ycombinator.com/item?id=11352389](https://news.ycombinator.com/item?id=11352389))
but haven't heard anything back yet.

~~~
shykes
If you're comfortable sharing your Docker ID, feel free to share it here and
we'll fast-track you!

Generally anyone who cares enough to ask directly, we'll automatically add to
the top of the list.

EDIT: or, feel free to contact us privately with a few details on your
configuration and use case: feedback+hn@docker.com

~~~
chrisbuchholz
We are using docker for developing and testing services in the same
environment they are put in production in: Debian.

My personal docker ID is chrisbuchholz.

~~~
WestCoastJustin
Hey, I don't see you on the beta list as having signed up. You'll need to have
signed up at [https://beta.docker.com/](https://beta.docker.com/) first.

~~~
chrisbuchholz
Yeah, I dunno why I thought I was. I am now, though, so if you don't mind,
please go ahead and fast-track me through the waiting list :)

------
wichsen
Question: Is this compatible with OS X 10.9.x or earlier? Or is it only for
the latest pieces of shit that are 10.10/10.11?

 _edit_ thanks for the correction netheril96!

I'm curious about the state of compatibility because I've drawn a line in the
sand -- and refuse to upgrade from 10.9 (since many things seem to be getting
only worse and less stable in MAC OS land :).

~~~
netheril96
The latest piece is 10.11.

~~~
kawera
I'm running the latest (build: 6072) on 10.10.5.

------
tacos
This "review" is the technical equivalent of a YouTube unboxing video.
Screenshot, screenshot, something I already knew from reading the press
release, screenshot, platitude, one big technical error in the conclusion, and
done.

If it really worked (especially on Windows) Docker would post the binaries
instead of treating this like Wonka Golden Tickets. Love Docker, am actually
waiting to be approved so I can get to building something, but posts like this
are a symptom of a larger problem.

~~~
shykes
Disclaimer: I work at Docker.

The reason we are keeping the beta private is because we don't believe the
quality is good enough yet to "open the floodgates". We are sending as many
invites as the engineers are comfortable with - currently that's several
thousands per day. As we hit more and more edge cases (performance, stability,
support for unusual configurations...) we are expanding the pool as fast as we
can.

~~~
tacos
I appreciate this but in that case you should collect configuration data as
part of requesting the bits. If I'm on a machine that's known borked, I'll
wait. If not, gimme and I'll help you fix. Otherwise it feels like you're just
using this as a marketing trick to build buzz.

------
mschuster91
Until Dockrap (and its various predecessors and friends) are compatible with
IT depts setting their VPN config to disallow local network access, fuck all
that hipster stuff and use good old self-configured services. Hipster bullshit
that can't be used in any org that remotely takes care of their network (hint:
any big corporation will mandate this by contracts with huge liability figures
in the contracts).

To the users: if you can't configure a simple local web server for
development, you should not be qualified to develop a web service. Period.
(Hint: Apache and PHP is included in OS X, but a bit outdated to be fair - but
you can install/upgrade to a OAMP stack using MacPorts in MINUTES)

~~~
bel_marinaio
Bigco needs to get with it or get out of the way. Whenever a bloated,
antiquated dinosaur is replaced by a newer, smarter company the sun shines a
little brighter in my world.

~~~
mschuster91
> Whenever a bloated, antiquated dinosaur is replaced by a newer, smarter
> company the sun shines a little brighter in my world.

And whenever a "newer, smarter company" disregards fundamental IT security
practices and gets hacked, the sun shines a little brighter in my world.

Security is an afterthought (if a thought at all) in many hipster operations,
and it's about time someone fucks up so badly that IT security is priority #1
from the beginning.

~~~
brodsky
Might want to ease up on the chili peppers: the butthurt is unbearable.

