
Ask HN: Why Docker in Addition to Ansible onto VMs? - kqr
(In this discussion, I'm going to say "Ansible" a lot, but what I really mean by that is "your favourite deployment and configuration tool". I just use Ansible as an example of the broader category.)

To begin with, I'll clarify what I think is the sort of scenario where this question becomes relevant. If I have to run a bunch of services, some continuously, and others as cron jobs, I imagine my options are to either

a) Deploy them onto separate virtual machines using Ansible, or

b) Create Docker images of them, which I then deploy onto a machine, again using Ansible.

I can't imagine a scenario where it would not be useful to know Ansible. This is where I feel the primary cost of Docker is incurred: it is an _additional_ layer of abstraction that has to be learned, taught to new admins, troubleshot, and kept in sync. Troubleshooting any Unix system including a VM is the same, but a Docker container has to be troubleshot differently.

----

Due to the submission character count limit, I have submitted the most common arguments I have heard in a comment. Please read that first.

-----

In summary, this is my picture of the situation:

- Docker cannot replace regular configuration management tools like Ansible. Docker, being an additional layer of abstraction, comes at a maintenance cost.

- Performance is not enough of a reason to offset the maintenance cost.

- File system management is not enough of a reason to offset the maintenance cost.

- Upgrade handling is not enough of a reason to offset the maintenance cost.

I get the sense that it's a wash, and the deciding factor is whether you are more experienced with Docker administration or Unix administration.

But there are very experienced Unix sysadmins who have switched to Docker and never looked back. I just haven't heard a satisfying explanation as to why.

It'd make my day if any of you guys could do that. Thanks!
======
kqr
So some reasons people bring up for using Docker:

"_A full virtualized system gets its own set of resources allocated to it,
and does minimal sharing. You get more isolation, but it is much heavier
(requires more resources)._"

Is that really true? The few recent-ish comparisons I find between Docker and
VMs indicate that services running under both perform comparably, thanks to
modern advances in hardware-assisted virtualisation. (I also get the sense
that people frequently use Docker on top of virtual machines.)

But _if_ VMs do not use resources efficiently for your purposes, you can use
the exact same Ansible scripts you installed the VM with to install your
services onto a dedicated physical machine instead. No need to change
anything.

"_AuFS is a layered file system, so you can have a read only part and a write
part which are merged together. One could have the common parts of the
operating system as read only (and shared amongst all of your containers) and
then give each container its own mount for writing._"

Am I misunderstanding something if I think this is exactly how regular mount
works? It's literally a layering of disks (or disk images.)

If you mount / as read-only (which is not a bad idea in general either) then
you can have multiple virtual machines sharing the same base disk image.

"_Regarding consistency, Docker images are immutable. It should be self-
evident that it is easier to maintain something that does not change. Your
config won't suddenly break because the OS updated itself._"

Sure, freezing software in points of time is very easy to deal with. But what
about security updates? If you are going to do updates anyway, you still have
to have workflows in place to deal with changing images.

I'd also argue that if your config breaks all the time for OS update reasons,
you should probably consider running a different OS in your production
environment.

"_the following is a speed comparison of start and stop times for the two
different technologies:_"

Yes, I recognise that Virtual Machines can take up to several minutes to
provision, while Docker containers can be spun up in seconds. I do see how
Docker is a huge deal if, at the core of your problem domain, you find
"needing to spin up new instances of services in seconds but no ability to run
hot spares". That sounds like a very limited domain, though.

