42

Goodbye Docker: Purging is Such Sweet Sorrow

 4 years ago
source link: https://www.tuicool.com/articles/eQvmi2M
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

After 6 years, I removed Docker from all my home servers.

apt purge -y docker-ce

Why?

This was triggered by a recurring incident I faced where the Docker daemon was using 100% CPU on multiple cores that made the host effectively unusable.

This had happened a few times before, and was likely due to a script that had got out of hand starting up too many containers. I’d never really got to the bottom of it, as I had to run a command to kill off all the containers and restart the daemon. This time, the daemon wouldn’t restart without a kill -9 , so I figured enough was enough.

Anyway, I didn’t necessarily blame Docker for it, but it did add force to an argument I’d heard before:

Why does Docker need a daemon at all?

Podman, Skopeo, and Buildah

These three tools are an effort mostly pushed by RedHat that do everything I need Docker to do. They don’t require a daemon or access to a group with root privileges.

Podman

Podman replaces the Docker command for most of its sub-commands ( run , push , pull etc). Because it doesn’t need a daemon, and uses user namespacing to simulate root in the container, there’s no need to attach to a socket with root privileges, which was a long-standing concern with Docker.

Buildah

Buildah builds OCI images. Confusingly, podman build can also be used to build Docker images also, but it’s incredibly slow and used up a lot of disk space by using the vfs storage driver by default. buildah bud (‘build using Dockerfile’) was much faster for me, and uses the overlay storage driver.

The user namespacing allowing rootless builds was the other killer feature that made me want to move. I wrote apiece about trying to get rootless builds going last year , and now it comes out of the box with /etc/subuid and /etc/subgid set up for you, on Ubuntu at least.

Skopeo

Skopeo is a tool that allows you to work with Docker and OCI images by pushing, pulling, and copying images.

The code for these three are open source and available here:

Podman

Buildah

Skopeo

Buildah, Podman, and Skopeo

Buildah, Podman, and Skopeo

Steps to Move

Installing these tools on Ubuntu was a lot easier than it was 6 months ago.

I did seem to have to install runc independently of those instructions. Not sure why it wasn’t a pre-existing dependency.

First, I replaced all instances of docker in my cron and CI jobs with podman . That was relatively easy as it’s all in my Ansible scripts, and anything else was a quick search through my GitHub repos.

That made me hit a gotcha as podman build exists, but out of the box was excruciatingly slow and disk-space intensive, I reasoned due to it seeming to use the vfs storage driver. Replacing all docker build s with buildah bud s was the solution.

Once that was bedded in, I could see if anything else was calling docker by using sysdig to catch any references to it:

sysdig | grep -w docker

This may slow down your system considerably if you’re performance-sensitive.

Once happy that nothing was trying to run docker , I could run:

apt remove -y docker-ce

I didn’t actually purge in case there was some config I needed.

Once everything was deemed stable, the final cleanup could take place:

  • Remove any left-over sources in /etc/apt/* that point to Docker apt repos
  • Remove the docker group from the system with delgroup docker
  • Remove any left-over files in etc/docker /*, /etc/default/docker and /var/lib/docker

A few people asked what I did about Docker Compose, but I don’t use it, so that wasn’t an issue for me.

Differences?

So far, and aside from the ‘no daemon’ and ‘no sudo access required’, I haven’t found noticed many differences.

Builds are local to my user (in ~/.local/containers ) rather than global (in /var/lib/docker ), in keeping with the general philosophy of these tools as user-oriented rather than daemon-oriented. But since my home servers have only one user using Docker, that wasn’t much of an issue.

The other big difference I noticed was that podman pull downloads get all layers in parallel, in contrast to Docker’s. I don’t know if this causes problems if too many images are being pulled at once, but that wasn’t a concern for me.


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK