Goodbye Docker: Purging is Such Sweet Sorrow
After 6 years, I removed Docker from all my home servers.
apt purge -y docker-ce
Why?
This was triggered by a recurring incident I faced where the Docker daemon was using 100% CPU on multiple cores that made the host effectively unusable.
This had happened a few times before, and was likely due to a script that had got out of hand starting up too many containers. I’d never really got to the bottom of it, as I had to run a command to kill off all the containers and restart the daemon. This time, the daemon wouldn’t restart without a kill -9, so I figured enough was enough.
Anyway, I didn’t necessarily blame Docker for it, but it did add force to an argument I’d heard before:
Why does Docker need a daemon at all?
Podman, Skopeo, and Buildah
These three tools are an effort mostly pushed by Red Hat that do everything I need Docker to do. They don’t require a daemon or access to a group with root privileges.
Podman
Podman replaces the Docker command for most of its sub-commands (run, push, pull etc). Because it doesn’t need a daemon, and uses user namespacing to simulate root in the container, there’s no need to attach to a socket with root privileges, which was a long-standing concern with Docker.
Buildah
Buildah builds OCI images. Confusingly, podman build can also be used to build Docker images, but it’s incredibly slow and used up a lot of disk space by using the vfs storage driver by default. buildah bud (‘build using Dockerfile’) was much faster for me, and uses the overlay storage driver.
The user namespacing allowing rootless builds was the other killer feature that made me want to move. I wrote a piece about trying to get rootless builds going last year, and now it comes out of the box with /etc/subuid and /etc/subgid set up for you, on Ubuntu at least.
Skopeo
Skopeo is a tool that allows you to work with Docker and OCI images by pushing, pulling, and copying images.
Steps to Move
Installing these tools on Ubuntu was a lot easier than it was 6 months ago.
I did seem to have to install runc independently of those instructions. Not sure why it wasn’t a pre-existing dependency.
First, I replaced all instances of docker in my cron and CI jobs with podman. That was relatively easy as it’s all in my Ansible scripts, and anything else was a quick search through my GitHub repos.
That made me hit a gotcha as podman build exists, but out of the box was excruciatingly slow and disk-space intensive, I reasoned due to it seeming to use the vfs storage driver. Replacing all docker builds with buildah buds was the solution.
Once that was bedded in, I could see if anything else was calling docker by using sysdig to catch any references to it:
sysdig | grep -w docker
This may slow down your system considerably if you’re performance-sensitive.
Once happy that nothing was trying to run docker, I could run:
apt remove -y docker-ce
I didn’t actually purge in case there was some config I needed.
Once everything was deemed stable, the final cleanup could take place:
- Remove any left-over sources in /etc/apt/* that point to Docker apt repos
- Remove the docker group from the system with delgroup docker
- Remove any left-over files in /etc/docker/*, /etc/default/docker and /var/lib/docker
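The migration and cleanup checks above, as an added example that is not part of the original post: a read-only POSIX shell audit that reports cron files, apt sources, the docker group entry and left-over paths that are still present. The function names and the optional root-prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): read-only audit for Docker
# leftovers. Function names are hypothetical; optional $1 is a root prefix,
# so a mounted or copied tree can be checked instead of the live host.

# Cron files that still mention docker as a whole word (same match as grep -w).
docker_cron_refs() (
    root="${1%/}"
    grep -rlw docker "$root/etc/crontab" "$root/etc/cron.d" \
        "$root/var/spool/cron" 2>/dev/null | sort
)

# Files under /etc/apt that still mention docker (repo lines, keyrings).
docker_apt_sources() (
    root="${1%/}"
    grep -rli docker "$root/etc/apt" 2>/dev/null | sort
)

# The docker group entry from /etc/group, if the group still exists.
docker_group_entry() (
    root="${1%/}"
    awk -F: '$1 == "docker"' "$root/etc/group" 2>/dev/null || true
)

# Paths from the final cleanup list that are still present.
docker_leftover_paths() (
    root="${1%/}"
    for p in etc/docker etc/default/docker var/lib/docker; do
        if [ -e "$root/$p" ]; then printf '/%s\n' "$p"; fi
    done
)

# Print every non-empty finding; exit status is 0 only when nothing is left.
docker_audit() (
    findings=0
    report() {
        [ -n "$2" ] || return 0
        findings=$((findings + 1))
        printf '%s:\n%s\n' "$1" "$2" | sed '2,$s/^/  /'
    }
    report "cron files calling docker" "$(docker_cron_refs "$1")"
    report "apt sources naming docker" "$(docker_apt_sources "$1")"
    report "docker group still defined" "$(docker_group_entry "$1")"
    report "left-over paths" "$(docker_leftover_paths "$1")"
    [ "$findings" -eq 0 ]
)

# Run against the given root only when one is passed on the command line.
if [ "$#" -gt 0 ]; then docker_audit "$1"; fi
```

Saved to a file, it is run with / as the argument to check the live host; a non-zero exit status means at least one item from the cleanup list remains.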
A few people asked what I did about Docker Compose, but I don’t use it, so that wasn’t an issue for me.
Differences?
So far, and aside from the ‘no daemon’ and ‘no sudo access required’, I haven’t noticed many differences.
Builds are local to my user (in ~/.local/containers) rather than global (in /var/lib/docker), in keeping with the general philosophy of these tools as user-oriented rather than daemon-oriented. But since my home servers have only one user using Docker, that wasn’t much of an issue.
The other big difference I noticed was that podman pull downloads get all layers in parallel, in contrast to Docker’s. I don’t know if this causes problems if too many images are being pulled at once, but that wasn’t a concern for me.