Richard Bucker

Frustrated by docker swarm

Posted at — Aug 5, 2018

My complaint is as much a community issue as it is docker swarm. There are a few things that I like about docker and docker swarm and plenty to hate.

  • Dockerfile is very much like a makefile creating the same instance each time
  • with enough nodes the swarm has some survivability
  • the docker networks can be encrypted for additional security
  • the docker networks can be segmented, stitching together the systems that are permitted to communicate
  • when combined with Traefik there is some dynamic deploy that I like, including Let's Encrypt and SSL
  • in recent history it has been reported that there are some bad actors creating fake containers, and there are no curated container services that are not stupid expensive. This is a common problem for open source.
  • deploying docker services and stacks can relocate them anywhere in the swarm, however, if you use persistent volumes they do not follow and so you need a distributed filesystem, NAS, or SAN. All of which have their own risks and costs.
  • repairing a damaged cluster means rebuilding it all. This is typical, but it is seriously tricky to be consistent as well as to keep the docs up to date. For example, I had to push my swarm source outside of my network so I could deploy it differently if there was a major failure in the lab.

Right now the network filesystem is a problem without a solution.