
Docker

The tool that made containers mainstream by wrapping them in a virtual machine and pretending it didn't
Tool · First observed 2013, when Solomon Hykes demonstrated it in a five-minute lightning talk and the industry lost its mind · Severity: Systemic

Docker is a platform for running Linux containers. On Linux, this is a thin wrapper around kernel features that already exist — cgroups and namespaces — and it works beautifully, because it is doing almost nothing. On macOS, this is a Linux virtual machine running inside a hypervisor, running containers inside the virtual machine, pretending that the virtual machine does not exist, while consuming the resources of a virtual machine that very much exists.

The distinction matters.

The Great Confusion

Docker’s original insight was correct and important: applications should ship with their dependencies in an isolated, reproducible environment. This was a good idea in 2013. It remains a good idea. The problem is not the idea. The problem is that Docker on macOS is a virtual machine pretending to be a container runtime.

A container, on Linux, is a process. It shares the host kernel. It uses cgroups for resource limits and namespaces for isolation. It starts in milliseconds. It uses no additional memory beyond what the process needs. This is elegant. This is the correct engineering.

A container, on macOS, is a process running inside a Linux VM running inside Apple’s hypervisor. The VM has its own kernel. The VM has reserved memory. The VM has a filesystem that must be synchronised with the host filesystem through a translation layer that has been rewritten four times and is still, in the technical sense, “not great.”
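To make the "a container is a process" point concrete, here is an added example in C (not code from this page or from Docker): a child is cloned into fresh user, PID and UTS namespaces, renames its hostname without affecting the host, and sees itself as PID 1. On Linux this runs against the host kernel; on macOS the same syscalls only exist inside the hidden VM's kernel, which is exactly the distinction the page draws. Sandboxes that forbid unprivileged user namespaces make the function report a refusal rather than isolation.

```c
// Added example: a minimal "container" is a process in new kernel namespaces.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs inside the new namespaces. Exit codes: 0 = isolation observed,
   2 = environment refused sethostname, 3 = namespaces created but no isolation seen. */
static int child_fn(void *arg) {
    (void)arg;
    struct utsname u;
    /* Hostname is per-UTS-namespace; this does not touch the host's name.
       "room" is a constructed value for the demo. */
    if (sethostname("room", 4) != 0) return 2;
    if (uname(&u) != 0) return 3;
    /* In a fresh PID namespace the first process is PID 1. */
    return (getpid() == 1 && strcmp(u.nodename, "room") == 0) ? 0 : 3;
}

/* Returns 1 if the child confirmed namespace isolation, -1 if the kernel or a
   seccomp/sandbox policy refused to create or use the namespaces, 0 otherwise. */
int run_isolated_child(void) {
    static char stack[1 << 16];               /* child stack; clone wants the top */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + sizeof stack, flags, NULL);
    if (pid < 0) return -1;                   /* EPERM/EINVAL/ENOSYS: refused */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return 0;
    if (WEXITSTATUS(status) == 2) return -1;  /* capability denied inside the ns */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    int r = run_isolated_child();
    printf("isolation=%d host hostname unchanged\n", r);
    return 0;
}
```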

THE CONTAINER IS A ROOM
THE VM IS A BUILDING

DOCKER ON LINUX
RENTS A ROOM

DOCKER ON MACOS
CONSTRUCTS A BUILDING
TO RENT A ROOM

THE ROOM IS THE SAME
THE INVOICE IS NOT

🦎

Docker Desktop

Docker Desktop is the macOS application that manages the hidden VM. It is an Electron application — a web browser pretending to be a desktop application — managing a Linux VM pretending to be a container runtime. The layers of pretence are architectural.

Docker Desktop consumes approximately 2 GB of RAM while idle. “Idle” means no containers are running. The 2 GB is the cost of maintaining the illusion. The VM is running. The filesystem sync daemon is running. The API proxy is running. The Electron shell is running. Everything is running. Nothing is happening.

The fan spins. The developer does not notice, because the developer has been listening to Docker Desktop’s fan for so long that silence would be alarming. The absence of fan noise would suggest something is broken. This is the sound of Stockholm Syndrome operating at the thermal level.

The Licensing Incident

In 2021, Docker Inc. changed Docker Desktop’s license to require a paid subscription for companies with more than 250 employees or more than $10 million in revenue. This was described by Docker Inc. as “aligning our business model with the value we provide.”

The industry’s response was to discover that Docker Desktop was optional. That docker the CLI and containerd the runtime and buildkit the builder were all open source and could run without Docker Desktop. That the 2 GB Electron application managing a hidden VM was, in fact, a convenience layer that many developers had mistaken for a necessity.

This is the software equivalent of discovering that the £47,000/month Grafana dashboard was monitoring a monolith that ran fine at 3% CPU. The dashboard was not the service. The dashboard was the cost.

The Squirrel’s Defence

The Squirrel, it must be noted, loves Docker. The Squirrel loves Docker Compose files. The Squirrel loves multi-stage builds. The Squirrel loves the idea that every service is a container and every container is isolated and every environment is reproducible and the entire stack can be described in a YAML file that—

The YAML file is 247 lines. The YAML file defines fourteen services. Three of the services exist only to translate between the other eleven. Two of the services are monitoring the other twelve. One of the services monitors the monitors.

“It’s a ContainerOrchestrationManifest with ServiceDiscovery and HealthCheckCascading and—”
— The Squirrel, describing what is architecturally a cron job

On Servers

Docker on Linux servers is fine. Docker on Linux servers is good. Docker on Linux servers is a thin layer over kernel primitives that adds image management and networking and a Dockerfile format that, despite its quirks, has become the lingua franca of deployment.

The problem was never Docker. The problem was Docker Desktop on macOS, which is Docker plus a VM plus Electron plus filesystem sync plus 2 GB of RAM plus a fan. The problem was pretending the VM wasn’t there.

OrbStack does not pretend the VM isn’t there. OrbStack says: “Here is a VM. It boots in two seconds. SSH works. The filesystem is shared. The fan does not spin. You’re welcome.” This is the same honesty the Lizard has been recommending since the bootblock.

Measured Characteristics

Docker Desktop idle RAM:                    ~2 GB
OrbStack idle RAM:                          ~50 MB
Ratio:                                      40:1
Docker Desktop startup time:                30-60 seconds
OrbStack startup time:                      ~2 seconds
Docker Desktop filesystem sync rewrites:    4 (and counting)
Docker Desktop settings panels:             many
OrbStack settings changed by riclib:        0
Fan noise (Docker Desktop):                 audible from kitchen
Fan noise (OrbStack):                       none
Licensing incidents:                        1 (2021)
Developers who discovered Docker Desktop
  was optional after the licensing incident: millions
