A decade of Docker containers

Overall role and impact of Docker

  • Seen as a major cultural and operational shift: “ship your machine” made deployment faster and bypassed traditional ops bottlenecks.
  • Some argue Docker simply encoded pre-existing tribal deployment steps in a repeatable form (Dockerfile) rather than making deployment intrinsically “harder” or “easier.”
  • Others view it as a hacky but effective workaround for a broken Linux userspace and dependency model.

Containers vs traditional packaging / OS design

  • Debate over whether containers improve efficiency: they share the host kernel and can be lighter than VMs, but per-app userspaces duplicate libraries and tools.
  • Critics say this is bloat and that static linking or bundling deps beside binaries (as on Windows) is conceptually cleaner.
  • Defenders argue isolation and version pinning justify the duplication, especially in multi-tenant or fast-moving environments.
  • Some prefer traditional distro packaging + systemd units for single-tenant or small-scale setups.

Nix, Guix, and alternative paradigms

  • Nix/Guix praised for hermetic, reproducible builds, avoiding dependency conflicts and enabling fine-grained sharing.
  • Others note Nix has a learning curve, documentation gaps, and struggles with complex ecosystems like Python.
  • Discussion of more radical alternatives (Plan9/Inferno, unikernels) as ways to “fix the stack” instead of wrapping it.

Dockerfiles, build tooling, and reproducibility

  • Dockerfile’s flexibility and shell-based model seen as both its strength and its source of non-determinism and bad practices.
  • Some wish for declarative, language-neutral build tools; others point out those historically failed to gain adoption.
  • BuildKit, LLB, and third-party tools are used to improve caching, reproducibility, and layering; reproducible container builds remain nontrivial.

Performance, bloat, and ML workloads

  • Image sizes, especially for ML (e.g., multi-GB Torch/TensorFlow stacks), are a growing concern.
  • People experiment with distroless bases, hardened/minimal images, deduplicating registries, and Nix-based layering to tame size and startup time.

Networking, platforms, and tooling quirks

  • Historical use of SLIRP/VPN-like tricks to bypass corporate firewalls is widely discussed and admired as a clever hack.
  • Mac container networking and separate IPs remain awkward, often solved with WireGuard, third-party tools, or Tailscale.
  • Docker’s manipulation of iptables, which lets published container ports bypass host firewall rules (e.g., ufw), is criticized as dangerous.
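An added audit check for the last point, not code from the original discussion: it parses the nat-table DOCKER chain (as printed by `iptables -t nat -S DOCKER`) to list which published ports are bound to all host addresses, and checks whether the DOCKER-USER chain still holds only Docker's default RETURN. The sample rule text is constructed to match Docker's default bridge output; run it against real `iptables -S` output on a host to audit that host.

```python
import re

# Constructed sample of `iptables -t nat -S DOCKER` for two containers: one
# published with `-p 5432:5432` (all interfaces), one with
# `-p 127.0.0.1:6379:6379` (loopback only). Not captured from a real host.
SAMPLE_NAT_DOCKER = """\
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
"""

# Constructed sample of `iptables -S DOCKER-USER` with Docker's default
# content: the operator has added no rules of their own.
SAMPLE_FILTER_DOCKER_USER = """\
-N DOCKER-USER
-A DOCKER-USER -j RETURN
"""

DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<dst>\S+))? ! -i \S+ -p (?P<proto>\w+) -m \w+ "
    r"--dport (?P<port>\d+) -j DNAT --to-destination (?P<target>\S+)$"
)

def published_ports(nat_docker_rules: str) -> list[dict]:
    """Turn DNAT rules in the nat DOCKER chain into port mappings.

    A rule with no `-d` match applies to every host address. Traffic to that
    port is DNATed to the container and then forwarded, so ufw's INPUT rules
    never apply to it, and Docker's FORWARD jumps precede ufw's forward chains.
    """
    mappings = []
    for line in nat_docker_rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            mappings.append({"proto": m["proto"], "port": m["port"],
                             "bind": m["dst"] or "0.0.0.0/0",
                             "target": m["target"],
                             "exposed_beyond_host": m["dst"] is None})
    return mappings

def docker_user_is_default(filter_docker_user_rules: str) -> bool:
    """True when DOCKER-USER contains nothing but Docker's own RETURN."""
    rules = [l for l in filter_docker_user_rules.splitlines() if l.startswith("-A ")]
    return rules == ["-A DOCKER-USER -j RETURN"]

def audit(nat_docker_rules: str, filter_docker_user_rules: str) -> list[str]:
    """Report ports reachable from outside the host regardless of ufw."""
    findings = [f"{m['proto']}/{m['port']} -> {m['target']} published on all interfaces"
                for m in published_ports(nat_docker_rules) if m["exposed_beyond_host"]]
    if findings and docker_user_is_default(filter_docker_user_rules):
        findings.append("DOCKER-USER chain is empty: no operator rules filter forwarded traffic")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NAT_DOCKER, SAMPLE_FILTER_DOCKER_USER)))
```

Binding published ports to 127.0.0.1 or adding DROP rules to DOCKER-USER are the two mitigations the check points at; both leave Docker's own chains in place.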