Heroku is dead – no-one uses it anymore. You need to use Docker now

Because it's the future!



  • modern devops is complicated 6 levels deep
  • curse of knowledge
  • one size does not fit all
  • new and shiny doesn't always make for good engineering


Simple Country Tech Arch

Docker needs 5 more yrs before it can be trusted for anything internet-facing besides cat photo hosting.

Internet security cannot be "claimed." We've learned this over time by bogus security claims made by marketing companies over and over.

Even solid solutions with a history of being considered secure have been found to contain issues which could be used to gain complete access and control.

Marketing security is much easier than actually producing a secure solution. Docker is proof that an ok technical solution with great marketing will be chosen.

This isn't to say that Docker isn't fantastic for development teams and for deploying internal-use services. It is. I've read about 10x greater density for enterprise clients than full VMs allow through container-based Linux options, like Docker. Sadly, most vocal Docker users come from a development background and often don't have much of a clue about system and network security. Ignorance (which we all have) isn't a reason to believe all the hype.

Many thanks to people on the bleeding edge for testing all this container stuff on the internet. I'll happily wait a few more years as true best practices (like never deploying a container with ssh-server) are hammered out. Containers need to be treated like zombies - if it doesn't do everything you need, shoot it in the head and build a new one with all new, fresh, inputs from all the support libs and tools.

Nothing against or for Heroku. Never liked running business-critical apps on "someone else's computer/network/storage" myself. Just too many legal issues with that.


Liraz Siri

Agreed on all counts. I've been reading up a lot on security issues related to Docker recently and this seems to be the number one concern with users.

For very good reasons. There's no question that the isolation between containers sharing a kernel is much weaker than the isolation between VMs running on a proper hypervisor or better yet physically separate computers.

The attack surface for the kernel is huge, the kernel is a hassle to upgrade on a production system, and if this year's PWN2Own contest is any indication, there's a seemingly endless supply of 0-days to exploit.

Then again, Docker is a tool, not a silver bullet. If you use it wisely you can actually get some pretty significant security benefits relative to systems with a monolithic architecture. Running apps as an unprivileged user in chroot has always been a security best practice, and with containers you get better isolation than that. I still wouldn't trust the isolation to host anything really sensitive, but again - you can architect apps such that only the sensitive parts need to run on your own hardware. The rest can run cheaply in an untrusted computing environment. For example, content addressable distributed storage systems such as IPFS don't rely on the security of the nodes storing the data at all.

For my money's worth, trust minimization is where it's at, not trust maximization.
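The two comments above name concrete container hygiene points: don't ship an ssh server inside a container, run the app as an unprivileged user, and don't rely on the shared-kernel isolation more than you have to. The script below is an added example (not code from either commenter or from the TurnKey project) that audits `docker inspect`-style records for exactly those risks. It reads the real `docker inspect` fields `Config.User`, `Config.Cmd`, `Config.Entrypoint`, `Config.ExposedPorts`, `HostConfig.Privileged`, `HostConfig.NetworkMode` and `HostConfig.CapAdd`; the two container records embedded in it are constructed sample data, not output from any real host.

```python
"""Audit `docker inspect`-style container records for the hygiene points raised in the thread:
root user, privileged mode, shared host network, extra capabilities, and an ssh server inside
the container. Added example; the sample records below are constructed, not real containers."""
import json

# Constructed stand-in for `docker inspect cat-photos legacy-api` output (two fictional containers).
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "/cat-photos",
        "Config": {
            "User": "app",
            "ExposedPorts": {"8080/tcp": {}},
            "Entrypoint": None,
            "Cmd": ["gunicorn", "app:wsgi"],
        },
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "CapAdd": None},
    },
    {
        "Name": "/legacy-api",
        "Config": {
            "User": "",
            "ExposedPorts": {"22/tcp": {}, "443/tcp": {}},
            "Entrypoint": None,
            "Cmd": ["/usr/sbin/sshd", "-D"],
        },
        "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"]},
    },
])


def runs_as_root(user_field):
    """Config.User is empty when no USER was set, which means root inside the container.
    It may also be 'root', '0', or a 'user:group' pair such as '0:0'."""
    user = (user_field or "").strip()
    name = user.split(":", 1)[0]
    return name in ("", "0", "root")


def audit_container(record):
    """Return a list of human-readable findings for one `docker inspect` record."""
    config = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []

    if runs_as_root(config.get("User")):
        findings.append("process runs as root (Config.User unset or root)")
    if host.get("Privileged"):
        findings.append("privileged mode removes most of the container's isolation")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    for cap in host.get("CapAdd") or []:
        findings.append("extra capability granted: " + cap)

    # Entrypoint and Cmd are lists or None; join them to look for an ssh daemon.
    cmdline = " ".join((config.get("Entrypoint") or []) + (config.get("Cmd") or []))
    exposed = config.get("ExposedPorts") or {}
    if "sshd" in cmdline or "22/tcp" in exposed:
        findings.append("ssh server inside the container (rebuild the image instead of logging in)")
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {
        rec.get("Name", "?").lstrip("/"): audit_container(rec)
        for rec in json.loads(raw_json)
    }


if __name__ == "__main__":
    # To audit a live host instead of the sample: docker inspect $(docker ps -q) | python3 audit.py
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_JSON
    for name, findings in audit_inspect_output(raw).items():
        status = "ok" if not findings else str(len(findings)) + " finding(s)"
        print(name + ": " + status)
        for item in findings:
            print("  - " + item)
```

The checks are deliberately conservative: an empty `Config.User` is reported as root because that is Docker's default, and a container is flagged for ssh if either the command line mentions `sshd` or `22/tcp` is exposed, since either one is enough to indicate the "log in and patch it" workflow the first commenter argues against.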

Luis A Espinal

It is safe to say that any post with such an attention-grabbing (and false) headline is one that can be easily ignored without missing anything of importance.

I like Docker, but c'mon, the argument is unsubstantiated (and juvenile.)  We can (and should) do better than this.

Liraz Siri

The headline is ironic, though you won't pick up on that if you're so disgusted that you don't read past it to the post itself.

VladGets

I think it's fake

What the side of the page?

Jeremy Davis

Did you read the article? It's hilarious in my opinion!

