top | item 32949333

(no title)

macns | 3 years ago

Why do I need Docker for such a simple task? From their blog:

> The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. Here’s how to make it work:

    SSH into the server.
    Install Docker, Docker Compose, and git:

I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.

discuss

tecleandor|3 years ago

It's a simple way of running something quickly and without touching the rest of your system (if you already have Docker installed)

Anyway, the proxy is just an nginx with a custom config file. You can check that file and just add it yourself to an nginx you manage, probably with little changes.

https://github.com/signalapp/Signal-TLS-Proxy/blob/main/data...

e12e|3 years ago

It's a bit odd to use a custom docker image, rather than the one maintained by nginx Inc though:

https://github.com/signalapp/Signal-TLS-Proxy/blob/main/ngin...

https://github.com/nginxinc/docker-nginx

For one, this is 5 versions behind (1.18 vs 1.23).

In general seems caddy or haproxy might be a better fit - but nginx is a perfectly fine choice I suppose.

sooyoo|3 years ago

> It's a simple way of running something quickly and without touching the rest of your system

Providing a statically linked binary is even simpler, without all that extra complexity that comes with docker.

Caligatio|3 years ago

I'm also confused about the Docker hate here. The daemon itself is lightweight and the Docker-ized process(es), once running, have negligible overhead compared to running them natively.

I didn't look at the image size but you might be paying a ~100 MB storage penalty to bundle dependencies.

pooper|3 years ago

For my fedora people,I just want to remind them that whenever anyone says docker, you can safely use podman (or at least that is the goal).

It won't be rootless in this case as far as I know because you will need privileged ports 80 and 443 but good habit in general.

metadat|3 years ago

It's actually more than negligible, docker containerization tends to impose limits, tracking, and network overhead on processes, which all have some overhead and penalty on performance.

On beefcake supreme machines it's just usually not significant enough to worry about, because the perceived benefits outweigh the downsides.

killingtime74|3 years ago

Docker images are just tarballs no? There’s almost no overhead at runtime. Of course you could fork it

masklinn|3 years ago

There is some performance overhead from the configuration Docker uses for the containers, as well as some of the historical behaviour (not sure if they still apply)

- if you use docker nat, it about doubles connection time, if you only have extremely short connections this can be quite visible.

- If you need FS access, this can come at a high cost depending on your usage pattern, docker’s layered FS is not cheap.

- Finally Docker enables features which don’t come for free and which you may not be enabling separately e.g. seccomp (this can result in a 15+% performance hit in the worst case)

kitd|3 years ago

I've put Docker onto small VPSes. It's no hassle. The heavy part is Nginx. Adding the container on top won't be making much difference to the size.

tsujamin|3 years ago

pretty sure you can run docker on a $5 vps with plenty of headroom left

could it be done leaner? sure

is it worth it if it raises the barrier of entry of getting people to run the proxy? doubtful

hosteur|3 years ago

A single statically linked binary would not raise the barrier of entry. Quite the opposite.

Bayart|3 years ago

> Why do I need Docker for such a simple task?

Containers are more consistent and have less side effects than packages.

> I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.

There's very little overhead and it takes a one liner[1] to install it.

[1]: curl -sSL https://get.docker.com/ | sh

tomohawk|3 years ago

Whenever I see a docker compose based install, it's clear that the installation wasn't thought through very well. Inevitably, these installs are more complicated and less reliable than a finished product.

cpach|3 years ago

Do you have any data to back up your claim about the overhead of using Docker?

peppermint_tea|3 years ago

just installed it in lxc without docker... works like a charm.

toomuchtodo|3 years ago

time > compute resources. Docker up/compose and on with your day.

7v3x3n3sem9vv|3 years ago

stood up a Signal proxy on a VM with the following specs:

- Single core 1GHz CPU - 640 MB RAM - 10 GB storage ( default size )

I'd say docker is pretty light.