
How is Docker.io different from a normal virtual machine? - jaynate
http://stackoverflow.com/questions/16047306/how-is-docker-io-different-from-a-normal-virtual-machine
======
bobf
Docker doesn't add a whole lot over what basic Linux containers (lxc and
vserver) have offered for years. Having said that, the main benefit to Docker
is a change in viewpoint from "virtual machine" to "application". Docker aims
to make applications portably deployable to any Docker-machine. Since Docker
uses lxc (aka Linux containers), it helps to understand a little how
containers are different from other virtualization.

Conceptually, they are similar to Linux's chroots or FreeBSD's jails, which
offer process isolation. Basically, they work with a lightweight virtual
machine instead of a single process. Containers have lower overhead - they are
virtualizing on the operating system level. Other virtualization technologies
like Xen and KVM work on the CPU level, and provide a fully virtualized
hardware setup to the virtual machine[s].
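
Added example, not part of the thread above and not code from Docker or LXC: the "virtualizing on the operating system level" point means a container's processes are plain processes of the host kernel. Run on the host, this Python script lists every process that lives in a child PID namespace (which is what an LXC or Docker container is, in PID terms) by reading the NSpid line of /proc/<pid>/status. NSpid needs kernel 4.1 or later, which postdates this thread. A VM's processes would not appear here at all, since they run on their own kernel. The three status excerpts embedded in the script are constructed samples.

```python
"""Show, from the host, that container processes are ordinary host processes.

Added example; not from the original thread or from the Docker/LXC projects.
A process inside an LXC or Docker container sits in a child PID namespace,
but the host kernel still lists it in /proc, and its status file carries an
"NSpid:" line with its PID in every namespace it belongs to, outermost first
(kernel 4.1+). A VM's processes never show up here at all: they run on a
different kernel. The three status excerpts below are constructed samples.
"""
import os
import re
from typing import Dict, List

SAMPLE_HOST_PROCESS = "Name:\tsshd\nPid:\t812\nNSpid:\t812\nThreads:\t1\n"
SAMPLE_CONTAINER_INIT = "Name:\tnginx\nPid:\t4242\nNSpid:\t4242\t1\nThreads:\t3\n"
SAMPLE_NESTED = "Name:\tbash\nPid:\t5120\nNSpid:\t5120\t37\t5\nThreads:\t1\n"

_NSPID = re.compile(r"^NSpid:[ \t]*([0-9][0-9 \t]*)$", re.MULTILINE)


def parse_nspid(status_text: str) -> List[int]:
    """PIDs from the NSpid line, host (outermost) namespace first."""
    match = _NSPID.search(status_text)
    if match is None:
        raise ValueError("no NSpid line: kernel older than 4.1, or not Linux")
    return [int(tok) for tok in match.group(1).split()]


def namespace_depth(status_text: str) -> int:
    """0 = same PID namespace as the host's init; 1 = inside one container; ..."""
    return len(parse_nspid(status_text)) - 1


def is_container_init(status_text: str) -> bool:
    """True when the process is PID 1 of a child namespace, i.e. a container's init."""
    pids = parse_nspid(status_text)
    return len(pids) > 1 and pids[-1] == 1


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Host PID -> NSpid list for every process living in a child PID namespace.

    Run this on the host, not inside a container: it lists exactly the
    processes the shared kernel is running on behalf of containers.
    """
    found: Dict[int, List[int]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                pids = parse_nspid(fh.read())
        except (OSError, ValueError):
            continue  # raced with exit, not permitted, or no NSpid support
        if len(pids) > 1:
            found[int(entry)] = pids
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_HOST_PROCESS, SAMPLE_CONTAINER_INIT, SAMPLE_NESTED):
        tag = "container init" if is_container_init(sample) else ""
        print(parse_nspid(sample), "depth", namespace_depth(sample), tag)
    nested = scan_proc()
    print(f"{len(nested)} process(es) on this host run in a child PID namespace")
    for host_pid, pids in sorted(nested.items()):
        print(f"  host pid {host_pid} -> {' -> '.join(map(str, pids))}")
```

The same scan from inside a container shows nothing interesting, because the container's own /proc only covers its namespace; the asymmetry is the point. For incident response it also means host-side tooling (ps, auditd, perf) sees container processes directly, which a hypervisor guest would hide.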

~~~
FreeBSD-user
To be honest I've never worked out why Docker gets so much press. If you use
the Ezjail utility to configure and manage FreeBSD jails you have been able to
do most of the things Docker does for years (stacked fs using unionfs,
templates/flavours, snapshots, export/import etc) and this seems like a much
simpler and more stable solution. The networking stuff is also easy using pf.

~~~
danieldk
There's also Solaris Containers, which leverages ZFS snapshots, etc.:

[http://en.wikipedia.org/wiki/Solaris_Containers](http://en.wikipedia.org/wiki/Solaris_Containers)

Of course, Solaris is even more despised by some people since they changed
hands.

I think Docker appeals more to people, because:

- It's on Linux, which is more popular than FreeBSD or Solaris.

- It's very easy to set up and configure.

- Integration with Puppet et al.

- They have great marketing :).

~~~
dmpk2k
Just a small reminder that you don't need to touch Solaris specifically.
There's a heavily-developed OSS fork named illumos out there too. Some of
illumos' distros are nicer than Solaris ever was.

------
dhaivatpandya
I recently wrote an article that covers some of this ground:
[http://www.sitepoint.com/docker-for-rubyists/](http://www.sitepoint.com/docker-for-rubyists/)

The basic idea behind Docker is that you don't have to create another
operating system in order to just separate your processes from each other.
This leads to containers being much more lightweight than virtual machines but
also significantly less powerful (i.e. powerful as in ability to do something,
not in terms of performance) in some areas.

~~~
jaynate
Any chance you can elaborate on:

"(i.e. powerful as in ability to do something, not in terms of performance)"

Do you mean smaller units of functionality which perform at good levels? For
example, I wouldn't want to deploy a large, monolithic service this way?

~~~
derefr
One thing that occurs to me: containers don't get their own network stacks, so
you can't use a transport-level protocol (e.g. SCTP) in a Docker "guest" if it
isn't programmed into the Docker host kernel. Whereas VMs are routed to at the
network level, so they can do whatever they want with the packets they
receive.
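
Added example, not part of the thread and not Docker code. The SCTP point above comes down to one fact: transport protocol implementations are kernel code, and every container shares the host's kernel whatever network namespace it is given, so a container can only use the protocols the host kernel has built in or can load as a module, while a VM brings its own kernel. The Python below checks that two ways: a live socket() probe, and a parser for /proc/net/protocols, whose module column says whether each protocol is built in ("kernel") or comes from a loadable module. The /proc/net/protocols text embedded in it is a constructed sample, and the choice of which errnos mean "not in this kernel" is this example's own.

```python
"""Which transport protocols does this kernel offer? Container or not, same answer.

Added example; not from the original thread or the Docker project. The
protocol implementation (TCP, UDP, SCTP, ...) is kernel code, and every
container on a host shares that one kernel, so a container can only use a
protocol the host kernel has built in or can load as a module. A VM brings
its own kernel and is not bound this way. Two views are shown: a live
socket() probe, and a parser for /proc/net/protocols, whose "module" column
says whether each protocol is built in ("kernel") or comes from a module.
The /proc/net/protocols text below is a constructed sample.
"""
import errno
import socket
from typing import Dict

# IANA protocol numbers; the socket module lacks the constants on some builds.
IPPROTO_SCTP = getattr(socket, "IPPROTO_SCTP", 132)
IPPROTO_UDPLITE = getattr(socket, "IPPROTO_UDPLITE", 136)

PROBES = {
    "tcp": (socket.SOCK_STREAM, socket.IPPROTO_TCP),
    "udp": (socket.SOCK_DGRAM, socket.IPPROTO_UDP),
    "sctp": (socket.SOCK_STREAM, IPPROTO_SCTP),
    "udplite": (socket.SOCK_DGRAM, IPPROTO_UDPLITE),
}

# errnos this example treats as "the kernel has no such protocol"
_NOT_IN_KERNEL = (errno.EPROTONOSUPPORT, errno.ESOCKTNOSUPPORT, errno.EINVAL)

SAMPLE_PROC_NET_PROTOCOLS = """\
protocol  size sockets  memory press maxhdr  slab module     cl co di ac io in de sh ss gs se re sp bi br ha uh gp em
PACKET    1472      2      -1   NI       0   no   kernel      n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n
UNIX       992     61      -1   NI       0   yes  kernel      n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n  n
SCTP      1648      0      -1   NI       0   yes  sctp        y  y  y  y  y  y  y  y  y  y  y  y  y  y  n  y  y  y  y  y  n
UDP       1088      4      -1   NI       0   yes  kernel      y  y  y  n  n  y  y  n  y  y  y  y  n  n  n  y  y  y  y  n  n
TCP       2112      9      -1   NI       0   yes  kernel      y  y  y  y  y  y  y  y  y  y  y  y  y  n  y  y  y  y  y  y  y
"""


def protocol_available(sock_type: int, proto: int) -> bool:
    """Try to open an IPv4 socket of this type/protocol and close it again.

    "Not in this kernel" errnos return False. Anything else (EPERM from a
    seccomp or LSM policy, for instance) is re-raised: that is a policy
    decision, not a missing protocol, and should not be confused with one.
    """
    try:
        sock = socket.socket(socket.AF_INET, sock_type, proto)
    except OSError as exc:
        if exc.errno in _NOT_IN_KERNEL:
            return False
        raise
    sock.close()
    return True


def probe_all() -> Dict[str, bool]:
    """Name -> available, for every protocol in PROBES, on the running kernel."""
    return {name: protocol_available(t, p) for name, (t, p) in PROBES.items()}


def parse_protocols(text: str) -> Dict[str, str]:
    """Protocol name -> "kernel" (built in) or the name of the module providing it."""
    result: Dict[str, str] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 8:
            result[fields[0]] = fields[7]
    return result


def loaded_protocols(path: str = "/proc/net/protocols") -> Dict[str, str]:
    """Live version of parse_protocols(); same output inside and outside a container."""
    with open(path) as fh:
        return parse_protocols(fh.read())


if __name__ == "__main__":
    print("socket() probe:", probe_all())
    try:
        live = loaded_protocols()
        print("SCTP provided by:", live.get("SCTP", "<not present in this kernel>"))
    except OSError:
        print("/proc/net/protocols not available (not Linux?)")
```

Run it on the host and then inside any container on that host: the socket() probe and the protocol table agree, because both are answered by the one kernel. The inverse also holds, which is the security angle: a protocol a tenant can coax the host kernel into loading (the socket() call triggers module autoload if the module exists) becomes attack surface for every container on the box.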

------
csense
I've been having trouble figuring out the value-add of using Docker over
Ubuntu's built-in LXC functionality [1].

[1]
[https://help.ubuntu.com/12.04/serverguide/lxc.html](https://help.ubuntu.com/12.04/serverguide/lxc.html)

~~~
jaytaylor
I also found myself asking this same question, and after careful consideration
I ended up choosing LXC over Docker, and here are some reasons why:

    - LXC works fine on its own.

    - Docker has its own bugs, so you get all of the Docker bugs in addition
      to potential LXC bugs.

    - IPTables routing for containers to the outside world isn't that hard
      to manage.

    - LXC is simple and straightforward, and by comparison Docker is a
      convoluted confusing mess of additional layers of complexity.

    - LXC is already used in many real-world applications for operational
      software every day.

If you want to know anything else about real-world usage of LXC, please feel
free to contact me (jay at jaytaylor com), or check out my relevant project:
ShipBuilder [1].

[1]
[https://github.com/sendhub/shipbuilder](https://github.com/sendhub/shipbuilder)

~~~
pestaa
Looks like ShipBuilder has overlap with Docker, if not a direct competitor. A
disclaimer wouldn't have hurt in my opinion.

~~~
jaytaylor
I don't follow. ShipBuilder uses LXC and is a complete open-source self-hosted
PaaS; a Heroku-clone. How is it a Docker competitor?

I cite it merely as an example of the sorts of cool things which are possible
with LXC.

~~~
xnxn
Truthfully, you plug ShipBuilder more frequently than I am comfortable with.
It makes your related comments seem disingenuous.

~~~
crashoverdrive
Truthfully then, by your own moral high bar, Shykes' plugging of Docker should
make you really uncomfortable. If you however allow yourself to take a step
back and realize these threads are directed at real people trying to help each
other with real problems (though arguably some do it for money), then you can
allow yourself to see it as helpfulness.

Because in reality, what is the personal gain of plugging an open source free
product that helps people?

~~~
zapt02
Fully agree!!

------
ailox
I would love to migrate 50+ KVM VMs to LXC containers, but there seem to be
some problems left with security [1][2]. I can't wait to get my hands on Docker,
but I lack the SELinux knowledge to secure everything the 'proper' way.

Is LXC (and therefore Docker) really ready for Production yet?

Edit: Formatting.

\---

[1] [http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/](http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/)

[2] [https://blog.flameeyes.eu/2010/06/lxc-and-why-it-s-not-prime-time-yet](https://blog.flameeyes.eu/2010/06/lxc-and-why-it-s-not-prime-time-yet)

~~~
jaytaylor
It depends on how you are using containers. If you control what code is run in
them and who has access to the containers and their hosts, then production use
should be fine as far as security goes.

However, if you're trying to run something which lets untrusted people login
to the containers or run arbitrary untrusted code in the containers, then I
certainly wouldn't recommend doing that with containers in a production
environment.

One project you might like to keep an eye on is CoreOS [1]. As I understand
it, their goal is to create an OS which will come configured to safely run
containers. Once it is ready I would expect it will be suitable for use in a
production environment.

[1] [http://coreos.com/](http://coreos.com/)
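
Added example, not part of the thread and not code from Docker, LXC or CoreOS. The distinction drawn above, trusted versus untrusted code in the container, turns on what the container can still do to the kernel it shares with the host, and the Linux capability bounding set is the concrete ceiling on that. The Python below decodes the CapBnd/CapEff masks from /proc/<pid>/status and flags the capabilities that reach past the container into the shared kernel. Both embedded status excerpts are constructed samples: one carries the 14-capability bounding set that current Docker releases hand a container by default (an assumption about today's defaults, not about the 2013 Docker discussed here), the other the full set of an unconfined root process on a recent kernel. The HOST_REACH list is this example's own judgement, not a kernel-defined category.

```python
"""Decode the capability sets a process carries, from /proc/<pid>/status.

Added example; not from the original thread, Docker, LXC or CoreOS. It puts a
number on the question the comment above turns on: if code in this container
turns hostile, what can it do to the kernel it shares with the host? CapBnd is
the bounding set, the ceiling even for root inside the container; CapEff is
what is effective right now. Both status excerpts are constructed samples: the
first carries the bounding set current Docker releases give a container by
default (14 capabilities; an assumption about today's defaults, not a claim
about the 2013 Docker on this page), the second an unconfined root shell on a
recent kernel (CAP_LAST_CAP = 40, so 41 bits).
"""
import re
from typing import Dict, List

# Bit position == capability number, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that reach past the container into the shared kernel or host:
# load modules, raw device/port I/O, ptrace other processes, mount and
# namespace games (SYS_ADMIN), reconfigure the network, open any file by
# handle, load BPF programs. This example's judgement call, not a kernel list.
HOST_REACH = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_SYS_BOOT", "CAP_SYS_TIME", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH",
    "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_SYSLOG", "CAP_BPF", "CAP_PERFMON",
}

# Constructed samples (not captured from a real host).
SAMPLE_DOCKER_DEFAULT = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
SAMPLE_HOST_ROOT = (
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
)

_CAP_LINE = re.compile(r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.MULTILINE)


def decode_caps(mask_hex: str) -> List[str]:
    """Capability names whose bit is set in a hex mask as printed in /proc."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(text: str) -> Dict[str, str]:
    """All Cap* lines of a status file, e.g. {"CapBnd": "00000000a80425fb", ...}."""
    return dict(_CAP_LINE.findall(text))


def host_reach(names: List[str]) -> List[str]:
    """The subset of names that can touch the shared kernel or the host, in bit order."""
    return [n for n in CAP_NAMES if n in names and n in HOST_REACH]


def assess(status_text: str) -> Dict[str, List[str]]:
    """Effective and bounding sets plus the host-reaching part of the bounding set."""
    caps = parse_status(status_text)
    bounding = decode_caps(caps["CapBnd"])
    return {
        "effective": decode_caps(caps["CapEff"]),
        "bounding": bounding,
        "host_reach_in_bounding": host_reach(bounding),
    }


if __name__ == "__main__":
    for label, sample in (("docker default", SAMPLE_DOCKER_DEFAULT), ("host root", SAMPLE_HOST_ROOT)):
        report = assess(sample)
        print(f"{label}: {len(report['bounding'])} caps in bounding set,"
              f" host-reaching: {report['host_reach_in_bounding'] or 'none'}")
    try:
        with open("/proc/self/status") as fh:
            print("this process:", assess(fh.read())["host_reach_in_bounding"] or "no host-reaching caps")
    except OSError:
        print("/proc/self/status not readable (not Linux?)")
```

Running it inside a container you operate is the quick version of the check the comment asks for: an empty host-reaching list means root inside the container is bounded to file-ownership, signal and socket privileges; CAP_SYS_ADMIN or CAP_SYS_MODULE in the bounding set means the container is trusting the kernel boundary far less than the word "container" suggests, and is no place for someone else's code.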

------
rdl
I really don't like giving up the isolation of modern hypervisors,
particularly those with Intel virtualization extensions. Docker (and LXC)
seems like a huge step backwards for security. I'm sure there are use cases,
but I'd never multi-tenant with it.

~~~
sarnowski
> Docker (and LXC) seems like a huge step backwards for security.

Sorry, but the link says it all. No further comment from me:
[http://marc.info/?l=openbsd-misc&m=119318909016582&w=2](http://marc.info/?l=openbsd-misc&m=119318909016582&w=2)

~~~
rdl
VT-d, VT-x. 2007 != 2013. The number of hypervisor exploits is far fewer than
the number of local root exploits on various shitty OSes (including OpenBSD).

~~~
sarnowski
Do you have a link for this statistic? Since I don't know of a local root
privilege escalation in OpenBSD for several years, this is quite a high
mark.

Edit: this is not an OS-or-VM problem. You will have local problems and now, in
addition, rooting a server may give you access to even more servers that run
on your hypervisor.

------
est
I always wanted to ask a question about Docker: if the local devel machine is
Ubuntu 12.04, I can not deploy my Docker image build to a 10.04 Ubuntu server,
right? (Unless you run a 12.04 virtual machine or something.)

~~~
nl
Yes you can do that, but it only supports 64-bit operating systems at the
moment and you need a kernel that supports Linux containers & union file
systems.

I doubt there are packages for 10.04, so you'd be on your own getting it
working.

~~~
shykes
There are no official images for Ubuntu 10.04, but you can create your own
with:

    # run as root (debootstrap needs it); "-" tells docker import to read the tarball from stdin
    debootstrap lucid ./rootfs && tar -C ./rootfs -c . | docker import - nl/ubuntu-lucid

You can then run 10.04 containers with:

    docker run -i -t nl/ubuntu-lucid bash

~~~
nl
That's really useful - I've often wondered how to do it, and I've never seen
it put so succinctly.

------
anoopelias
One of the issues I found with contributing to open source is the time it
takes to get a build environment up and running. Since different people face
different kinds of issues and projects usually lack exhaustive
documentation, I've always felt adding a lightweight image of the build
environment could help. I hope in future Docker or similar projects pave the
way for it.

~~~
bpierre
Not sure if you are talking about production or only development environments,
but Vagrant seems to provide a good solution for that:
[http://www.vagrantup.com/](http://www.vagrantup.com/)

------
yalogin
I thought docker just makes creating, deploying and managing LXC "enabled"
applications easier. Do they add anything to the LXC ecosystem other than the
online sharing of containers?

~~~
seiji
Does github add anything to git other than a multi-tenant gitweb with a
prettier interface?

git: worth nothing.

github: worth a billion dollars.

~~~
goldfeld
I'm sorry but git is not "worth nothing," it's just that it's a public good
and doesn't belong to anyone to sell, hence it has no market value. But
consider how much software companies would pay not to have git taken away from
them and then consider how much they would pay not to have github taken
away[1]. Which is harder to replace? I'm betting on git.

[1]: Imagine a hypothetical scenario where github had Mercurial as an
alternative (for the case git was taken away.)

------
general_failure
Compare this with vagrant

~~~
evilduck
Vagrant mostly just generates virtual machines (with the option of running a
provisioner), so it would basically be the same comparison.

Edit: I suppose you could be using Vagrant to provision VPSs and use your
provisioning tool to deploy an app in one fell swoop, but most people don't
reprovision a box every time they redeploy their software. Vagrant lets you
build a base box, Docker is for deployment on top of that box.

~~~
awongh
I also thought that another difference was that Vagrant can also manage CPU-
level (hypervisor?) VMs (as opposed to just Linux containers) - one of the
main use cases for Vagrant would be running it on your local computer - a
laptop running OS X or Windows for example. Correct me if I'm wrong, but you
wouldn't be able to run Docker on a Windows laptop, b/c you're just
containerizing the parent OS.... I would be curious to see how this could run
on OS X.

~~~
evilduck
I've run Docker on top of Linux, powered by a Vagrant VM just fine. It's
exactly what their tutorial walks you through:
[http://docs.docker.io/en/latest/installation/vagrant/](http://docs.docker.io/en/latest/installation/vagrant/)

I don't think OSX or Windows will run _linux containers_ ever though. Maybe
something conceptually similar, but I doubt it would be "Docker".

------
theatraine
I wonder how Microsoft's Drawbridge OS ([http://research.microsoft.com/en-us/projects/drawbridge/](http://research.microsoft.com/en-us/projects/drawbridge/))
will compare to LXC, and the Docker APIs? Currently
Drawbridge looks like it's lacking adoption, and doesn't seem to be widely
available. Regardless, the container model looks like it solves a lot of PaaS
security issues without the overhead of VMs (IaaS).

------
portmanteaufu
Ha! Crazy to see a question I asked 5 months ago pop up on Hacker News.

The docker.io team has said that they don't consider it to be production ready
[0]. Has anyone experienced any major problems? Anyone using it in production?

[0] [http://blog.docker.io/2013/08/getting-to-docker-1-0/](http://blog.docker.io/2013/08/getting-to-docker-1-0/)

~~~
jaytaylor
I found myself asking the same question. See my related comment:
[https://news.ycombinator.com/item?id=6378823](https://news.ycombinator.com/item?id=6378823)

------
rralian
Holy cow, the unit test case is fantastic.

~~~
ams6110
It is a good example, but I wonder how licensing would treat it. If I'm
running hundreds of unit tests, each against a snapshot of my database, and my
database is Oracle, they would likely view that as hundreds of instances which
would each need a license.

~~~
travem
There are Oracle licensing options to do this per CPU rather than per
instance. That is what many people who run Oracle farms on vSphere do to
take advantage of the consolidation to reduce overall license costs.

------
somberinad
How is this different from HPUX or Solaris Package managers? Asking to learn.

