
Brief thoughts on Docker - craigkerstiens
http://gorsuch.github.io/2013/08/04/brief-thoughts-on-the-dockerfile/
======
WestCoastJustin
There are a bunch of cool and exciting things about Docker and containers in
general. Docker just automates many manual tasks, essentially creating an
abstraction layer above many manual and tricky steps, similar to how Vagrant
abstracted away many tasks by automating virtual machine deployment.

There are a couple of really cool things though, such as the Docker push/pull
functionality, giving you access to Docker images. Vagrant does something
similar with Vagrant boxes, but Docker goes a little further. But the killer
idea is that you do not need an OS in these Docker containers. You can
basically have a statically linked binary, or a Rails app, or an sshd daemon,
and that's it. You can then use cgroups to finely tune your resource levels
(CPU, memory, bandwidth, etc.) on this container.

These concepts have been around since at least 2008 (LXC [1] was released in
2.6.24 [2]); Docker just streamlines the process greatly. As a side note, it
looks like Google has been heavily using Linux containers for years! There is
a Wired article [3] which talks about the orchestration engine they use to
deploy containers across their cells. Google's John Wilkes even does a talk,
entitled "Cluster management at Google" [4], where he discusses the next
generation of the orchestration engine.

p.s. It looks like there might even be "live container migration" in the
pipeline [5]. This would allow you to move a container from machineA to
machineB without any downtime, similar to Xen migrate or VMware live motion.

[1] http://en.wikipedia.org/wiki/LXC

[2] http://kernelnewbies.org/Linux_2_6_24

[3] http://www.wired.com/wiredenterprise/2013/03/google-borg-twitter-mesos/all/

[4] http://www.youtube.com/watch?v=0ZFMlO98Jkc

[5] https://www.youtube.com/watch?feature=player_detailpage&v=LDhrDpz8JQw&t=3624

~~~
eikenberry

> But the killer idea is that you do not need an OS in these Docker
> containers. You can basically have a statically linked binary, or a Rails
> app, or an sshd daemon, and that's it.

Is there documentation of this somewhere? I thought Docker relied on having an
operating system installed, even if just a minimal BusyBox-based system.

~~~
andrewflnr
A docker container runs in an operating system, but doesn't contain one.

~~~
FooBarWidget
Well, that depends on your definition of "operating system".

Is an OS just the kernel? Then yes, Docker doesn't contain an OS.

Is the OS the userland? E.g. the init process + the shell + the C library +
other runtimes? Then most Docker containers actually do contain an OS. Yes,
you can get rid of most of them by making static binaries, but why would you
want to? Making static binaries with anything besides Go is a pain, and good
luck trying to statically link MySQL or Redis into your binary.

~~~
WestCoastJustin
You are totally correct.

Let's take sshd for example: you would need to create a skeleton directory
structure (/bin, /dev, /lib, etc.) in your rootfs container, have /bin/bash, a
whack of /libs, some /dev devices, and then your sshd application. So, an
extremely minimalistic rootfs with only the sshd requirements. You could find
these by running `lsof -p $(pidof sshd)`, and maybe `ldd /usr/sbin/sshd` (and
all their dependencies) too, which quickly snowballs.

Hopefully this explains where I was going with that. Also, it is not a simple
task to strip these services out into self-contained entities. There are lots
of hidden issues, like how do we handle logging? Should the container have
syslog too? So, there is work that needs to happen; I just like the idea of
not running a full-fledged OS in a container.
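
As an added example that is not part of the thread, a small POSIX shell script doing the `ldd` bookkeeping described above: it turns ldd output into the list of files a minimal rootfs needs and stages them under a target directory. The sample ldd output is constructed, and the extra sshd directories it creates are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): do the ldd bookkeeping for a minimal
# rootfs. ldd lists only link-time dependencies; libraries pulled in with
# dlopen() at run time (PAM modules, NSS plugins) do not show up, which is
# why the comment above also reaches for lsof on the running process.

# Constructed sample of what `ldd /usr/sbin/sshd` prints on a glibc system.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd5d3f6000)
    libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)'

# Read ldd output on stdin and print one absolute library path per line.
# Skips the virtual linux-vdso entry (no file behind it) and "not found".
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }  # "name => /path (addr)"
        $1 ~ /^\// { print $1 }                        # bare loader line
    '
}

# Copy BIN plus every path read from stdin into ROOT, recreating the
# directory layout so the dynamic loader inside the container finds them.
stage_rootfs() {
    root=$1; bin=$2
    { echo "$bin"; cat; } | while IFS= read -r f; do
        [ -n "$f" ] || continue
        mkdir -p "$root$(dirname "$f")"
        cp -L "$f" "$root$f"          # -L: copy the real file, not a symlink
    done
    # Assumed extra skeleton sshd wants: devices, config, privsep chroot dir.
    mkdir -p "$root/dev" "$root/etc/ssh" "$root/var/empty"
}

# Stand-alone demo: resolve the constructed sample and show the file list.
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

On a real host, `ldd /usr/sbin/sshd | ldd_paths | stage_rootfs ./rootfs /usr/sbin/sshd` builds the skeleton; anything lsof shows the running daemon opening beyond that list still has to be added by hand.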

~~~
mgurlitz
This is solved by the union-based filesystem (AUFS) that Docker uses. You
start with one minimal rootfs like you describe, given in the "base" image,
then when you install sshd you get copy-on-write semantics. So the sshd
container gets its own syslog files separate from any other container.

Your original comment talks about how long LXC has existed, but AUFS is one
key component of Docker that became part of mainline Linux much more recently.

~~~
ash
> AUFS ... became part of mainline Linux much more recently

AUFS is not part of the mainline kernel. Many distros include it (Debian,
Ubuntu), but some don't (Fedora).

http://en.wikipedia.org/wiki/Aufs

------
FooBarWidget
Docker is great, but there is one security issue that it should solve. Right
now, any user can manipulate any Docker container. If you create a container
as root, then www-data can kill that container. The reason is that container
orchestration is done through the Docker daemon, which listens on a TCP
socket. Anybody on the local host can access that socket. They should, at the
very least, implement password protection.

Today I also found out that it's not possible to run Docker inside Docker. :(
I'm working on a Docker-based continuous integration system similar to Travis,
and it would be great if I could distribute the CI system as a Docker container.

~~~
icebraining
You can actually configure Docker to use a Unix socket instead of TCP [1]. It
seems it still opens it up to every user (it runs a chmod 777 on it), but you
can always enforce stricter controls (e.g. with SELinux).

[1] https://github.com/dotcloud/docker/pull/938
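
The permission check a practitioner would run on that socket, as an added example (not from the thread): it reports whether a socket file is world-writable, i.e. reachable by every local account as described above, and tightens it to a dedicated group. The group name and the placeholder file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can reach a Docker daemon
# socket. Connecting to a Unix socket needs write permission on the socket
# file, so a chmod 777 on it hands daemon (i.e. root-equivalent) access to
# every local account, www-data included.

# Print "open" if PATH is world-writable, "restricted" otherwise.
# find -perm with a symbolic mode works on both GNU and BSD userlands.
socket_exposure() {
    path=$1
    if [ -n "$(find "$path" -prune -perm -o+w 2>/dev/null)" ]; then
        echo open
    else
        echo restricted
    fi
}

# Tighten the socket: root-owned, a dedicated group, mode 0660, so only
# members of GROUP can talk to the daemon. GROUP is assumed to exist already.
restrict_socket() {
    path=$1; group=$2
    chown root:"$group" "$path" && chmod 0660 "$path"
}

# Stand-alone demo on a constructed placeholder file, not a live socket.
demo=$(mktemp)
chmod 777 "$demo"                         # the permissive setting from the thread
echo "777:  $(socket_exposure "$demo")"   # -> open
chmod 0660 "$demo"
echo "0660: $(socket_exposure "$demo")"   # -> restricted
rm -f "$demo"
```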

------
ghayes
I've been reading about Docker, Flynn and CoreOS on HN for the last several
days. Would anyone care to venture how these technologies might work together?
That is, could Flynn load CoreOS VMs/AMIs on a cloud service which hosts
Docker containers? Does CoreOS etcd allow these VMs/containers to
self-configure?

~~~
kstaken
CoreOS is an operating system designed to run Docker containers. You would use
it as a lighter-weight replacement for something like Ubuntu as the base OS
that Docker runs on. When you install CoreOS you basically just get a kernel,
Docker and etcd, plus a minimal number of other processes. Etcd is designed as
a way to allow a distributed set of containers to self-configure.

Flynn is an open source project to build a "platform as a service" on top of
Docker. In theory Flynn could run on top of CoreOS.

Docker is the core of everything.

------
boothead
Anyone looked at combining something like Ansible and Docker for building
images?

It's pretty straightforward to use Ansible to build the host. This is one step
forward, but I wonder if anyone's used it to create images and if so, how?

Would you build on top of a base that includes the Ansible libraries, or
somehow run the Ansible commands against a Docker instance?

------
simlevesque
Could someone explain to me the difference between Docker and Vagrant?

~~~
WestCoastJustin
Vagrant manages virtual machines. Docker uses Linux containers, which are
essentially "chroot on steroids" [1]. A Linux container is just an isolated
process (from which you run your code) on the host machine, like a FreeBSD
jail. The host machine can peer into the container, but the container cannot
see the host machine. Docker just helps to automate and manage the Linux
container life-cycle.

p.s. I'm planning on doing a couple of screencast episodes about Linux
containers and Docker on my website, which should be online in the next week
or so @ http://sysadmincasts.com/

[1] http://lxc.sourceforge.net/

~~~
patrickaljord
Please post your screencasts here.

~~~
arms
Seconded. I'm looking for as much learning material on Docker as possible.

------
agumonkey
I don't know about memory usage (although I'd bet containers use less), but a
VM takes time to boot, whereas with Docker it's literally up in a second.

------
relaxitup
Are there any PaaS or VPS providers that are using Docker (other than
DotCloud)? I'm actually eager to give openstack-docker a test drive.

~~~
julien421
Hello Relaxitup,

There are several projects to build a PaaS around Docker:

- Deis: https://pypi.python.org/pypi/deis/0.0.4
- Dokku: https://github.com/progrium/dokku
- Flynn: https://flynn.io/

Also, have a look at this blog post for playing with OpenStack + Docker:
http://blog.docker.io/2013/06/openstack-docker-manage-linux-containers-with-nova/

~~~
relaxitup
Thanks julien421, will check these out.

