But what characterizes Docker, and why has the world been flocking to it since 2013, as if the team around co-founder Solomon Hykes and CEO Ben Golub had found the philosopher's stone? A preliminary answer: Docker Inc. was in the right place at the right time. On top of that, Docker's own image format and APIs have in practice become the standard way containers are used. The upshot is that working with Docker containers is much easier and faster than working with LXC or OpenVZ.
Docker is also more secure than Virtuozzo or OpenVZ. Linux kernel features such as cgroups and namespaces play a large part in this: Docker uses them to partition resources such as CPU, memory, network and block devices that every container obtains from the same shared kernel. Isolation in the sense of protection against a hostile container, however, requires the additional hardening layers on top: a mandatory access control policy from SELinux or AppArmor, and a seccomp filter that restricts which syscalls the container may invoke.
Containers are by no means as secure as VMs, whatever some container vendors claim. A VM escape has to find and exploit a bug in the comparatively narrow hypervisor interface (the author puts it at 32 entry points; in practice that means the hypercalls plus the emulated devices). A container, which is ultimately just a set of processes, can reach the full Linux kernel surface of more than 300 syscalls, any one of which may be vulnerable.
Secure or not
Nevertheless, containers do in principle let an application be fully separated from its environment: processes, file system and network. It runs autonomously. But cgroups can only limit or prioritize the resources a process or container uses; they do not by themselves solve the so-called "noisy neighbor" problem, because a limit has to be configured for every contended resource, and for some, such as network bandwidth, Docker offers no cgroup-based limit at all.
The term describes a problem familiar from cloud infrastructures: in theory any co-tenant can hog the available network bandwidth, disk I/O or CPU at the expense of the other tenants. Namespaces, by contrast, reduce the visibility of components or OS objects: a container only "sees itself" and none of the host's other processes.
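To make the syscall-surface point and the cgroup caveat above concrete, the profile below is an example added to this article; it is not Docker's default profile. It is a Docker-format seccomp allowlist: every syscall not named fails with EPERM, which shrinks the 300-plus syscall surface to the handful a given workload actually needs. The syscall names are an assumption standing in for a small static network service; the real list has to be recorded by tracing the application under load (for example with `strace -f -c`) and regenerated whenever the binary changes. The "comment" fields are part of Docker's profile schema and carry no other meaning.

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": [
        "execve", "brk", "arch_prctl", "mmap", "munmap", "mprotect",
        "set_tid_address", "set_robust_list", "rseq", "prlimit64",
        "readlink", "getrandom", "newfstatat", "fstat", "openat", "read",
        "write", "close", "rt_sigaction", "rt_sigprocmask", "rt_sigreturn",
        "exit", "exit_group"
      ],
      "action": "SCMP_ACT_ALLOW",
      "comment": "assumed process-startup and I/O set for a static binary; regenerate from a trace of your own workload"
    },
    {
      "names": ["socket", "bind", "listen", "accept4", "sendto", "recvfrom", "setsockopt"],
      "action": "SCMP_ACT_ALLOW",
      "comment": "only because this hypothetical service listens on a socket; drop this entry for batch jobs"
    }
  ]
}
```

Apply it together with the cgroup limits Docker does expose, for example `docker run --security-opt seccomp=./minimal.json --security-opt no-new-privileges --cap-drop ALL --cpus 1 --memory 256m --pids-limit 64 ...`. Note what is missing from that line: there is no bandwidth flag, because Docker has no cgroup-based network limit; that is the noisy-neighbor gap above, and it has to be closed on the host (for instance with `tc`) or by the network plugin. Two checks are worth doing: a denied syscall returns EPERM rather than killing the process, so the service has to be tested under the profile rather than just started, and `grep Seccomp /proc/self/status` inside the container should show `Seccomp: 2` (filter mode); `0` means the container was started with `seccomp=unconfined` and the full syscall surface is exposed.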
In its early releases Docker was essentially a wrapper around LXC; it has since moved to its own container engine (libcontainer, today's runc). LXC and Virtuozzo, by contrast, never gained comparable popularity and distribution outside the hosting environment.
The right ecosystem
Docker also appeared on the scene at a time when it was becoming apparent that the usefulness of containers, as a foundation for cloud-native apps, goes far beyond the hosting environment. The Docker developers also recognized early on that money could be made not only from providing the technology but also from establishing an ecosystem of tools and frameworks with a container marketplace at its center.
Docker itself never tires of emphasizing that its standardization efforts have made containers much easier to use. A container standard of any kind makes it easier for companies to pass containers, once packaged, across operating-system and cloud boundaries.
But that is only half the story. In fact, Docker is not a negotiated standard but a de facto one, which Docker the company would like to present as a standard. A container standard that numerous companies actually work on together is the Open Container Initiative (OCI).
Many questions remain open in Docker's vision. For example, to run production business workloads, support must be guaranteed. If, say, operating system A from vendor B is packaged into an image, vendor B must also provide a support release for operation on host platform Z.
And portability has its practical limits. In theory only a Docker engine needs to be present on the target platform, which is true of almost every Linux system, but Docker itself still changes considerably with each release, so the target system needs a matching Docker version. Nonetheless, portability is one of Docker's key features and, alongside the ecosystem of container management tools and the container marketplace, one of the key factors for adoption, provided portability and support/certification go hand in hand for enterprise customers.