Docker Turns 1: What's the Future For Open Source Container Tech?

darthcamaro (735685) writes "Docker has become one of the most hyped open-source projects in recent years, making it hard to believe the project only started one year ago. In that one year, Docker has now gained the support of Red Hat and other major Linux vendors. What does the future hold for Docker? Will it overtake other forms of virtualization or will it just be a curiosity?"

Container tech

Isn't docker just a wrapper around real container techs? (union filesystems, cgroups/namespaces/containers (lxc basically), etc) with a cloud-init style deployment script?

Re:Container tech

Yes, but it makes it much easier to use. It also adds and API and event model as well as the ability to push and pull container images into a public or private registry. Add to that a growing ecosystem and you have a very interesting building block.

Re:Container tech

Sounds like libvirt then... with vendor-lockin for VM images?

Re:Container tech

If by vendor lock in, you mean using the containerization supported by the linux kernel through an open source user space (lxc) managed by another open source project that you use to build and deploy those containers, then yes, it's vendor lock-in. But Docker is pretty much the definition of full cooperation with the Linux community. Can you be "locked-in" if all code is released under either the GPLv2 or Apache license?

The main difference that I see between Docker and libvirt seems to be that libvirt is focused on managing the lifecycle of what it calls domains...once it's started, you're on your own. Docker is focused on both managing the lifecycles of containers and packaging/distributing those containers. So if you took libvirt, limited it to lxc rather than allowing full virtualization, added a configuration layer like a limited chef or puppet for configuring images and added a distribution mechanism for the resulting images, you'd have something that looks pretty close to Docker. In fact you could probably argue that libvirt + Packer could be a reasonable Docker replacement.

Re:Container tech

Actually, it sounds like the docker people "invented" jail.

Re:Container tech

[smittyoneeach]

Can you be "locked-in" if all code is released under either the GPLv2 or Apache license?

You can certainly be bound in the sense of committed to a toolset, the way, say, Django binds you to Python. Not such a bad tradeoff.

Re:Container tech

[visualight]

Yes it is. I would be more sympathetic to Docker if they presented themselves as such, but even then I think people are better off understanding these tools directly.

What?

[drinkypoo]

Docker has become one of the most hyped open-source projects in recent years

The pants? Yeah, those are OK. They don't last that well.

If I've heard of Docker once before, I don't remember it.

Re:What?

It's been making big pushes in the dev communities primarily, and of course doing the convention tours.

From a systems standpoint it's really not that gamechanging, just brings containers to the masses. I don't really have a use for it right now.

Re:What?

[rmdingler]

If I've heard of Docker once before, I don't remember it.

That's what I'd say if Docker was a moped girl.

Re:What?

[drinkypoo]

That's what I'd say if Docker was a moped girl.

I'd ride a moped and I'd fuck a fat girl, or whatever it is that makes them a moped to you. But in this case, this is what I said because I don't want to make the mistake of claiming I've never heard of it when I may have left a snarky comment in a thread about it here on Slashdot.

Re:What?

[rmdingler]

I'd ride a moped and I'd fuck a fat girl, or whatever it is that makes them a moped to you.

I see what you did there... now I'm the shallow mother-fucker.

Well played.

Re:What?

[Anubis+IV]

Glad I'm not the only one that thought "pants". Having not read the article(s) yet, I still have no idea what we're talking about, though I'm guessing it's not pants.

Clearly the hype is failing to live up to its hype.

Re:What?

[ShieldW0lf]

I'd ride a moped and I'd fuck a fat girl, or whatever it is that makes them a moped to you.

I see what you did there... now I'm the shallow mother-fucker.

Well played.

It's just that he's fat too, that's all. Probably a pervert as well. A fat pervert with small feet. Who rides around on a moped.

Re: What?

I thought it was the thing on Mac OS X that had all the programs... And sorry if this is offensive but your does name really means drinking poo? (Sorry not native speaker! It sounds really dirty for me)

Re: What?

[drinkypoo]

And sorry if this is offensive but your does name really means drinking poo?

No, it's something my father used to say, along with a lot of other alcoholics. Just one little drinkypoo. I normally go by drink, I even have a dim memory of maybe registering that here and losing the password and who knows what email address. I know I had an older account once, but maybe I forgot the username, too. I'm pretty sure I'm the first 'drink' posting to the interwebs, I started in 1991 or -2. But that and six bucks will get you a small coffee at starbucks, or something.

Re:What?

[cerberusss]

That's pretty damn funny

slashvertisment

slashvertisment

The idea of docker is cool but...

The idea of docker is cool but the implementation needs works. It's pretty complicated to understand compared to say VMware or VirtualBox. Especially the versioning stuff, it's really annoying. It's like combining git or svn and virtual machines. You get the obscure weird architecture of a version control system combined with the configuration complexity of a VM. It's pretty confusing even for seasoned professionals.

Re:The idea of docker is cool but...

[visualight]

Well, you can read the help files for lxc-create lxc-start lxc-stop and lxc-console. Zero to having a container running should take anyone about an hour and as a bonus, you'll understand what you're doing. Or use Docker which makes it really easy to understand create stop and start.

Re:The idea of docker is cool but...

Docker isn't VMWare or Virtualbox, and isn't intended to replace or even act like VMWare or Virtualbox, so thinking about it in terms of VMWare or Virtualbox is probably why you're having such a hard time understanding it.

The classic use case for Docker is testing: you're writing some code and you need to test it. Static analysis will only get you so far. So you spin up a new lightweight container on your workstation, load the code into it and test it inside that. Docker helps with the "spin up a lightweight container" part by wrapping LXC and dealing with things like fetching the correct image ("I need to test this on both Ubuntu 12.04-LTS and FreeBSD 9.0", for example), which is where the versioning comes into it. It deals with customising the VM (so those images work on different workstations) and it deals with providing hooks and stuff so you can get the code into the container, get it running and then actually test it and get meaningful results.

Re:The idea of docker is cool but...

[Lennie]

I thought the classic use case is to have the same environment in dev, test, qa, production, wherever. Anywhere you can run a modern Linux kernel.

Re:The idea of docker is cool but...

[qpqp]

I need to test this on both Ubuntu 12.04-LTS and FreeBSD 9.0

That's not how containers work. You're bound to using the kernel of your host.

Re:Docker cured my herpes!

My wife says my ass looks good in Dockers.

Subjects suck.

[aardvarkjoe]

Since nobody else is commenting, I guess that I'm not the only one that had never heard of Docker.

The story doesn't bother to summarize what Docker is. Or even give a link to an explanation. That may not be completely unreasonable, because it's hard to find any understandable information on the main website either. Apparently a "container" is a method of delivering an application that is geared towards VMs and cloud computing, but that's about all I got out of it.

Re:Subjects suck.

[bill_mcgonigle]

The story doesn't bother to summarize what Docker is. Or even give a link to an explanation.

Hey, it's new within the last year and it's got lots of hype, so obviously it's got a .io domain. Everybody knows that open source projects that aren't .io by now are complete shit. (hey, I'm just trying to get on the hype wagon)

Re:Subjects suck.

From what I can see, it looks like some fancy name for a prepackaged chroot?

Re:Subjects suck.

[MadMaverick9]

Yeah - when I first read the subject line, I thought this was about containers.

Re:Subjects suck.

[Ambvai]

As did I. And I think that would actually be far more interesting.

Re:Subjects suck.

[ArsonSmith]

I haven't used it but the jist I get is that your build system, rather than just outputting an application package that then has to be installed on an OS outputs a complete container that can then be run with zero other dependencies in all your QA/test environments right up until deployed to production.

Re:Subjects suck.

[Bill,+Shooter+of+Bul]

No, its a fancy name for a super fancy, much improved chroot.

Re:Subjects suck.

Is it more or less amazing than 3D printing? I've got future fatigue.

Re:Subjects suck.

[subreality]

It's a high-level interface to LXC (similar to Solaris Containers, or FreeBSD Jails). If you're not familiar with those, think of it as a combination of:
  chroot (virtualized filesystem root)
  git (version control where a hash-id guarantees an exact environment)
  virtual machines (virtualized networking, process tables)
  make (you make a config file describing an image to start from, then all the things to do to set up your application / build environment / whatever)

If you are building a complex product you can write a short Dockerfile which will:
  Start with 8dbd9e392a96 - a bare-bones Ubuntu 12.04 image
  apt-get install git gcc make libc6-dev

You now have a completely reproducible build machine - Docker builds it and gives you back a hashref. You run it with the right arguments (basically: a path to where your source code is, plus a command to run) and it builds your project reliably (you always have a clean container exactly the way it was when you built it) and quickly (unlike a snapshotted VM there's no need to boot it - in a split second the container comes up and it's running your makefile). More importantly, everyone else working on your project can clone that tag and get /exactly/ your environment, and two years from now people won't be scratching their heads trying to reproduce the build server.

Now let's say you're shipping your product - you're a web company, so you have to package it up for the operations guys to deploy. It used to be you would give a long list of dependencies (unreliable, and kind of a pain for the user); more recently you'd ship a VM image (big, resource-heavy, but at least it escapes dependency hell); with Docker you build an image, publish it on an internal server and give the hashref to the ops guys. They clone it (moderate-sized, resource-friendly) and they get your app with everything required to run it correctly exactly the way QA was running it.

As it's being run they can periodically checkpoint the filesystem state, much like snapshotting a VM. If something goes wrong it's easy to roll back and start up the previous version.

It's a young project and there are still some rough edges, but the benefits are significant. I think in a few years doing builds without a container will be looked at the same way as coding without source control.

Re:Subjects suck.

I specialize in virtualization integration and cloud computing. Never heard of it.

Re:Subjects suck.

[nschubach]

Thanks for the review and examples. I think, as of writing this, there may be a grand total of 2 relevant posts in this tread of 16... shit's gone down hill around here.

Re:Subjects suck.

[gweihir]

Never heard of it and I do follow the virtualization market.

Re:Subjects suck.

[Lawrence_Bird]

and lets not forget that it was 'overhyped' so much so that nobody has a clue what it is/was/does.

Re:Subjects suck.

[jon3k]

That's so you'll look it up and then be "in the know" by having "discovered it yourself". It's just a thinly veiled spam story.

Re:Subjects suck.

Which will never work well with the OpenBSD OS or un-patched OpenSSH based applications, because Theo de Raadt doesn' t like chroot cages and has been religously rejecting the patches to support it for OpenSSH environments for..... a very long time.

Re:Subjects suck.

[Hal_Porter]

Theo de Raadt doesn' t like chroot cages and has been religously rejecting the patches to support it for OpenSSH environments for..... a very long time.

Look at it this way. Being able to test your code on OpenBSD vs pissing off Theo. One of these things is worth doing, and one is not.

Re:Subjects suck.

There was only a 15 M$ funding:
http://blog.docker.io/2014/01/docker-closes-15-m-series-b-funding/

And mainstream linux flavour decided, to support the kernel modification so Docker could work on every distro (http://tech.slashdot.org/story/13/11/26/2317252/docker-07-runs-on-all-linux-distributions) .

Come on, get out of your cave/basement.

Re:Subjects suck.

Then you may want to rethink your career choice. Whether you like Docker or not is irrelevant, if you're in that industry and haven't heard of it you're not doing your job.

Re:Subjects suck.

[Bill,+Shooter+of+Bul]

Uhm, it relies on kernel level features inside linux. So, I agree, Theo won't like it.

As far as I know, it doesn't need any openssh patches to work with it. But I've only done really simple things with docker.

Re:Docker cured my herpes!

She's probably just comparing it to what it looks like out of Dockers.

Not replacing virtualization...

[gmuslera]

... but rationalizing it. Sometimes you just need to run more or less isolated single apps, not for a full blown OS. In a lot of usage scenarios is far more efficient, (both in disk/memory/cpu usage and app density) and probably more flexible. In others full OS virtualization or running on dedicated hardware may be the best option.

It also brings a virtualization-like approach for apps in the cloud. You can have cointainerized apps in aws, google apps and many others, something like having a vm inside a vm.

Is not the only solution of its kind. Google is heavily using containers in Omega (you can try their container stack with lmctfy), you can use openvz, lxc, or solaris zones or bsd jails. But the way that docker mixes containers (not just lxc by 0.9) with union fs, making them portable and to have inheritance, is a touch of genius.

The missing pieces are being added by different projects. CoreOS as a dedicated OS for containers (that coupled with etcd and fleet could become a big player in a near future), OpenStack/OpenShift bringing manageability, and maybe someone could bring to the table what Omega does with google containers.

Re:Not replacing virtualization...

[jon3k]

Your comment was more interesting than the article, can you just write posts instead of timothy posting things?

Subjects suck.

[Evildonald]

But.. but.. aren't you amazed?!? It's only been a year since that thing you never heard of did something you aren't being told?!?!! Who says journalism is dead?

WTF does it do?

[pla]

Link 1: Wow, look how much uses Docker!
Link 2: Okay, docker works as some sort of VMy thing, oh and hype hype hype in case you missed link #1.

I rarely complain about FPs, even blatant Slashvertisements... But seriously? Yay, something wildly successful (that I've never heard of) has lasted a year. Woo-hoo! Pass me a beer.

Open-mosix

Is this some kind of user-space open-mosix?

is hype a good thing now?

Advertising a program as "one of the most hyped" seems contradictory to me (in addition to factually incorrect, as most people have never heard of it). If something is hyped, doesn't that mean it's not worth its publicuty?

Hand over production systems to your devs.

Docker is being hyped by developers because they think it will let them route around system administators.

Go ahead, deploy cloned images of your junk code, with its hotch-potch mix of ruby gems and java libraries, all dragged down from pre-alpha github repositories and deploy it straight to production from Jenkins.

Let's see how far you get recompiling your code when the only security fixes available for that obscure library you decided to use against the advice of your sysadmins, are from HEAD and introduce several backwards incompatible changes to the API.

It's time to collectively make developers pull their heads in. Develop only using libraries packaged for your OS (be it debs, rpms, whatever) with good security support. If they need libraries outside those, they need to justify it, and produce good OS packages and have the ability to backport security fixes to them, to prevent breaking APIs.

Re:Hand over production systems to your devs.

[Lennie]

On the other hand, it's good that most Docker deployments would only be running a single process and have an easy way to deploy an updated version. As you mentioned lots of people using Docker also use Jenkins for doing automated unit tests. So at least when they've created an updated version they can subject it to testing.

I wouldn't dismiss it from the start, we'll have to see how this plays out.

This was very sucessful in the (recent) past

[davecb]

Sun, when it still shone, used containers heavily, because they made "dedicate a machine" trivial.

You could give a product or product suite a dedicated machine, and have netstat or vnstat report on just the behavior of the one program. You could clone a copy of production for the developers to base their next release on, you could hand a release to QA to test hand have them hand it back, and finally you could hand a tested machine to production to start exposure testing.

This allowed a much more agile cycle than having to re-install a product for development, install it again for test, then fail to reproduce a problem and have tor reinstall both, and finally reinstall the "fixed" config on prod and have the bug come back! Far better quality, and far less work.

I'm a capacity planner, so I liked it because I could give a "machine" a minimum guarantee of 20% of a 64-cpu machine, and know that it it would give back the capacity it didn't use, something that "hard" LPARS can't do.

It's not hyped at all

[ArcadeMan]

I had never heard of "Docker" before today, nor heard any hype about it.

Um

[sgt+scrub]

You say that like its a bad thing.

Oh man?

[sgt+scrub]

Run a minimalistic Linux box? Check.
Put software on a virtual disk so I can chroot with a restriction to the device? Check.
Build software statically linked to the libraries in the build directory so they don't need access to the rest of the system? Check.
Know that it would be popular and might make monies? Doh!

Docker moving away from LXC

I just read this past week that Docker is moving away from LXC to implement its own driver (libcontainer).
Not sure whether or not this is a good thing or whether it will distract from the great work being done in LXC.

LXC 1.0 was "just" released and implements a multitude of great new features including "unprivileged" containers.

Re:Docker moving away from LXC

Also, I forgot to mention it but LXC 1.0 already makes it extremely easy to launch "application" containers or "system" (full os) containers. Virt-Manager also now supports LXC and this capability and with Virt-Manager you can deploy those LXC containers locally or remotely.

Although I've used Docker and think they have really interesting technology I am just not that sure that I couldn't do with LXC anything Docker does.
But its a big world and I am sure Docker will be a great tool for alot of people.

However, since the likes of Cloudstack, OpenStack, OpenQRM etc all support LXC as a virtualization capability you can use any of those to manage
an LXC container based "private cloud".

At one time, I'd even deployed the entire OpenStack (using LXC) onto one single AWS's AMI using one of the larger AWS VM types (cloud in a cloud).
It all worked ok and I was able to launch/manage various VM containers inside that single AWS instance. Backing up that entire "cloud" meant all I had to
do was clone that single AWS instance.

 

Re:Docker moving away from LXC

Stephan Graber's (a leading LXC developer) website has a series of 10 write-ups about LXC 1.0's capabilities.
https://www.stgraber.org/category/lxc/

New features

LXC 1.0 is the result of 10 months of development and over a thousand commits, including a major rework of the way LXC is structured. It's therefore near impossible to come up with a comprehensive list of changes in this release, however here are some highlights:

        Support for fully unprivileged containers
        Public stable API (liblxc1)
        Official API bindings for lua and python3 (in tree)
        Official API bindings for Go and ruby (out of tree)
        Flexible backingstore system with support for:
                standard directories (default)
                btrfs
                zfs
                lvm
                loop devices
                aufs
                overlayfs
        Support for cloning and snapshotting containers
        A reduced but more complete set of command line tools
        Updated, more complete documentation
        A new way of creating containers based on centrally generated images
        Templates letting you create containers running most popular distributions

A series of blog posts introducing you to LXC and highlighting some of LXC 1.0's new features may be found here.

Re:Docker moving away from LXC

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/