Slashdot Mirror


Docker and CoreOS Join Together For Open Container Project At Linux Foundation

darthcamaro writes: The great schism in the container world is now at an end. Today, Docker and CoreOS, announced along with Amazon Web Services, Apcera, Cisco, EMC, Fujitsu, Goldman Sachs, Google, HP, Huawei, IBM, Intel, Joyent, the Linux Foundation, Mesosphere, Microsoft, Pivotal, Rancher Labs, Red Hat and VMware the Open Container Project, as a Linux Foundation Collaborative Project. The new effort will focus specifically on libcontainer — providing a baseline for a container runtime. "By participating with Docker and all the other folks in the OCP, we're getting the best of all worlds," Alex Polvi, CEO of CoreOS told eWEEK. "We're getting the contributions from Docker with the format and runtime that underpin container usage, and then we're also getting the shared standard and vendor neutrality aspects that we've designed with app container."

10 of 48 comments

  1. I have 20 years of experience with containers by Anonymous Coward · · Score: 4, Funny

    and let me tell you that an open container is a bad idea. No one will want them because they'll collect rain which will ruin the merchandise inside.

    1. Re:I have 20 years of experience with containers by sconeu · · Score: 2

      The cops don't like it if you have an Open Container either... at least in CA.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  2. Re:Nothing says open source like stylish pants by lhowaf · · Score: 3, Funny

    Dockers (the pants) must be designed and made by women. Angry women. Maybe nuns. The zippers are way too short to be useful to anybody who owns a penis.

  3. Re:I feel like Rip van Winkle by hummassa · · Score: 4, Informative

    I will assume your question is serious. POSIX never isolated processes. One process can see other processes' files, ports, and even the processes themselves. That is what containers are about: your web browser cannot see your email client's files and vice versa (so a vulnerability in one process cannot give you access to the content of the other).

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  4. Containers can be VMs *or* apps, Docker. by allquixotic · · Score: 5, Interesting

    Unless this unified "Open Container Project" supports both the unprivileged, isolated "machine" concept of a container AND the trusted, shared "app" concept of a container, it's going nowhere fast for me.

    Solaris Zones. linux-vserver containers. Now Canonical's lxd. Few of the participants in the container effort, except these three, seem to understand the value of having containers as *machines*. Give each machine its own static IP, isolate all its resources (memory, processes, users and groups, files, networking, etc.) from the other containers on the system, and you have what's basically a traditional VM (in the early 2000s sense of the word), but with a lot less overhead, because no hypervisor and only one centralized kernel.

    Docker seems to pretend like VM-style containers don't (or shouldn't) exist. I disagree fundamentally with that. I dislike that Docker pushes containers so hard while ignoring this very important use case. I hope the rest of the Linux Foundation is smart enough to recognize the value of this use case and support it.

    If not, I'll just have to hope that Canonical's lxd continues to mature and improve.

  5. Re:I feel like Rip van Winkle by firewrought · · Score: 2

    I'll extend your answer with the "big picture" view: Docker (and its Google-backed competitor, Rocket) provide isolation that's stronger than the traditional process model but weaker (and less resource-intensive) than the VM model.

    It also introduces yet another packaging system (called "images") that has its own public repository of contributions that you (and any other malware author) can contribute to. For developers, the appeal is being able to bundle up an OS (sans kernel, operationally speaking) with their app and all of its dependencies into one file they push back up to this public repository (or a private one like Quay.io) without having to document an installation procedure for sys-admins. For sys-admins, the pipe dream is to push workloads around to whatever machines have the capacity without delving into the mess of individual apps. Of course, this requires a whole extra layer of additional tooling that doesn't come for free. :O

    All that said... don't use it for security. It's not the same as a dedicated VM.

    --
    -1, Too Many Layers Of Abstraction
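
The post above points out that an image pulled from a public repository is code anyone could have contributed. The usual defensive control on the deployment side is an admission check: only pull from an allow-listed registry, and require the image to be pinned by content digest rather than a mutable tag. The Go program below is an added example written for this page; it is not Docker, CoreOS or OCP code, and the registry names, repository paths and policy settings in it are constructed for illustration. It parses references in the Docker convention (an optional `host/` prefix recognised by a dot or colon, an optional `:tag`, an optional `@sha256:<64 hex>` digest, and the public Docker Hub assumed when no host is given) and evaluates them against a small policy.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// digestRe matches the digest form Docker-style registries use:
// "sha256:" followed by exactly 64 lowercase hex digits.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ImageRef is a parsed image reference such as
// quay.io/acme/api:1.4 or acme/api@sha256:<64 hex>.
type ImageRef struct {
	Registry string // host[:port]; "docker.io" when the reference gives none
	Repo     string // path within the registry, e.g. "acme/api"
	Tag      string // mutable label, empty if absent
	Digest   string // immutable content digest, empty if absent
}

// ParseImageRef splits a reference into registry, repository, tag and digest.
func ParseImageRef(ref string) (ImageRef, error) {
	var r ImageRef
	if ref == "" {
		return r, errors.New("empty reference")
	}
	rest := ref

	// The digest, if present, follows the '@' and must be well-formed.
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}

	// A first path component containing '.' or ':' (or "localhost") is a
	// registry host; otherwise the public Docker Hub is implied.
	parts := strings.Split(rest, "/")
	if len(parts) > 1 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		r.Registry = parts[0]
		rest = strings.Join(parts[1:], "/")
	} else {
		r.Registry = "docker.io"
	}

	// Any remaining ':' separates the tag (port colons were consumed above).
	if i := strings.LastIndex(rest, ":"); i >= 0 {
		r.Tag = rest[i+1:]
		rest = rest[:i]
	}
	r.Repo = rest
	if r.Repo == "" {
		return r, errors.New("missing repository")
	}
	return r, nil
}

// Policy is a constructed example of what a deployment pipeline might enforce
// before it pulls an image: a registry allow-list and mandatory digest pinning.
type Policy struct {
	AllowedRegistries []string
	RequireDigest     bool
}

// Check returns nil when ref satisfies the policy, otherwise an error saying why.
func (p Policy) Check(ref string) error {
	r, err := ParseImageRef(ref)
	if err != nil {
		return err
	}
	allowed := false
	for _, reg := range p.AllowedRegistries {
		if reg == r.Registry {
			allowed = true
		}
	}
	if !allowed {
		return fmt.Errorf("%s: registry %q is not in the allow-list", ref, r.Registry)
	}
	if p.RequireDigest && r.Digest == "" {
		return fmt.Errorf("%s: image must be pinned by digest, not by tag %q", ref, r.Tag)
	}
	return nil
}

func main() {
	// Constructed sample references; the digest value is a placeholder, not a real image.
	policy := Policy{AllowedRegistries: []string{"quay.io"}, RequireDigest: true}
	for _, ref := range []string{
		"acme/api:1.4",
		"quay.io/acme/api:1.4",
		"quay.io/acme/api@sha256:" + strings.Repeat("ab", 32),
	} {
		if err := policy.Check(ref); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", ref)
		}
	}
}
```

With the constructed policy, the first reference is rejected because it resolves to the public Docker Hub, the second because a tag can be re-pointed at different content after review, and only the digest-pinned reference on the allow-listed registry is accepted. Parsing the reference first, rather than string-matching on the raw text, is what makes the host check reliable for forms like `localhost:5000/team/app:v2`.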
  6. Different from Jails? by 0100010001010011 · · Score: 3, Interesting

    Can someone break it down how this is different from Jails? I have almost a dozen different jails on my FreeNAS machine serving everything from nginx to iPython.

    1. Re:Different from Jails? by lgw · · Score: 2

      It's designed to solve a deployment problem, not a security problem. People really like VMs for managing deployments - everything together in one image, no conflicts to resolve, very easy. Images can be shared internally or in an open-source way. Docker gives you that with far less overhead, so if you have a lot of very small "servers", you can cram them together in a VM (just like with jails), but without the security of VMs or jails.

      For a single server, jails just seem better, but for managing a fleet, especially in the cloud, Docker has the infrastructure built.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Different from Jails? by rycamor · · Score: 2

      I mean insanely more complicated than jails, not insanely more complicated than other standard VMs. Have you used jails? I was on a project to deploy Docker instances on a large scale, and it took me 6 months to create an infrastructure that could have been done in 1 month with jails. I will agree that Docker has some nice abstractions, but the details and special cases and workarounds were endless. And I still don't see the actual advantages over FreeBSD. There's simply nothing stopping one from creating a few shell scripts to spin up thousands of BSD jails, mapping drive storage and networking however you want. A lot of this stuff the Linux guys are thumping their chests over now was in mass deployment over a decade ago in certain BSD hosting companies.

  7. Re:I feel like Rip van Winkle by kosmosik · · Score: 2

    > so a vulnerability in one process cannot give you access to the content of the other

    Unless it is a kernel vulnerability in LXC that allows you to escape the container.

    But you are right about POSIX.

    IMO containers are not about security - if you wanted security you would go with designs that were built with it in mind from hardware to software.

    Containers and microservice architecture allow faster and better managed deployments of services in large distributed scale (aka the cloud) and this is the main selling point.