Docker, Docker, Docker! Easily one of the most popular topics at this year’s Flock (or in tech in general), Arun S A G of Yahoo gave a Friday morning talk on the state of Docker and Fedora, as well as a brief comparison between Docker and other Linux-based container technologies.
Arun started with some basics on what a container is, what Docker is, and a little coverage of the various types of kernel namespace isolation and cgroups. Arun’s overview was a bit breezy, given the time allowed for the talk (45 minutes). No doubt a speaker could fill a session with just that topic. For folks who want a deep dive, check out this post about containers and Docker security on the Docker blog. It may be slightly outdated, but serves as a reasonable overview.
Comparing Container Technologies in Fedora
Next, Arun discussed the status of container technologies in Fedora, touching on chroots, lxc, and Docker with a high-level overview of the pros and cons of each.
The chroot utility is very bare-bones and not really what most users would be looking for when you discuss containers. Arun noted that there’s little to no isolation for chroots, and that malicious processes may be able to break out of a chroot. In addition, chroots lack portability and much in the way of tools to make it easier to work with.
That’s not to say chroots are not useful, however. Arun pointed out that chroots work well for building RPMs, and are used by the Mock toolset to create packages.
Linux Containers (LXC) are not quite as old as the chroot utility, but have still been around for quite a while. LXC is built on top of cgroups and is several steps above chroot in isolation. Even so, it is not as full featured as Docker: it lacks a comprehensive toolset for creating containers and lacks portability between hosts.
Arun spent the bulk of his time on Docker, noting that it focuses on packaging portable applications and has a number of advantages for users and developers. For instance, Docker supports versioning, so an application in a Docker container can carry a history showing how the container was assembled, the ability to roll back to previous versions, and incremental downloads.
Docker also allows for component re-use, so a container can be used as a base image for a new application – making it very easy to take something like the Fedora Docker image and create new images.
Arun noted that Yahoo has several teams that are responsible for specific parts of its infrastructure (one in charge of operating systems, another for Apache, etc.). He says that Yahoo doesn’t usually use “commodity stuff from repos” but puts together many of its own components/packages. Docker allows one group to create the base image, then for another group to add something like Apache, and then another to add its final application. “It’s like git for your operating system image!”
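The team-by-team layering Arun describes, as an added example that is not from the talk or from Yahoo: a multi-stage Dockerfile where each stage stands in for one team's image, built on the public Fedora image. The `./site/` directory and the `httpd` package name are assumptions.

```dockerfile
# Stage 1: the "operating system" team's base image, built from the public
# Fedora image. Everyone else builds on top of this tag, never on bare Fedora.
FROM fedora:latest AS base
RUN dnf -y update && dnf clean all

# Stage 2: the "Apache" team's layer. It inherits every layer of "base" and
# adds only the web server, so a base-image fix propagates by rebuilding.
FROM base AS web
RUN dnf -y install httpd && dnf clean all
EXPOSE 80

# Stage 3: the application team's layer. It adds only its own content
# (./site/ is an assumed local directory) and the process to run.
FROM web AS app
COPY ./site/ /var/www/html/
CMD ["httpd", "-DFOREGROUND"]
```

After `docker build -t app .`, `docker history app` lists each layer and the instruction that created it, which is the assembly history Arun compares to git; each intermediate stage can also be tagged separately (`docker build --target web -t web .`) so the teams can publish and roll back their own tags independently.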
Docker, he says, has “outstanding” support on Fedora as a technology, and that images are publicly available. LXC, he says, is “another story” and he noted he’d be trying to work on improving that situation.
One question I had for Arun was about the comparison between Linux container technology and FreeBSD’s Jails. From my recollection, Yahoo had a great deal of FreeBSD in its infrastructure. Arun says that Yahoo had largely moved away from FreeBSD (though some still remains) and had standardized on Linux. As for the comparison between Linux and FreeBSD, Arun says that the container technology on Linux is “five to ten years ahead” of FreeBSD.
Overall, it was an interesting high-level overview, though I would have liked to have gotten a bit more detail on how Yahoo is packaging and managing its applications at scale.
Cory Hilliard
Nicely done.