If you have an interest in Linux containers...

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
We've been deploying almost all of our production services as Docker containers for over six months now, with great results. This paper from IBM Research compares container performance with that of traditional VMs (not surprisingly concluding that containers fare better). Section 2.3 is a great look at the internals of Linux containers and how they work. Note this is a PDF download.

IBM Research Report
 

MrDudeMan

Lifer
Jan 15, 2001
Dude... thank you for posting this. I've been wanting to understand this for quite a while and I couldn't figure out the name container.

These are awesome features:

For example, each filesystem namespace has its own root directory and mount table, similar to chroot() but more powerful.

Securing containers tends to be simpler than managing Unix permissions because the container cannot access what it cannot see and thus the potential for accidentally over-broad permissions is greatly reduced. When using user namespaces, the root user inside the container is not treated as root outside the container, adding additional security. The primary type of security vulnerability in containers is system calls that are not namespace-aware and thus can introduce accidental leakage between containers. Because the Linux system call API set is huge, the process of auditing every system call for namespace-related bugs is still ongoing. Such bugs can be mitigated (at the cost of potential application incompatibility) by whitelisting system calls using seccomp [6].

I also like the ability to share resources between containers. I see a lot of use for this even in my own organization.
 

KillerBee

Golden Member
Jul 2, 2010
I've only read about Docker and never really used it. Can you explain your own before-and-after Docker environment and benefits?
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
I've only read about Docker and never really used it. Can you explain your own before-and-after Docker environment and benefits?

There are two main benefits: 1) dependency isolation; and 2) repeatable environment builds.

The best way to explain the first benefit is with a scenario: last week I wanted to test a geocoder called twofishes. It requires java and a bunch of other shit to run. Since I have a base docker image with Ubuntu 14.04 + the JDK, I was able to start that up literally as fast as I can start Sublime Text and load a file:

sudo docker run -i -t --name="twofishes" -h="twofishes" markbnj/saucy-jdk /bin/bash

Hit enter on that and I have a prompt:

root@twofishes#

Anything I do while in that shell is isolated from my base system. For all intents and purposes it looks and feels like a fresh install of saucy with the JDK. Now I can install twofishes, write some commands to start the server and expose the right port to the host.

When I have it all working I can commit the container to an image:

sudo docker commit twofishes markbnj/twofishes-test

Now using the run command given above I can launch the twofishes-test container at any time, again literally as fast as I can start a text editor. Because of the way that kernel namespaces and cgroups work there is almost no additional overhead to any of this (not quite true for the network, but it's very low).

So you can see that for a lot of scenarios in which you might spin up a VM, or create a new virtualenv environment, spinning up a docker container is both faster and, in the case of virtualenv, cleaner, since it's not just a packaged python environment.

The second benefit comes from dockerfiles, which are a declarative way to specify the commands that need to be run to initialize an environment from a base image. We have a couple of base images and then we have dockerfiles that specify how to build an elasticsearch node, an haproxy node, a logstash node, a redis node, etc. These files are checked into git and manageable like any other source file.

There are other tools to automate environment builds and deployment: chef, ansible, cloudinit, etc. I don't have a ton of experience with any of them so I can't really compare. What we like about docker is it's blazing fast, very lightweight, very stable, and the actual runtime performance is basically native.
 

KillerBee

Golden Member
Jul 2, 2010
Was looking at boot2docker - is it just for running Linux under Windows, or does it do the same for a Windows-only environment?
 

Leros

Lifer
Jul 11, 2004
We use Xen in our operations managed environments and Vagrant/VirtualBox in developer managed environments. We're currently in the process of testing Docker for both. I'm fairly excited for the switch.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Was looking at boot2docker - is it just for running Linux under Windows, or does it do the same for a Windows-only environment?

Windows lacks the kernel support for namespaces and cgroups, so there is no native docker for Windows. Running it on Windows requires the use of a VM to boot a Linux distro, and docker can then be run on that.
 

KillerBee

Golden Member
Jul 2, 2010
It almost seems like Parallels Virtuozzo Containers sort of does the same thing for Windows servers, from reading their ads.