Docker Rocks

I have been using virtualization since 2009, when I virtualized my desktop system into a QEMU image so I could run the much more usable Linux as the host OS underneath, then run my desktop or other development VM as guests on top of the host OS. Even in 2009 virtualization was considered an “old” technology: the first job where I ever saw it was in 2001, where the company I worked for ran a virtualized Windows 95 using VMware so that we could access company email in Outlook with the host OS being Linux.

Around 2013 is when I started hearing about the next evolution in virtualization: application containers, specifically as implemented by Docker. The main difference between a virtual machine and a Docker container is that the container should hold just the application and its dependent libraries, not the entire operating system. A Docker image can be much smaller than a virtual machine image, say 1GB versus a virtual machine’s 8GB image. From a DevOps standpoint, this is a huge saving in deployment time and backup, especially if the image has to be blasted out to hundreds of machines. Docker containers also simplify the SDLC process because at each phase only the Docker image needs to be pushed out, instead of the application with all of its dependent library packages – these should all be nicely wrapped up within the Docker container. Finally, a Docker container has minimal performance penalties because it uses the same kernel as the host OS.

The downside of a Docker container is the all-important matter of security. Docker containers by default run as the “root” user, and there are known hacks where applications within the container could take control of the host system, or vice versa. The solution to this is “double wrapping”, where a Docker container runs within a virtual machine, which provides much cleaner security isolation. While this might seem odd, remember that a Docker container has minimal performance impact, so double wrapping only takes the hit of the virtual machine, which most operations teams had already considered acceptable compared to the benefits of virtualization.
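As an added example (not code from the post), here is a constructed pair of Dockerfiles showing the default-root setting next to a hardened one that switches to an unprivileged user, plus a small shell check that flags a Dockerfile whose final USER is root or missing; the base image, the `app` account and the `/opt/app` paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the post: two constructed Dockerfiles (image name,
# account and paths are assumed) and a pre-deploy check for the default-root setting.

# Weak: no USER instruction, so Docker's default applies and the server runs as root.
weak_dockerfile() {
  cat <<'EOF'
FROM debian:bookworm-slim
COPY app /opt/app
CMD ["/opt/app/server"]
EOF
}

# Hardened: create an unprivileged account and switch to it before CMD, so a
# compromise of the server starts without root inside the container.
hardened_dockerfile() {
  cat <<'EOF'
FROM debian:bookworm-slim
RUN useradd --system --no-create-home --shell /usr/sbin/nologin app
COPY --chown=app:app app /opt/app
USER app
CMD ["/opt/app/server"]
EOF
}

# Read a Dockerfile on stdin. Return 0 when the last USER instruction selects a
# non-root user (name or uid, optionally "user:group"); return 1 when no USER
# line exists or the last one is root / uid 0. Only the last USER counts, since
# a later "USER root" undoes an earlier drop of privileges.
final_user_is_unprivileged() {
  last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' |
    tail -n 1 | awk '{print $2}' | cut -d: -f1)
  case "$last_user" in
    "" | root | 0) return 1 ;;
    *) return 0 ;;
  esac
}

# Demonstration on the two constructed Dockerfiles; for a file on disk use
# "final_user_is_unprivileged < Dockerfile".
weak_dockerfile | final_user_is_unprivileged || echo "weak: would run as root"
hardened_dockerfile | final_user_is_unprivileged && echo "hardened: runs as app"
```

Dropping privileges inside the image narrows what a compromised process starts with, but it does not replace the VM boundary the post recommends, because the container still shares the host kernel.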