In recent years, the name, ‘Docker’ has become a synonym for container technology. With its cross-platform, self-developed standard, the company has established an alternative to hypervisor-based hardware virtualization. With this, Docker has successfully revitalized basic Linux core functions for virtualization on the operating system level.
Read on for the most important extensions for the container platform and an overview of the most popular third-party projects, which develops Docker tools on an open-source basis.
Today, Docker is far more than just a sophisticated platform for managing software containers. Developers have created a range of diverse extensions and online services to make the deployment of applications via distributed infrastructure and cloud environments easier, faster, and more flexible. In addition to clustering and orchestration, these provide users with a central app marketplace and a toll for managing cloud resources.
When users talk of ‘Docker’, they are usually referring to the open source client-server application that underlies the container platform, which is actually called the ‘Docker engine’. Central components of the Docker engine are the Docker daemon, a REST API, and a CLI (command line interface) as the user interface. This design allows you to talk to the Docker engine through command line commands, and to manage images, Docker files, and containers conveniently from the terminal.
Find a detailed description of the Docker engine in our Docker tutorial for beginners.
The Docker node provides users with a cloud-based registry that allows Docker images to be downloaded, centrally managed, and shared with other Docker users. Registered users can file Docker images publicly or in private repositories. Downloading a public image (known as pulling in Docker terminology) does not require a user account. An integrated tag mechanism enables the versioning of images.
In addition to public repositories of other Docker users, there are also many node resources that are provided in official image archives by the Docker developer team and well-known open source projects. The most popular Docker images include the NGINX webserver, the Redis in-memory database, the BusyBox Unix tool kit, and the Ubuntu Linux distribution.
Organizations are another important Docker node feature , which allow users of the container platform to make private repositories, exclusively available to specific people. Access rights are managed within an organization using teams and memberships to groups.
The Docker machine enables Docker hosts to supply and manage Docker hosts on almost any infrastructure. The tool automates the implementation of Docker and makes it much easier to provide Docker hosts.
The developer team refer to a virtual host running the Docker engine as a ‘Docker host’ or a ‘Dockerized host’. While it is native to all Linux distributions, the use of Docker on macOS or Windows systems once required an abstracting layer in the form of a Docker machine. This has changed fundamentally with release v1.12. Today, Docker is available across all the most popular platforms, including Mac and Windows. The central application field of the Docker machine has thus shifted to remote scenarios and the management of Docker hosts in cloud environments.
If a large number of Docking nodes are being used in a network or on cloud infrastructures such as Amazon Web Services (AWS) or DigitalOcean, users will eventually return to the Docker machine. The tool reduces the effort required to create new hosts with a simple Docker machine create command and allows you to manage multiple Docker nodes from the terminal. The Docker machine takes on the task of creating an SSL PKI as well as the distribution of user authentication certificates. The software is used in combination with Docker swarm for the deployment of Docker clusters.
The Docker machine is generally used on the local system. The Docker tool automatically creates new hosts, installs the Docker engine, and configures the locally installed command line program for remote access. This allows you to respond to hosts in the cloud via a local system terminal to remotely carry out these Docker commands.
Since its 1.12 version, the Docker engine has contained a native function that enables its users to manage Docker hosts in clusters called swarms. The cluster management and orchestration capabilities built into the Docker engine are based on the Swarmkit Toolbox. If using an older version of the container platform, the Docker tool is available as a standalone application.
Clusters are made up of any number of Docker hosts and hosted on the infrastructure of an external IaaS provider or in their own data center.
As a native clustering tool, Swarm gathers a pool of Docker hosts into a single virtual host and serves the Socker, REST API. Thus, any Docker tool associated with the Docker daemon can access Swarm and scale across any number of Docker hosts. With the Docker engine, CLI, users can create swarms, distribute applications in the cluster, and manage the behavior of the swarm with no need for additional orchestration software.
Docker engines that have been combined into clusters run in swarm mode. Select this if you want to create a new cluster or add a Docker host to an existing swarm. Individual Docker hosts in a cluster are referred to as "nodes". The nodes of a cluster can run as virtual hosts on the same local system, but more often is a cloud-based design, where the individual nodes of the Docker swarm are distributed across different systems and infrastructures.
The software is based on master-slave architecture. When tasks are to be distributed in the swarm, users pass a service to the manager node, which acts as the cluster’s master. This master is then responsible for scheduling containers in the cluster and serves as a primary user interface for accessing swarm resources.
The manager node sends individual units, known as tasks, to the subordinating slaves, which in Docker terminology are referred to as ‘worker nodes’.
In addition to the management of cluster control and orchestration of containers, manager nodes by default also offer worker node functions – unless you restrict the tasks of such master nodes just to management.
An agent program runs on every worker node. This accepts tasks and provides the respective master node status reports on the progress of the transferred task. The following graphic shows a schematic representation of a Docker Swarm:
When implementing a Docker Swarm, users generally rely on the Docker machine.
Compose is Docker’s solution for multi-container applications. Originally developed as fig by the software developer Orchard, the lean orchestration tool now expands the Docker portfolio.
Docker Compose enables you to merge multiple containers and execute with a single commend. The open source tool is implemented in the Python script language. The basic element of Compose is the central control file based on the award-winning language YAML. The syntax of this compose file is similar to that of the open source Vagrant software, which is used when creating and provisioning virtual machines.
In the docker-compose.yml file, you define any number of software containers, including all dependencies, as well as their relationships with each other. Such multi-container applications are controlled according to the same pattern as individual software containers. Use the docker-compose commandin combination with the desired subcommand to manage the entire life cycle of the application.
The Docker tool can be easily integrated into a cluster based on Swarm. In this way, you can run multi-container applications created with Compose just as easily on distributed systems as on a single Docker host.
Another feature of Docker Compose is an integrated scaling mechanism. With the orchestration tool, you can comfortably use the command line program to define how many containers you would like to start for a particular service.
At the end of 2015, Docker took over the container deployment and management service Tutum and converted it to Docker Cloud. While the Docker hub serves as a central storage platform for images, the Docker Cloud provides you with a web-based platform that allows for you to create, test, monitor, and distribute Docker containers across a variety of infrastructures.
The Docker Cloud offers a native integration with all Docker services and is characterized by the support of several cloud providers, such as Microsoft Azure, Amazon Web Services, DigitalOcean, IBM Softlayer, Packet.net, or Google Container Engine. In addition, users have the opportunity to connect the Docker Cloud to their own infrastructure.
Please note: The Docker Cloud doesn’t provide hosting services. All resources for nodes, services, and stacks that you create via the deployment platform have to be deployed by external providers or their own data center.
A stack is a set of multiple Docker services that together create an application.
The native binding to established infrastructure-as-a-service providers (IaaS) allows you to distribute applications across various hosting platforms or realize them in combination with local node hybrid architectures. The management of Docker nodes via various infrastructures happens centrally via a graphical user interface, the Docker Cloud Dashboard. Using this, you can connect with a click to your data center or an external hosting provider and create individual Docker nodes or entire node clusters.
Node clusters can’t be implemented in the Docker Cloud via various external providers.
In addition to the cross-platform deployment and scaling of applications in the Cloud, the deployment platform offers interfaces for various registries such as the Docker Hub, as well as automated build and test functions. An overview of the core functions and the applications possibilities of the Docker Cloud is offered in the following video from the development team:
In order to protect your privacy, the video will not load until you click on it.
Since the release of v1.12, Docker is also available for newer macOS and Windows computers as a native desktop application. But users of older systems have to rely on the Docker toolbox to be able to install the container platform.
The Docker toolbox is an installer that automates the setup of a Docker environment on older Windows and macOS systems. The software contains the following components:
The core of the Docker toolbox is the open source software Kitematic. This integrates with the Docker machine to provide a virtual machine based on the Oracle VirtualBox for installing the container platform on Windows and Mac. Docker users have an available graphical user interface that allows containers to be created, started, and stopped with a click of the mouse. An interface to the Docker Hub also allows you to search the registry directly from the desktop app and download images.
In addition to the GUI, there is a preconfigured command line interface. All changes that users make via the one input path are also applied to the other mode. So users have the possibility to seamlessly switch between GUI and CLI for executing and controlling a container. In addition, Kitematic offers functions that automatically assign ports, define environmental variables, and configure drives (volumes).
Even if the Docker toolbox is marked in the Docker documentation as a legacy, the software is still supported. The development team still recommends use via the native desktop apps, Docker for Windows or Docker for Mac, provided that the system requirements are met.
In addition to the in-house development from Docker Inc., there are various software tools and platforms from external providers that provide interfaces for the Docker Engine or are specially developed for the popular container platform. The Docker ecosystem’s most popular open source projects include the orchestration tool Kubernetes, cluster management tool Shipyard, multi-container shipping solution Panamax, continuous integration platform Drone, Cloud-based operating system OpenStack, and the Mesosphere DC/OS datacenter operating system, based on the cluster manager Mesos.
It’s not always possible for Docker to come up with their own orchestration tools such as Swarm and Compose. For this reason, various companies have been investing in their own development work for years to create tailor-made tools designed to facilitate the operation of container platform in large, distributed infrastructures. Among the most popular solutions of this type, in addition to Spotify’s open source orchestration platform Helios, is the open source project Kubernetes.
Kubernetes is a cluster manager for container-based applications, mostly developed by Google and today under the patronage of the Cloud Native Computing Foundation (CNCF).
The Cloud Native Computing Foundation (CNCF) is a sub-organization of the Linux Foundation (LF). Crucial to the foundation of the organization in 2015 was a cooperation between the Linux Foundation and the software company Google, in which the Google project Kubernetes transferred as a donation to the CNCF. The goal of the organization is to promote the container technology in open source projects. Beside Google, the other members are Docker, Twitter, Huawei, Intel, Cisco, IBM, Univa, and VMware.
Since the middle of 2015, Kubernetes 1.0 has been released for use in production systems and is used, for example, in the Google Container Engine (GKE).
The goal of Kubernetes is to automate applications in a cluster. To do this, the orchestration tool uses a REST-API, the command line program, and agraphical web interface as controls interfaces, via which the automations can be triggered and status reports can be requested. Use Kubernetes to:
To this end, Kubernetes combines containers into logical parts – so-called pods. Pods represent the basic units of the cluster manager, which can be distributed in the cluster by scheduling.
Like Docker’s Swarm, Kubernetes is also based on a master-slave architecture. A cluster is composed of a Kubernetes master as well as a variety of slaves, s-called Kubernetes nodes (also workers or minions). The Kubernetes master functions as a central control plane in the cluster and subsists of four basic components, which make it possible to direct communication in the cluster and to distribute tasks. A Kubernetes master consists of an API server, the configuration memory etcd, a scheduler, and a controller manager.
The overall components of the Kubernetes master can be located on the same host or distributed over several master hosts within a high-availability cluster.
While the Kubernetes master is responsible for the orchestration, the pods distributed in the cluster are run on hosts, the Kubernetes nodes, which are subordinate to the master. To do this, a container engine needs to run on each Kubernetes node. Docker represents the de facto standard. But in principle, Kubernetes is not committed to a specific container engine.
In addition to the container engine, Kubernetes nodes cover the following components:
The following graphic shows a schematic representation of the master-slave architecture on which the orchestration platform Kubernetes is based:
In addition to the core project Kubernetes, there are numerous tools and extensions that make it possible to add additional functions to the orchestration platform. The most popular are the monitoring and error diagnosis tools Prometheus, Weave Scope, and sysdig, as well as the package manager Helm. Plugins also exist for Apache Maven and Gradle, as well as a java API for the remote control of Kubernetes.
Shipyard is one of the Docker user community-developed management solutions based on Swarm, which allows users to maintain Docker resources like containers, images, hosts, and private registries via a graphical user interface. This is available as a web application via the browser and so is different than the desktop app Kitematic.
The software is 100% compatible with the Docker remote APIa dn uses the open source noSQL database RethinkDB for data storage for user accounts, addresses, and occurrences.
Beside the cluster management functions via a central web interface, Shipyard also presents user authentication as well as role-based access control.
The software is based on the cluster management toolkit Citadel and subsists essentially of three main components: Controller, API, and UI.
Further information about Shipyard can be found on the official website of the open source project.
The developers of the open source software project Panamax have set themselves the goal of simplifying the deployment of multi-container apps. The free tool offers users a graphical user interface via which they can comfortably develop, deploy, and distribute complex applications based on Docker containers using drag-and-drop.
Panamax makes it possible to save complex multi-container applications as application templates, and distribute them in cluster architectures with just a click. Via an integrated app marketplace hosted by GitHub, templates for self-made applications can be stored in repositories and made available to other users. The following animation demonstrates the Panamax concept with the motto “Docker Management for Humans”:
In order to protect your privacy, the video will not load until you click on it.
Panamax is offered by CenturyLink as an open source software under the Apache 2 license. The basic components of the Panamax architecture are divided into two groups: the Panamax local client, and any number of remote deployment targets.
The Panamax local client is the core component of the Docker tool. This is executed on the local system and allows complex container-based applications to be created. The local client is comprised of the following components:
In addition, the Panamax API also enables interactions with various external APIs.
Each node in a Docker cluster without management tasks is called a remote deployment target in Panamax terminology. Deployment targets consist of a Docker host, which is configured to deploy Panamax templates with the help of the following components:
The following graphic shows the interplay between the individual Panamax components in a Docker cluster:
The CoreOS-based Panamax container management tool provides users with a variety of standard container orchestration technologies through a graphical user interface, as well as a comfortable option for managing complex multi-container applications in cluster architectures across any system (i.e. your own laptop).
With the public template repository, Panamax users have access to a public template library with various resources via GitHub.
Drone is a lean continuous integration platform with minimal requirements. Use the tool written in Go to automatically load builds (individual development stages of a new software) from Git repositories such as GitHub, GitLab, or Bitbucket, and run them in isolated Docker containers for test purposes. You can run any test suite and send reports and status messages via e-mail. For every software test, a new container based on images from the public Docker registry is created. So, any publicly available Docker image can be used as the environment for the code to be tested.
“Continuous Integration” (CI) refers to a process in software development, in which newly developed software components – builds – are merged and run in test environments at regular intervals (usually at least once a day). Complex applications are often developed by large teams. CI is a strategy to recognize and resolve integration errors early, which can occur during the collaboration of different developers. Drone offers software developers the possibility to realize different test environments with the help of Docker containers.
Drone is integrated in Docker and supported by various programming languages, such as PHP, Node.js, Ruby, Go, or Python. The container platform is the only true dependency. You can create your own personal continuous integration platform with Drone on any system on which Docker can be installed. Drone supports various version control repositories. You can find a guide for the standard installation with GitHub integration on the open source project’s website under readme.drone.io.
Control of the continuous integration platform takes place over a web interface. Here you can load software builds from any Git repository, merge them into applications, and run the result in a pre-defined test environment. For this, there is a .drone.yml file defined for each software test which specifies how to create and run the application.
In the following video, Drone co-developer Brad Rydzewski gives some insight into the open source continuous integration platform:
In order to protect your privacy, the video will not load until you click on it.
When it comes to building and operating open source-based cloud structures, OpenStack is the software solution of choice. The open source cloud operating system emerged in 2010 from a cooperation between the US web host Rackspace and the space agency NASA. The free software project found support under Apache licensing through companies such as AT&T, SUSE, Canonical, HP, Intel Red Hat, and IBM.
With OpenStack you can manage computer, storage, and network resources in a data center from a central dashboard and make them available to end users via a web interface.
The cloud operating system is based on a modular architecture that’s comprised of six core components:
Since the Havanna release in 2013, the core component Nova has offered a hypervisor driver for the Docker engine. This embeds an HTTP client in the OpenStack architecture with which the internal Docker API can be addressed via a Unix socket.
The Docker driver for Nova makes it possible to retrieve images from the image service Glance and load them directly into the Docker file system. In addition, files can be exported from the container platform via the Docker standard command (docker save) and stored in Glance. A step-by-step manual about how to integrate Docker into an existing OpenStack architecture is provided on the OpenStack wiki.
The OpenStack foundation also offers a 90-minute workshop for Docker integration on YouTube:
In order to protect your privacy, the video will not load until you click on it.
In addition to the six core components, the OpenStack architecture can be extended by various optional modules:
Because of the modular expandability, OpenStack has been established as one of the leading operating systems for the construction and operation of open source-based cloud structured. For Docker users, OpenStack and its Nova Docker driver are a powerful platform that allow containers to be run and managed professionally in complex distributed systems.
DC/OS (Data Center Operating System) is an open source software for the operation of distributed systems developed by Mesosphere Inc. The project is based on the open source cluster manager Apache Mesos and is an operating system for data centers. The source code is available to users under the Apache license Version 2 on GitHub. The developers also market an enterprise version of the software at mesosphere.com. Extensive project documentation can be found on dcos.io.
Consider DC/OS as a type of Mesos distribution that provides all the functions of the cluster manager via a central control interface, and also extends Mesos with a comprehensive infrastructure where various components make the operation of applications on distributed systems, in the cloud, or on in-house environments much easier. The following video from the development team contains a short demonstration of the DC/OS basic functions:
In order to protect your privacy, the video will not load until you click on it.
DC/OS uses the distributed system core of the Mesos platform. This makes it possible to bundle the resources of an entire data center and manage them in the form of an aggregated system like a single logical server. This way, you can control entire clusters of physical or virtual machines with the same ease with which you operate a single computer.
The software simplifies the installation and management of distributed applications and automates tasks such as resource management, scheduling, and inter-process communication. The management of a cluster based on Mesosphere DC/OS, as well as its included services, takes place over a central command line program (CLI) or web interface (GUI).
DC/OS isolates the resources of the cluster and provides shared services, such as service discovery or package management. The core components of the software run in a protected area – the core space. This includes the master and agent programs of the Mesos platform, which are responsible for resource allocation, process isolation, and security functions.
All other system components as well as applications run by the Mesos agents via executor run in the user space. The basic components of a standard DC/OS installation are the admin router, the Mesos DNS, a distributed DNS proxy, the load balancer Minuteman, the scheduler Marathon, Apache ZooKeeper, and Exhibitor.
On cluster resources aggregated via DC/OS, diverse workloads can be executed at the same time. For example, this enables parallel operation on the cluster operating system of big data systems, microservices, or container platforms such as Hadoop, Spark, and Docker.
With Mesosphere Universe, a public app catalog is available for DC/OS. With this, you can install applications like Spark, Cassandra, Chronos, Jenkins, or Kafka easily with a click on the graphical user interface.
Docker has successfully managed to revamp the IT industry from the ground up. If you take a look at the statistics of the open source project, it’s hard to believe that the first release of the container platform was only four years ago, on March 13, 2013.
Docker users have downloaded more than 8 billion container images since then, and around a half million different Docker apps are available to users in the registry. The project is based on a developer community of around 3,000 contributors. Today, the Docker ecosystem encompasses a vast array of tools, extensions, and software platforms that make work with Docker container ever more efficient. According to their data, the container technology developed by Docker is currently involved in more than 100,000 third-party projects. But what is the success of the Docker platform and its side projects based on?
In times when more and more software users are being drawn into the cloud, the value of an application increases with its degree of networking and distribution. This trend is also reflect in the type and manner of software development, testing, and execution today. Cloud infrastructure offers the attractive option for companies to centrally manage IT resources and provide location-independent access. Concepts like infrastructure-as-a-service (IaaS) make business processes independent from the hardware resources of their own server rooms, and so offer maximum flexibility and scalability through on-demand billing models.
Professionally operated data centers or large hosting providers also offer strategies for failure safety, high availability, and business continuity, which small and medium-sized companies can rarely implement in their own facilities. Against this backdrop, a lightweight virtualization technology that allows applications with minimal overhead to be transferred to a portable, platform-independent format and distributed with a single command line directive in cloud infrastructures and hybrid environments really hits the mark.
Docker uses the “Digital Infrastructure Platform” trend, infrastructure as a cloud-based service, like no other technology. The Docker ecosystem makes it possible to break up complex applications into microservices, which can then be distributed via APIs over various nodes in a cluster. Companies can now secure themselves not just agility and flexibility, but also stability. Multi-container apps whose processes run on various hosts in a distributed system can be scaled horizontally and enjoy fail-safe operation thanks to redundancies. The extensive independence of containers in encapsulated microservices also ensures that updates and patches are only applied to parts of an application, and never interfere with the application as a whole. Software errors can be resolved with much less effort as a result.
Even when changing from traditional infrastructures to a digital infrastructure platform, container technology can still play a key role: Most of all, the ability to pack applications and all of their dependencies into a portable container and distribute them across platforms (deployment) helps administrators to transfer old systems (i.e. legacy applications) from static IT to dynamic IT.
IT environments can be divided into two basic areas, based on the increasing popularity of cloud-based infrastructures: Static IT includes enterprise and backend applications that operate on classic infrastructures in on-premise environments or on a private cloud. If companies create new applications and systems, these are more and more often implemented directly on public cloud infrastructure platforms in order to ensure maximum scalability, flexibility, and location independence. For this area, the term dynamic IT was established.
The use of a container platform like Docker also offers the chance to optimize applications in regard to speed, performance, and change management. But there are still concerns about the security of container technology.
Given that you have the container engine installed, you can run container-based applications on any system. Containers include not only the code of the actual application, but also all binary files and libraries required for the runtime of the application. This primarily simplifies the deployment, or distribution of software on various systems – and not only for newly developed applications. The container technology is also effectively used when it comes to legacy applications – aka out-of-date applications still considered essential for daily operations – and transferring them to the cloud.
Older software components are often difficult to integrate into cloud infrastructures because of their dependencies on particular operating systems, frameworks, or classes. Here, a lean container engine like Docker can provide an abstraction layer that compensates for code dependencies without the need for administrators to take the overhead of a virtual operating system into account.
If you compare the container technologies that the Docker platform is based on with a classic hardware virtualization via VM, the differences in terms of speed and performance are very clear.
Since applications encapsulated in containers rely directly on the core of the host system, no separate systems have to be started for this type of virtualization. Instead of a hypervisor, Docker uses a lightweight container engine. This eliminates not only the boot-up time for a virtual machine, but also the resource consumption of the additional operating system. Container apps are ready quicker and with fewer resources than applications based on virtual machines. This enables the administration to start significantly more containers from one host system than would be possible on guest systems on a comparable hardware platform. For example, a server can host from 10 to 100 virtual machines, but around 1,000 containers.
There’s also the added fact that containers which include only binary files and libraries in addition to the application code need far less storage space than a virtual machine, including the application and operating system.
Digitalization and the trend toward mobile internet user has significantly accelerated the life cycle of applications. It’s not only updates, patches, and bug fixes that need to be provided as soon as possible, but also the releases of new software versions that are following one another at shorter and shorter intervals.
But deploying updates presents challenges for developers and administrators. While software manufacturers would like to present their customers with new functions for an application as quickly as possible, administrations are terrified of the risk of failure that any change to the IT infrastructure and its software components brings along with it. Solution strategies for difficulties of this type are given the keyword DevOps. The DevOpsDays were launched in 2009, at which process improvement approaches for the cooperation of development and IT operations were discussed for the first time at an international conference.
The goal of DevOps is to improve the quality of new software versions as well as to accelerate development, distribution, and implementation through a more effective cooperation of all involved parties and extensive automation. The automatable DevOps tasks include build processes from the repository, static and dynamic code analysis, as well as module, integration, system, and performance tests. At the heart of the DevOps approach there are still considerations of continuous integration (CI) and continuous delivery (CD) – two central application fields of the Docker platform.
Continuous delivery is an approach meant to optimize software distribution using various technologies, processes, and tools at the touch of a button. Central to this is an automation of the so-called deployment pipeline.
Docker offers integration possibilities for established CI/CD tools such as Jenkins, Travis, or Drone and make it possible to automatically load code from the Docker Hub or version control repositories like GitHub, GitLab, or Bitbucket. The container platform represents a foundation for DevOps workflows in which developers can create new application components together and run them in any test environment.
Docker also supports on-premise, cloud, and virtual environments as well as various operating systems and distributions. One of the key benefits of a Docker-based CI/CD architecture is that companies are no longer slowed down by inconsistencies between different IT environments.
Even if containers run encapsulated processes on the same core, Docker uses a number of isolation techniques to shield them from one another. These focus on core functions of Linux core, like Cgroups and Namespaces. Each container gets its own host name, own process IDs, and own network interface. Each container also only sees the part of the file system assigned to it. The allocation of system resources like storage, CPU, and network bandwidth happens on a Cgroup mechanism. This ensures that each container can only claim the share allocated to it.
Containers still don’t offer the same degree of isolation that can be accomplished with virtual machines. If an attacker hijacks a virtual machine, they still have little chance of interacting with the core of the underlying host system. Containers as encapsulated instances of the same host core, though, give attackers significantly more freedom.
Despite the described isolation techniques, important core subsystems such as Cgroups as well as core interfaces in the /sys and /proc directories can be reached from containers. This gives attackers the ability to circumvent the host’s security functions. Plus, all containers run on a host system in the same user namespace. As a result, a container that’s granted root privileges retains them even when interacting with the host core. So administrators should make sure that all containers start with only restricted rights.
The Docker daemon, which is responsible for managing containers on the host system, also has root privileges. A user who has access to the Docker daemon automatically obtains access to all of the directories that the daemon can access, as well as the ability to communicate over a REST-API via HTTP. The Docker documentation recommends to only grant Daemon access to trustworthy users.
The Docker development team also recognized these safety concerns as an obstacle for the establishment of container technology on production systems. In addition to the fundamental isolation techniques of the Linux core, newer versions of the Docker engine also support the frameworks AppArmor, SELinux, and Seccomp, that function as a type of firewall for core resources.
Docker also uses Linux capabilities to restrict the root permissions with which the Docker engine starts containers.
Other security concerns also exist regarding software vulnerabilities within application components that are distributed by the Docker registry. Since basically anyone can create Docker images and make them publically accessible to the community in the Docker Hub, there’s the risk of introducing malicious code to your system through an image download. Before deploying an application, Docker users should make sure that the entire code provided in an image for the execution of containers stems from a trustworthy source. As part of the container platform’s enterprise edition (EE), Docker has been offering a certification program since the beginning of 2017 through which infrastructure, container, and plugin providers can test and distinguish their software. To obtain a certificate, the following requirements must be fulfilled:
In addition to boosting the security for users, Docker certification are designed to provide software developers with the ability to make their projects stand out from the large number of available resources on the market.
Container technology is no longer a niche topic. There are already a number of market-leading companies, such as Amazon, Red Hat, or Cisco are converting parts of their IT to container systems. The technology is a resource-conserving alternative to classic hardware virtualization and is particularly suitable for companies that need to provide interactive web applications or handle large volumes of data. An increasing demand is expected in the coming years in all e-commerce industries. Global players like eBay and Amazon already use containers as their standard technology. Smaller online retailers will soon follow suit.
At the same time, the fledgling software company Docker has gained a spot as a technological market leader in the industry of operating system level virtualization, thanks to the open source concept and efforts to standardize within a few years. But competition in the container industry doesn’t sleep. Users benefit from the speed of innovation that the intense competition between providers of container solutions and administration tools brings with it.
In the past, security concerns were primarily an obstacle in the way of the spread of container technology. The central challenge for developers of container-based virtualization technology is the improvement of the isolation process in the Linux core – an area which saw progress in the past through projects such as SELinux, AppArmor, and Seccomp.
If you look at the high acceptance rate for containers, it can be assumed that the operation system level virtualization will establish itself as an alternative to virtual machines in the long-term as well. The Docker project and its rapidly growing ecosystem in particular offer companies a future-proof basis for the operation of software containers in the development and operation business.
The open source container platform Docker is quite exciting to the open source community. As an alternative to hardware virtualization based on virtual machines, Docker has made the use of software containers acceptable outside of the Linux universe. In our tutorial for beginners, we break down the Docker trend from the ground up. With these clear, step-by-step instructions, learn how to install...
Docker is currently doing very well for itself, but there are many forerunner technologies and competitor products following in the market leader’s wake. They also offer attractive alternative solutions for resource-saving virtualization on an operating system level. We give you an overview of the most important options in the container industry, and introduce established container formats and...
CaaS – Container-as-a-Service – is the latest model in the cloud computing market: users can find suitable platforms for all established infrastructure providers. But what actually is CaaS? And what is the difference between CaaS and other cloud services, like Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS)? Here we introduce hosted container...
The container platform Docker offers native functions for the orchestration of containers in physical or virtual clusters. Docker also offers a tool for the deployment of multi-container apps with Compose. Thanks to the native swarm mode, you can scale complex applications by yourself on any number of Docker hosts. We show you how that works and offer comprehensive help in our tutorial for Docker...
Developers use Raspberry Pi for a variety of purposes. Among the areas its particularly useful for is working with container technology. Connecting Docker to Raspberry Pi comes with a number of advantages, since both are perfect for creating test environments. Keep reading to learn about the ins and outs of combining Raspberry Pi and Docker.
Provide powerful and reliable service to your clients with a web hosting package from IONOS.
View packages
