Linux.com


Docker's Improved Stability Fuels Continued Growth


This is the summer of Docker's ripening as it begins to mature into stable, enterprise-worthy software. The release of version 1.0 coincided with the first annual DockerCon, and finally moves Docker from an experimental state into a production-capable application. The pace of development is not slowing down after these successes, but rather appears to be ramping up as Docker adoption continues to grow and more companies get involved in the development process. The last few months have seen a major acquisition, improvements to security, and a multitude of bug fixes and new features.

Docker's Orchard of Fig

One of the biggest moves taken by the company in recent months is the acquisition of Orchard: a company that provides hosting services for Docker containers. This is part of the company's efforts to standardize Docker orchestration, something that has been handled differently by each distribution of Linux. The team coming from Orchard will spend part of their time developing an interface to make Docker orchestration easier.

This follows in the wake of Solomon Hykes' announcement of Libswarm during his keynote at DockerCon. Libswarm is an orchestration application built to deploy applications made from multiple containers on infrastructures made of multiple machines. It does this by offering an API which can be accessed by any existing clustered system that includes a Libswarm back end.

Orchard also produces Fig, an open source application that allows users to build isolated development environments using Docker. The Orchard team will maintain Fig and launch a Developer Experience group aimed at making Docker a better tool for developers. This effort will include improvements to Mac and Windows support, the creation of more educational materials, and aiding with the development of Docker.

Renewed Efforts on Security

A major point of confusion with Docker and Linux containers is that “containers do not contain,” meaning that putting something in a container does not necessarily limit its ability to reach root-owned processes or exploit system vulnerabilities. Most security considerations required for standard Linux system administration are still necessary when using container environments. SELinux has emerged as a top choice for adding the necessary level of security to Docker containers by providing a simple labeling mechanism that controls how processes can access system resources. Every process, file, directory, and system object has a label; kernel-enforced policies control access between labeled processes and labeled objects. This allows developers and system administrators to control how containers communicate with the host operating system.

Container to container interaction is handled through Multi Category Security (MCS) enforcement, which creates an additional label section that is unique to each image of a container. This new label section prevents each container from accessing similar resources on other containers, keeping them isolated. For the time being, SELinux is an integral part of using Docker in production environments, and should be utilized to ensure proper security.
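The MCS comparison described above can be checked mechanically. The following is an added example, not code from the article or from Docker: it parses SELinux contexts and flags containers whose process label gives them no category of their own. The sample lines are constructed, the type names `svirt_lxc_net_t` and `svirt_sandbox_file_t` are assumptions about the policy in use, and only the category check is modelled, not type enforcement.

```python
import re

# Constructed sample: container name, process label, label on the container's files.
# Type names are assumptions for illustration; substitute the ones your policy uses.
SAMPLE = """\
web   system_u:system_r:svirt_lxc_net_t:s0:c12,c340  system_u:object_r:svirt_sandbox_file_t:s0:c12,c340
db    system_u:system_r:svirt_lxc_net_t:s0:c77,c901  system_u:object_r:svirt_sandbox_file_t:s0:c77,c901
cache system_u:system_r:svirt_lxc_net_t:s0:c12,c340  system_u:object_r:svirt_sandbox_file_t:s0:c12,c340
tools system_u:system_r:unconfined_t:s0              system_u:object_r:svirt_sandbox_file_t:s0
"""

def categories(context):
    """MCS category set of a user:role:type:level context (high end of a range)."""
    fields = context.split(":", 3)
    if len(fields) < 4:
        raise ValueError("not an SELinux context: %r" % context)
    _sens, _, cat_text = fields[3].split("-")[-1].partition(":")
    cats = set()
    for item in filter(None, cat_text.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)  # c5 or a range c0.c1023
        if not m:
            raise ValueError("bad category %r" % item)
        lo = int(m.group(1))
        cats.update(range(lo, int(m.group(2) or lo) + 1))
    return frozenset(cats)

def may_access(proc_ctx, obj_ctx):
    """MCS part only: the process must hold every category on the object."""
    return categories(proc_ctx) >= categories(obj_ctx)

def audit(text, confined_type="svirt_lxc_net_t"):
    """Flag containers whose process label gives no per-container MCS separation."""
    findings, seen = [], {}
    for name, proc, _obj in (l.split() for l in text.splitlines() if l.strip()):
        cats = categories(proc)
        if proc.split(":")[2] != confined_type:
            findings.append((name, "process type is not " + confined_type))
        elif not cats:
            findings.append((name, "no MCS categories"))
        elif cats in seen:
            findings.append((name, "same categories as " + seen[cats]))
        else:
            seen[cats] = name
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(name, reason)
```

On a live host the same columns can be collected from `ps -eZ` for processes and `ls -Z` for files.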

(Jerome Petazzoni will be presenting on Docker security at LinuxCon this week in Chicago.)

Minor Updates and Bug Fixes

Version 1.0 was released on June 9, and featured over 40 bug fixes and a number of new features including the ability to pause and unpause containers and the addition of IANA port reservations for the Docker Engine. This is considered the first version of Docker stable enough for production use.

Version 1.1.0 came out on July 3 and includes:

  • .dockerignore files can be used to ignore specific files and directories when sending a build context to the daemon.

  • Containers pause during commit by default.

  • Logs of containers can now be tailed.

  • Tar archives can be used as the context for Docker builds.

  • The entire filesystem can be bind mounted in a container.

  • Fixes to port allocation, and save, inspect, and commit commands.

  • General performance increases.

The Growing Legion of Docker

openSUSE last week announced official support for Docker containers in version 13.1, adding openSUSE to the growing number of Linux distributions that officially support Docker, a list that includes Ubuntu, CentOS, Debian, Fedora, Red Hat, Gentoo, Arch Linux, and CRUX. The official Docker release for openSUSE can be found on the Docker Hub.

Finally, a team of researchers at IBM has just released a new paper that demonstrates the efficiency of Docker containers by comparing them to native Linux processes and KVM virtual machines in a number of processing tasks including Linpack, memory bandwidth, random memory access, network latency, Redis, and MySQL. In nearly all cases, Docker proved to be nearly as efficient as the native Linux kernel, and often outperformed KVM by a substantial margin. The team invites others to expand on this research and explore performance isolation when multiple workloads run on the same server, live resizing of containers and VMs, and tradeoffs between live migration and restarting.

 
