TechEcho

Ask HN: What is the actual purpose of Docker?

313 points by someguy1233 almost 10 years ago
I'm hearing about Docker every other day, but when I look into it, I don't understand the purpose of it.

I run many websites/applications that need isolation from each other on a single server, but I just use the pretty-standard OpenVZ containers to deal with that (yes I know I could use KVM servers instead, but I haven't run into any issues with VZ so far).

What's the difference between Docker and normal virtualization technology (OpenVZ/KVM)? Are there any good examples of when and where to use Docker over something like OpenVZ?

36 comments

tinco almost 10 years ago
> What's the difference between Docker and normal virtualization technology (OpenVZ/KVM)? Are there any good examples of when and where to use Docker over something like OpenVZ?

Docker is exactly like OpenVZ. It became popular because they really emphasize their OpenVZ Application Templates feature, and made it much more user friendly.

So users of Docker, instead of following this guide: https://openvz.org/Application_Templates

They write a Dockerfile, which in a simple case might be:

    FROM nginx
    COPY index.html /usr/share/nginx/html

So no fuzzing with finding a VE somewhere, downloading it customizing it, and then installing stuff manually, stopping the container and tarring it, Docker does that all for you when you run `docker build`.

Then you can push your nice website container to the public registry, ssh to your machine and pull it from the registry. Of course you can have your own private registry (we do) so you can have proprietary docker containers that run your apps/sites.

From my perspective, the answer to your question would be: Always prefer Docker over OpenVZ, they are the same technology but Docker is easier to use.

But I've never really invested in OpenVZ so maybe there's some feature that Docker doesn't have.

hueving almost 10 years ago
It serves as an amazing excuse to re-invent the wheel at your own workplace. It's a hot technology, and if you're not using it, it's because you're inept. Rip all of the stable things out that everyone knew how to use and slap containers in there! If it's not working, it's because you're not using enough containers.

No security patching story at your workplace? No problem, containers don't have one either! If someone has shipped a container that embedded a vulnerable library, you better hope you can get a hold of them for a rebuild or you have to pull apart the image yourself. It's the static linking of the 21st century!

KaiserPro almost 10 years ago
docker and openVZ aim to do the same thing.

docker is a glorified chroot and cgroup wrapper.

There is also a library of prebuilt docker images (think of it as a tar of a chroot) and a library of automated build instructions.

The library is the most compelling part of docker. everything else is basically a question of preference.

You will hear a lot about build once, deploy anywhere. whilst true in theory, your mileage will vary.

what docker is currently good for:

o micro-services that talk on a messaging queue
o supporting a dev environment
o build system hosts

However if you wish to assign ip addresses to each service, docker is not really mature enough for that. Yes it's possible, but not very nice. You're better off looking at KVM or VMware.

There is also no easy hot migration. So there is no real solution for HA clustering of non-HA images. (once again possible, but not without lots of lifting, VMware provides it with a couple of clicks.)

Basically docker is an attempt at creating a traditional unix mainframe system (not that this was the intention) A large lump of processors and storage that is controlled by a singular CPU scheduler.

However, true HA clustering isn't easy. Fleet et al force the application to deal with hardware failures, whereas VMware and KVM handle it in the hypervisor.

grhmc almost 10 years ago
For me, it is the ultimate in the idea in Continuous Delivery of "build once." I can be very confident that the docker image I build in the first stage of my pipeline will operate correctly in production. This is because that identical image was used for unit tests, to integration and functional testing, to the staging environment and finally production. There is no difference other than configuration.

This is the core that Docker solves, and in such a way that developers can do most of the dependency wrangling for me. I don't even mind Java anymore because the CLASSPATHs can be figured out once, documented in the Dockerfile in a repeatable programmatic fashion, and then ignored.

In my opinion the rest of it is gravy. Nice tasty gravy, but I don't care so much about the rest at the moment.

Edit: As danesparz points out, nobody has mentioned immutable architecture. This is what we do at Clarify.io. See also: https://news.ycombinator.com/item?id=9845255

shawnee_ almost 10 years ago
Docker is a cute little tool that gives people who aren't that great at Linux the illusion that they know what they're doing. Throw in the use of some "Container" semantics and people become convinced it's *that* easy (and secure) to abstract away the containers from the kernel.

But it's not, at least in my experience; not to mention that as of now, anything running Docker in production (probably a bad idea) is wide open to the OpenSSL security flaw in versions of 1.0.1 and 1.0.2, despite the knowledge of this issue being out there for at least a few days.

Docker's currently "open" issue on github: https://github.com/docker/compose/issues/1601

Other references:
https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html
http://blog.valbonne-consulting.com/2015/04/14/as-a-goat-im-skeptical-of-dockers-hype/

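Added example, not part of the thread and not Docker tooling: hueving's "pull apart the image yourself" and the OpenSSL 1.0.1 and 1.0.2 release lines named in the comment above, as a Python inventory of a container root filesystem tar (the kind `docker export` writes). Function names and the sample package data are constructed for illustration, a Debian-style dpkg database is assumed, and a hit means "check and rebuild" because distributions backport fixes without changing the upstream version.

```python
import io
import posixpath
import tarfile

# Release lines taken from the comment above; values are version prefixes.
WATCH = {"openssl": ("1.0.1", "1.0.2")}
STATUS_PATH = "var/lib/dpkg/status"


def read_dpkg_status(rootfs_tar: bytes) -> str:
    """Pull the dpkg database out of a root filesystem tar."""
    with tarfile.open(fileobj=io.BytesIO(rootfs_tar)) as tar:
        for member in tar:
            name = posixpath.normpath(member.name).lstrip("/")
            if member.isfile() and name == STATUS_PATH:
                return tar.extractfile(member).read().decode("utf-8", "replace")
    raise FileNotFoundError(STATUS_PATH)


def parse_stanzas(status_text: str):
    """Yield one dict per package stanza; continuation lines are skipped."""
    for block in status_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Package" in fields:
            yield fields


def upstream_version(version: str) -> str:
    """Strip the Debian epoch ("1:") and revision ("-3") from a version."""
    version = version.split(":", 1)[-1]
    return version.rsplit("-", 1)[0] if "-" in version else version


def flag_packages(rootfs_tar: bytes, watch=WATCH):
    """Return sorted (package, version) pairs whose source package is watched."""
    hits = []
    for pkg in parse_stanzas(read_dpkg_status(rootfs_tar)):
        # Only packages that are actually installed, not removed leftovers.
        if pkg.get("Status", "").split()[-1:] != ["installed"]:
            continue
        # Binary packages such as libssl* name their source package here.
        source = pkg.get("Source", pkg["Package"]).split()[0]
        upstream = upstream_version(pkg.get("Version", ""))
        if any(upstream.startswith(p) for p in watch.get(source, ())):
            hits.append((pkg["Package"], pkg.get("Version", "")))
    return sorted(hits)


def build_sample_rootfs() -> bytes:
    """Constructed sample: a tar holding only a three-package dpkg status."""
    status = (
        "Package: libssl1.0.0\nStatus: install ok installed\n"
        "Source: openssl\nVersion: 1.0.1k-3\n"
        "Description: SSL shared libraries\n more text\n\n"
        "Package: openssl\nStatus: deinstall ok config-files\n"
        "Version: 1.0.1k-3\n\n"
        "Package: zlib1g\nStatus: install ok installed\n"
        "Source: zlib\nVersion: 1:1.2.8.dfsg-2\n"
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("./" + STATUS_PATH)
        info.size = len(status)
        tar.addfile(info, io.BytesIO(status))
    return buf.getvalue()


if __name__ == "__main__":
    for name, version in flag_packages(build_sample_rootfs()):
        print(f"rebuild candidate: {name} {version}")
```
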
alextgordon almost 10 years ago
1. Stateless servers. Put your code and configuration in git repos, then mount them as volumes in your docker container. The absolute star feature of docker is being able to mount a *file* from the host to the container.

You can tear down the host server, then recreate it with not much more than a `git clone` and `docker run`.

2. Precise test environment. I can mirror my entire production environment onto my laptop. No internet connection required! You can be on a train, on a plane, on the beach, in a log cabin in the woods, and have a complete testing environment available.

Docker is *not* a security technology. You still need to run each service on a separate host kernel, if you want them to be properly isolated.

danesparza almost 10 years ago
I'm stunned that nobody has brought up the idea of 'immutable architecture' -- the idea that you create an image and deploy it, and then there is no change of state after it's deployed. If you want a change to that environment, you create a new image and deploy that instead.

Docker gives you the ability to version your architecture and 'roll back' to a previous version of a container.

zwischenzug almost 10 years ago
Some key points:

- Docker is nothing new - it's a packaging of pre-existing technologies (cgroups, namespaces, AUFS) into a single place
- Docker has traction, ecosystem, community and support from big vendors
- Docker is _very_ fast and lightweight compared to VMs in terms of provisioning, memory usage, cpu usage and disk space
- Docker abstracts applications, not machines, which is good enough for many purposes

Some of these make a big difference in some contexts. I went to a talk where someone argued that Docker was 'just a packaging tool'. A sound argument, but packaging is a big deal!

Another common saw is "I can do this with a VM". Well, yes you can, but try spinning up 100 vms in a minute and see how your MacBook Air performs.

akshaykarle almost 10 years ago
Docker is mainly an app packaging mechanism of sorts. Just like you would build jars, wars or rpms, etc. you create docker images for your applications. The advantage you get is that you can package all your dependencies in the container thereby making your application independent and using the tools provided by docker in combination with swarm, compose, etc. it makes deployment of your apps and scaling easier.

OpenVZ, LXC, solaris zones and bsd jails on the other hand mainly run a complete OS and the focus is quite different from packaging your applications and deployments.

You can also have a look at this blog which explains the differences more in detail: http://blog.risingstack.com/operating-system-containers-vs-application-containers/

jacques_chester almost 10 years ago
Docker uses the same kernel primitives as other container systems. But it tied together cgroups, namespaces and stackable filesystems into a simple cohesive model.

Add in image registries and a decent CLI and the developer ergonomics are outstanding.

Technologies only attract buzz when they're accessible to mainstream developers on a mainstream platform. The web didn't matter until it was on Windows. Virtualization was irrelevant until it reached x86, containerization was irrelevant until it reached Linux.

Disclaimer: I work for a company, Pivotal, which has a more-than-passing interest in containers. I did a presentation on the history which you might find interesting: http://livestre.am/54NLn

sudioStudio64 almost 10 years ago
I think the main thing is to provide an abstraction for applications so that they aren't tightly coupled to the operating system of the server that's hosting them. That's a big deal.

Some people have mentioned security...patching in particular. Containers won't help if you don't have patching down. At the very least it lets you patch in the lab and easily promote the entire application into production.

I think that the security arguments are a canard. By making it easier and faster to deploy you should be able to patch app dependencies as well. I, for one, would automate the download and install of the latest version of all libs in a container as part of the app build process. Hell, build them all from source.

IT departments need to be able to easily move applications around instead of the crazy build docs that have been thrown over the wall for years.

jtwebman almost 10 years ago
It's a tool to make over engineering every project even easier! All joking aside it is a good tool for some teams to make sure the same exact code is running in production that was tested. I don't think it is for everyone and can make things much more complicated than they need to be. I also don't think everything needs to be in a docker.

hmans almost 10 years ago
Docker is the industry-accepted standard to run web applications as root.

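Added example, not part of the thread and not Docker tooling: a Python check related to the comment above that reports which user the final stage of a Dockerfile leaves the container running as. Function names are hypothetical, heredocs and ARG substitution are assumed absent, the first sample is the Dockerfile from tinco's comment and the second is constructed.

```python
# Dockerfile from tinco's comment: no USER instruction at all.
TINCO_DOCKERFILE = """\
FROM nginx
COPY index.html /usr/share/nginx/html
"""

# Constructed sample: multi-stage build whose final stage drops privileges.
MULTISTAGE_DOCKERFILE = """\
FROM golang AS build
USER root
RUN go build -o /out/app \\
    ./cmd/app
FROM --platform=linux/amd64 scratch
COPY --from=build /out/app /app
USER 10001:10001
ENTRYPOINT ["/app"]
"""


def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def final_stage_user(text):
    """Return (base, user) for the last stage; user is None if never set."""
    stage_users = {}          # stage alias -> user in effect in that stage
    base = user = alias = None
    for line in logical_lines(text):
        parts = line.split()
        op = parts[0].upper()
        if op == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]
            base = args[0]
            # FROM <earlier stage> inherits that stage's USER.
            user = stage_users.get(base.lower())
            has_alias = len(args) >= 3 and args[1].lower() == "as"
            alias = args[2].lower() if has_alias else None
        elif op == "USER" and len(parts) > 1:
            user = parts[1]
        if alias:
            stage_users[alias] = user
    if base is None:
        raise ValueError("no FROM instruction found")
    return base, user


def audit(text):
    """Classify the final stage: root, non-root, inherits-base or unresolved."""
    base, user = final_stage_user(text)
    if user is None:
        return "inherits-base", f"no USER; runs as the default of {base}"
    name = user.split(":", 1)[0]
    if name.startswith("$"):
        return "unresolved", f"USER {user} depends on a build variable"
    if name in ("root", "0"):
        return "root", f"USER {user} is set explicitly"
    return "non-root", f"USER {user}"


if __name__ == "__main__":
    for label, text in (("tinco", TINCO_DOCKERFILE),
                        ("multistage", MULTISTAGE_DOCKERFILE)):
        print(label, *audit(text))
```

An "inherits-base" result is the case to follow up: when neither the Dockerfile nor the base image sets a user, the container process runs as UID 0.
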
csardi almost 10 years ago
I like this presentation, as it shows what Docker really is, and also how to use Docker without Docker: https://chimeracoder.github.io/docker-without-docker/#1

mariocesar almost 10 years ago
The most common pro is "Build once deploy everywhere". Even if that is possible, I always feel pushing a 500 MB tar image to the production servers is more an annoyance than being helpful; yes, you can set up your own registry, but maintaining the service, securing it, adding user permissions and maybe using a proper backend like S3 is an extra annoying layer and another component that could fail.

If the docker tool had something like `docker serve` to start its own local registry, that would be more than great.

For this case, switching to Go was a great solution; building the binary is everything you need.

About docker being helpful for development, definitively yes: I switched to postgres, elasticsearch and redis containers instead of installing them on my computer. It is easy to flush and restart, and having different versions of services is also more manageable.

spaceisballer almost 10 years ago
I know you have some other questions that I am not qualified to answer, but I recalled seeing a similar question asked not that long ago.

https://news.ycombinator.com/item?id=9805056

dschiptsov almost 10 years ago
To create a buzzword to attract investors' money. It is professional brand management at work.

hosh almost 10 years ago
You're coming at this from the wrong direction, namely virtualization.

What differentiates Docker is not virtualization, so much as package management. Docker is a package management tool that happens to allow you to execute the content of the package with some sort of isolation.

Further, when you look at it from that angle, you start seeing the flaws with it, as well as its potential. It's no accident that Rocket and the Open Container Project are arising to standardize the container format. Other, less-well-known efforts include being able to distribute the container format themselves in a p2p distribution system, such as IPFS.

Kiro almost 10 years ago
For me I don't understand the purpose at all. I have a few node.js and PHP services. Why do I need isolation and have them in containers? If I want an identical environment when developing I can use Vagrant.

pjc50 almost 10 years ago
The description on HN the other day of Docker as a souped-up static linking system is the most interesting one.

tobbyb almost 10 years ago
OpenVZ or LXC give you OS containers like KVM or VMware gives you virtual machines. Unlike OpenVZ, LXC does not need a custom kernel, and is supported in the mainline Linux kernel paving the way for widespread adoption.

Docker took the LXC OS container template as a base, modified the container OS init to run a single app, builds the OS file system with layers of aufs, overlayfs, and disables storage persistence. And this is the app container.

This is an opinionated use case of containers that adds significant complexity, more a way to deploy app instances in a PAAS centric scenario.

A lot of confusion around containers is because of the absence of informed discussion on the merits or demerits of this approach and the understanding that you have easy to use OS containers like LXC that are perfectly usable by end users like VMs are, and then app containers that are doing a few more things on top of this.

You don't need to adopt Docker to get the benefits of containers, you adopt Docker to get the benefits of docker and often this distinction is not made.

A lot of users whose first introduction to containers is Docker tend to conflate Docker to containers, and thanks to some 'inaccurate' messaging from the Docker ecosystem think LXC is 'low level' or 'difficult' to use. Why would anyone try LXC if they think it's low level or difficult to use? But those who do will be pleasantly surprised how simple and straightforward it is.

For those who want to understand containers, without too much fuss, we have tried to provide a short overview in a single page in the link below.

https://www.flockport.com/containers-minus-the-hype

Disclosure - I run flockport.com that provides an app store based on LXC containers and tons of tutorials and guides on containers, that can hopefully promote more informed discussion.

theknarf almost 10 years ago
Docker is a way to create immutable infrastructure, which is a key component to a) have software working the same in test and prod. (hint DevOps.) and b) creating servers which can scale both vertically and horizontally.

I think that's the best way I can summarise what Docker _is_.

mbrock almost 10 years ago
I don't know much about virtualization technology, but Docker is nice for me because it's an accessible, well-known, and rather easy way to make applications easy and straightforward to run.

Where I've worked in the past, setting up a new development or production environment has been difficult and relied on half-documented steps, semi-maintained shell scripts, and so on. With a simple setup of a Dockerfile and a Makefile, projects can be booted by installing one program (Docker) and running "make".

You could do that with other tools as well, but Docker, and even moreso the emerging "standards" for container specification, seems like an excellent starting point.

bfirsh almost 10 years ago
This explains the difference between Docker and normal virtualization technology: https://www.docker.com/whatisdocker

corradio almost 10 years ago
Might be interesting for you: https://medium.com/using-artificial-intelligence-to-make-technology/engineering-a-fast-feedback-infrastructure-6f6f132e5807

johnminter almost 10 years ago
I think one useful purpose was described by Prof. Mine Cetinkaya-Rundel of Duke at the recent UseR conference. She teaches an introductory statistics class for non-majors. Docker lets her spin up individual virtual machines for each student with all the packages they need for the class without all the sys-admin headaches of getting all the software on everybody's systems. You can see her slides and evaluation of the alternatives here:

https://github.com/mine-cetinkaya-rundel/useR-2015/blob/master/r_studio_docker.pdf

lgunsch almost 10 years ago
Simply put, Docker is *operating system virtualization*:

https://en.wikipedia.org/wiki/Operating-system-level_virtualization

Edit: formatting.

somberi almost 10 years ago
A meta critique after reading 139 comments: I too had the same question as the parent and from the ensuing conversations, I assume that either Docker is so thin-layered (not in a bad way) that it is open to so many interpretations or it is so thin-layered (in a trivial way), that one does not need to get all worked up adopting it if one is comfortable in using other VM options out there (like OpenVZ for example).

theneb almost 10 years ago
I find docker is quite good for integration tests where you need to test against a third party bit of software. Lots of images exist in the hub for this.

justincormack almost 10 years ago
OpenVZ is not upstream in the kernel; the container stuff that got merged is what Docker uses. Docker has much wider adoption than OpenVZ does now.

xaduha almost 10 years ago
Someone (Darren Shepherd?) compared Docker to Ajax. It's not a technological breakthrough, it's another kind of breakthrough.

I think it was here [1], but deleted now.

[1] http://ibuildthecloud.tumblr.com/post/63895248725/docker-is-lxcs-ajax

tfn almost 10 years ago
I went ahead and blogged an answer here: http://blog.tfnico.com/2015/07/the-sweet-spot-of-docker.html

TL;DR: It's better for deploying applications and running them than using home-made scripts.

atsaloli almost 10 years ago
See http://stackoverflow.com/questions/29304951/difference-between-docker-and-openvz

programminggeek almost 10 years ago
It exists to create jobs in devops.

kolyshkin almost 10 years ago
[Disclaimer: I am the guy who was running OpenVZ since the very beginning, and if you hate OpenVZ name/logo, I am the one to blame. Also, take everything I say with a grain of salt -- although I know, use, like and develop for Docker, my expertise is mostly within OpenVZ domain, and my point of view is skewed towards OpenVZ]

Technologically, both OpenVZ and Docker are similar, i.e. they are containers -- isolated userspace instances, relying on Linux Kernel features such as namespaces. [Shameless plug: most of namespaces functionality is there because of OpenVZ engineers' work on upstreaming]. Both Docker and OpenVZ have tools to set up and run containers. This is where the similarities end.

The differences are:

1 system containers vs application containers

OpenVZ containers are very much like VMs, except for the fact they are not VMs but containers, i.e. all containers on a host are running on top of one single kernel. Each OpenVZ container has everything (init, sshd, syslogd etc.) except the kernel (which is shared).

Docker containers are application containers, meaning Docker only runs a single app inside (i.e. a web server, a SQL server etc).

2 Custom kernel vs vanilla kernel

OpenVZ currently comes with its own kernel. 10 years ago there were very few container features in the upstream kernel, so OpenVZ had to provide their own kernel, patched for containers support. That support includes namespaces, resource management mechanisms (CPU scheduler, I/O scheduler, User Beancounters, two-level disk quota etc), virtualization of /proc and /sys, and live migration. Over ten years of work of OpenVZ kernel devs and other interesting parties (such as Google and IBM) a lot of this functionality is now available in the upstream Linux kernel. That opened a way for other container orchestration tools to exist -- including Docker, LXC, LXD, CoreOS etc. While there are many small things missing, the last big thing -- checkpointing and live migration -- was also recently implemented in upstream, see CRIU project (a subproject of OpenVZ, so another shameless plug -- it is OpenVZ who brought live migration to Docker). Still, OpenVZ comes with its own custom kernel, partly to retain backward compatibility, partly due to some features still missing from the upstream kernel. Nowadays that kernel is optional but still highly recommended.

Docker, on the other side, runs on top of a recent upstream kernel, i.e. it does not need a custom kernel.

3 Scope

Docker has a broader scope than that of OpenVZ. OpenVZ just provides you with a way to run secure, isolated containers, manage those, tinker with resources, live migrate, snapshot, etc. But most of OpenVZ stuff is in the kernel.

Docker has some other things in store, such as Docker Hub -- a global repository of Docker images, Docker Swarm -- a clustering mechanism to work with a pool of Docker servers, etc.

4 Commercial stuff

OpenVZ is a base for commercial solution called Virtuozzo, which is not available for free but adds some more features, such as cluster filesystem for containers, rebootless kernel upgrades, more/better tools, better containers density etc. With Docker there's no such thing. I am not saying it's good or bad, just stating the difference.

This is probably it. Now, it's not that OpenVZ and Docker are opposed to each other, in fact we work together on a few things:

1. OpenVZ developers are authors of CRIU, P.Haul, and CRIU integration code in Docker's libcontainer. This is the software that enables checkpoint/restore support for Docker.

2. Docker containers can run inside OpenVZ containers (https://openvz.org/Docker_inside_CT)

3. OpenVZ devs are authors of libct, a C library to manage containers, a proposed replacement or addition to Docker's libcontainer. When using libct, you can use enhanced OpenVZ kernel for Docker containers.

There's more to come, stay tuned.

droidztix almost 10 years ago
reading while eating popcorn ( ͡° ͜ʖ ͡°)