Docker has attracted a lot of attention lately, with major vendors contributing to the containerization technology. The company is venturing into acquisitions, services like StackDock.com and Drone.io are emerging, and Docker technology is being embraced as a solid complement for the Java Virtual Machine.
To get the latest insights into Docker and where it is headed, InfoWorld Editor at Large Paul Krill met with Docker Vice President James Turnbull at the recent O'Reilly Open Source Convention in Portland, Ore. Turnbull is responsible for customer-facing business and has contributed to the Docker project.
InfoWorld: What is the big deal about Docker?
Turnbull: Docker has two interesting aspects. One is operating system level virtualization. It's a container instead of a virtual machine. As a result, it doesn't have a lot of overhead. It doesn't have the hypervisor in the middle, and that allows containers to be really lightweight and really fast. Running a Docker container is a subsecond launch, so it takes you snap, snap, snap and you can launch a Docker container. [It is] very, very fast.
On top of that, we've built a workflow, which is really designed for first-time developers, allowing them to say, "I have code on my laptop. I want to run that code in my dev test environment, and I want to get it pushed into my staging environment." So we built a workflow on top of these containers to help developers build applications, test them, run them, and deploy them.
InfoWorld: How does Docker fit into devops?
Turnbull: I describe it a little bit arrogantly as the first true sort of devops tool because it is really focused on providing developers with a platform to run their applications and providing ops people with a tool that will allow them to integrate with that workflow and allow them to deploy the same code. It tries to make the experience between a developer running an app and booting and testing an application and an operations person deploying that seamless, because that's where the friction is in devops. It's usually the part where the application developer hands over the application to the operations people and they discover, "Oh, it doesn't run. It ran fine on my laptop, doesn't work in production." Docker is designed to reduce the friction in that relationship.
InfoWorld: It's been estimated that apps running in a Docker container can run twice as fast as a virtual machine. How do you achieve this?
Turnbull: It's really about the removal of the hypervisor and the lightweight nature of Docker. Boden Russell at IBM Research had some statistics that said depending on the nature of the application, you could get 10-, 20-fold performance on a virtual machine. He published that earlier in the year, and we know it largely traced back to the fact that in the sort of traditional hypervisor world you have a physical machine and an operating system, then your virtual machine application, then a desktop system, then the application. In the Docker world you really have the physical machine, the operating system, Docker, then the application, so there's a lot of those layers taken out.
InfoWorld: Recently a security researcher published what is supposed to be the first security exploit of Docker in which files can be copied from the underlying OS and the file system then sent to a third party. Apparently this was considered serious, although it hasn't actually been found in the wild. How does Docker feel about this security issue?
Turnbull: Actually, the security issue that somebody found was in old releases of Docker. It has been fixed in a more recent release. Our response was twofold. One was that we'd already addressed the issue in the next release, and I think this was four or five releases old at that point. The second thing we did was point out that Docker containers are not the same as virtual machines. They are a different type of compute unit, and we have published best practices for security and the best way you can deploy Docker containers. They provide security guidelines to make running in containers a safer experience.
InfoWorld: As far as best practices, could you name some?
Turnbull: We recommend users don't run root-enabled processes inside containers. We recommend users rely on tools like SELinux and AppArmor to provide security at the operating system level. And we suggest that users deploy applications of like trust on a Docker host. You don't deploy your mission-critical banking application right next to your customer-facing Web service, which is a pretty standard recommendation when you talk about security.
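The first of the best practices above, not running root-enabled processes inside containers, is easy to enforce before an image is ever built. The script below is an added example and is not part of the interview or of the Docker project: a POSIX shell check that reports whether the final stage of a Dockerfile would run as root. It relies on two facts about Docker: the default user is root when no USER instruction is given, and in a multi-stage build only the last USER after the last FROM applies to the resulting image. The two Dockerfiles it writes are constructed for the demo (the image names, the `app` user and uid 10001 are illustrative choices), and USER values that depend on ARG or ENV substitution are not resolved, which is a stated limitation of the example rather than of Docker.

```shell
#!/bin/sh
# Added example (not from the interview or the Docker project): flag Dockerfiles
# whose final stage runs as root. Docker defaults to root when no USER
# instruction is present, and only the last USER in the final stage
# (i.e. after the last FROM) applies to the built image.
set -eu

# Print the effective user of the final stage of the Dockerfile given as $1.
# Assumptions of this example: USER values set via ARG/ENV are not resolved,
# an optional ":group" suffix is dropped, and no USER at all means root.
dockerfile_effective_user() {
    awk '
        toupper($1) == "FROM" { u = "" }   # a new stage resets the user
        toupper($1) == "USER" { u = $2 }   # the last USER instruction wins
        END { sub(/:.*/, "", u); print (u == "" ? "root" : u) }
    ' "$1"
}

# Echo "root" or "nonroot" for the Dockerfile given as $1.
# A numeric uid of 0 is treated as root, the same as the name "root".
dockerfile_root_status() {
    case "$(dockerfile_effective_user "$1")" in
        root|0) echo root ;;
        *)      echo nonroot ;;
    esac
}

# Constructed demo input: a weak Dockerfile (implicitly root) beside a
# hardened multi-stage one that creates and switches to an unprivileged user.
write_demo_dockerfiles() {
    dir=$1
    cat > "$dir/Dockerfile.weak" <<'EOF'
FROM debian:bookworm-slim
COPY app /usr/local/bin/app
CMD ["/usr/local/bin/app"]
EOF
    cat > "$dir/Dockerfile.hardened" <<'EOF'
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM debian:bookworm-slim
RUN useradd --system --uid 10001 --no-create-home app
COPY --from=build /out/app /usr/local/bin/app
USER app:app
CMD ["/usr/local/bin/app"]
EOF
}

# Demo run: prints "root" for Dockerfile.weak and "nonroot" for Dockerfile.hardened.
tmp=$(mktemp -d)
write_demo_dockerfiles "$tmp"
for f in "$tmp"/Dockerfile.*; do
    printf '%s: %s\n' "${f##*/}" "$(dockerfile_root_status "$f")"
done
rm -rf "$tmp"
```

The check is deliberately conservative: a USER in the build stage of the hardened file does not count, because it does not survive into the final image, and an explicit `USER 0` is flagged as root. Wiring `dockerfile_root_status` into a pre-commit hook or CI step turns the recommendation into a gate rather than a guideline; the other two practices Turnbull names (SELinux/AppArmor confinement and grouping workloads of like trust on a host) are enforced at the runtime and scheduling layers rather than in the Dockerfile.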