[gtrubetskoy]

What we collectively refer to as "containers" and software like Docker are just tools that take advantage of various facilities provided by the OS which allow one to isolate/restrict various resources like CPU, memory, network, visibility of other processes, filesystem access, fs layering and namespacing, provide traffic shaping, etc.

These isolation features go back a really long time in various OS's, but only in the last few years have they seen mass adoption, which, alas is running a bit ahead of any effort to make it a formal standard or anything even close to that.

And so the way you would create a "container" on Linux is very different from the way you'd do that on FreeBSD or Solaris or Windows. Docker was one of the first pieces of software to facilitate that on Linux (where it was and still is far from trivial), along with the whole docker image dockerhub ecosystem, etc. But ultimately what Docker does amounts to the right commands (or system calls) done, and you can have the same effect without Docker (there's even a nice Docker talk on youtube somewhere that shows how to do what Docker does without it from the command line).

IMHO in the developer community at large few people care to understand the operating system intimately, and even fewer people know stuff like cgroups or the tc command on Linux, and that's primarily why Docker is so popular - you don't need to know any of it.

I think it'd be nice if people stopped using "Docker" and "container" interchangeably, and if a set of tools emerged which would be more part of the OS distribution and less a separate concept/brand/company/whatever and was more or less uniform across, at least the Un*x-like OSs.

[ameliaquining]

Obligatory link to https://github.com/p8952/bocker/blob/master/bocker, a "clone" of Docker implemented as a ~100-line shell script.

[matt_wulfeck]

> These isolation features go back a really long time in various OS's, but only in the last few years have they seen mass adoption, which, alas is running a bit ahead of any effort to make it a formal standard or anything even close to that.

Also containers really didn't get very secure until Google started upstreaming various patches and updates to the kernel's cgroups[0].

The way docker runs containers is very different than then the way (I assume) Google does it. In a strange twist a fate Google did a lot of he grunt work to make containers safe and useable but then a another tool came to market and made containers ubiquitous.

[0] https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.t...

[derefr]

Linux had "containers" for years before Google's work, vis. Virtuozzo's https://en.wikipedia.org/wiki/OpenVZ.

OpenVZ's containers—and they were containers, in every sense of the word—were already secure; what they weren't was implemented by a set of granular, reusable in-kernel primitives that served any goals other than that of "containerization." Instead, OpenVZ was a very "cathedral"-esque approach to Linux containerization: just one big blob of code with a complex API surface. Thus, the kernel refused to upstream it.

Google's contribution was mainly to clone the feature-set of OpenVZ by working on a series of small enhancements (to cgroups and kernel namespaces) that would each be a useful standalone feature, but would also coincidentally be composable to replicate the power of an OpenVZ container. In other words, to create an OpenVZ alternative that was mergeable.

(Side-note: although Virtuozzo is recently a standalone company, for most of its life it was a brand owned by Parallels. If anyone is to "blame" for Linux containerization becoming a thing everyone was interested in, it's probably them.)

[SEJeff]

How about we replace every use of docker with "linux kernel namespaces and control groups along with netfilter and network bridge"? I think it has became so ubiquitous because it is so much less of a mouthful. While I don't disagree with you one bit, I doubt in practice it will ever happen.

Remember, much of the enterprise will start looking at docker maybe 2 years from now.

[TheDong]

> a set of tools emerged which would be more part of the OS distribution and less a separate concept/brand/company/whatever and was more or less uniform across, at least the Unx-like OSs.

If we redefine "Unx-like" to "literally only linux", then we have "systemd-nspawn" which integrates well with the rest of the linux system and is a nice and standards-y looking way to run a container.