[schmichael]

One large difference is that docker has a daemon that exposes an HTTP API and acts more or less like an init for containers.

The docker daemon has historically had some stability issues as well as some security implications. Running a command line tool like rkt is a vastly smaller attack surface and less complex stack overall.

[orthecreedence]

Also, not sure if this is still the case, but Docker's daemon ran as root on the host. Any vulnerability has the potential to give root on the host machine to an attacker. I don't think this has ever happened, but rkt's approach of using a process per container just makes much more sense in a security context (and for containerization in general).

[fapjacks]

The daemon needs superuser privileges to do its business, but your containers are not running as root. That lives behind the --privileged option and has ample guidance in the documentation against using it.

[TheDong]

Wrong. Without usernamespacing your containers do run as root. If you type `docker run busybox id` it will print uid=0, and that uid is 0 in the container and out of it.

You are namespaced, so the linux kernel promises that even though you're root, you're not dangerous, and there is syscall filtering and shit going on.... but that historically has not really fared that well!

But your statement is false. You're root with and without privileged. Privileged gives you back CAPABILITIES which are different than USER, so your claim is bullshit.

[tmzt]

Where in the kernel is 0==uid still privileged? Are there still places where the uid is checked instead of caps?

[TheDong]

He said "but your containers are not running as root".

That is objectively false.

uid = 0 is "privileged" basically everywhere in the kernel, from filesystem management (reading a file bindmounted in that's owned by root e.g.) to binding to low ports (like 80).

[fapjacks]

Whatever dude. You keep spreading your FUD. You clearly do not understand what Docker is and what Docker does.

[indexerror]

> docker has a daemon that exposes an HTTP API

This API has to enabled explicitly. Docker daemon works by using a unix socket instead ( "/var/run/docker.sock" ).

> acts more or less like an init for containers

There is Docker daemon and there is Docker CLI. Both have separate scopes.

[gnosek]

> There is Docker daemon and there is Docker CLI. Both have separate scopes.

Docker CLI is glorified curl, everything happens in the daemon (containerd being logically -- but finally not physically -- part of the daemon).

[TheDong]

The unix socket actually serves an HTTP api (just not over tcp) as well, so the statement was true either way.

[simstein]

Could you please give a hint on what kind of stability issues you experienced? Do they still exist? My team is thinking about using Docker for high loaded system in production, and stability is one of our priorities here.

[schmichael]

I don't personally operate docker in production, but googling "docker stability" or perusing their github issues should lead to the same anecdotes I'm referring to.

If you'll indulge me putting on my corporate hat for a minute: we've had some customers very happy scheduling a high volume of containers at a high rate on nomad:

- https://www.hashicorp.com/c1m.html (mentions a docker bug even)

- https://www.youtube.com/watch?v=MRtRwhL5lwM

If at all possible I'd recommend using our Java or exec drivers as they use builtin containerization and avoid the overhead of docker or rkt.