by DannoHung 4731 days ago
If you're sort of confused as to what advantage there is to this way of doing things over just running a VM in VirtualBox or using Vagrant, you probably aren't yet aware of what the Docker project is doing.

It's creating the VirtualBox of Linux Containers. Docker image files are extremely lightweight when compared to VirtualBox images and use union file systems to allow for complete isolation rather than using VM volumes.

An example scenario for when you'd want something like this is if you want to load an experimental library for a specific application that some part of your system depends on the stability of. Fire up a Docker image for just that application with the experimental library replacing the stable library, and just the applications inside the Docker image will see it. No need to even play around with library versions or links. And since the Docker images are so lightweight and incur extremely little performance penalty (I think it is limited to just the cost of using the union FS over your normal FS), you can do this for dozens of scenarios at once.


I'm confused with the advantage over "pure" LXC and a couple of scripts for the mounts; what does it provide for this kind of usage? Or is it not using LXC and basically implements its own interface to the Linux namespaces? (That'd actually be cool... :P)

Docker combines LXC along with a few other isolation and security technologies. What the Docker maintainers are also doing is setting up a system for distributing LXC-based images. Beyond this, since Docker works with these union file systems, it also lets you build on top of other images.

Eventually, there may be some way to merge images together, though I imagine that will always be a little hairy compared to a simple stack-up.

Documentation is more than a little sparse right now, unfortunately. It took me a few days to figure out how all the pieces work together.

Can you be specific about the other security methodologies Docker rolls in? Everywhere I read, people say "LXC != VM-level security"; specifically, I hear that root on the container means root on the host. These SUSE guys at least say "If you want to be secure, KVM is still your answer": http://unixcal.com/s/a4mn . Thoughts?

Root on the container doesn't mean root on the host. Machine-level virtualization has received more scrutiny than LXC, so as of today, many people consider traditional VMs to be more secure. But KVM or Xen are not intrinsically more secure than LXC or OpenVZ. They all have their histories of exploits and privilege escalations.

One key thing is that it makes sense to run containers without root privileges (greatly improving security), while it is much harder to realistically run a VM without root processes. As a result, it could be said that containers are much safer, because before even thinking about breaking out of the container, you have to work on a root exploit, on a system which, by essence, only runs the processes that you really need and has a much smaller attack surface.

We're working on a more elaborate answer, to be included within the Docker docs!
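The scenario from the top post (one application sees an experimental library, nothing else on the host does) and the point made in the reply above (run the container's process without root) can be put together in a single build-and-run script. The following is an added example, not code from the thread or from the Docker project; the image tag `myapp-experimental`, the application binary `myapp`, the library tarball `libfoo-experimental.tar.gz` and the user name `appuser` are all hypothetical names chosen for illustration:

```shell
#!/bin/sh
# Added example (not from the thread or the Docker project).
# Builds one image whose only difference from the host is an experimental
# library, then runs the application inside it as an unprivileged user.
# Assumed (hypothetical) names: image "myapp-experimental", binary ./myapp,
# library tarball ./libfoo-experimental.tar.gz, container user "appuser".
set -eu

# Emit the Dockerfile. Only this image carries the experimental library;
# the host and every other container keep whatever stable copy they have.
dockerfile_text() {
  cat <<'EOF'
FROM debian:stable-slim
# Assumption: the application is a self-contained binary in the build context.
COPY myapp /usr/local/bin/myapp
# Unpack the experimental build of the library into this image only.
COPY libfoo-experimental.tar.gz /tmp/
RUN mkdir -p /opt/libfoo \
 && tar -xzf /tmp/libfoo-experimental.tar.gz -C /opt/libfoo \
 && rm /tmp/libfoo-experimental.tar.gz
# Make the dynamic loader inside the container prefer the experimental copy.
ENV LD_LIBRARY_PATH=/opt/libfoo/lib
# Create an unprivileged account so a bug in the experimental code does
# not hand out root inside the container.
RUN useradd --system --no-create-home appuser
USER appuser
CMD ["myapp"]
EOF
}

# Compose the run command: -u forces the unprivileged user even if the
# image were changed, --cap-drop=ALL removes every root capability, and
# --read-only keeps the image layers immutable at runtime.
run_command() {
  image="$1"
  printf 'docker run --rm -u appuser --cap-drop=ALL --read-only %s\n' "$image"
}

# Write the Dockerfile into a build-context directory and print its path.
write_context() {
  dir="$1"
  mkdir -p "$dir"
  dockerfile_text > "$dir/Dockerfile"
  printf '%s\n' "$dir/Dockerfile"
}

# Only talk to Docker when the caller asks for a build and the CLI exists,
# so the script can be sourced or inspected on a machine without Docker.
if [ "${1:-}" = "build" ] && command -v docker >/dev/null 2>&1; then
  ctx=$(mktemp -d)
  write_context "$ctx" >/dev/null
  # Assumption: binary and tarball sit in the current directory.
  cp myapp libfoo-experimental.tar.gz "$ctx/"
  docker build -t myapp-experimental "$ctx"
  sh -c "$(run_command myapp-experimental)"
fi
```

Invoke it as `sh build-experimental.sh build` on a host with Docker installed; without the argument it only defines the helpers. Processes outside the container never see `/opt/libfoo`, and a fault in the experimental library lands in a process that is neither root nor holding any capability.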

Docker does use LXC under the hood. They serve very different purposes.

LXC is a tool for sysadmins to deploy and configure virtual servers on their machines.

Docker is a tool for developers to package their application into a deployable object without worrying about how the sysadmin will deploy it, and for sysadmins to deploy applications without worrying about how they were packaged.

When you tinker long enough with LXC, eventually you start building something like Docker on top of it, because it just makes sense. Now, instead of reinventing the wheel, you can just use Docker.

It's a wrapper around LXC (and a couple of other things) to make it usable for mere humans. With LXC there's still too much low-level fiddling work to do. Docker provides everything you need to create and use containers easily and quickly. It downloads images for you. It creates bind mounts for you. It sets up networking in the container for you. It sets up certain IP forwarding rules for you. Et cetera.

Great explanation! Thanks DannoHung