[cpuguy83]

I don't think you are understanding what docker is doing.

Docker interfaces with the kernel to provide security and isolation via cgroups and namespaces. This is exactly what jails does, and is indeed on the list of things to be added. It's really a matter of someone taking the time to write the driver for it.

Docker also provides an image format and infrastructure for helping to make applications portable.

[Alupis]

> I don't think you are understanding what docker is doing.

Seems like you actually are not understanding what docker is doing. Docker (and LXC for the matter) aren't about security -- they are about portability of the application and environment. Everything else is tertiary.

> It's really a matter of someone taking the time to write the driver for it.

It's a bit more complicated than that -- the two are different beasts with different goals.

> Docker also provides an image format and infrastructure for helping to make applications portable.

This is the main goal of Docker -- making applications and their environment portable.

> Docker interfaces with the kernel to provide security and isolation via cgroups and namespaces

Neither Cgroups nor Namspaces provide security in the same sense as a virtual machine or virtualized app (jails). Cgroups are about resources allocated from the host, and namespaces are about process isolation... but neither prevent different containers from interacting with each other nor the host. This is the security aspect - which Docker (and LXC) were not designed to provide. The problem they solve does not require it.

Use the right tool for the right job. If you are going to host a bunch of applications for different people -- go with virtualization, either via a hypervisor or jail. If you are going to deploy applications in an enterprise environment and need it to be consistent always, across all distros and version -- go with LXC/docker.

[waffle_ss]

> Seems like you actually are not understanding what docker is doing

cpuguy83 is a Docker core maintainer: https://github.com/cpuguy83

He's answered plenty of my questions in #docker IRC.

[cpuguy83]

I don't know about core maintainer, but I contribute where I can :)

[cpuguy83]

The cgroups and namespaces do indeed provide a layer of security. We also drop certain capabilties, so for instance root inside the container can't (by default) manipulate iptables, mount things, change network settings, etc. To come later would also be user namespaces so root inside the container != root outside the container. There's also a significant amount of support within Docker for selinux/apparmor stuff.

Indeed, all these things come together to do exactly what jails does.

Jails do not provide the same security as a VM, just like what Docker does is not providing that same level of security. You are kidding yourself if you think jails does.

It's all layers... like ogres... or onions :)

[Alupis]

I get the PR angle... But over-representing Docker is doing more harm than good. People are reading things like "We would like to add feature X" or "Implementing feature X is on the roadmap", but interpreting it as "Docker does all these things right now". Soon people will be talking about how Docker makes pizza too.

Can Docker be secure? Sure -- is it? No.

[cpuguy83]

These are all things that are there now, except user namespaces (which is indeed huge), not roadmap items.

[josteink]

> I don't think you are understanding what docker is doing. Docker interfaces with the kernel to provide security and isolation via cgroups and namespaces.

If I were to nitpick I would say docker is doing none of those things. LXC is. Docker is just freeloading off LXC while providing almost no benefits.

I tried Docker, but quickly discovered it was a cumbersome interface on top of LXC, and if you wanted to get any real work done, you needed to manage LXC yourself anyway. So ... Why should I bother with Docker in the first place then?

Docker may be good enough for some people, but I feel LXC, which Docker is actually built on is getting no credit, when clearly they deserve 99% of it.

[zenlikethat]

> If I were to nitpick I would say docker is doing none of those things. LXC is. Docker is just freeloading off LXC while providing almost no benefits.

This was true in early versions, but now the default container "exec driver" is libcontainer (a pure Go container implementation), and you can swap to LXC "exec driver" if you wish. To say Docker is piggybacking on top of LXC is unfair when in reality Docker wrote thier own container implementation.

> I tried Docker, but quickly discovered it was a cumbersome interface on top of LXC, and if you wanted to get any real work done, you needed to manage LXC yourself anyway. So ... Why should I bother with Docker in the first place then?

How long ago was this? The project moves fast and new features get added all the time.

[CSDude]

Almost no benefits? The good parts of Docker adds on top of plain LXC:

- Layered file system for containers, commiting - Images, easily transferable - Remote API - Network interfaces - Linking containers - Nice build system, one Dockerfile and you are almost good to go

I really wonder what is the real work you want to do, that you cannot do with Docker, and Docker becomes a cumbersome.