...
Docker solves the problem of operating system environment consistency (packages, libraries, environment variables, configuration state etc.) and build qualification. It allows consistent test scenarios and setups, which can greatly add to reliable service operations.
Before container deployment schemes (like Docker), convergent end-to-end management of build, test, release and production environments was often lacking, and unsuspected issues could cause high diagnostics effort (debugging, system analysis, root cause analysis etc.). Since nobody liked doing this live, in production, container solutions like Docker rose to popularity alongside DevOps. Better testability, reproducibility, convergence, end-to-end control… you name it.
On a tech level Docker uses (Linux) kernel features and puts the well-known chroot concept on steroids. This way we get a universal system to build and ship applications. Docker is the popular implementation, which has informed the OCI specification and given rise to other runtimes such as Podman.
The technical foundation
...
Cloud Native denotes a macro trend related to the standardization of Linux service management and Linux-based cloud computing. It is when services are made for the cloud (including on-premises private clouds, as defined within NIST SP 800-145). Cloud Native services can be migrated between different kinds of cloud deployment scenarios, which may help with a defined onboarding, migration and exit strategy for the services in scope.
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
Docker under the hood
Unlike a virtual machine, a container does not need to boot the operating system kernel. Therefore, containers can be created in less than a second.
The process isolation (which uses Linux namespaces, cgroups and other kernel features like capabilities) happens within a libcontainer component called “runC”. Each container that gets instantiated is started by its own runC instance.
...
cgroups is a Linux kernel feature for resource compartmentalization.
https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
Control Groups provide a mechanism for aggregating/partitioning sets of
tasks, and all their future children, into hierarchical groups with
specialized behaviour.
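The namespaces, cgroups and capabilities described above leave traces in /proc that a defender can read back to verify what isolation a containerised process actually ended up with. The following Python script is an added example (it is not code from the article, from Docker or from runC): it decodes the CapEff capability bitmask from /proc/<pid>/status, parses /proc/<pid>/cgroup (both the v1 and the single-line v2 format) and flags capabilities that let a process reach across the namespace boundary. The BOUNDARY_WEAKENING set is my own selection, and the sample status and cgroup lines are constructed; the CapEff mask in the sample is the one a default Docker container receives.

```python
"""Inspect the kernel-level isolation a process actually got: capabilities
(from /proc/<pid>/status) and cgroup membership (from /proc/<pid>/cgroup).
Added example, not part of the original article. The parsers follow the
text formats documented in proc(5); the sample inputs below are constructed."""
import os
import sys

# Capability bit positions as defined in linux/capability.h (list index == bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# My own selection: capabilities that let a process act outside its
# namespace/cgroup boundary. A plain service container should not hold them.
BOUNDARY_WEAKENING = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_BPF",
}


def decode_cap_mask(hex_mask: str) -> list[str]:
    """Turn a CapEff/CapBnd hex bitmask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    if mask >> len(CAP_NAMES):  # bits this table does not know about
        names.append(f"<unknown bits above {len(CAP_NAMES) - 1}>")
    return names


def parse_proc_status(text: str) -> dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_proc_cgroup(text: str) -> list[tuple[int, list[str], str]]:
    """Parse /proc/<pid>/cgroup lines of the form 'hierarchy-ID:controllers:path'.
    cgroup v2 shows a single line with hierarchy 0 and an empty controller list."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hier, controllers, path = line.split(":", 2)
        entries.append((int(hier), [c for c in controllers.split(",") if c], path))
    return entries


def isolation_report(status_text: str, cgroup_text: str) -> dict:
    """Summarise effective capabilities and cgroup placement of one process."""
    status = parse_proc_status(status_text)
    caps = decode_cap_mask(status.get("CapEff", "0"))
    cgroups = parse_proc_cgroup(cgroup_text)
    return {
        "effective_caps": caps,
        "boundary_weakening_caps": sorted(set(caps) & BOUNDARY_WEAKENING),
        # A process still in the root cgroup of every hierarchy is not resource-partitioned.
        "in_root_cgroup": all(path == "/" for _, _, path in cgroups),
        "cgroup_paths": [path for _, _, path in cgroups],
    }


# Constructed samples: CapEff 00000000a80425fb is the mask a default Docker
# container gets; the cgroup line is a typical cgroup v2 docker scope path
# with a made-up container id.
SAMPLE_STATUS = "Name:\tnginx\nPid:\t1\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
SAMPLE_CGROUP = "0::/system.slice/docker-0123456789abcdef.scope\n"

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    if os.path.exists(f"/proc/{pid}/status"):
        with open(f"/proc/{pid}/status") as f, open(f"/proc/{pid}/cgroup") as g:
            report = isolation_report(f.read(), g.read())
    else:  # not on Linux: fall back to the constructed sample
        report = isolation_report(SAMPLE_STATUS, SAMPLE_CGROUP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it inside a container (`python3 isolation.py`) or against any PID on the host (`python3 isolation.py 1234`); a non-empty `boundary_weakening_caps` list, or `in_root_cgroup: True` for a supposedly containerised process, is what you would want to investigate.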
...
Solutions: rootless Docker
https://docs.docker.com/engine/security/rootless/
Software vulnerabilities
Any security vulnerability that is reachable from the ENTRYPOINT process (the process the container is started with) can potentially be triggered by attacker-controlled input, for example through injection attacks.
Dockerfile reference (ENTRYPOINT)
Solutions: application security, including supply-chain security and SCA (Software Composition Analysis)
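Because the ENTRYPOINT process is where exposed vulnerabilities are reached, it is worth checking statically what that process is and under which user it runs. The Python script below is an added example (not code from the article or from Docker): it parses a Dockerfile for ENTRYPOINT, CMD and USER, reproduces Docker's documented rule for combining exec-form ENTRYPOINT with CMD (and the fact that shell form wraps the command in `/bin/sh -c`), and reports an entry process that runs as root or is really a shell. The two Dockerfiles are constructed; multi-stage builds and ARG/ENV substitution are not handled.

```python
"""Static check of a Dockerfile: which process becomes the container's entry
process, and whether it runs as root. Added example, not from the original
article; the sample Dockerfiles are constructed."""
import json


def _parse_value(value: str):
    """Exec form (a JSON array) runs the binary directly; shell form is run as
    /bin/sh -c "<string>", so the entry process is the shell, not the service."""
    value = value.strip()
    if value.startswith("["):
        return json.loads(value), "exec"
    return ["/bin/sh", "-c", value], "shell"


def parse_dockerfile(text: str) -> dict:
    """Return the effective ENTRYPOINT, CMD and USER; later instructions override earlier ones."""
    state = {"entrypoint": None, "entrypoint_form": None, "cmd": None, "user": "root"}
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "ENTRYPOINT":
            state["entrypoint"], state["entrypoint_form"] = _parse_value(rest)
        elif instr == "CMD":
            state["cmd"], _ = _parse_value(rest)
        elif instr == "USER":
            state["user"] = rest.strip().split(":")[0]  # drop an optional :group
    return state


def entry_process(state: dict) -> list[str]:
    """Docker's rule: exec-form ENTRYPOINT gets CMD appended as arguments,
    shell-form ENTRYPOINT ignores CMD, and without ENTRYPOINT CMD is the process."""
    ep, cmd = state["entrypoint"], state["cmd"]
    if ep is None:
        return cmd or []
    if state["entrypoint_form"] == "shell":
        return ep
    return ep + (cmd or [])


def findings(text: str) -> list[str]:
    """Human-readable findings about the entry process of a Dockerfile."""
    state = parse_dockerfile(text)
    proc = entry_process(state)
    out = []
    if state["user"] in ("root", "0"):
        out.append("entry process runs as root (no USER instruction, or USER root)")
    if state["entrypoint_form"] == "shell":
        out.append("shell-form ENTRYPOINT: PID 1 is /bin/sh, not the service binary")
    if not proc:
        out.append("no ENTRYPOINT or CMD: image has no defined entry process")
    return out


# Constructed Dockerfiles: the first keeps the defaults, the second sets a
# dedicated user and uses the exec form.
SAMPLE_BAD = """FROM python:3.12-slim
COPY app /app
ENTRYPOINT python /app/server.py
"""
SAMPLE_GOOD = """FROM python:3.12-slim
COPY app /app
RUN useradd --system --no-create-home svc
USER svc
ENTRYPOINT ["python", "/app/server.py"]
CMD ["--port", "8080"]
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, "->", entry_process(parse_dockerfile(text)))
        for finding in findings(text) or ["no findings"]:
            print("   ", finding)
```

The check only answers the first question of the section (what is reachable, and as whom); pairing it with SCA output for the packages the entry process loads is what closes the loop.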
...
% docker rmi $(docker images -a -q)
...