Containers are instantiated from container images, a layered packaging system, to distribute applications along with their configuration and runtime dependencies.
From development to production, containers power modern cloud applications as they allow developers to move fast between platforms and versions.
Inside Google alone, at least two billion containers are generated each week to manage its vast operations. There are many tools to create, deploy and manage containers, including LXD, Docker and Kubernetes.
What is Docker?
Docker is an open-source containerisation platform. It provides an easy way to build and deploy containers in the cloud or on-premises. Docker didn’t introduce container technologies, but it made the user experience of container technologies so easy for developers that Docker soon became shorthand for containers and the most popular container format. Docker Inc, the company that supports the Docker project and community, also operates Docker Hub, a space for hosting container images.
Docker for beginners: docker-cli, containerd, and runc
Docker is many things: a community, a company, and multiple software projects. The so-called “Docker developer experience” uses three projects: docker-cli, containerd, and runc. The Docker command-line mostly interfaces with the containerd daemon to provide a great end-user experience. Containerd manages and supervises containers, images, storage, and networking. Finally, runc is the container runtime. It consists of all the code used to interact with container system features (think user namespaces, cgroups, and so on).
Kubernetes vs Docker: CRI-O and OCI
With more and more applications deployed on containers, simple orchestration tools are not enough to support complex production environments. 'Container orchestration' becomes a problem space of its own. The rise of Kubernetes is the industry's answer to the container orchestration problem, providing a way to manage containers at scale efficiently.
CRI (Container Runtime Interface) is a Kubernetes API to interface between Kubernetes orchestration features and container runtimes, such as containerd or CRI-O. The Open Container Initiative (OCI) defines a set of specifications to enable all these technologies to work together. Docker, runc, containerd, CRI-O are all OCI compatible.
Containers vs virtual machines
Containers are a modern way to virtualise infrastructure and are more lightweight than traditional virtual machines: all containers on a single host OS share the kernel and other resources, so they require less memory, achieve greater resource utilisation, and start up faster by orders of magnitude.
Docker vs LXD: comparing container technologies
Process containers (for example, Docker) and machine containers (traditional Linux containers) are two types of container technologies that can address different use cases. Process containers typically contain a single application, while machine containers can contain one or more applications as well as their own operating system. Both container technologies share a kernel with the host operating system.
Docker is the most popular process container environment and allows for very small, immutable containers, containing only the application binaries and a minimal subset of libraries necessary for an application to run as a single process, requiring limited system resources.
LXD functions similarly to a traditional hypervisor and machine containers resemble virtual machines. Machine containers, also referred to as ‘system containers’, are larger than process containers, as well as stateful and mutable. They have an allocated filesystem, often containing a cut-down version of an operating system, which might include a shell and a limited number of daemons.
Docker is mostly used by developers making Platform-as-a-Service application instances more portable. LXD usage, on the other hand, is often driven by DevOps making Infrastructure-as-a-Service OS instances much faster.
Docker can run alongside LXD with both instances working together. Moreover, Docker can run inside of LXD with zero performance impact, allowing you to safely migrate your Docker containers between machines for easy scale-up and scale-down.
How to secure container images
Canonical’s Kubernetes and cloud native operations report showed that the best container images are secure, stable, and easy to use. While containerisation adds a layer of security by keeping workloads isolated from one another and the host system, it is not enough to secure an application.
Container images are made of software from many different projects and sources, not all equally well-maintained. Developers need to ask themselves what content they can rely on today, tomorrow and for a long time thereafter. Particular attention should be paid to the base layer: select one that is frequently updated and has a credible maintenance commitment, a large software ecosystem of well-maintained packages, and a great developer experience.
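As an added example (not code from Canonical or Docker), the following Python script audits the base layers named in a Dockerfile's FROM lines, flagging repositories outside a vetted list and references that are not pinned by digest. The vetted list, the sample Dockerfile, the digest and the finding names are all constructed for illustration.

```python
import re

# Constructed policy (assumption): repositories this team has vetted as
# actively maintained. Replace with your own list.
VETTED_REPOS = {"ubuntu"}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)

def split_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    ref, _, digest = ref.partition("@")
    # A colon after the last slash is a tag; before it, a registry port.
    head, slash, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    return head + slash + name, tag or None, digest or None

def audit_base_images(dockerfile_text):
    """Return (line_no, image, finding) for each external base layer issue."""
    findings, stages = [], set()
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # Earlier build stages and the empty "scratch" base are not external.
        if ref.lower() not in stages and ref != "scratch":
            if "$" in ref:
                findings.append((no, ref, "unresolved-build-arg"))
            else:
                repo, tag, digest = split_ref(ref)
                if repo not in VETTED_REPOS:
                    findings.append((no, ref, "unvetted-repo"))
                if digest is None:
                    floating = tag in (None, "latest")
                    findings.append(
                        (no, ref, "floating-tag" if floating else "no-digest"))
        if alias:
            stages.add(alias.lower())
    return findings

# Constructed sample input; the digest is a placeholder, not a real image.
SAMPLE = "\n".join([
    "FROM golang:latest AS build",
    "RUN go build -o /app .",
    "FROM ubuntu:24.04",
    "FROM ubuntu:22.04@sha256:" + "0" * 64 + " AS pinned",
    "FROM build AS debug",
    "FROM localhost:5000/team/base",
])
```

Only the digest-pinned reference from a vetted repository passes without a finding; a version tag alone can be re-pointed at different content by the publisher, which is why it is reported separately from a floating tag.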
Canonical publishes a portfolio of base, runtime, and application images with a maintenance commitment of up to 10 years. In collaboration with Docker, this content is publicly available on Docker Hub.