Analysis of the advantages and disadvantages of Docker architecture

After Docker was launched, its ability to package applications and deploy them quickly was widely welcomed by developers. In 2015, Docker added a private image registry, Docker Registry, and native networking, Docker Networking, which made it easier for enterprises to build Docker clusters on their own. Together these have gradually made Docker a new choice for production environments.
As Docker has received widespread acclaim, Sun Hongliang, who has written "Docker Source Code Analysis" and has received great praise from the Chinese Docker community, believes that Docker has at least three major shortcomings and cannot meet the needs of various environments. He has studied the Docker source code in depth and is also a software engineer involved in the front-line development of DaoCloud, a Chinese Docker PaaS service provider.
Unlike most Docker developers who discuss Docker from the application perspective, Sun Hongliang chose to analyze the advantages and disadvantages of Docker from the perspective of its code design architecture at the 2015 Container Summit.
Sun Hongliang also pointed out that although container technology has existed for a long time, it was Docker's unique image design that drove the growth and adoption of container technology in recent years.
Unique image design makes Docker popular
Container technology can be traced back to Unix V7, released in 1979: its chroot system call isolates a program by changing the root directory that the program sees. Why did container technology, with more than 30 years of history behind it, not sweep the global IT industry until Docker appeared in 2013? Sun Hongliang explained that the design of Docker image files enabled Docker to break the past concept of "code is application".
Traditionally, the output of software development is considered to be the program code, or a binary executable compiled from it.
For this code to run, the development team must also prepare complete deployment files so that the operations team can deploy the application; even so, deployment failures are common. Sun Hongliang said that Docker image files package, from the bottom up, the whole system environment an application needs except the operating system kernel, so that applications run seamlessly across platforms.
Microsoft has announced that it will build Docker Engine into the next-generation Windows Server 2016, so that Windows Server can natively support Docker. However, Sun Hongliang also explained that most of the current Docker support in Windows is still at the API layer. Beyond the huge difference between the Windows and Linux kernels, Windows has also developed its own container technology.

The design of Docker image files enables Docker to break the old concept of "code is application". Through image files, the system environment required to run applications is packaged from bottom to top, excluding the operating system core, to achieve seamless operation of applications across platforms. (Photo source: Sun Hongliang)
Obstacles to Dockerization of System Services
Although Docker solves the deployment problems of traditional operations teams through its image file design, users still encounter practical problems when Dockerizing system services and applications.
Sun Hongliang said that when an application needs to schedule system services, such as using cron services to set tasks for automatic execution, or running syslog services to collect system logs, developers will encounter obstacles in using Docker.
For example, although Docker can be used to package the cron service, there are big differences between a Dockerized cron service and a traditional Linux cron service. Sun Hongliang said that once cron is containerized, the original environment variable settings no longer apply, so users must analyze how the software and the container run together in order to meet their needs. In addition, Docker's channels of communication with the Linux kernel are limited, and inter-process communication (IPC) is isolated by namespaces. An NFS server, for example, hands each request it accepts from a client back to the Linux kernel. "Users must think twice before containerizing these functions," he said.
Not all applications are suitable for Dockerization
As for the Dockerization of applications, although Docker's rapid deployment is very attractive, not every application is suitable for it. Sun Hongliang believes, for example, that running MySQL in Docker has some disadvantages. When a user creates a MySQL database container with the docker run command, the MySQL configuration is typically passed to the container as environment variables on that same docker run command line. Through the Docker daemon and Docker Engine, these environment variables are stored in the container's configuration in JSON file format.
The environment variables inside the container have no meaning to Docker Engine itself, but they are a hidden danger for the people using Docker: if an unrelated third party can read them, the user's container may be at risk. Sun Hongliang therefore believes that the habits developers built up using MySQL traditionally cannot be transferred seamlessly to the Docker world.
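A practical check for the exposure just described, added here as an example and not code from the article or from Docker: `docker inspect` returns each container's stored configuration as JSON, including the `Config.Env` list where the environment variables given on the `docker run` command line end up. The script below parses a constructed sample of that output (the container id, image and credential values are made up) and reports credential-bearing variables that carry their value inline, while skipping `*_FILE` variables, the convention the official MySQL image uses to read a secret from a mounted file instead of from the environment.

```python
import json
import re

# Constructed sample shaped like one element of `docker inspect <container>` output.
# The id, name and all values below are made up for this example.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Name": "/db",
    "Config": {
        "Image": "mysql:5.7",
        "Env": [
            "MYSQL_ROOT_PASSWORD=example-only-not-real",
            "MYSQL_DATABASE=shop",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "GOSU_VERSION=1.7",
            "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root",
        ],
    },
}])

# Name fragments that usually mark a credential rather than plain configuration.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE
)


def parse_env(inspect_json):
    """Return {name: value} for every Config.Env entry of every container in the output."""
    env = {}
    for container in json.loads(inspect_json):
        for entry in container.get("Config", {}).get("Env", []):
            name, _, value = entry.partition("=")
            env[name] = value
    return env


def find_exposed_secrets(inspect_json):
    """Names of variables that look secret-bearing and hold the secret inline.

    Anyone who can run `docker inspect` (or read the daemon's container config
    files) can read these values, which is the risk the article points at.
    """
    exposed = []
    for name in parse_env(inspect_json):
        if not SENSITIVE_KEY_PATTERN.search(name):
            continue
        # *_FILE variables only name a path; the secret itself lives in a mounted file.
        if name.endswith("_FILE"):
            continue
        exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    for name in find_exposed_secrets(SAMPLE_INSPECT):
        print(f"inline secret in container config: {name}")
```

To run the same check against a live host, replace `SAMPLE_INSPECT` with the output of `docker inspect` for the containers in question; the `_FILE` exemption reflects the move from inline environment variables to file-based secrets that removes the exposure.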
Sun Hongliang said that after Docker came out, Docker officials also claimed that Docker's design was application-centric, hoping that users would focus on developing applications. Docker officials also did not particularly encourage users to consider Docker as a replacement for VM as a new generation of computing units. He believes that when Docker is used to package web applications or simpler system services, it can achieve a good Dockerization effect. However, if the scope of Docker's use is to be expanded to involve the basic operating level of the operating system, or when distributed systems are promoting microservices, using Docker will cause some problems.
Sharing the Linux Kernel makes Docker inherently insecure
From a technical perspective, Sun Hongliang said that Docker is a container technology that allocates hardware resources and implements resource isolation. When it comes to resource isolation, he said that most people think of the most basic concepts in container technology, such as namespaces and cgroups. The popularity of Docker container technology means that functions that previously could only be performed through a VM can now be implemented through a container, and many users have therefore begun to discuss whether container technology can replace VMs.
An ordinary physical server can run containers as long as it has a Linux kernel, and a container can equally run inside a virtual machine on a hypervisor, as long as that VM runs a Linux kernel. Sun Hongliang believes that from this perspective the Linux kernel is the most important condition for running a container, and both physical servers and VMs meet it. However, a container running on a physical machine achieves performance comparable to bare metal, while one running in a VM loses some performance.
When talking about the resource isolation of Container, Sun Hongliang said that the most intuitive thing that most users think of is computing resources such as CPU, memory and IO. He believes that the scope of "resources" should be more than that. Although Container can isolate computing resources through cgroup and namespace, "without Linux Kernel, users cannot operate Container." He said that if Linux Kernel is also included in the scope of resources, because Container and operating system share Kernel at the same time, resource isolation is not actually achieved. However, VMs do not share the operating system kernel. Therefore, the resource isolation of VM will definitely be better than that of Container.
Although a Docker container is subject to resource isolation, resource control and permission control, it shares the operating system kernel with the Linux host, which leads to security vulnerabilities. To address this, Sun Hongliang said that the Linux capability mechanism can be used to strengthen permission control, so that root inside the container and root outside it can be differentiated and the container's system-management capabilities separated from those of the host, thereby reducing the container's security problem.
In Docker 1.9.0, released last year, Docker also added the user namespace mechanism. Sun Hongliang said that this is a milestone for Docker in terms of security: as long as user namespaces are enabled, the user inside a running container can hold broad privileges without affecting the host.
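A way to verify the two mechanisms just discussed from inside a container, added here as an example and not code from the article or from Docker: the kernel exposes a process's capability sets as hex masks in the `CapEff` and `CapBnd` lines of `/proc/<pid>/status`, and the user-namespace mapping as `/proc/<pid>/uid_map` lines of the form "inside outside count". The script decodes both from constructed sample text (the mask and mapping values are made up for the example, not a measurement of any real container), lists which capabilities remain, flags the ones whose presence usually means the kernel-sharing boundary has been weakened, and reports which host UID the container's root actually maps to.

```python
import re

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ",
}

# Capabilities that let a process reach past the container into the shared kernel or host.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN",
              "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO"}

# Constructed sample in the shape of /proc/<pid>/status (only the relevant lines).
SAMPLE_STATUS = (
    "Name:\tmysqld\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
# Constructed sample /proc/<pid>/uid_map: container UID 0 starts at host UID 100000.
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_cap_mask(status_text, field="CapEff"):
    """Extract one capability mask (as an int) from status-file text."""
    match = re.search(rf"^{field}:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError(f"{field} line not found")
    return int(match.group(1), 16)


def cap_names(mask):
    """Names of the capabilities whose bit is set in the mask, lowest bit first."""
    return [name for bit, name in sorted(CAP_NAMES.items()) if mask & (1 << bit)]


def host_uid(container_uid, uid_map_text):
    """Map a UID seen inside the container to the host UID, or None if unmapped."""
    for line in uid_map_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, count = (int(p) for p in parts)
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def assess(status_text, uid_map_text):
    """Summarize how much of the host a root process in this container can reach."""
    caps = cap_names(parse_cap_mask(status_text))
    root_on_host = host_uid(0, uid_map_text)
    return {
        "capabilities": caps,
        "risky_capabilities": sorted(set(caps) & RISKY_CAPS),
        "root_maps_to_host_uid": root_on_host,
        # Without user namespaces uid_map reads "0 0 4294967295" and root stays host root.
        "root_is_host_root": root_on_host == 0,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_STATUS, SAMPLE_UID_MAP).items():
        print(f"{key}: {value}")
```

Run it inside a container with the sample text replaced by the contents of `/proc/self/status` and `/proc/self/uid_map`; a `--privileged` container shows every bit set and a `root_maps_to_host_uid` of 0, which is the combination the article warns against.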
