Expert opinion: Analysis of the advantages and disadvantages of Docker architecture

After Docker appeared, its ability to package applications and deploy them quickly was widely welcomed by developers. In 2015, Docker went on to launch Docker Registry, a private repository feature, and Docker Networking, a native networking feature, making it easier for enterprises to build their own Docker clusters. Together, these have gradually made Docker a new option for production environments.

Sun Hongliang, author of "Docker Source Code Analysis" and well regarded in the Chinese Docker community, believes that Docker has at least three major shortcomings and cannot meet the needs of every environment. He has studied the Docker source code in depth and is a software engineer doing front-line development at DaoCloud, a Chinese Docker PaaS service provider.

Unlike most Docker developers who talk about Docker from the perspective of applications, Sun Hongliang chose to analyze the advantages and disadvantages of Docker's code design architecture at the 2015 Container Summit.

Sun Hongliang also pointed out that although Container technology has been developed for a long time, Docker's unique image file design has enabled Container technology to flourish in recent years.

Unique image file design makes Docker popular

Container technology can be traced back to Unix V7, introduced in 1979. Its chroot system call isolates a program by changing the program's root directory. If container technology has been in development for more than 30 years, why did Docker sweep the global IT industry only in 2013? Sun Hongliang explained that the design of Docker image files allowed Docker to break the older concept of "code as application".

Traditionally, after software development is over, the output is code, or a binary executable that can be compiled and executed.

For this code to run smoothly, the development team also has to prepare complete deployment documentation so that the maintenance team can deploy the application. Even so, deployment failures are common. According to Sun Hongliang, Docker uses image files to package, from the bottom up, the system environment an application needs to run, everything except the operating system kernel, so that applications run seamlessly across platforms.

Microsoft has also announced that it will build Docker Engine into the next-generation Windows Server 2016, so that Windows Server can support Docker natively. But Sun Hongliang explained that most current Windows support for Docker is still at the API layer. Besides the differences between Windows and Linux at the kernel layer, Windows also has its own container technology.

The design of the Docker image file lets Docker break the old concept of "code as an application". The image file packages, from the bottom up, the system environment required to run the application, everything except the operating system kernel, so that the application runs seamlessly across platforms.

Barriers to Dockerizing System Services

Docker's image file design solves the deployment problems of traditional maintenance teams. However, users still encounter practical problems when Dockerizing system services and when Dockerizing applications.

Sun Hongliang said that when an application must use system services, such as the cron service to automate scheduled work or the syslog service to collect system logs, developers run into obstacles with Docker.

For example, although the cron service can be packaged with Docker, a Dockerized cron service behaves quite differently from a traditional Linux cron service. Sun Hongliang said that once the cron service is containerized, the original environment variable settings become invalid. Users must therefore analyze how both the software and the container operate in order to meet their needs. In addition, Docker's ability to communicate with the Linux kernel is weak, and inter-process communication (IPC) is isolated. For example, after an NFS server accepts a request from a client, it passes the request on to the Linux kernel. "Users must think twice before containerizing these functions," he said.

Not every application is suitable for Dockerization

When it comes to Dockerizing applications, Docker's rapid deployment is attractive, but not every application is suitable for it. MySQL is one example, and Sun Hongliang believes Dockerizing it has drawbacks. For example, when the user's data needs to be backed up, a MySQL database container has to be created. You can create a MySQL database container with the docker run command, and you can also use docker run to set the MySQL environment variables. These environment variables are stored with the Docker container as a JSON file by the Docker Daemon and Docker Engine.

The environment variables stored with the Docker container mean nothing to Docker Engine, but they are a hidden concern for users of Docker: if unrelated third parties can see them, the security of the user's container is in question. Sun Hongliang therefore believes that the way traditional developers think about using MySQL cannot be carried over seamlessly to the Docker world.
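The concern above can be checked on a host. The following is an added example, not code from the article or from Docker: it scans JSON in the shape of `docker inspect` output (the `Config.Env` list) and reports credential-like variables whose values are stored in plaintext. The sample JSON, the container names and the name heuristic are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/orders-db", "Config": {"Env": [
        "MYSQL_ROOT_PASSWORD=example-root-pw",
        "MYSQL_DATABASE=orders",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
    ]}},
    {"Name": "/reports-db", "Config": {"Env": [
        "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root",
        "MYSQL_DATABASE=reports",
    ]}},
])

# Assumed heuristic: variable names that usually carry credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)", re.I)


def find_env_secrets(inspect_json):
    """Return (container, variable) pairs whose value is a plaintext secret.

    Only names are returned, so the report itself never repeats a secret.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        env = (container.get("Config") or {}).get("Env") or []
        for entry in env:
            key, _, value = entry.partition("=")
            if not SECRET_NAME.search(key) or not value:
                continue
            # A *_FILE variable holds a path to the secret, not the secret.
            if key.upper().endswith("_FILE"):
                continue
            findings.append((name, key))
    return findings


if __name__ == "__main__":
    for name, key in find_env_secrets(SAMPLE_INSPECT):
        print(f"{name}: {key} is stored in plaintext in the container config")
```

On a real host the input would be the output of `docker inspect` for the containers under review; variables following the `*_FILE` convention are skipped because only a file path ends up in the stored configuration.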

Sun Hongliang said that since Docker appeared, Docker itself has described its design as application-centric, hoping that users will focus on developing applications, and Docker does not particularly encourage users to treat it as a replacement for VMs as a new-generation computing unit. He believes that Docker works well for packaging web applications or relatively simple system services. However, when its use is expanded to touch the basic operating layer of the operating system, or when a distributed system adopts microservices, using Docker causes some problems.

Shared Linux Kernel makes Docker inherently less secure
