We have had chroot since 1979; nobody managed to build a Docker-like wrapper for chroot which does not require netns?
vbezhenar 2 hours ago [-]
Docker is a genius idea which looks obvious in retrospect, but someone needed to invent it.
Docker is more than just chroot. You also need: overlay file system; OCI registry and community behind it, to create thousands of useful images. And, of course, the whole idea of creating images layer by layer and using immutable images to spawn mutable containers.
I don't actually think that you need network or process isolation. In terms of isolation, chroot is enough for most practical needs. Network and process isolations are nice to have, but they are not essential.
akdev1l 2 hours ago [-]
Network isolation is very important too; that's what lets people run 4 containers all listening on port 80.
Process isolation is less prominent.
vbezhenar 4 minutes ago [-]
You can bind your application to 127.0.0.2 for one container and to 127.0.0.3 for another container. Both can listen on port 80 and both can communicate with each other. And you can run another container, binding to 1.2.3.4:80 and using it as a reverse-router. You can use iptables/nftables to prevent undesired connections and a manually (or with some scripting) crafted /etc/hosts for named hosts to point to those loopback addresses. Or just a DNS server. It's all doable.
The only thing that you need is the ability to configure a target application to choose the address to bind to. But any sane application has that configuration knob.
Of course things are much easier with network namespaces, but you can go pretty far with host network (and I'd say it might be easier to understand and manage).
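As an added example (not from any comment in this thread), here is the layout vbezhenar describes, in Python: two backends bound to 127.0.0.2 and 127.0.0.3 on the same port, an in-memory name-to-address map standing in for /etc/hosts, and a minimal Host-header reverse-router. The hostnames, the addresses and the use of an ephemeral port instead of 80 are assumptions chosen so it runs unprivileged. It also includes a `reachable` check to make visible what host networking does not give you: without network namespaces or firewall rules, any process on the host can connect to every backend directly.

```python
"""Added example: per-loopback-address services on a shared host network stack.

Not code from the thread.  Names, addresses and the ephemeral port are
assumptions for the demo; a real deployment would use port 80 and /etc/hosts
or DNS instead of the HOSTS dict below.  Requires Linux, where all of
127.0.0.0/8 is reachable on lo without extra configuration.
"""
import socket
import threading

# Constructed stand-in for /etc/hosts: service name -> loopback address it binds.
HOSTS = {
    "alpha.internal": "127.0.0.2",
    "beta.internal": "127.0.0.3",
}


def _serve(sock, banner):
    """Answer every connection on `sock` with a fixed HTTP/1.0 body, then close it."""
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:
            return  # listening socket was closed; thread exits
        with conn:
            conn.recv(4096)  # read (and ignore) the request
            conn.sendall(
                b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(banner), banner)
            )


def start_backends(names=("alpha.internal", "beta.internal")):
    """Bind one backend per name to its own loopback address on the SAME port.

    The first bind uses port 0 so the kernel picks a free ephemeral port; the
    remaining backends bind that exact port number on their own address, which
    is the trick the comment relies on instead of network namespaces.
    Returns (port, [listening sockets]).
    """
    socks, port = [], 0
    for name in names:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((HOSTS[name], port))
        port = s.getsockname()[1]
        s.listen(8)
        threading.Thread(
            target=_serve, args=(s, f"served-by-{name}".encode()), daemon=True
        ).start()
        socks.append(s)
    return port, socks


def route(host, port, path="/"):
    """The 'reverse-router': map the Host header to a backend and proxy one request.

    Returns the response body, or None for a name not in HOSTS.  Refusing
    unknown names is deliberate: a default backend would let an attacker reach
    a service the operator never published under a name.
    """
    addr = HOSTS.get(host)
    if addr is None:
        return None
    with socket.create_connection((addr, port), timeout=2) as c:
        c.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while chunk := c.recv(4096):
            data += chunk
    _headers, _, body = data.partition(b"\r\n\r\n")
    return body


def reachable(addr, port):
    """True if a plain TCP connect to addr:port succeeds from this process.

    Every process on the host shares the loopback interface, so this succeeds
    for all backends unless iptables/nftables rules say otherwise: the
    'isolation' here is purely a matter of who is told which address to use.
    """
    try:
        with socket.create_connection((addr, port), timeout=2):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    port, _ = start_backends()
    for name in HOSTS:
        print(name, "->", route(name, port))
    print("unknown name ->", route("gamma.internal", port))
    print("direct access to beta from any host process:", reachable(HOSTS["beta.internal"], port))
```

The last line of the demo is the caveat: binding per address gives each service its own listener, not a boundary. The iptables/nftables rules the comment mentions are what would close that gap (for example, an output-chain rule that matches the service's uid and drops connections to the other loopback addresses), and they have to be written and maintained by hand, which is exactly the work a network namespace does for you.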
mikepurvis 35 minutes ago [-]
Process isolation is more about load management/balancing, which is more of a production concern than a development one.
ronsor 3 hours ago [-]
Chroot has significantly less isolation than Linux namespaces as used by Docker.
miladyincontrol 20 minutes ago [-]
This; better yet, just use systemd-nspawn. Benefits of proper containers, configuration similar to any ol' systemd service, super easy to use, simple to automate builds with mkosi.
The one thing people really seem to miss on them is, contrary to popular belief, you don't need a whole OS container there; minimal distroless containers work just fine with systemd-nspawn, similar to how they would on Docker.
spullara 2 hours ago [-]
Solaris Zones (follow on to Solaris Containers) was pretty amazing.
FreeBSD has had jails since version 4 (~year 2000), fwiw.
Much of the technology was there, but Docker was able to achieve a critical mass, with streamlined workflows. Perhaps as much a social phenomenon as a technical one?
oftenwrong 23 minutes ago [-]
Don't discount the technical innovation required to integrate existing technologies in a novel and useful way. Docker was an "off the shelf" experience unlike any other solution at the time. You could `docker run ...` and have the entire container environment delivered incrementally on demand with almost no setup required. It did have a social factor in that it was easy for people to publish their own images and share them. Docker Hub was provided as a completely free distribution service. The way they made distribution effortless was no doubt a major factor in why it took off.
I used FreeBSD on my firewall in the early 2000s, and on my NAS from around 2007 till last year.
The big pain with jails for me was the tooling. There were a number of non-trivial steps needed to get a jail that could host a networked service, with a lot that could go wrong along the way.
Sure a proper sysadmin would learn and internalize these steps, but as someone who just used it now and again it was a pain.
Way down the line things like iocage came along, but it was fragile and not reliable when I tried it, leading to jails in weird states and such.
So I gave up and moved to Linux so I could use Docker.
Super easy to spin up a new service, and fairly self-documenting, as you just configure everything in a script or compose file, so there is much less to remember.
Initially in a VM on Bhyve, now on bare metal.
It feels a bit sad though, as jails had some nice capabilities due to the extra isolation.
Yeroc 2 hours ago [-]
I think the real genius of Docker was the image packaging. The pieces were there but delivery and scripting it all wasn't easy.
mikepurvis 32 minutes ago [-]
Indeed. Even to this day, debootstrap feels a bit arcane and unapproachable, particularly relative to `docker pull ubuntu`.
disagr 2 hours ago [-]
[dead]
tkcranny 1 hours ago [-]
Yeah, it really was a social phenomenon. Ten years ago conferences were swarmed with Docker employees, swag, plenty of talks and excitement.
The effort to introduce the concepts to the mainstream can’t be understated. It seems mundane now but it took a lot of grassroots effort and marketing to hit that critical mass.
https://en.wikipedia.org/wiki/Solaris_Containers
https://www.youtube.com/watch?v=wW9CAH9nSLs