Build once, configure once and run anywhere. Sound familiar? Numerous companies have had a crack at this over the years. Sun was the first with Java and the JVM: a platform-independent language and runtime environment that enables developers to build programs that are at once compiled and interpreted, allowing them to run anywhere a version of the JVM exists. Docker, the latest company to adopt the mantra, has a similar value proposition, except in this case we're dealing with servers, not code.
Their technology deploys software applications with all the necessary parts in a container, thereby ensuring it will run on any Linux server, regardless of configuration and/or settings. Containers can be created, configured, and saved as templates for use on other hosts running the Docker engine. These templates can then be used to create more containers with the same OS, configuration, and binaries.
Docker Containers vs. VMs
Though both Docker containers and VMs use mechanisms for virtualization and abstraction, a fundamental difference lies in virtualization scope: VMs contain the full OS, while Docker containers share a single OS with the host machine. Since the support of multiple guest operating systems with a hypervisor is absent, Docker containers are especially lightweight and portable.
Take a look at the following graphic comparing VMs to Containers.
Note that the VM must load the hypervisor layer (see above diagram) as well as one instance of the guest OS for each desired app instance. In contrast, containers do away with the resource-intensive hypervisor layer, and can support any number of app instances running on top of the host OS.
In this paper comparing container and virtual machine environments, IBM tested Docker and KVM against CPU, memory, network and I/O benchmarks. Unsurprisingly, Docker outperformed KVM in every case tested. So while VMs are appropriate in use cases requiring full-machine virtualization, Docker containers boot quicker and require fewer system resources, making them highly suitable for packaging and shipping apps to run anywhere.
The Docker Hub
A recurring theme in the Docker world is speed: quicker development, faster-performing apps, and easier shipping and deployment. Similar to Amazon's AWS Marketplace, where one can find community-contributed Amazon Machine Images for launching server instances quickly, the Docker Hub features a repository of community-contributed components for creating and publishing custom Docker containers quickly.
Some official Docker repositories. Image courtesy of Docker, Inc.
For example, a developer building a MySQL-backed SaaS app can use the Oracle Linux and MySQL images in Docker Hub to quickly spin up a server with the necessary components. This eliminates the need to build and configure each OS or application component by hand.
In short, Docker is ideal for building, shipping, and running portable cloud apps. If you’re anxious to get hands-on with Docker immediately, check out this interactive demo on the Docker site. And be sure to check back for Part 2 of this article, where we’ll take a closer look at Docker’s features, and find out how GuardRail can be used for monitoring container configurations, scanning differences and changes, and verifying test/production environments.
Security Benefits of Docker Containers
Using Docker to package up and deploy applications can yield a myriad of benefits, including higher server instance utilization in the cloud and multi-cloud portability. From a security standpoint, Docker containers provide unique benefits through isolation: since containers make it easy to segregate applications that would typically run on the same host, configuration for items like ports and files can be locked down separately for each container and the application it runs.
For instance, UpGuard’s cloud-hosted single tenant appliance is built on top of a cluster of Docker systems. This effectively isolates our customers from each other: every deployment runs its own database instance, with its own data isolated from everyone else’s. In fact, the entire application stack is run inside of the container—making constituent components like web workers and services also unique to each deployment.
Consider the following scenario—a Ruby-on-Rails (RoR) vulnerability is exploited by an attacker, allowing him access to the Rails server and resident data. In a Docker-packaged deployment of the application stack, only one customer is impacted. Similarly, if one host goes down in the Docker cluster, none of the other customer hosts/deployments are affected. Another common architecture places the database and application stack in separate Docker containers for even more granularity, as depicted in the RoR/PostgreSQL configuration below.
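The two-container layout described above, written out as a Docker Compose file; this is an added illustration, not the article's own figure or UpGuard's configuration, and the image names, service names, port and environment variable values are assumptions:

```yaml
# One customer deployment: Rails app and PostgreSQL in separate containers.
# Service names, image tags, port and credential names are assumed for
# illustration; DB_PASSWORD is supplied from the environment at deploy time.
services:
  app:
    image: example/rails-app:1.0          # assumed application image
    ports:
      - "127.0.0.1:3000:3000"             # published on host loopback only
    environment:
      # Rails reads DATABASE_URL; "db" resolves to the database container
      DATABASE_URL: postgres://app:${DB_PASSWORD}@db:5432/app_production
    depends_on:
      - db
    networks:
      - frontend                           # reachable from the host side
      - backend                            # the only path to the database
    cap_drop:
      - ALL                                # app needs no Linux capabilities
    security_opt:
      - no-new-privileges:true             # blocks setuid escalation inside

  db:
    image: postgres:16                     # official image from Docker Hub
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: app_production
    volumes:
      - db-data:/var/lib/postgresql/data   # this deployment's data only
    networks:
      - backend                            # no "ports:", never host-exposed

networks:
  frontend: {}
  backend:
    internal: true                         # no route in or out of the host

volumes:
  db-data: {}
```

Each customer gets its own copy of this stack under a distinct Compose project name (for example `docker compose -p customer-a up -d`), so a compromise of one app container reaches only that deployment's database, which itself sits on an internal network with no published ports.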
Incidentally, where flaws like the RoR vulnerability just mentioned are concerned, UpGuard can scan the application stack for them automatically, even inside Docker containers, as we'll soon see.
UpGuard’s Platform Integration with Docker
The security benefits to isolation—as well as the industry’s shift towards software modularity—have made containers all the rage now. DevOps-enabled organizations in particular have adopted Docker for its portability and multi-cloud interoperability: the ability to package an application together with its libraries and dependencies for deployment across disparate cloud providers and customer deployments. However, keeping these software stacks and systems configured securely and consistently inside their containers can be just as unwieldy as traditional IT systems.
Luckily, UpGuard can scan and monitor environments within Docker containers, just like any other system. Our platform's agentless architecture uses lightweight SSH-based connection managers for connecting to and scanning/monitoring Docker containers. And once a Docker container's environmental state has been captured by UpGuard, powerful differencing and variance analysis tools can be used to keep your environment states in alignment. In the spirit of open integration, UpGuard outputs to popular automation and DevOps tools, including Docker, which makes recreating containers to exact configuration specifications a trivial affair. With one click, a Dockerfile snippet is created from the desired node for easy automation.
In short, Docker gives organizations the ability to package, deploy, and isolate applications for increased security and portability. Of course, native Docker integration is just one of a myriad of powerful features that make UpGuard the leading platform for configuration integrity. Give UpGuard a test drive to find out for yourself, on us.