Posts by: Jérôme Petazzoni

If you are running apps in containers and are using Docker’s GELF logging driver (or are considering using it), the following musings might be relevant to your interests.

Some context

When you run applications in containers, the easiest logging method is to write on standard output. You can’t get simpler than that: just echo, print, write (or the equivalent in your programming language!) and the container engine will capture your application’s output. Other approaches are still possible, of course; for instance: you can use syslog, by running a syslog daemon in your container or exposing a /dev/log socket; you can write…


This is a short collection of tips and tricks showing how Docker can be useful when working with Go code. For instance, I’ll show you how to compile Go code with different versions of the Go toolchain, how to cross-compile to a different platform (and test the result!), or how to produce really small container images. The following article assumes that you have Docker installed on your system. It doesn’t have to be a recent version (we’re not going to use any fancy feature here).

Go without go …

And by that, we mean “Go without installing go”. If you…


When they start using Docker, people often ask: “How do I get inside my containers?” and people will tell them “Run an SSH server in your containers!” But, as you’ll discover in this post, you don’t need to run an SSHd daemon to get inside your containers. Well, unless your container is an SSH server, of course! It’s tempting to run the SSH server, because it gives an easy way to “get inside” the container. Virtually everybody in our craft has used SSH at least once in their life. Most of us use it on a daily basis, and are familiar with…


We are proud to announce that Yandex, the largest tech company in Russia, is using Docker for infrastructure virtualization and app isolation of its open-source PaaS system called Cocaine. The news was released at the YaC 2013 technological conference that took place on October 2 in Moscow, and where Jérôme Petazzoni was invited to give a talk on Lightweight Virtualization with Linux Containers and Docker and meet the Yandex team.

[Photo: Andrey Sibiryov, Head of Cloud Technologies Development Service at Yandex, on stage at YaC 2013]

The Docker support is implemented as a plugin, which connects to the Docker daemon and controls it…


Linux Containers rely on control groups which not only track groups of processes, but also expose a lot of metrics about CPU, memory, and block I/O usage. We will see how to access those metrics, and how to obtain network usage metrics as well. This is relevant for “pure” LXC containers, as well as for Docker containers.


TL;DR: in my quest to CONTAINERIZE ALL THE THINGS!, I replaced my cheap VPS with a Linux VM at Joyent, installed Docker on it, then authored an OpenVPN image for Docker. The Dockerfile and scripts used are on jpetazzo/dockvpn on GitHub.

Let me sing you the song of my people

Do you remember that revised Maslow pyramid, the one with WiFi at the base of everything? Well, somewhere in my pyramid, there is a Linux box, with root access, a fast link, and low latency. I used to run a hosting company in France and I also worked for a…


One of the (many!) features of Docker 0.6 is the new “privileged” mode for containers. It allows you to run some containers with (almost) all the capabilities of their host machine, regarding kernel features and device access. Among the (many!) possibilities of the “privileged” mode, you can now run Docker within Docker itself. First, we will see how to make that happen; next, we will explain what is involved under the hood, and finally, we will show something even more powerful than Docker in Docker!

See Docker-in-Docker in action

If you have Docker 0.6, all you have to do is:…


This post reviews the various security implications of using Docker to run applications within containers, and how to address them. There are three great areas to consider: the intrinsic security of containers, as implemented by namespaces and cgroups; the specific attack surface of the Docker daemon itself; the “hardening” security features of the kernel and how they interact with containers. We will also discuss how Docker security features compare with other systems.
