Jérôme Petazzoni

Adventures in GELF

If you are running apps in containers and are using Docker’s GELF logging driver (or are considering using it), the following musings might be relevant to your interests.

Some context

When you run applications in containers, the easiest logging method is to write on standard output. You can’t get simpler than that: just echo, print, write (or the equivalent in your programming language!) and the container engine will capture your application’s output. Other approaches are still possible, of course; for instance: you can use syslog, by running a syslog daemon in your container or exposing a /dev/log socket; you can write to regular files and share these log files with your host, or with other containers, by placing them on a volume; your code can directly talk to the API of a logging service. In the last scenario, this service can Continue reading…

Jérôme Petazzoni

Docker + Golang = <3

This is a short collection of tips and tricks showing how Docker can be useful when working with Go code. For instance, I’ll show you how to compile Go code with different versions of the Go toolchain, how to cross-compile to a different platform (and test the result!), or how to produce really small container images. The following article assumes that you have Docker installed on your system. It doesn’t have to be a recent version (we’re not going to use any fancy feature here).

Go without go…

And by that, we mean “Go without installing go”. If you write Go code, or if you have even the slightest interest in the Go language, you certainly have the Go compiler and toolchain installed, so you might be wondering “what’s the point?”; but there are a few scenarios where you Continue reading…

Jérôme Petazzoni

Why you don't need to run SSHd in your Docker containers

When they start using Docker, people often ask: “How do I get inside my containers?” and people will tell them “Run an SSH server in your containers!” But, as you’ll discover in this post, you don’t need to run an SSHd daemon to get inside your containers. Well, unless your container is an SSH server, of course! It’s tempting to run the SSH server, because it gives an easy way to “get inside” the container. Virtually everybody in our craft has used SSH at least once in their life. Most of us use it on a daily basis, and are familiar with public and private keys, password-less logins, key agents, and even sometimes port forwarding and other niceties. With that in mind, it’s not surprising that people would advise you to run SSH within your container. But you should think twice. Let’s Continue reading…

Jérôme Petazzoni

Yandex using Docker for infrastructure virtualization and app isolation

We are proud to announce that Yandex, the largest tech company in Russia, is using Docker for infrastructure virtualization and app isolation of its open-source PaaS system called Cocaine. The news was released at the YaC 2013 technological conference that took place on October 2 in Moscow, and where Jérôme Petazzoni was invited to give a talk on Lightweight Virtualization with Linux Containers and Docker and meet the Yandex team.

[Photo: Andrey Sibiryov, Head of Cloud Technologies Development Service at Yandex, on stage at YaC 2013]

The Docker support is implemented as a plugin, which connects to the Docker daemon and controls it using a rich REST API. Right now, Yandex is using Cocaine in their Yandex.Browser backend and their internal infrastructure. Read more about Cocaine on Yandex.


Jérôme Petazzoni

Gathering LXC and Docker containers metrics

Linux Containers rely on control groups which not only track groups of processes, but also expose a lot of metrics about CPU, memory, and block I/O usage. We will see how to access those metrics, and how to obtain network usage metrics as well. This is relevant for “pure” LXC containers, as well as for Docker containers.

Jérôme Petazzoni

Docker + Joyent + OpenVPN = Bliss

TL;DR: in my quest to CONTAINERIZE ALL THE THINGS!, I replaced my cheap VPS with a Linux VM at Joyent, installed Docker on it, then authored an OpenVPN image for Docker. The Dockerfile and scripts used are on jpetazzo/dockvpn on Github.

Let me sing you the song of my people

Do you remember that revised Maslow pyramid, the one with WiFi at the base of everything? Well, somewhere in my pyramid, there is a Linux box, with root access, a fast link, and low latency. I used to run a hosting company in France and I also worked for a very disruptive dark fiber provider in the Paris area; so when I was in the land of baguette, foie gras, and Tour Eiffel, those commodities were kind of granted. But when I set foot in California, I was more than Continue reading…

Jérôme Petazzoni

Docker can now run within Docker

One of the (many!) features of Docker 0.6 is the new “privileged” mode for containers. It allows you to run some containers with (almost) all the capabilities of their host machine, regarding kernel features and device access. Among the (many!) possibilities of the “privileged” mode, you can now run Docker within Docker itself. First, we will see how to make that happen; next, we will explain what is involved under the hood, and finally, we will show something even more powerful than Docker in Docker!

See Docker-in-Docker in action

If you have Docker 0.6, all you have to do is:

    docker run -privileged -t -i jpetazzo/dind

This will download my special Docker image (we will see later why it is special), and execute it in the new privileged mode. By default, it will run a local docker daemon, and drop Continue reading…

Jérôme Petazzoni

Containers & Docker: How Secure Are They?

This post reviews the various security implications of using Docker to run applications within containers, and how to address them. There are three main areas to consider: the intrinsic security of containers, as implemented by namespaces and cgroups; the specific attack surface of the Docker daemon itself; and the “hardening” security features of the kernel and how they interact with containers. We will also discuss how Docker security features compare with other systems.