Docker: The first true devops tool?

Docker VP explains how Docker bridges the gap for dev and ops at JVM-busting speeds

Docker has attracted a lot of attention lately, with major vendors contributing to the containerization technology. The company is venturing into acquisitions, services like and are emerging, and Docker technology is being embraced as a solid complement for the Java Virtual Machine.

To get the latest insights into Docker and where it is headed, InfoWorld Editor at Large Paul Krill met with Docker Vice President James Turnbull at the recent O'Reilly Open Source Convention in Portland, Ore. Turnbull is responsible for customer-facing business and has contributed to the Docker project.

InfoWorld: What is the big deal about Docker?

Turnbull: Docker has two interesting aspects. One is operating system level virtualization. It's a container instead of a virtual machine. As a result, it doesn't have a lot of overhead. It doesn't have the hypervisor in the middle, and that allows containers to be really lightweight and really fast. Running a Docker container is a subsecond launch, so it takes you snap, snap, snap and you can launch a Docker container. [It is] very, very fast.

On top of that, we've built a workflow, which is really designed to allow first-time developers, allowing them to say, "I have code on my laptop. I want to run that code in my dev test environment, and I want to get it pushed into my staging environment." So we built a workflow on top of these containers to help developers build applications, test them, run them, and deploy them.

InfoWorld: How does Docker fit into devops?

Turnbull: I describe it a little bit arrogantly as the first true sort of devops tool because it is really focused on providing developers with a platform to run their applications and providing ops people with a tool that will allow them to integrate with that workflow and allow them to deploy the same code. It tries to make the experience between a developer running an app and booting and testing an application and an operations person deploying that seamless, because that's where the friction is in devops. It's usually the part where the application developer hands over the application to the operations people and they discover, "Oh, it doesn't run. It ran fine on my laptop, doesn't work in production." Docker is designed to reduce the friction in that relationship.

InfoWorld: It's been estimated that apps running in a Docker container can run twice as fast as a virtual machine. How do you achieve this?

Turnbull: It's really about the removal of the hypervisor and the lightweight nature of Docker. Boden Russell at IBM Research had some statistics that said depending on the nature of the application, you could get 10-, 20-fold performance on a virtual machine. He published that earlier in the year, and we know it largely traced back to the fact that in the sort of traditional hypervisor world you have a physical machine and an operating system, then your virtual machine application, then a desktop system, then the application. In the Docker world you really have the physical machine, the operating system, Docker, then the application, so there's a lot of those layers taken out.

InfoWorld: Recently a security researcher published what is supposed to be the first security exploit of Docker in which files can be copied from the underlying OS and the file system then sent to a third party. Apparently this was considered serious, although it hasn't actually been found in the wild. How does Docker feel about this security issue?

Turnbull: Actually, the security issue that somebody found was in old releases of Docker. It has been fixed in a more recent release. Our response was twofold. One was that we'd already addressed the issue in the next release, and I think this was four or five releases old at that point. The second thing we did was Docker containers are not the same as virtual machines. They are a different type of compute unit, and we have published best practices for security and the best way you can deploy Docker containers. They provide security guidelines to make running in containers a safer experience.

InfoWorld: As far as best practices, could you name some?

Turnbull: We recommend users don't run root-enabled processes inside containers. We recommend users rely on tools like SELinux and AppArmor to provide security at the operating system level. And we suggest that users deploy applications of like trust on a Docker host. You don't deploy your mission-critical banking application right next to your customer-facing Web service, which is a pretty standard recommendation when you talk about security.

InfoWorld: Docker just acquired Orchard. What is the benefit of this acquisition, and do you anticipate any future acquisitions?

Turnbull: The benefit is, Docker at the moment is very much focused on that developer workflow and providing the compute unit, the container. But in order to deliver what we think is the true value of Docker, you start to look at things like orchestration tools that allow you to build whole application stacks inside Docker. Orchard built a tool called Fig, and that tool is one of the first orchestration tools from Docker. We think it's a great tool, and we wanted to bring them in-house. As to future acquisitions, I can't speak to that.

InfoWorld: What is the business model for Docker?

Turnbull: We run a software-as-a-service product called the Docker Hub, which is essentially a central point in which people can manage their Docker environments. We also provide support for Docker, so we have the traditional open source support model and we provide self services in education. We'll also, as time goes by, be building tools and extending Docker Hub to provide paid-for services.

InfoWorld: Docker is getting a lot of support from vendors like Microsoft, Red Hat, IBM, and Google. Why is it getting so much support from these major companies? Are there any holdout companies you'd like to see get on the Docker train?

Turnbull: Most of these companies identified the revolution that's being driven partly by platform as a service and infrastructure as a service. To this point, it's been very infrastructure-centric, and Docker is very developer-centric, and these companies identify that as a big gap in the market. They have a huge number of users and customers who are developers, and their tooling is sometimes not great, and Docker provides a way to uplift that tooling. Those companies see that as a really valuable part of the market they need to maintain or capture. I don't see any particular holdouts.

InfoWorld: Do you anticipate any Docker rivals emerging, or do you expect Docker to become the industry standard?

Turnbull: Containers have existed for a long time and no one managed to capture that standard feel. But I think, given the uptake in adoption, we're pretty comfortable that we represent a standard in the container world.

InfoWorld: What's next for Docker? What improvements are planned and when?

Turnbull: We're focused on a couple of big things. The one I mentioned was orchestration that's moving up the stack. The other is what we call trust, and trust is things like we want to be able to provide the ability for Docker users to be able to sign Docker images. This is really important for two groups of people. The first one is the ISVs of the world, and that's where you have Oracle, who, when they publish their WebLogic image, will be able to sign it with a certificate that allows a user to say, "I can check the certificate of this image, and I can guarantee it comes from Oracle." We have a level of security that if a vendor provides a Docker image you can guarantee that it's untouched and safe to use in your environment.

The second thing is it allows customers and consumers to be able to do things like find some controls around who can deploy and run things in their environment. For example, I can sign all my Docker images for production with a particular certificate, then I can ensure that only those images run in production and provide some level of security. This will be probably in the Docker 1.x series. Probably in the next couple months we'll see additional steps in that functionality.

InfoWorld: Where do you think Docker will be in five years?

Turnbull: I hope Docker in five years will be VMware, at least that sort of scale. That would be my anticipation.

InfoWorld: Is VMware a competitor to Docker or not necessarily?

Turnbull: They are a little bit. I would call it frenemies at the moment.

Clearly, the dominant virtualization in the market is hypervisor virtualization. VMware owns the commodity end of that market. We represent somewhat of a threat, but at the moment I think VMware is also acknowledging the fact that they may not actually match the needs of most of their customers. It's large and ungainly. It's not as agile, and their customers recognize that. As their customers start to optimize other parts of their build platforms and other parts of their infrastructure, they come back to this thing and it hasn't changed in five years, essentially, in terms of the startup speeds. It represents a fixed bottleneck in their environments, and I think VMware has to acknowledge the need to make some changes about that.

InfoWorld: Are they not supporting Docker?

Turnbull: They are. We're having some conversations with VMware right now about how we might work together.

This story, "Docker: The first true devops tool?" was originally published by InfoWorld.