Richard Bucker

Choosing a Tiny OS to run your Docker containers

Posted at — Mar 12, 2015

The space is starting to get crowded:

- CoreOS
- Boot2docker
- RancherOS
- Project Atomic (Fedora, CentOS, RedHat)
- Ubuntu Snappy
- OpenStack
- VMware

Briefly:

CoreOS is the most production ready of the group. The alpha channel supports the most modern versions of all of the tool chains except etcd (which is surprising).

Boot2docker is tuned to run Docker, but it is RAM only and is well documented as a development-only platform. It works well, with the exception that it is not capable of sharing host folders as volumes in the container.

RancherOS is interesting in that it is a total immersion in the container ecosystem. Even PID 1 is a container. I imagine it is going to work because either it works or it doesn't, and which one is obvious. The authors are very clear that this project is VERY alpha.

Project Atomic is probably production ready. That it spans Fedora, CentOS and RedHat is interesting but not make or break. The last time I tried to install the Fedora version it took several days to make my way through the documentation. I imagine the next time I go through this it's going to be easier, but there is something to hate about having to convert image formats before importing that makes this a bad experience. UPDATE: Atomic might be the most secure host OS due to the influence of SELinux.

Ubuntu is clearly one of the grandest Linux projects. They recently produced Snappy as a me-too in the tiny Linux distros. I have tried to deploy it a few times but with little success, as I refused to read the documentation. I will have to revisit that.

OpenStack and VMware are attempting to build Docker shims so that the container feels like it is running on a host. The details are sketchy but promise to let devops leverage their existing tools and environments to run Docker containers as if they were VMs. I have not been able to compute the savings as yet, not even in bold strokes. In a proper Docker installation where the guest is running on a scratch container the benefit is clear. But when running on top of a full distro like Ubuntu there is some OS overhead that is incurred. By inference, when a container is running on top of a dedicated kernel shim the costs may not be any different, or only marginally better, than running in a proper VM.

As for Docker, I'm still on the fence between Docker and Rocket. The CoreOS team clearly has a better handle on the security issues, and yet the Docker team is trying to get market share. Unless you're running in a multi-tenant environment the Rocket trust model might not be useful. Also, with Apcera Continuum the policy layer is implemented and appears to be much stronger than the Rocket trust. But we still need container standards!

Good luck to the teams.