
From everything I've read and heard about Docker, the whole point of it is to encapsulate an application so that it is runnable on any machine. It achieves this by wrapping up the environment needed (tools/dependencies) into the docker image. A container is an instance of an image. There isn't an OS running in a docker container.

Now, if that's all true, then why does this exist: CentOS official docker image? I thought docker images were just for applications, not entire operating systems.

Whenever I instantiate that image, I get a container that, when attached to it, appears to be a functioning CentOS shell.

You can do it yourself to see what I mean:

  • Dockerfile contents: FROM centos:centos7
  • Build the image: docker build -t centos-img .
  • Run the container: docker run -ti centos-img
  • To detach: ctrl+p, ctrl+q
  • To reattach: docker attach <container id>

This really looks and feels like a VM.

If I run cat /etc/os-release it even says I am running CentOS.

What exactly is this? Could I use a CentOS docker image as if it were a virtual machine? What are the limitations?

(What's confusing me is docker containers != VMs, however, from my exploration, I created a docker image that looks and feels like a VM. Why would I ever want to run a VM again, if I can run a lightweight docker image that acts exactly like a VM?)


Is this CentOS docker image just a starting place, that I am supposed to build off of (i.e., put my application in), so that it just functions as a host for my application? The more I read and dig into Dockerfile examples, the more I believe this assumption is true.


What I'm really trying to do:

I have a bunch of small applications/services that function together as a system that makes up a large application. I currently have this system running on a CentOS machine. I want the ability to easily run multiple instances of this large application, each in their own environment / without stepping on each other's toes. Would it be possible to do this by using a CentOS docker image + all of the small applications/services needed, resulting in a large application image? With this image, I could spin up multiple containers, each one running a separate instance of the large application? Is that a reasonable/achievable thing to do with Docker?


Some of my understanding may be incorrect, or I may be suggesting to use Docker in a way that it is not meant to be used. If so, feel free to point it out. Thanks!

giant91
  • "acts exactly like a VM" -- except that if someone manages a kernel-level exploit they broke into your host, instead of needing to then figure out how to escape from the VM itself. The security-model deltas are substantial. – Charles Duffy Apr 13 '19 at 00:20
    Similarly, there are a lot of places where you need to set a container to be "privileged" to have given functionality at all; calling a Docker container privileged makes escapes to the outside world nothing short of trivial. Whereas an ideal VM is secure even against an attacker loading malicious kernel modules inside of it. – Charles Duffy Apr 13 '19 at 00:22
  • That said, this question is off-topic here (so is the proposed duplicate linked above, which is why it's closed). StackOverflow is **exclusive** to questions about **writing software**. Questions about system administration are out-of-scope; so are generic OS or computing questions. – Charles Duffy Apr 13 '19 at 00:23
  • It used to be that CentOS with systemd in Docker required a privileged container, negating most (if not all) of the security benefits. I'm not sure if this is still the case. – antonyh Apr 13 '19 at 00:25
  • @CharlesDuffy Please forgive my naivety; if docker questions are off-topic why is there a 'docker' tag available? I'll go ask in Meta ;-) – antonyh Apr 13 '19 at 00:27
  • @antonyh, I didn't claim that all Docker questions are off-topic, just that this one is; it's not asking narrowly about a specific problem encountered in the course of software development. Please link me to the question you open on meta. – Charles Duffy Apr 13 '19 at 15:40

2 Answers


It's a multi-faceted question and I'm unlikely to do it justice with this reply but I'll try to answer your core question. I recommend that you read the many articles that exist that cover container basics.

Fundamentally, containers share a kernel (generally Linux) not an Operating System (CentOS, Debian, Ubuntu etc.).

The simplest Linux container image is called scratch and it is empty and so effectively provides you with just the Linux kernel.

At the other extreme are complete Linux operating system images, including CentOS. These are full-blown OS images and provide a user and applications with a mostly comparable experience to running such an operating system on "bare metal" or a VM.

It is good container practice to try to aim for closer to 'scratch' than it is to aim for closer to e.g. centos. Fundamentally, an OS is a huge expanse of code much of which your application(s) likely don't need. While it may be nice to have all this extra functionality available, it means you must maintain (and secure) superfluous (!) code and it means your image has to drag all this content around with it too.

It is unlikely that your applications will run on scratch because they likely depend on other applications and shared libraries. If you already have a good idea of these dependencies, you should start from an image like 'scratch' and add in what your apps need.

If you look at Dockerfiles on the web, you'll see many of the best examples start from a smaller base image, add in necessary packages and finally add the relevant binary.

See:

HTH!

DazWilkin
  • In [How to Answer](https://stackoverflow.com/help/how-to-answer), see the section "Answer Well-Asked Questions", and the bullet therein regarding questions which "are not about programming [as defined in the help center](https://stackoverflow.com/help/on-topic)". (The bullet point about questions which "have already been asked and answered many times before" also applies). – Charles Duffy Apr 13 '19 at 00:25
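To make the "closer to scratch than to centos" advice concrete, here is an added example (not from the answer above or from any Docker project): a multi-stage Dockerfile that compiles a statically linked Go program in a full toolchain image and then ships only the binary on an empty root filesystem. It assumes a hypothetical `main.go` in the build context that needs no shared libraries; the `golang:1.21` and `scratch` images and the Debian CA bundle path are real.

```dockerfile
# Stage 1: build inside a full toolchain image. Everything here (compiler,
# package manager, shells) is discarded once the binary is produced.
FROM golang:1.21 AS build
WORKDIR /src
COPY main.go .
# CGO_ENABLED=0 yields a static binary that needs no libc at runtime.
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/app main.go

# Stage 2: ship on 'scratch', i.e. an empty root filesystem.
# Contrast with 'FROM centos:centos7' from the question: that base carries a
# whole package set that must be tracked and patched even though the app never
# calls it. Here there is no shell, no package manager, nothing to patch but
# the app itself.
FROM scratch
COPY --from=build /out/app /app
# Only runtime data the app actually needs: CA roots for outbound TLS.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# scratch has no /etc/passwd, so use a numeric unprivileged UID/GID.
USER 65534:65534
ENTRYPOINT ["/app"]
```

Build with `docker build -t app-scratch .` and run it without `--privileged`; to see the "shared kernel, not shared OS" point, compare `uname -r` on the host with `docker run --rm centos:centos7 uname -r`, which reports the host's kernel even though `/etc/os-release` inside says CentOS.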

One common use of CentOS (and other full OS distros) in Docker is when developers need the full system running locally for development / test / debug purposes but it's not running in Docker in production. It's not uncommon to run monolithic applications that are ill-suited to docker in a VM or even on bare metal.

One example might be applications deployed into AWS as AMIs; this is something that's non-trivial to reproduce on a Mac or Windows machine, and unclean (to put it mildly) if installed directly to a Linux host, possibly cost-prohibitive, and unsuited to offline use to spin up more cloud-hosted instances.

It's one of the great strengths of Docker that it's capable of running minimal systems if that's what is needed, or full-blown OS installations even if this isn't considered optimal. It certainly has its uses in this capacity.

antonyh