Docker is an open source software platform to create, deploy and manage virtualized application containers on a common operating system (OS), with an ecosystem of allied tools. Docker container technology debuted in 2013; Docker Inc. was formed to support a commercial edition of container management software and be the principal sponsor of an open source version. Mirantis acquired the Docker Enterprise business in November 2019.
How Docker works
Docker packages, provisions and runs containers. Container technology is available through the operating system: A container packages the application service or function with all of the libraries, configuration files, dependencies and other necessary parts and parameters to operate. Each container shares the services of one underlying operating system. Docker images contain all the dependencies needed to execute code inside a container, so containers that move between Docker environments with the same OS work with no changes.
Docker uses resource isolation in the OS kernel to run multiple containers on the same OS. This is different than virtual machines (VMs), which encapsulate an entire OS with executable code on top of an abstracted layer of physical hardware resources.
Docker was created to work on the Linux platform, but has extended to offer greater support for non-Linux operating systems, including Microsoft Windows and Apple OS X. Versions of Docker for Amazon Web Services (AWS) and Microsoft Azure are available.
This article is part of
Docker components and tools
Docker Community Edition is open source, while Docker Enterprise Edition is a commercialized version offered by Docker Inc. Docker consists of various components and tools that help create, verify and manage containers.
The Docker Engine is the underlying technology that handles the tasks and workflows involved in building container-based applications. The engine creates a server-side daemon process that hosts images, containers, networks and storage volumes. The daemon also provides a client-side command-line interface (CLI) for users to interact with the daemon through the Docker application programming interface. Containers created by Docker are called Dockerfiles. Docker Compose files define the composition of components in a Docker container.
Docker Hub is a software-as-a-service tool that enables users to publish and share container-based applications through a common library. The service touts more than 100,000 publicly available applications, as well as public and private container registries.
Similar to Hub, Trusted Registry is a repository with an extra layer of control and ownership over container image storage and distribution.
Docker swarm mode in Docker Engine supports cluster load balancing for Docker. Multiple Docker host resources are pooled together to act as one, which enables users to quickly scale up container deployments to multiple hosts.
The Universal Control Plane is a web-based, unified cluster and application management interface.
Compose is a tool to configure multi-container application services, view container statuses, stream log output and run single-instance processes.
Content Trust is a security tool to verify integrity of remote Docker registries, through user signatures and image tags.
Docker versions and major features
Docker Enterprise 1.13, released in January 2017, added backward compatibility for the command-line interface (CLI) to handle older Docker daemons, and several cleanup commands to more efficiently manage disk space and data, as well as some security and bug fixes. Other improvements to Docker Enterprise in 2017 included native Kubernetes support for container orchestration, in addition to Docker's swarm mode; and support for IBM mainframe and Windows Server 2016, for users to run mixed clusters and applications across multiple operating systems.
Docker Enterprise Edition 2.0, released in April 2018, featured multi-OS and multi-cloud support for hybrid environments.
Docker Enterprise 3.0, the most recent release as of July 2019, added blue-green container cluster upgrades, and the ability to build multiservice container-based applications run from any environment. Other new features include:
- Docker Desktop Enterprise, which lets developers deploy applications to a Kubernetes-conforming environment with automated pipeline integration and centralized IT management;
- Docker Applications, a set of productivity tools for developers;
- Docker Kubernetes Service, which automates management and scale of Kubernetes-based apps and provides security, access control and automated lifecycle management; and
- Docker Enterprise as a Service, a full managed enterprise container service.
Docker advantages and disadvantages
Docker emerged as a de facto standard platform to quickly compose, create, deploy, scale and oversee containers across Docker hosts. Docker allows a high degree of portability so that users can register and share containers over various hosts in private and public environments. Docker benefits include efficient application development, lower resource use and faster deployment compared to VMs.
There are also potential challenges with Docker. The sheer number of containers possible in an enterprise can be difficult to manage efficiently. As use of containers evolves from granular virtual hosting to orchestration of application components and resources, the distribution and interconnection of componentized applications -- which can involve hundreds of ephemeral containers -- is a major hurdle.
In recent years, Docker was supplanted by Kubernetes for container orchestration; however, most Kubernetes offerings actually run Docker behind the scenes.
A historically persistent issue with containers -- and Docker, by synonymous extension -- is security. Despite excellent logical isolation, containers still share the host's operating system. An attack or flaw in the underlying operating system can potentially compromise all of the containers running atop the OS. Vulnerabilities can involve access and authorization, container images, and network traffic among containers. Docker images may retain root access to the host by default, although this is often carried over from third-party vendors' packages.
Docker has regularly added security enhancements to the Docker platform, such as image scanning, secure node introduction, cryptographic node identity, cluster segmentation and secure secret distribution. Docker secrets management also exists in Kubernetes as well as D2iQ, CISOfy Lynis and HashiCorp Vault. Various container security scanning tools have emerged from Aqua, Twistlock, NeuVector and others.
Some organizations run containers within a VM, although containers do not require virtual machines -- this does not solve the shared-resource problem vector, but it does mitigate the potential impact of a security flaw. Another alternative is to use lower-profile or "micro" VMs, which don't require the same overhead as a typical VM; examples include gVisor, Kata Containers and Amazon Firecracker. Above all, the most common and recommended step to ensure container security is to not expose container hosts to the internet, and only use container images from known sources.
Security also was the main selling point for Docker alternatives, particularly CoreOS' rkt. However, Docker has made many strides to improve its security options, while at the same time momentum for those container alternatives has faded.
Docker alternatives, ecosystem and standardization
There are third-party tools that work with Docker for tasks such as container management and clustering. The Docker ecosystem includes a mix of open source and proprietary technologies such as open source Kubernetes, Red Hat's proprietary OpenShift packaging of Kubernetes and Canonical's distribution of Kubernetes referred to as "pure" upstream Kubernetes. Docker competes with proprietary application containers such as the VMware vApp and infrastructure abstraction tools, including Chef.
Docker is not the only container platform available, but it holds the vast majority of the container marketplace. CoreOS rkt, pronounced rocket, is noted for its security with support for SELinux and trusted platform management. Red Hat (now owned by IBM) purchased CoreOS and integrated its functionality into its OpenShift architecture. However, rkt is now an archived project at the Cloud Native Computing Foundation.
Other major container platforms include LXD, which is from Canonical (and its Ubuntu Linux version), and OpenVZ, the oldest of the system container platforms, originally developed by Virtuozzo. OpenVZ combines the small size and high speed of standard containers with the additional security of an abstracted OS layer.
Docker also played a leading role in an initiative to more formally standardize container packaging and distribution: the Open Container Initiative, established to foster a common container format and runtime environment. Other members include over 40 other container industry vendors, including CoreOS, AWS, Intel, Red Hat and Virtuozzo.
Finally, Windows Server 2019 and Windows 10 offer direct support for containers using the Windows container feature based on Docker technology.
Docker company history
Docker was first released as an open source platform in March 2013, under the name dotCloud. Docker Engine 1.0 launched in 2014. In 2016, Docker integrated its swarm orchestration with Docker Engine in version 1.12. Docker's broader goal was to build up its business with container as a service, but eventually these plans were overtaken by the rise of Kubernetes.
Docker Enterprise was introduced in March 2017, and the company also donated its containerd container runtime utility to the Cloud Native Computing Foundation.
In November 2019 Mirantis acquired Docker products and IP around Docker Engine - Enterprise, Docker Trusted Registry, Docker Universal Control Plane and Docker CLI, as well as the commercial Docker Swarm product. Mirantis initially indicated it would shift its focus to Kubernetes and eventually end support for Docker Swarm, but later reaffirmed its intent to support and develop new features for it. The remaining Docker Inc. company now focuses on Docker Desktop, as well as Docker Hub.