Docker Done Right


July 21, 2015

Yes, that is a bold statement. The Docker application containment architecture is all the rage right now and FreeBSD just may prove to be the ultimate Docker platform thanks to its 15+ years of containment experience and the unrivaled OpenZFS file system.
As one Twitter user put it, “#docker has now had more security issues within a year than #freebsd #jails has had since 2000. Good job #techbros.”
Indeed, Docker has never been pitched as a security technology, but rest assured: Docker on FreeBSD institutionally imprisons and secures Docker images using FreeBSD’s proven Jail infrastructure. FreeBSD Jails have been used in production since their inception to contain applications and full systems, and they are exactly what Docker needs. Docker itself has migrated away from Linux LXC containers in favor of the cross-platform libcontainer, and of all the pluggable choices, FreeBSD’s Jail stands out as one of the best. FreeBSD also offers the bhyve and Xen hypervisors to provide yet more options for containing your Linux-native and FreeBSD-native Docker deployments.
Then comes storage. Docker images are designed to be read-only and disposable until instructed otherwise. If only there were a file system that institutionalized lightning-fast snapshotting and cloning…
That file system exists! It’s called OpenZFS and FreeBSD has supported it since FreeBSD 7.0. This not only means you get the institutionalized snapshotting and cloning that suit Docker so well, but also the unrivaled data integrity protection that OpenZFS offers. If you care about your data, you care about OpenZFS.
Hands-on Docker
To try Docker on FreeBSD, you will need a recent snapshot such as 10.2 BETA or 11-CURRENT. Note that you should change “zroot” to match your system’s zpool.

# pkg install docker-freebsd ca_root_nss
# zfs create -o mountpoint=/usr/docker zroot/docker
# service docker onestart
Starting docker…
# docker pull centos
# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
centos              latest              7322fbe74aa5        4 weeks ago         172.2 MB
# docker run -t -i centos /bin/bash
[root@ /]# uname -a
Linux 2.6.32 FreeBSD 11.0-CURRENT #5 r285594: Tue Jul 14 23:30:11 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Suddenly… CentOS!
Where the wheels really hit the pavement is with a peek under the hood at the Jail and ZFS output of our Docker Jail and OpenZFS dataset:

# jls
   JID  IP Address      Hostname                      Path
     3  172.17.0.3                                    /usr/docker/zfs/graph/920bc5fbb45c
# zfs list
NAME                                                                                USED  AVAIL  REFER  MOUNTPOINT
zroot/docker                                                                        119M   107G  6.02M  /usr/docker
zroot/docker/03a7a57df9197f242484375c4bc2149248ded5aaafc4feb8e472d6774d495530         8K   107G   112M  legacy
zroot/docker/03a7a57df9197f242484375c4bc2149248ded5aaafc4feb8e472d6774d495530-init   128K   107G   112M  legacy

This output should be familiar to FreeBSD users and is becoming familiar to more and more GNU/Linux users every day.
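The jls and zfs list output above is also what an operator audits to see which containers are live jails and which datasets are only stored layers. The script below is an added example, not code from the post or from docker-freebsd: it reads the two outputs and, assuming from the post that a container's writable dataset sits beside an "<id>-init" clone (plain image layers have no such clone) and that its jail is rooted under /usr/docker/zfs/graph/<id>, reports each dataset as an image layer, a stopped container, or a running container with its jail ID and address. The two sample outputs embedded in it are constructed, not captured.

```shell
# Added example (not from the post): pair docker-freebsd ZFS datasets with jails.
# Assumed layout, from the post's output: zroot/docker/<id> plus zroot/docker/<id>-init
# for each container, jail path /usr/docker/zfs/graph/<id>. Samples are constructed.
tab=$(printf '\t')

# Constructed sample of: zfs list -H -o name,used,mountpoint -r zroot/docker
SAMPLE_ZFS=$(printf '%s\t%s\t%s\n' \
  zroot/docker 119M /usr/docker \
  zroot/docker/7322fbe74aa50000000000000000000000000000 112M legacy \
  zroot/docker/03a7a57df9197f242484375c4bc2149248ded5aaafc4feb8e472d6774d495530 8K legacy \
  zroot/docker/03a7a57df9197f242484375c4bc2149248ded5aaafc4feb8e472d6774d495530-init 128K legacy \
  zroot/docker/920bc5fbb45c0000000000000000000000000000 12K legacy \
  zroot/docker/920bc5fbb45c0000000000000000000000000000-init 128K legacy)

# Constructed sample of: jls -h jid ip4.addr path   (-h prints a header line)
SAMPLE_JLS=$(printf '%s\n' 'jid ip4.addr path' \
  '3 172.17.0.3 /usr/docker/zfs/graph/920bc5fbb45c')

# docker_jail_report ZFS_OUTPUT JLS_OUTPUT ROOT_DATASET -- one line per dataset:
# "<id> image-layer", "<id> container stopped <used>" or
# "<id> container running <used> jid=<n> ip=<addr>"
docker_jail_report() {
  zfs_out=$1; jls_out=$2; root=$3
  printf '%s\n' "$zfs_out" | while IFS="$tab" read -r name used mnt; do
    case "$name" in
      "$root"|*-init) continue ;;              # skip the root and the -init clones
      "$root"/*) id=${name#"$root"/} ;;
      *) continue ;;
    esac
    # a dataset with an <id>-init sibling is a container's writable layer
    if ! printf '%s\n' "$zfs_out" |
         awk -F '\t' -v n="$root/$id-init" '$1 == n { f = 1 } END { exit !f }'; then
      printf '%s image-layer\n' "$id"; continue
    fi
    # live when a jail is rooted in its graph directory; jls may show the full
    # or the short id, so test whether the path's last component prefixes the id
    jail=$(printf '%s\n' "$jls_out" | awk -v id="$id" 'NR > 1 {
      n = split($3, p, "/"); if (index(id, p[n]) == 1) print "jid=" $1 " ip=" $2 }')
    if [ -n "$jail" ]; then
      printf '%s container running %s %s\n' "$id" "$used" "$jail"
    else
      printf '%s container stopped %s\n' "$id" "$used"
    fi
  done
}

docker_jail_report "$SAMPLE_ZFS" "$SAMPLE_JLS" zroot/docker
```

On a real host, feed it `zfs list -H -o name,used,mountpoint -r zroot/docker` and `jls -h jid ip4.addr path` instead of the samples.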
For an expanded example of Docker on FreeBSD, consult the FreeBSD Wiki:
https://wiki.freebsd.org/Docker
FreeBSD is poised to be the go-to Docker platform thanks to FreeBSD’s proven Jail and OpenZFS features, and iXsystems has shipped over ten thousand systems with the best support for these features available anywhere. We can also build out your GNU/Linux-based Docker deployment and ship thousands of GNU/Linux systems every year. Give us a call to learn how we can take your Docker deployment to the next level and beyond.
Michael Dexter
