The Docker Hype: Definition, Best Practices, and Security
In a world of constant technological innovation and improvement, it takes a lot to stand out from the crowd, but this is exactly what Docker is doing right now.
What is Docker?
Docker provides containerized applications, meaning applications which come in pre-packaged environments with everything they need to run.
The beauty of Docker containers is their portability—dependency problems for developers become a thing of the past because applications no longer depend on the machines on which you run them. The infrastructure and OS are abstracted away from the application, letting you run a Docker container anywhere without worrying about different application behavior on disparate machines.
Docker containers are one of the hottest trends in software right now—a report by Datadog found Docker adoption increased by 40 percent in just one year. Essentially, Docker containers allow you to run more applications on existing hardware, and they make it much easier for developers to create, ship, and deploy apps.
In this article you’ll find out about some best practices for using Docker. You’ll also get an overview of Docker security concerns, and some tips on how to use Docker safely (before you dive in, see this post with some interesting best practices regarding Docker security).
Docker Best Practices
Whether your organization already uses Docker or you plan to jump on the bandwagon, below are some best practices to use this container technology more effectively.
1. Simplify Your Ecosystem
It’s easy to end up with a volatile and complex ecosystem of containers when using Docker. Generally, the simpler your ecosystem is, the better. Always run different processes in different containers, and if you have services which are dependent on each other, run such services by linking two or more containers as opposed to combining them in one container.
2. Understand Docker Images and Dockerfiles
To run a service/application using a Docker container, you first begin with a snapshot of that container, which is called an image. Images contain the file system and configuration of your application or service. For example, a typical image might be the Apache HTTP web server with PHP installed on it.
An image is created when a user instructs Docker to build one from a Dockerfile. A Dockerfile is simply a text document containing the commands used to build an image. The commands in our trivial example would be to grab an Apache web server image and install PHP.
The subtle point that often confuses beginners to Docker is that containers and images are similar but not identical—a Docker container is a running instance of an image.
3. Minimize Image Sizes
Larger images take longer to load into local hardware memory when one attempts to run these images as containerized apps or services. Therefore, it’s important to keep Docker images as small as possible. Docker recommends several ways of doing this, but at the bare minimum, always ensure you start with the right parent image when building a Dockerfile.
For example, say you want to build and run a Java application in Docker. To achieve this, you’ll require the Java platform. Instead of building an image with Ubuntu and running Java on it, you can minimize the image size by ignoring Ubuntu and starting with the official openjdk parent image, an open-source implementation of the Java Platform. In this case, Ubuntu would’ve wasted local resources and made the image unnecessarily large.
Another tip for minimizing image sizes is not installing unnecessary files, libraries, or updates that are not essential for running your desired service or application.
4. Avoid Storing Data In Containers
One of Docker’s most emphasized guidelines is you should build containers that you can stop, destroy, or replace. Always design apps to write data to some physical data volume instead of keeping the data inside the container.
Docker security is one of the most important considerations when running Docker containers. In a world of increasingly sophisticated cyber attacks, Docker containers can be exploited to get access to host systems or other containers, where cyber criminals can wreak havoc via a range of attacks such as kernel exploits and denial-of-service (DoS).
In 2017, Docker had to patch a privilege escalation vulnerability which allowed hackers to affect operations of a host from inside a container. These threats and vulnerabilities scare people, and rightly so.
However, Docker security is generally excellent, especially if you follow the recommended best practices, such as the following:
- When pulling a parent image from any registry, always use trusted official images.
- Always scan pre-built containers for vulnerabilities before using them.
- Enable content trust, which ensures all data received from and sent to remote registries of Docker images is digitally signed.
- Consider using a third-party Docker security tool for added peace of mind.
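The first and third recommendations above can be checked mechanically before a build. The shell script below is an added example, not code from the original article: it classifies the parent image on every FROM line of a Dockerfile and reports whether the Docker client has content trust switched on through DOCKER_CONTENT_TRUST. It assumes the default registry is Docker Hub, where official images are the ones referenced without a namespace; the sample Dockerfile and the names acme/tools and registry.example.com are constructed.

```shell
#!/bin/sh
# Added example: classify the parent images of a Dockerfile (assumes Docker Hub as default registry).
# classify_image prints scratch, stage, variable, official or third-party for the
# image reference in $1, given the space-separated names of earlier stages in $2.
classify_image() {
    name=${1%%@*}                                      # drop an @sha256:... digest
    case ${name##*/} in *:*) name=${name%:*} ;; esac   # drop a :tag, keep a registry :port
    case $name in
        scratch) echo scratch;  return ;;
        *'$'*)   echo variable; return ;;              # FROM ${BASE}: cannot be judged statically
    esac
    case " $2 " in *" $name "*) echo stage; return ;; esac
    case $name in
        docker.io/library/*|library/*) echo official ;;
        */*)                           echo third-party ;;  # user namespace or another registry
        *)                             echo official ;;     # bare name resolves to library/<name>
    esac
}

# Print "<kind> <image>" for every FROM line. Return 1 if any parent image is
# third-party or variable, i.e. needs an explicit trust decision.
audit_dockerfile() {
    file=$1; stages=""; rc=0
    while read -r instr rest; do
        case $instr in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
        set -f; set -- $rest; set +f                   # split into words without globbing
        while [ $# -gt 0 ]; do case $1 in --*) shift ;; *) break ;; esac; done  # skip --platform=...
        kind=$(classify_image "$1" "$stages")
        echo "$kind $1"
        case $kind in third-party|variable) rc=1 ;; esac
        case $2 in [Aa][Ss]) stages="$stages $3" ;; esac    # remember "AS <stage>"
    done < "$file"
    return $rc
}

# The Docker client enforces content trust when DOCKER_CONTENT_TRUST is set to 1.
content_trust_enabled() { [ "${DOCKER_CONTENT_TRUST:-0}" = 1 ]; }

# Constructed sample input; the image names and the digest are placeholders.
sample_dockerfile() { cat <<'EOF'
FROM --platform=linux/amd64 openjdk:17 AS build
FROM acme/tools:latest AS tools
FROM registry.example.com:5000/team/base@sha256:0000
FROM build
FROM scratch
EOF
}
tmp=$(mktemp) && sample_dockerfile > "$tmp"
audit_dockerfile "$tmp" || echo "review the parent images flagged above"
content_trust_enabled || echo "DOCKER_CONTENT_TRUST is not set to 1"; rm -f "$tmp"
```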
The tech world is positively buzzing about Docker for many good reasons. Docker containers allow organizations to run more apps with less infrastructure, facilitating dramatic savings in terms of reduced infrastructural requirements.
With all its moving parts and initial complexity, Docker can seem time-consuming and unnecessarily complex. However, once it’s up and running, Docker dramatically simplifies the deployment process for developers when they build their apps, leading to much shorter development cycles in line with today’s fast-paced development mindset.
It’s important not to jump straight into the deep end with Docker. Take your time to study the best practices, and read in-depth about the Docker security issues outlined above so that you are fully prepared for this technology.