Docker vs Rkt (Rocket) – Which one to choose?
In 2013, Docker introduced an easy way to build and ship applications. Currently at version 1.11, Docker is now perhaps the most popular lightweight virtualization (container) technology used by application developers.
However, Docker now has a competitor, rkt (aka Rocket), which takes a different approach to image distribution and to how containers are started. So, what's the difference?
What’s the difference between Docker and Rkt?
The rkt project was started by CoreOS in December 2014, partly in response to concerns about Docker's security model, above all its reliance on a single root daemon. rkt was designed to be a more secure, interoperable and open container runtime than Docker.
Since then, Docker has covered a lot of ground in addressing many of those issues. It is still worthwhile to note how the two platforms differ in their capabilities.
Here’s a list of the top differences:
1. Container image security
A great thing about Docker is that there is a public registry from which anyone can download pre-built, optimized application server images. So, if you want an Nginx server tuned for a Magento web application, you can get one from the Docker registry.
However, there is a hidden danger in this. Nothing about a tag such as nginx:latest proves who built the image: a compromised publisher account, a repointed tag, or a tampered download can substitute an image carrying malware, and the pull will look identical.
Prior to version 1.8, Docker had no way to verify the authenticity of an image. Docker 1.8 introduced Docker Content Trust, which signs image tags with the publisher's keys (via Notary) and verifies those signatures on pull. Note that it is opt-in: the client only enforces it when DOCKER_CONTENT_TRUST=1 is set in its environment, so a default installation still pulls unsigned images without complaint.
In rkt, signature verification is on by default. As soon as an image is fetched, it is checked against the publisher's GPG signature, and an image whose signature is missing or fails to verify is rejected unless you explicitly disable the check with --insecure-options=image.
So, as long as you run Docker 1.8 or later with Content Trust switched on (or pin images by digest), or a current rkt (v1.3 at the time of writing) with its default verification intact, a swapped image is rejected before it ever runs.
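The checks above, as an added example for this post rather than code from the Docker or rkt projects: the Docker pull with Content Trust switched on, a digest-pinned pull, the rkt trust-then-fetch sequence, a CI policy check that rejects references that are not digest-pinned, and the digest comparison that a pull-by-digest performs internally. The registry name, key URL and digests are placeholders, and the "manifest" at the bottom is a constructed file, not a real image.

```shell
#!/bin/sh
# Added example (not Docker's or rkt's own code). registry.example, the key
# URL and the image digests are placeholders, not real published values.

# Docker: Content Trust is OFF unless the client sees this variable.  With it
# set, pulling a tag fails unless the tag carries a valid Notary signature.
pull_signed_tag() {                              # $1 = image:tag
    DOCKER_CONTENT_TRUST=1 docker pull "$1"      # e.g. registry.example/nginx:1.11
}

# Docker: pulling by digest is self-verifying.  Content Trust is not consulted;
# the daemon hashes the manifest it receives and compares it to the digest.
pull_by_digest() {                               # $1 = image@sha256:<64 hex>
    docker pull "$1"
}

# rkt: trust the publisher's signing key once (rkt shows the fingerprint for
# you to confirm), then fetch.  rkt refuses an image whose detached signature
# is missing or does not verify unless you pass --insecure-options=image.
rkt_fetch_verified() {                           # $1 = image prefix, $2 = key file or URL
    rkt trust --prefix="$1" "$2"
    rkt fetch "$1"
}

# CI policy check: accept only digest-pinned references, never a bare tag.
is_digest_pinned() {                             # $1 = image reference
    expr "$1" : '.*@sha256:[0-9a-f]\{64\}$' >/dev/null
}

# What pull-by-digest does internally: hash the bytes actually received and
# compare with the digest you pinned.  Works for a manifest, a layer or an ACI.
verify_blob_digest() {                           # $1 = file, $2 = "sha256:<hex>"
    actual="sha256:$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# Demonstration on a constructed "manifest" (not a real image).
m=$(mktemp)
printf 'hello\n' > "$m"
pinned="sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
verify_blob_digest "$m" "$pinned" && echo "manifest matches pinned digest"
printf '# attacker appended a layer\n' >> "$m"
verify_blob_digest "$m" "$pinned" || echo "manifest tampered: refuse to run"
rm -f "$m"
```

The two network-facing Docker functions are deliberately distinct: Content Trust protects a tag, which can move, while a digest protects exact bytes, which cannot. A deployment manifest that passes is_digest_pinned does not depend on anyone's signing key being intact at pull time.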
2. Preventing “root” privilege escalation attacks
The Docker daemon runs with super-user privileges (aka "root") and starts every container as a child of that privileged process. The issue is that a vulnerability in the daemon, or weak containment, can give an attacker root on the whole server. CVE-2014-9357, where a crafted image archive could run code as root while being extracted, was one such vulnerability.
Sure, Docker has always recommended confining containers with SELinux or AppArmor, but many server owners find it too complicated and skip the step.
rkt took a different approach: there is no long-running root daemon. rkt run is an ordinary process, started directly by the user or by systemd, and the pod it creates is a child of that process rather than of a privileged service. Images can be fetched by an unprivileged user (a member of the rkt group), and rkt supports user namespaces and a KVM-based stage1 so that a container's root need not be the host's root. This shrinks the blast radius of a runtime bug, but it is not an absolute guarantee: with the default stage1, rkt run itself still needs root, and a break-out from a container whose root is host root still yields host root.
As a way to contain this threat, Docker applies a default AppArmor profile (docker-default) to every container on hosts where AppArmor is available, and, since 1.10, a default seccomp profile as well. These restrict what a process inside the container can touch (for example, writes under /proc and /sys, or mounting filesystems) on top of the namespace isolation that keeps one container from seeing another's files or memory.
In addition, user namespaces (the daemon's --userns-remap option, since Docker 1.10) map root inside a container to an unprivileged uid on the host, and containers can be run as a non-root user (--user), with capabilities dropped (--cap-drop) and with privilege escalation through setuid binaries blocked (--security-opt=no-new-privileges). Configured together, these keep a Docker container's root from being the host's root.
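The controls just listed, as an added example for this post (not Docker's or rkt's own code): a hardened docker run invocation, the rkt counterpart, and two checks that tell you from /proc whether a container's root is really the host's root and whether its capabilities are gone. The image name, the subordinate uid range and the daemon.json location are assumptions, and the /proc-style files at the bottom are constructed, not taken from a live host.

```shell
#!/bin/sh
# Added example (not Docker's or rkt's own code).  Image names and uid ranges
# are placeholders; the /proc-style inputs below are constructed.

# Daemon side (assumption: config lives in /etc/docker/daemon.json):
#   { "userns-remap": "default" }
# maps uid 0 in every container to a subordinate uid range on the host.

# Client side: drop everything the application does not need.
run_hardened() {                                # $1 = image
    docker run --rm \
        --user 1000:1000 \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only \
        "$1"
}

# rkt counterpart: no daemon, the pod is a child of this process.  User
# namespaces were experimental at the time, enabled with --private-users.
rkt_run_hardened() {                            # $1 = image
    rkt run --private-users "$1"
}

# Check 1: does container uid 0 map to host uid 0?  Takes a file in
# /proc/<pid>/uid_map format: "<inside> <outside> <count>" per line.
root_is_remapped() {                            # $1 = uid_map file; exit 0 if remapped
    while read -r inside outside count; do
        if [ "$inside" -eq 0 ]; then
            [ "$outside" -ne 0 ] && return 0
            return 1
        fi
    done < "$1"
    return 1                                    # uid 0 not mapped at all
}

# Check 2: effective capability bitmask from /proc/<pid>/status.
# "0000000000000000" means every capability has been dropped.
effective_caps() {                              # $1 = status file
    awk '/^CapEff:/ { print $2 }' "$1"
}

# Demonstration on constructed /proc-style files (not a live host).
uidmap=$(mktemp); status=$(mktemp)
printf '0 0 4294967295\n' > "$uidmap"           # default Docker: no remap
root_is_remapped "$uidmap" || echo "container root IS host root"
printf '0 100000 65536\n' > "$uidmap"           # with userns-remap enabled
root_is_remapped "$uidmap" && echo "container root maps to host uid 100000"
printf 'Name:\tsh\nCapEff:\t0000000000000000\n' > "$status"
echo "CapEff=$(effective_caps "$status")"
rm -f "$uidmap" "$status"
```

On a real host, run the two checks against /proc/<container pid>/uid_map and /proc/<container pid>/status: if root_is_remapped fails and CapEff is not all zeros, a break-out from that container lands an attacker with real root, whichever runtime started it.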