Docker runs on 13 major operating systems, including RHEL, Ubuntu, openSUSE, Arch Linux, and others. However, these are full-featured distributions, and they are overkill for container-based services.
Docker containers need only a limited set of Linux kernel features, but almost all traditional operating systems come pre-loaded with services and kernel features that Docker never uses.
This additional “bloat” translates to unwanted resource usage, extra attack surface to secure and patch, and other maintenance issues. These issues led to the rise of minimal operating systems optimized for containers.
Here we’ll take a look at the top 5 tiny operating systems that could be a good fit for your Docker infrastructure.
1. CoreOS
CoreOS is a production-ready operating system optimized for container hosting. Some of the key features are:
- Service discovery: CoreOS automatically detects a new Docker container that is brought online in the network. So, if a new Docker container running a web server is booted, CoreOS adds it to the production service cluster, enabling faster scaling up of the infrastructure.
- Cluster management: Managing production services spread over a lot of Docker containers can be a pain. CoreOS uses Google’s Kubernetes to tackle this problem. It can be used for load balancing, container replication, and other cluster management functions.
- Auto-updates: CoreOS can be configured to automatically update itself. Using a service called “Locksmithd”, upgrades in a Docker cluster can be configured to avoid service downtime.
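To make the auto-update point concrete, here is an added example (not from the original post, and not CoreOS’s own code) showing the locksmith reboot strategy in /etc/coreos/update.conf: the “reboot” strategy, which lets every node reboot the moment its update is staged, beside the “etcd-lock” strategy, which makes a node take a lock in etcd before rebooting so only a bounded number of nodes are down at once. The lock maximum of 1 is an assumed value for a small cluster; the file path, option names and locksmithctl commands are those documented for locksmith.

```shell
#!/bin/sh
# Added example (not from the original post): the update.conf setting that
# decides how a CoreOS node reboots after an auto-update, weak form beside
# the corrected form. Paths and option names are the documented locksmith
# ones; the cluster size (max one lock) is assumed.

# Weak setting: every node reboots as soon as its update is staged, so a
# whole cluster can go down together.
weak_update_conf() {
  cat <<'EOF'
GROUP=stable
REBOOT_STRATEGY=reboot
EOF
}

# Corrected setting: a node must hold a lock in etcd before rebooting, so
# only a bounded number of nodes are down at any moment.
safe_update_conf() {
  cat <<'EOF'
GROUP=stable
REBOOT_STRATEGY=etcd-lock
EOF
}

# Write the corrected configuration (default path is the CoreOS one;
# pass another path when testing outside a CoreOS host).
write_update_conf() {
  out="${1:-/etc/coreos/update.conf}"
  safe_update_conf > "$out"
}

# Return 0 if the given update.conf uses the lock-based strategy.
uses_etcd_lock() {
  grep -qx 'REBOOT_STRATEGY=etcd-lock' "$1"
}

# On a live node: allow only one reboot lock cluster-wide, restart
# locksmithd so it re-reads update.conf, then show who holds locks.
apply_on_node() {
  write_update_conf
  locksmithctl set-max 1
  systemctl restart locksmithd
  locksmithctl status
}

# The live action is opt-in, so the file can be sourced or tested safely.
if [ "${APPLY_LOCKSMITH:-0}" = "1" ]; then
  apply_on_node
fi
```

Run it with APPLY_LOCKSMITH=1 on a node to apply the setting; without that variable it only defines the functions, and uses_etcd_lock can be pointed at any node’s update.conf to audit the fleet before an update window.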
High-tech – Handle with care
Hurdles in CoreOS setup: CoreOS is built around a series of bleeding-edge web technologies such as service discovery, virtual networking, and distributed services. So, setting up a working CoreOS cluster can get quite complex.
Some common issues that we’ve faced during setup are broken clusters, boot failures, and Docker networking errors. We help customers resolve these errors on a case-by-case basis and build a Docker-CoreOS system that’s tailored for their business needs.
CoreOS maintenance challenges: While things like OS updates and cluster management are easier in CoreOS, it does throw up some unique maintenance challenges. Some of the common ones are authentication errors, storage drive errors, network splits, and more.
Bobcares helps customers maintain a healthy CoreOS environment by monitoring network health parameters 24/7, and providing emergency assistance in case a cluster function fails.
2. Project Atomic / RHEL Atomic Host
Atomic Host is Red Hat’s contribution to minimal operating systems. It is available in RHEL, Fedora and CentOS releases, and has out-of-the-box support for Docker. If you have Red Hat compatible servers, Atomic Host could be the easiest to integrate into your network.
Atomic Host based infrastructure has the following features:
- Fix broken updates: The package manager in Atomic Host (called rpm-ostree) can be configured to allow a software rollback. We’ve found this feature quite useful in production systems where system updates can sometimes break containers. A rollback allows a quick fix that helps restore services.
- Strong security using SELinux: SELinux is a proven access control technology that can be configured to prevent security exploits. Atomic Host has built-in support for SELinux, with which we’ve been able to set up strong container isolation that’s close to hardware-based security.
- Easier management using Cockpit: Cockpit is a web front end to manage Docker containers across multiple servers. This tool makes it easy to monitor and administer your infrastructure from a central location.
Still evolving – Expect system hiccups
Atomic Host setup challenges: Much like CoreOS, Atomic Host also requires a bevy of complex concepts such as Flannel bridges, overlay networking and Kubernetes pods just to set up a basic system. On top of that, many of the steps mentioned in the installation guide may not work for all server environments.
While setting up Atomic Hosts, we’ve faced issues with SELinux permissions, storage setup, and DNS configuration. These errors are specific to the kind of servers used in each infrastructure. When we set up Atomic systems for our customers, we customize the service settings so that these errors are avoided.
Maintenance issues with Atomic Host: Atomic Host is a project that’s still evolving. So, there are occasional system hiccups that can prevent smooth system operation. For example, SELinux prevents the Cockpit management UI from restarting. So, unless you know of this issue, you’ll end up scouring Google for hours on end.
Our techs face these kinds of system glitches all the time. So, when managing Atomic Host systems for our customers, we are able to quickly resolve or prevent these issues, thereby ensuring high system uptime.
3. Snappy Ubuntu Core
Ubuntu joined the container-native operating systems market with the release of Snappy Ubuntu Core. Their stated goal is to deliver a fast, reliable and secure platform for large-scale cloud container deployments.
If your current server infrastructure is based on Debian or Ubuntu, switching to Snappy Ubuntu should be familiar territory for you. The main features of Snappy Ubuntu are:
- Recovery from failed updates: Ubuntu Core can be configured to back up Docker app data before an update. So, even if something goes wrong with an update, it is possible to roll back the system to a previous working state.
- Transactional updates: When updating the system, Ubuntu Core downloads only those parts of the software that changed in the new version. So, updates are fast, and versioned for rollbacks, which improves system reliability.
- AppArmor kernel security: Ubuntu Core uses AppArmor kernel security, which completely isolates applications running in Docker containers using configurable security profiles. So, even if one container has a vulnerability, the other containers are shielded from it.
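As an added example (not part of the original post, and not Ubuntu’s or Docker’s own tooling), here is the kind of configurable profile the AppArmor point refers to: a custom profile for a Docker container on any AppArmor-enabled host, with the commands to load it, start a container under it and confirm that Docker applied it. The profile name, its path under /etc/apparmor.d/containers and the nginx image are assumptions; the rule syntax follows the pattern of Docker’s default container profile.

```shell
#!/bin/sh
# Added example (not from the original post): a custom AppArmor profile for a
# Docker container plus the commands to load it, run a confined container and
# verify the confinement. Profile name, path and the nginx image are assumed.

PROFILE_NAME="docker-web-hardened"
PROFILE_PATH="/etc/apparmor.d/containers/${PROFILE_NAME}"

# Emit the profile. It keeps the allowances a web container needs (network,
# file access, umount) but denies writes to the kernel interfaces exposed
# through /proc and /sys and refuses mount, so a compromised process inside
# the container cannot reconfigure the kernel or remount the filesystem.
write_profile() {
  out="${1:-$PROFILE_PATH}"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<'EOF'
#include <tunables/global>

profile docker-web-hardened flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Allow what a web container normally needs.
  network inet tcp,
  network inet udp,
  file,
  umount,

  # Keep the container from reconfiguring the kernel through /proc and /sys.
  deny @{PROC}/sys/** w,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/** w,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # No mounts from inside the container, even if CAP_SYS_ADMIN is granted.
  deny mount,

  # Log (but still allow) every other write, for detection.
  audit /** w,
}
EOF
}

# Return 0 if the profile file contains the deny rules we rely on.
profile_has_denies() {
  f="$1"
  grep -q '^  deny mount,' "$f" && grep -q 'deny /sys/\*\* w,' "$f"
}

# Load (or reload) the profile into the kernel.
load_profile() {
  apparmor_parser -r -W "$PROFILE_PATH"
}

# Start a container confined by the profile and print the profile Docker
# actually applied (should echo the profile name).
run_confined() {
  cid=$(docker run -d --security-opt "apparmor=${PROFILE_NAME}" nginx)
  docker inspect --format '{{ .AppArmorProfile }}' "$cid"
}

# The live actions are opt-in, so the file can be sourced or tested safely.
if [ "${APPLY_APPARMOR:-0}" = "1" ]; then
  write_profile && load_profile && run_confined
fi
```

Run it with APPLY_APPARMOR=1 on the host to write, load and exercise the profile; denied attempts, and the audited writes, appear in the kernel log as AppArmor messages, which is what makes the isolation observable rather than just configured.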
Low adoption – Issues hard to resolve
Ubuntu Core setup challenges: Unlike CoreOS and Atomic Host, adoption of Ubuntu Core as a Docker host is not yet widespread. So, if you encounter a setup error, there isn’t likely to be a solution described in the docs. You’ll have to trace the issue yourself using logs.
Bobcares helps server owners integrate Ubuntu Core into their infrastructure. Since the issues faced in setup vary from one kind of infrastructure to another, we resolve these errors on a case-by-case basis.
Maintenance issues with Ubuntu Core: Ubuntu Core is a very thin OS, and lacks the usual toolkit of diagnostic packages. In addition, there’s not enough documentation on Docker issues faced in Ubuntu Core. So, if the network fails, or the storage throws an error, it’s hard to trace what’s causing it.
We help our customers prevent Docker infrastructure downtime by closely monitoring Ubuntu Core system parameters 24/7 and by quickly fixing any anomalies.
4. VMware Photon
VMware is a competitor of Docker. So why would VMware build Photon?
Photon is best suited for cloud hosting providers who already have an extensive VMware-based infrastructure. The resource usage savings won’t be as good as a true lightweight container host, but it’s a good trade-off if you want to avoid a major overhaul but still want to use container technology to streamline DevOps. Some of the features of Photon are:
- Container security: Photon is coupled with Project Lightwave, which delivers authentication and authorization mechanisms that support LDAP, Kerberos, SAML and OAuth. Through Lightwave you can make sure that only authorized users can run authorized containers on specific hosts.
- Container isolation: Using Project Bonneville, Docker containers are started in separate hardware-virtualized machines, so that they are fully isolated from one another. A security compromise in one of the containers on the Photon server cannot affect your container under any circumstance. For businesses that have stringent security guidelines, this feature would come as welcome news.
- Central management: If you are already familiar with VMware vCenter Server, you already know how to manage the Photon infrastructure. You can manage the whole Docker infrastructure from a convenient web interface.
5. RancherOS
As they say on their website, “If your primary requirement for Linux is to run Docker, RancherOS might be a good fit”. It is essentially an OS made of Docker containers. It boots up using a Docker container called “System Docker”, and then gives users the ability to create new containers using a sub-process called “User Docker”. Its total size is only 20 MB, which makes it super secure and very stable. The main features of RancherOS are:
- Security through minimalism: It was surreal for me to see that the OS was only 20 MB. With its tiny footprint, RancherOS offers a very small attack surface, and therefore few exploit opportunities. Even if a vulnerability is detected, it can be patched in a jiffy and the container rebooted in less than 5 seconds. From a security point of view this is pretty impressive.
- Simple updates and rollbacks: RancherOS uses Docker packaging to deliver updates to the operating system and all its packages. This makes updates very fast, and easy to roll back if needed.
Conclusion
Major vendors are realizing the importance of container-native operating systems to power Docker-based infrastructure. Depending on your current server technology and DevOps capabilities, there’s now a range of minimal operating systems to choose from.
However, none of these systems offer a smooth ride, and if you want to try them out, you’d be well advised to seek the services of an experienced server management company.