August 18, 2017

Containers are faster. Containers work only on Linux. Containers are insecure. These are all examples of myths about Docker and other container platforms that continue to persist.

Some of these misconceptions reflect popular misunderstandings of containers. Others are based on information that was once accurate, but is no longer true. Either way, these myths are important to clear up if you want to deploy containers effectively.

Myth 1: Docker is Synonymous with Containers

Docker is an open-source project that made containers popular, and Docker the company (which is not the same thing as the open-source project) has helped draw the financial support to the container ecosystem that will be necessary for making containers a commercial success.

However, Docker did not invent containers. LXC, Solaris Zones and other container technologies existed long before Docker came along. Nor is Docker the only company developing containers; Virtuozzo is doing the same thing.

This is all to say that, while Docker is an important presence in the container ecosystem, containers involve more than just Docker.

Myth 2: Containers Only Work on Linux

This used to be true. Earlier this year, however, Docker extended native support to certain Windows platforms, which means Docker containers can run directly on Windows, with no virtualization required. Other container frameworks, such as LXC and OpenVZ, remain Linux-only technologies, but this is no longer true of Docker.

Myth 3: Containers are Faster than Virtual Machines

Applications inside containers do not run significantly “faster” than they do on virtual machines. While in theory containerized processes run just as fast as they do on the host, containers introduce overhead in other areas, which impacts performance. (See this IBM report for some interesting data on this topic.) And since modern virtual machine hypervisors deliver performance that is only about 2 percent slower than bare metal, there is not much room for improvement in this regard in the first place.

What containers can do that virtual machines can’t, however, is distribute resources on the host server more efficiently. Unlike virtual machines, a container does not monopolize a certain amount of memory, storage space or CPU time whenever it is running. Containers also don’t have to duplicate an entire operating system in order to run a single app. This doesn’t necessarily translate into more speed for applications. But it can in circumstances where system resources are limited.

Containers do usually start more quickly than virtual machines. You can’t deny that. But startup time is not the same thing as application performance.

Myth 4: Containers are Hard to Set Up

In the earlier days of Docker—and before came along in the first place and simplified the LXC framework—setting up containerized infrastructure was hard. But it’s not today. Container-as-a-service, or CaaS, platforms now make it pretty easy to set up a Docker environment, whether you want to run your containers in the cloud or on premises.

To be sure, getting started with Docker is not as simple as clicking a button. You still have to understand how containers work and know how to administer Docker to use a CaaS platform. But you don’t have to build everything from scratch.

Myth 5: Containers Aren’t Secure

The notion that containers are not secure is based largely on the fact that containerized applications run under the same hood as the host operating system. This theoretically makes it easier to escalate privileges from inside a container to take control of the host server or other containers. Virtual machines are not subject to that vulnerability.

Yet, this design aspect of container platforms doesn’t make them fundamentally insecure. It just means that in a certain respect, containers lack a security mechanism that virtual machines don’t lack. Docker developers have worked hard to mitigate this risk, and there has been no evidence of people exploiting it in the wild.

Plus, in other ways, containers have become much more secure over the past year. Registries now can be secured using scanners such as Clair and Docker Security Scanning, and kernel security modules such as AppArmor and SELinux can help keep containers more secure.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.