Docker without Docker

Even though most of our users deliver software to us as Docker containers, we don’t use Docker to run them. Docker is great, but we’re high-density multitenant, and despite strides, Docker’s isolation isn’t strong enough for that. So, instead, we tra

Thomas Ptacek
13 min read · advanced

Overview

The article 'Docker without Docker' discusses how Fly.io runs Docker container images on their hardware without using Docker itself. Instead, they utilize Firecracker micro-VMs for better isolation and performance, explaining the process of pulling, managing, and running OCI images efficiently.

What You'll Learn

1. How to pull and manage OCI images without Docker
2. Why Firecracker micro-VMs provide better isolation for container workloads
3. How to implement a custom Docker registry for multi-tenant applications

Prerequisites & Requirements

  • Basic understanding of containerization and Docker concepts
  • Familiarity with command line tools and APIs (optional)

Key Questions Answered

How does Fly.io run Docker containers without Docker?
Fly.io uses Firecracker micro-VMs to run Docker container images instead of Docker itself. This approach allows for better isolation and performance in a high-density multi-tenant environment, addressing the limitations of Docker's isolation capabilities.
What is an OCI image and how is it structured?
An OCI image is a standardized container format that consists of a stack of tarballs, each representing a layer of the image. These layers are created from a Dockerfile, where each command generates a tarball that contributes to the final image structure.
What steps are involved in building and running VMs from container images?
The process involves pulling the container image, creating a loop device to hold the root filesystem, unpacking the container's layers onto that loop device, and configuring the VM with the necessary components (the init system and network settings) before booting it with Firecracker.
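The "stack of tarballs" answer above glosses over how the layers become one root filesystem: each layer is applied on top of the previous ones, and a layer can delete lower-layer files only through OCI whiteout entries. The following added example (not code from the Fly.io article) builds two constructed in-memory layers and flattens them the way an unpacker would, honoring both the `.wh.NAME` and the opaque `.wh..wh..opq` markers; the sample paths and contents are made up for the demonstration.

```python
import io
import tarfile

WHITEOUT_PREFIX = ".wh."        # ".wh.NAME" removes NAME (and its subtree) from lower layers
OPAQUE_MARKER = ".wh..wh..opq"  # hides every lower-layer entry beneath its directory

def make_layer(files):
    """Build one uncompressed layer tarball from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def flatten_layers(layer_blobs):
    """Apply layer tarballs bottom to top; return {path: bytes} of the merged rootfs.
    Whiteouts are applied before a layer's own files so they only hide lower layers."""
    rootfs = {}
    for blob in layer_blobs:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            additions = {}
            for m in tar.getmembers():
                parent, _, name = m.name.rpartition("/")
                prefix = parent + "/" if parent else ""
                if name == OPAQUE_MARKER:            # check first: it also starts with ".wh."
                    victims = [p for p in rootfs if p.startswith(prefix)]
                elif name.startswith(WHITEOUT_PREFIX):
                    target = prefix + name[len(WHITEOUT_PREFIX):]
                    victims = [p for p in rootfs if p == target or p.startswith(target + "/")]
                elif m.isfile():                     # directories/symlinks omitted for brevity
                    additions[m.name] = tar.extractfile(m).read()
                    continue
                else:
                    continue
                for p in victims:
                    del rootfs[p]
            rootfs.update(additions)
    return rootfs

def build_sample_image():
    """Constructed image: the upper layer edits a file, deletes a log, replaces a directory."""
    lower = make_layer({"etc/config": b"v1", "app/old.log": b"stale",
                        "app/cache/a": b"x", "app/cache/b": b"y"})
    upper = make_layer({"etc/config": b"v2", "app/.wh.old.log": b"",
                        "app/cache/.wh..wh..opq": b"", "app/cache/c": b"fresh"})
    return [lower, upper]
```

Because a whiteout only takes effect when layers are merged, scanning a single layer tarball never shows the final filesystem; unpack the full stack before inspecting what a VM will actually boot.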

Key Actionable Insights

1. Consider using Firecracker micro-VMs for applications requiring strong isolation and fast startup times.
   Firecracker's lightweight nature allows for quick scaling of applications, making it ideal for serverless architectures and environments where performance is critical.
2. Implement a custom Docker registry to manage multi-tenant applications effectively.
   By wrapping Docker's registry API with authorization middleware, you can ensure secure and organized access to container images across different user organizations.
3. Utilize OCI images for better compatibility and standardization across different container runtimes.
   Understanding the structure of OCI images can help in optimizing image management and deployment strategies, especially in multi-cloud environments.

Common Pitfalls

1. Failing to manage layer duplication in OCI images can lead to larger image sizes.
   Since OCI images are built from layers, small changes in files can cause entire layers to be duplicated, increasing storage costs and deployment times.

Related Concepts

OCI images
Firecracker micro-VMs
Docker registry
Multi-tenancy in container management