Xen
Anton Piskunov, 2016-01-04 03:54:23

What are the problems if Docker is used as a replacement for KVM/XEN?

Everyone is going to flame me now, but still :)
Hello.
So, let's say there is a cluster of ten physical machines, each running 30-50 virtual machines. Virtual machines for clients, for development, in general a zoo; the cloud is not private. How all of this works when KVM/XEN/etc. is used is clear.
The question is what can go wrong if Docker is used instead of virtualization, and Docker is used not as prescribed ("one container - one service") but for everything, like a full-fledged virtual machine.

  1. What are the security threats?
  2. What are the resource limits?
  3. What are the limits on capabilities?

All of this is asked in comparison with KVM (or XEN/etc. if you have no experience with KVM; that is also interesting).
UPD: We have set up KVM. We had to tinker a little with iptables, but we can live with that. It works stably.

1 answer(s)

mrobespierre, 2016-01-04

1. Security is not easy. You need a good person with knowledge of SELinux/AppArmor to manually isolate containers from each other. As far as I know, LSM is not enabled in Docker by default (it's a sieve). With the KVM/libvirt combination it is configured out of the box; you only need to enable it in the config.
2. With limits, things are not easy either. Docker uses cgroups. In general, they work, especially CPU and memory (although when I played with them there were certain problems: for example, memory was limited, but the full amount was still visible, which misled some applications). The disk "controller" turned on but in fact did not work (and under load it is the most important one, at least for me). I could not limit the network at all (in the case of a DDoS, for example, it is better for the target machine to have 100 Mbps). With the KVM/libvirt combination, everything is configurable and everything works.
At that point I gave up on Docker and can't say anything about its capabilities. This data may be out of date (Docker is being actively developed). In my opinion, Docker is a great toy for programmers, but completely unsuitable for serious production. In addition, there are excellent controllers for KVM/libvirt: OpenNebula and CloudStack, which scale well from 10 to 1000 hosts (or more). Are there any comparable ones in terms of convenience and functionality for Docker? Not sure.
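The memory problem mrobespierre describes (the cgroup limit applies, but `/proc/meminfo` inside the container still shows the host's full RAM) is easy to check for yourself. The script below is an added example written for this page, not code from the thread or from Docker; it compares `MemTotal` from `/proc/meminfo` with the cgroup memory limit (`memory.max` for cgroup v2, `memory.limit_in_bytes` for v1) and reports which of the two actually bounds the container. The sample `meminfo` text and limit values are constructed for the demonstration; the cgroup file paths are the standard mount locations and are assumed to be where your host mounts them.

```python
"""Compare the memory a container *sees* with the memory it is *allowed*.

Added example for the Docker-vs-KVM discussion; not part of the original post.
The sample inputs below are constructed, not captured from a real host.
"""
import os

# cgroup v1 reports this huge sentinel when no memory limit is set;
# anything at or above 2**62 is treated as "unlimited" here.
_UNLIMITED_THRESHOLD = 1 << 62

# Standard locations (assumed: depends on how cgroups are mounted on the host).
CGROUP_V2_LIMIT = "/sys/fs/cgroup/memory.max"
CGROUP_V1_LIMIT = "/sys/fs/cgroup/memory/memory.limit_in_bytes"


def parse_meminfo_total_bytes(meminfo_text):
    """Return MemTotal from /proc/meminfo text, converted from kB to bytes."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) * 1024
    raise ValueError("MemTotal not found in meminfo text")


def parse_cgroup_limit_bytes(limit_text):
    """Return the cgroup memory limit in bytes, or None when unlimited.

    cgroup v2 memory.max contains a number or the literal 'max';
    cgroup v1 memory.limit_in_bytes contains a number (a sentinel if unset).
    """
    text = limit_text.strip()
    if text == "max":
        return None
    value = int(text)
    return None if value >= _UNLIMITED_THRESHOLD else value


def effective_memory_limit(meminfo_text, cgroup_limit_text):
    """Return (effective_limit_bytes, is_cgroup_bound).

    is_cgroup_bound is True when the cgroup limit is smaller than what
    /proc/meminfo advertises, i.e. an application trusting MemTotal will
    overestimate the memory it can use.
    """
    total = parse_meminfo_total_bytes(meminfo_text)
    limit = parse_cgroup_limit_bytes(cgroup_limit_text)
    if limit is None:
        return total, False
    return min(total, limit), limit < total


def read_live():
    """Read the real files on this host, trying cgroup v2 first, then v1."""
    with open("/proc/meminfo") as fh:
        meminfo = fh.read()
    for path in (CGROUP_V2_LIMIT, CGROUP_V1_LIMIT):
        if os.path.exists(path):
            with open(path) as fh:
                return effective_memory_limit(meminfo, fh.read())
    return effective_memory_limit(meminfo, "max")


# Constructed sample: a 64 GiB host as seen from inside a container.
SAMPLE_MEMINFO = (
    "MemTotal:       67108864 kB\n"
    "MemFree:        12345678 kB\n"
    "MemAvailable:   45678901 kB\n"
)
# Constructed sample: the container was started with a 512 MiB limit.
SAMPLE_LIMIT_512M = "536870912\n"

if __name__ == "__main__":
    limit, bound = effective_memory_limit(SAMPLE_MEMINFO, SAMPLE_LIMIT_512M)
    print("effective limit: %d MiB, cgroup-bound: %s" % (limit // 2**20, bound))
```

The mismatch this exposes is what misleads JVM-style runtimes that size their heap from `MemTotal`: the kernel enforces the 512 MiB cgroup limit, but the process plans for 64 GiB and gets OOM-killed.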
