|Cloud Foundry Containers - a comparison of Warden and Docker||James Bayer||10/9/13 5:48 PM|
Primarily Alex Jackson from the Cloud Foundry engineering team has put together an analysis that we believe presents a very objective comparison of the capabilities of Warden and Docker. There is also a brief mention of the new lmctfy project from Google. If you are interested in this area, please review and let us know if you have adjustments or additions that should be made. The doc should be available for public comments using GDocs or you may reply on this thread.
The Cloud Foundry team has no immediate plans to take action in code based on this analysis, but it will help inform future direction options. We are currently using Warden in several places:
- end user app process isolation in DEAs
- the recently usable bosh-lite development env for BOSH that targets a Linux Host with Containers for BOSH development instead of an IaaS with VMs
In the past, several data multi-tenant data services like Redis, Mongo, etc. that are not planned to be maintained actively by the CF Team had used Warden to isolate the service processes provisioned for dedicated tenants.
We welcome any input from the community on the current analysis and also as to what additional container capabilities are requested.
|Re: [vcap-dev] Cloud Foundry Containers - a comparison of Warden and Docker||Dr Nic Williams||10/9/13 6:01 PM|
The cf-services-contrib-release & cf-services-release are also using Warden for some of the services to provide isolation (especially for those services that do not have multi-tenancy).
|Re: [vcap-dev] Cloud Foundry Containers - a comparison of Warden and Docker||Dr Nic Williams||10/9/13 6:02 PM|
Sorry, couldn't Undo that fast enough after reading the disclaimer sentence on services.
|Re: [vcap-dev] Cloud Foundry Containers - a comparison of Warden and Docker||Andrea Campi||10/9/13 7:09 PM|
Can you or Alex elaborate on:
How does Docker handle users and the “root” user in the container?
Docker runs processes as root inside the container. If you want/need a different user, you can create it when preparing the image and then use 'su' as usual.
Did you have a more complex scenario in mind?
|Re: [vcap-dev] Cloud Foundry Containers - a comparison of Warden and Docker||solomo...@dotcloud.com||10/9/13 7:26 PM|
On Wednesday, October 9, 2013 7:09:36 PM UTC-7, Andrea Campi wrote:
Docker can drop privileges to the uid of your choice with 'docker run -u' (there is a corresponding configuration field in the remote API). As a convenience it will also look up non-numerical user ids by parsing /etc/passwd in the container's filesystem (if it exists).
The default uid is 0.
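An added example, not part of the original thread and not Docker's own code: a Python sketch of the user resolution described in the message above, usable as an audit check for which uid a given `-u` value ends up as. The function names, the `rootfs` parameter and the sample passwd entries are assumptions made for illustration. It shows that a non-numeric name is mapped by the image's own /etc/passwd, so a harmless-looking name can still resolve to uid 0.

```python
import os
import tempfile


def resolve_uid(user_spec, rootfs):
    """Return the uid a container process would get for a `-u` value.

    user_spec: the value passed to `docker run -u`, or None if the flag is absent.
    rootfs: path to an unpacked container filesystem (assumption of this sketch).
    """
    if not user_spec:
        return 0  # the thread states the default uid is 0
    if user_spec.isdecimal():
        return int(user_spec)  # numeric ids need no lookup
    passwd = os.path.join(rootfs, "etc", "passwd")
    if not os.path.isfile(passwd):
        raise LookupError("no /etc/passwd in image, cannot resolve %r" % user_spec)
    with open(passwd) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            # passwd format: name:password:uid:gid:gecos:home:shell
            if len(fields) >= 3 and fields[0] == user_spec and fields[2].isdecimal():
                return int(fields[2])
    raise LookupError("user %r not found in image /etc/passwd" % user_spec)


def runs_as_root(user_spec, rootfs):
    """Audit helper: True when the resolved uid is 0, whatever the name looks like."""
    return resolve_uid(user_spec, rootfs) == 0


def make_sample_rootfs():
    """Build a constructed rootfs with a sample /etc/passwd for the demo."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
        fh.write("web:x:1000:1000::/home/web:/bin/sh\n")
        fh.write("app:x:0:0::/srv/app:/bin/sh\n")  # non-root name, uid 0
    return root


if __name__ == "__main__":
    rootfs = make_sample_rootfs()
    for spec in (None, "1000", "web", "app"):
        print(spec, "->", resolve_uid(spec, rootfs), "root:", runs_as_root(spec, rootfs))
```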
|Re: Cloud Foundry Containers - a comparison of Warden and Docker||Christopher Ferris||10/10/13 11:50 AM|
Awesome, thanks James for bringing this forward.
I know there's a lot of interest here, in IBM, in this subject as I am sure there is with others in the community.
|Re: Cloud Foundry Containers - a comparison of Warden and Docker||Brian Martin||10/10/13 12:06 PM|
Thanks James, I added some comments to your Google Doc.
IBM Cloud Services