Difference with Docker?


mjk...@gmail.com

Mar 31, 2014, 5:33:09 PM3/31/14
to sandst...@googlegroups.com
Hi,
Could you explain to me what the differences are between Docker and Sandstorm?
I have never used either; I'm interested in Sandstorm for future web app development, but I know Docker has similarities, at least in the packaging system or something like that.

My current understanding is that

As a non-expert both in these techs and in Linux-specific development (I'm a C++ dev mostly, making games and digital narratives), it would be nice to have an explanation of the differences between the two, maybe on the website (like on the well-documented Cap'n Proto website).

Kenton Varda

Mar 31, 2014, 5:55:00 PM3/31/14
to Joel Lamotte, sandst...@googlegroups.com
Hi Joel,

Docker and Sandstorm both use the same underlying Linux kernel features for containerization, but things get pretty different above that.

Docker aims to let you put a standard Linux distribution like Ubuntu or Debian into a container.  When you run the container, the entire filesystem is mutable, e.g. you can install new packages.  You can shell into the container and use it exactly like you would a Linux VM.  The container might have multiple users, daemons that run full-time, cron jobs, etc.

Sandstorm aims to create an environment where the only way you ever interact with an app is through your web browser.  The intent is that a non-tech-savvy end user should be able to operate their Sandstorm server intuitively.  Moreover, Sandstorm is designed to allow much finer-grained containers.  When running Etherpad on Sandstorm, each document actually lives in an isolated container.

This leads to several very different design choices:
- Containers only run while you have them open in your browser.  Once you close the browser, the container is shut down, and then restarted the next time you return.  (This implies that containers have to start up very fast.)
- Most of the container's filesystem is read-only, so that all containers can share common files (such as the application binary).  Only /var is writable, and that's where it stores data specific to the particular document.
- Containers do not usually run any background daemons.  Just a web server for the app itself.
- Containers do not use OS-level user accounts.
- HTTP requests going into the container must pass through the Sandstorm front-end, which handles authentication and access control so that the application doesn't have to.  Thus apps are easier to write and many kinds of possible security bugs in apps are avoided.

You're right that I should cover this on the web site or readme somewhere.  I'll put that on my todo list.

-Kenton



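The last design choice above (all HTTP requests enter the container through a front-end that handles authentication and access control) is worth seeing in code. The following is an added example, not Sandstorm's own code: a small Python model of an authenticating front-end in front of an app container. The header names (`X-Frontend-User-Id`, `X-Frontend-Permissions`), the `Session` type and the request functions are assumptions made for the illustration. The point it demonstrates is that the front-end must strip any identity headers the client supplies before injecting its own, and that the app must be reachable only through the front-end for the scheme to hold.

```python
"""Model of an authenticating front-end in front of a sandboxed web app.

Added example, not Sandstorm's code. The header names and the Session type
are assumptions chosen for this illustration.
"""
from dataclasses import dataclass

# Hypothetical headers the front-end uses to tell the app who the user is.
IDENTITY_HEADERS = ("X-Frontend-User-Id", "X-Frontend-Permissions")
_IDENTITY_LOWER = {h.lower() for h in IDENTITY_HEADERS}


@dataclass
class Session:
    """What the front-end knows about an authenticated user (constructed)."""
    user_id: str
    permissions: frozenset


def forward_headers(client_headers: dict, session: Session) -> dict:
    """Build the header set the front-end forwards into the container.

    Any identity header the client sent is dropped (case-insensitively), so
    only the front-end can assert the user's identity and permissions.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in _IDENTITY_LOWER}
    forwarded["X-Frontend-User-Id"] = session.user_id
    forwarded["X-Frontend-Permissions"] = ",".join(sorted(session.permissions))
    return forwarded


def app_handle(path: str, headers: dict) -> tuple:
    """Inside the container: the app does no login of its own and trusts the
    front-end's headers. Returns (status, body)."""
    user = headers.get("X-Frontend-User-Id")
    perms = set(filter(None, headers.get("X-Frontend-Permissions", "").split(",")))
    if user is None:
        return 401, "no identity"
    if path.startswith("/edit") and "write" not in perms:
        return 403, "read-only"
    return 200, f"hello {user}"


def frontend_request(path: str, client_headers: dict, session) -> tuple:
    """The only intended path into the container: authenticate, then forward."""
    if session is None:
        # Unauthenticated traffic never reaches the app at all.
        return 401, "login required"
    return app_handle(path, forward_headers(client_headers, session))


if __name__ == "__main__":
    # Constructed sample: a read-only user tries to assert "write" themselves.
    reader = Session("alice", frozenset({"read"}))
    print(frontend_request("/edit/doc1", {"X-Frontend-Permissions": "write"}, reader))
```

The last line of the `__main__` block is the check a practitioner cares about: a client-supplied permissions header is discarded and the read-only session still gets 403. Calling `app_handle` directly with forged headers would succeed, which is exactly why the container's only network path must be the front-end.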

Klaim - Joël Lamotte

Apr 1, 2014, 9:49:18 AM4/1/14
to sandst...@googlegroups.com
Thanks Kenton, it helps.
However, I will need to find a definition of "container" to clarify my thoughts, because I'm having doubts about my understanding of what it actually is.
So far I considered a container (which you are talking about) as an isolated environment which allows having an application not impacting the whole system (like a browser plugin sandbox).
From what you say I understand that Docker does that by simulating the whole system inside the container so that the application has the illusion of using the whole system.
Then Sandstorm pushes the concept to a finer grain, by basically instantiating containers for smaller things like web sessions?
And adds a lot of useful things for people just wanting to make web apps.

Is my understanding roughly correct?

Kenton Varda

Apr 1, 2014, 5:16:17 PM4/1/14
to Klaim - Joël Lamotte, sandst...@googlegroups.com
Right.  A container is an isolated environment in which some code runs without affecting or being affected by the rest of the system.  I actually usually use the word "sandbox", but Docker uses "container" probably because they don't emphasize the security aspects as much as Sandstorm does.

It turns out that a typical web server just doesn't need most of the stuff that is installed on a typical Linux system, so we can cut the fat inside the container in order to make containers finer-grained.

-Kenton