Docker Alternatives

Docker has started a revolution with its easy access to Linux containers: Containerized applications, microservices, DevOps, GitOps, and Kubernetes are noticeably spreading. But then suddenly it says “Docker support in [kubernetes] is now deprecated and will be removed in a future release”.

What does this mean for you and your work with containers? With Kubernetes? For starters, the good news is that you don’t have to change much at all. This blog briefly outlines existing alternatives, categorizes them, and provides a brief example for developers. Those interested in more details should take a look at our Docker training.

What are the alternatives to Docker?

A Google search for Docker alternatives quickly yields an extensive list:

• buildah
• buildkit
• by hand: skopeo, ostree, runc
• containerd
• cri-o
• ftl
• img
• k3c
• kaniko
• (lxc)
• (OpenVZ)
• orca-build
• packer
• podman
• pouch
• (rkt)
• source-to-image

Which alternative is suitable for what?

Those who have already dealt with the subject know that this is a motley mix. Some of the tools listed no longer correspond to the current technical status. In addition, cri-o, for example, serves a completely different target group than kaniko. Tools that do not play a role are in parentheses. rkt had launched the company CoreOS even before Red Hat bought it. It has since been discontinued as a project. Linux Containers (lxc) and OpenVZ also do not fit into this set. Both are aimed at operating system virtualization – as opposed to the Docker-type “application containers”.

Categorization

The Open Container Initiative (OCI) has been around since 2015. This project of the Linux Foundation provides specifications for images and runtimes. Images must therefore contain the files that the application in the container requires at runtime. The runtime must create containers from it. Previously, Docker served both requirements. Now we distinguish between tools that build images and those that make these images run as containers. The OCI standards ensure that, for example, image-build with kaniko and Kubernetes with cri-o are a valid combination.

Backend in Kubernetes

From the list, cri-o and containerd are good as container runtimes in the Kubernetes cluster. And only as that. Both provide an API that addresses Kubernetes via what is known as the container runtime interface (CRI). They can download images from registries and start and stop containers. Docker can do that and more – that’s why there’s an intermediate layer for Kubernetes: docker-shim. This effectively restricts the Docker API to what Kubernetes needs and customizes the API calls. This intermediate layer was previously a core component of Kubernetes. That it won’t be in the future is the statement of the opening quote from the Kubernetes release notes.

cri-o is a completely new implementation of the Runtime. It is named after the container runtime interface and the Open Container Initiative (cri + oci = cri-o). It equips containers with fewer of the so-called capabilities than Docker – permissions that the kernel assigns to processes, such as the right to modify file owners. Those who have made use of the extended capabilities Docker offers so far might run into problems here.

In this case, containerd might be a good choice. This is more or less the core of Docker, but somewhat stripped down. The direct path leads from Docker to here: containerd uses the same libraries as Docker and you can assume that nothing changes during operation.

In Build-Pipelines

The big innovation is that different tools are used for construction and operation. The OCI specification ensures that this works. But, how smoothly does it happen? At this point, once again: Docker will continue to exist and quite excellently continue to build container images. It keeps its bugs for the most part: It is a central daemon that is allowed quite a lot. In our training, we explain, among other things, how to set up a Docker-in-Docker “rootless” service. This allows developers to build container images in isolation from the infrastructure and fellow users.

My container projects are all in the form of Dockerfiles. I am following approaches that cannot deal with this in theory only so far. Please note: There is nothing wrong with taking an approach that does not use Dockerfiles, I just prefer a way without migration. In addition, most projects – including those of our customers – are in this form, which is, in a sense, a standard.

GitLab pipeline with different executors

The Dockerfile and all other necessary data are located in a Git repository. At ATIX, we use GitLab, which comes with a CI/CD pipeline. If you add a .gitlab-ci.yml to the repository, the image build and push will start automatically after each git push. This additional file contains the instructions on how to create an image from the repository. Participants of our training set this up themselves and work with it in order to get to know the described approaches in detail. Of course, the following can be applied to other systems. I would like to present two approaches here with examples: kaniko and buildah.

Cloud-native: kaniko

A modern approach is provided by kaniko, which fits naturally into pipelines that also run in a Kubernetes cluster. The following .gitlab-ci.yml builds an image from the Dockerfile and uploads it to GitLab’s built-in registry.