When to use Docker alternatives rkt and LXD
Docker can't meet the needs of every IT scenario. LXD and CoreOS rkt are additional container formats to try out when Docker doesn't make sense.
There are probably five to 10 times more Docker containers in use than the total of all the other container options available, but Docker alternatives prove a better approach for some applications.
Before an IT organization deploys containers -- and at any point where its container use suggests it should revisit the selection of platforms and tools -- the team must evaluate available technologies against deployment factors, such as security and OS overhead. Compared with the alternatives, Docker isn't the walkaway winner for every application.
Fly a rkt ship to containers
The prime Docker alternative is the CoreOS rkt framework, designed to improve container security and operation of the container environment. CoreOS rkt also takes a more Linux-friendly, distributed approach to container deployment and management than Docker.
The rkt container platform addresses two major problems with Docker security. First, Docker creates a privilege escalation risk: it starts new containers from a root process, which allows malware to break out and obtain root or administrative privileges, which opens everything to hacking. In rkt, new containers don't launch from a root process and can't break out to become privileged. Second, the rkt catalog is secure by default; with Docker, users must take extra steps to authenticate containers. The open catalog process in Docker could allow an organization to catalog malware containers for use.
Operationalization of rkt container deployment relies on the CoreOS Linux distribution and the popular container orchestration tool Kubernetes.
The CoreOS Linux distro is lightweight and optimized for container hosting. There's no incentive or capability to mix in missions other than containerization, and there's no need to administer other features. CoreOS rkt can reduce the rate of changes to OS and middleware, as well as the risk of version compatibility problems.
CoreOS pods are a version of the pods that Kubernetes uses, which makes it easier to develop a uniform container and component clustering strategy for such applications.
No app delivery -- no problem
LXD, pronounced lex-dee, is a Docker alternative for Canonical's Ubuntu Linux distribution. The primary virtue of LXD is simplicity; it's a container hypervisor that doesn't include the application delivery framework as seen in both Docker and rkt. LXD is easier to integrate with virtualization frameworks, such as OpenStack, or with general DevOps tools, such as Chef and Ansible. LXD is a functional expansion of the LinuxContainers.org LXC container infrastructure project.
LXD provides low-level platform features, such as online snapshots and live migration for container redeployment -- features that Docker or rkt handle less elegantly, external to the container hosting layer. LXD also uses unprivileged container deployment, and it has similar container security and operationalization benefits to rkt.
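A host-side check for the property discussed here and in the rkt section above, whether root inside a container is also root on the host, as an added example that is not part of the original article. It parses the Linux `/proc/<pid>/uid_map` format (first ID inside the namespace, first ID on the host, range length); the function names and sample maps are constructed for illustration.

```python
"""Classify a container by how its root user maps onto the host.

Input is the text of /proc/<pid>/uid_map for a process inside the container.
Each line is: <first ID inside namespace> <first ID on host> <range length>.
"""
from typing import Optional


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Return (inside_start, host_start, length) tuples, skipping blank lines."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_uid(text: str, inside_uid: int) -> Optional[int]:
    """Translate a UID seen inside the container to a host UID, or None if unmapped."""
    for inside, host, length in parse_uid_map(text):
        if inside <= inside_uid < inside + length:
            return host + (inside_uid - inside)
    return None


def root_status(text: str) -> str:
    """'privileged' if container root is host root, else 'unprivileged' or 'unmapped'."""
    mapped = host_uid(text, 0)
    if mapped is None:
        return "unmapped"
    return "privileged" if mapped == 0 else "unprivileged"


# Constructed sample maps (not captured from a real host).
SAMPLES = {
    "initial-namespace": "         0          0 4294967295\n",  # identity map: root is host root
    "shifted-range": "         0    1000000      65536\n",      # root lands on an unprivileged host UID
    "no-root-mapping": "      1000       1000          1\n",    # UID 0 has no mapping at all
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {root_status(text)} (uid 0 -> {host_uid(text, 0)})")
```

On a live host, pass the contents of `/proc/<pid>/uid_map` for a container's init process to `root_status`; a result of `privileged` means a process that escapes the container as UID 0 is UID 0 on the host.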
LXD represents a sort of midpoint between containers and VMs -- a way to deploy a container that is a complete machine image. The application context of that deployment is entirely outside of LXD. In other words, LXD is not a container option for beginners.
LXD users must wrap this lower-level tool into their own higher-layer application delivery framework to deploy, redeploy and manage application containers. An organization with an app delivery framework already in use, for example, with virtual machines, should consider LXD containers. Otherwise, expect to invest significant effort to reap the benefits of this Docker alternative.
Open container laws
Docker and CoreOS both contribute elements of the companies' software to the Open Container Initiative (OCI). Neither has contributed the entire platform, and the OCI's goal at present is not to create a single, standard container model. But it's likely the work will at least make migration between these two container approaches easier.
The right container platform
Containers are just one element in an application delivery strategy. The right container choice depends on the app team's specific strategy, including deployment and redeployment, security and governance, and application performance management. Understand how each container option -- Docker, rkt or LXD -- fits into that strategy, and what additional tools each would require.
From this summary of Docker alternatives, it should be clear that, for most users, a container model selection process should begin with the question: Why not Docker? It's the most popular container architecture, and the technology is actively evolving to address the issues where Docker alternatives excel, such as security.
The deciding factor on whether the rkt or LXD approach is better than Docker is whether a prospective user has a sophisticated application delivery framework and experience with the tools to sustain it. It's possible that a Docker alternative will integrate more easily with that framework. Look at CoreOS rkt if you have intermediate-level skills and tools, and LXD if you're an expert with a highly sophisticated application delivery framework.
Evaluate the rationale for a highly secure container architecture, weighed against the downsides. The security features of rkt are more natively available than those of Docker; LXD's are even more so. The cost of the additional LXD security is that complex add-on set of application delivery tools. If you can't pay that price, look at rkt as the best Docker alternative.