Introduction
Docker is considered "the standard" when it comes to containers. Almost everyone knows the term "Docker" and often uses it as a synonym for containers. Docker itself had quickly gained widespread use due to a good product and good timing. Container images are often also referred to as "Docker Images" - but this is not correct:
These are OCI images which work with any (OCI compatible, the actual standard for containers) container runtime - like CRI-O or containerd.
Docker itself is a complete technology stack. The container runtime itself is "containerd". However, a lot has been developed around it, such as a user interface for developers and much more. These things, on the other hand, we do not need in scalable container and Kubernetes environments.
Docker is currently (still) relatively widespread - however, this product has an expiration date in the Kubernetes environment. Specifically, Docker has been deprecated since Kubernetes v1.20 and support for Docker via "dockershim" will be discontinued in Kubernetes v1.24.
What is "dockershim"?
The first Kubernetes versions were based on Docker as the container runtime. However, due to its great openness, which is also the basis for its innovative ability, the Kubernetes project changed to a construct based on plug-ins and interfaces. This change gave rise to, among other things, the Container Runtime Interface, or CRI. The CRI has been the interface for container runtimes in Kubernetes since 2016 - and Docker does not support CRI.
For this reason, "dockershim" was implemented. Via dockershim, the container runtime "containerd" can be addressed as a kind of "wrapper" via the CRI:
This setup is not very efficient and can be made leaner and more efficient:
SUSE Rancher RKE1 and RKE2
SUSE Rancher RKE1 is a rock-solid, mature and decent, but (relatively) old Kubernetes distribution based on Docker technology. FullStackS has used RKE1 so far for reasons of robustness and consistently had very good experiences with it.
The successor to RKE1 is RKE2 - also robust and mature - and also very strongly hardened in terms of security (FIPS-140, CIS 1.6) and RKE2 is based on containerd.
Why did FullStackS previously use RKE1 and now recommends using RKE2?
The reason is that the new cluster API for deploying Kubernetes downstream clusters in SUSE Rancher was in the so-called "Tech Preview" until version v2.6.3:
With the following SUSE Rancher releases, the new cluster API based provisioning of RKE2 (and K3S) clusters became "GA".
The new provisioning is also perfectly integrated into our modular Infrastructure as Code platform for SUSE Rancher on any environment (on-prem, edge and cloud) and can be used immediately.
In our lab, we have developed, tested and finalized the integration over the last few months.
We consistently recommend using RKE2 and actively avoiding Docker in new projects for building new downstream clusters starting with the release of SUSE Rancher v2.6.4.
In addition, our FullStackS Terraform modules meet all requirements for CIS 1.6 "hardened / restricted" & FIPS-140 compliant Kubernetes clusters.
Interested? Please contact us!
TL;DR
Docker does not support CRI the interface for container runtimes in Kubernetes
Docker has an expiration date in terms of support and technology
RKE2 offers higher security in addition to "robustness".
Comments