I'm excited for rkt. The first time I spun up docker, it complained about the daemon not running. Huh? Ok, spun up the daemon (root, of course) and now the main docker commands work.

Wait, I have to run a daemon as root to run my containers, which all are also going to be run under the same root process? Alarm bells are ringing.

Having a tool that runs containers in isolated processes is much more appealing to me, and seems much more correct and true to the very nature of containerization.



Containers are isolated processes, and don't need root. Docker needs root to give them elevated privileges if you require this, and to set up iptables and so on.


Please don't shrug this off so easily. With a vulnerability in the Docker daemon (and no software is 100% free of bugs) he is in more danger than before containerization.


This 1000 times. It's also an issue being a single failure point more generally. If the daemon doesn't perform, it can affect every single container running on the system. Competing systems that use a less monolithic approach are very, very welcome.