CID/Docker

Notes on Docker

Docker is a set of tools and wrappers around Linux namespaces, cgroups, and networking.

It can be a very useful tool for CI builds, providing an advanced caching mechanism, ephemerality (every build starts from a clean, disposable environment), and composable build environments.

You can define containers which are baked into images, from text files called “Dockerfiles”. They are similar in some ways to both makefiles and shell scripts, though with a far more limited syntax than either.

A core feature of docker is “layer caching”, which is used extensively throughout its tooling.

We can take advantage of docker’s caching abilities to speed up our CI builds.
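As an added illustration (not from the original notes), here is a Dockerfile arranged to get the most out of layer caching in a CI build. The project name, paths, and the fetch-deps.sh script are made up. Docker turns each instruction into a layer and reuses the cached layer as long as the instruction text and any files it copies are unchanged, rebuilding from the first changed layer onward; so the slow, rarely changing steps go first and the frequently changing source tree is copied last.

```dockerfile
# Constructed example: CI build image for a hypothetical C project.
# Each instruction produces a layer. Docker reuses a cached layer when the
# instruction and the files it references have not changed since the last
# build, and rebuilds everything from the first changed layer downward.
FROM debian:10

# 1. Toolchain install: slow and rarely changed, so it sits at the top.
#    update + install in a single RUN keeps the package index and the
#    packages in one layer, so a stale cached index is never paired with
#    a fresh install. The list cleanup keeps the layer small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends build-essential pkg-config \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /src

# 2. Dependency lock file and the (hypothetical) fetch script only.
#    Copying just these means the RUN below is re-executed only when the
#    lock file or script changes, not on every edit to the source tree.
COPY deps.lock scripts/fetch-deps.sh ./
RUN ./fetch-deps.sh deps.lock

# 3. The full source tree changes on every commit, so it is copied last:
#    only the layers from here down are rebuilt per CI run. Keep a
#    .dockerignore beside the Dockerfile so .git and build output do not
#    enter the build context and needlessly invalidate this layer.
COPY . .
RUN make -j"$(nproc)" && make check
```

If the toolchain line is edited, everything below it is rebuilt; if only a source file changes, the first two stages come straight from cache and only the final COPY and make run.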

Another benefit of using docker is the ability to run the build in different ABIs, toolchains, and distro environments without having to virtualize an entire machine.

Of course, there are some less favourable things to be aware of concerning Docker:

Dockerhub

Though it is possible to create docker images completely from scratch, it’s common practice and generally more useful to build your containers on top of so-called “base images”. A base image is usually just a basic rootfs. Almost all Linux distros have official base images which are maintained upstream. Unfortunately, most of these are stored on dockerhub.com, a centralized service run by Docker the company.

It is possible to build base images ourselves from source. We could do this in the future to improve security, by removing Dockerhub from the pipeline.
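An added example, not from these notes, of an interim mitigation short of building base images ourselves: pinning the base image by content digest instead of by mutable tag, so that the build fails loudly if what Dockerhub serves under that name ever changes. The digest below is a placeholder; the real one is printed as “Digest: sha256:…” by docker pull, and is also shown under RepoDigests in docker inspect. The label keys are made up.

```dockerfile
# Constructed example. A tag such as "debian:10" is a mutable pointer that
# the registry (or anyone able to push to that repository) can move to a
# different image at any time. The @sha256 form names the exact image
# content instead, so the build refuses anything else.

# Weak form (tag only, resolves to whatever the registry serves today):
# FROM debian:10

# Pinned form. PLACEHOLDER digest: replace with the real value printed by
# "docker pull debian:10" on a trusted machine, then commit it.
FROM debian:10@sha256:0000000000000000000000000000000000000000000000000000000000000000

# Record the tag the digest was taken from, since the digest alone is
# opaque to whoever reads this file later. (Label keys are constructed.)
LABEL org.example.base.tag="debian:10" \
      org.example.base.pinned="true"

RUN apt-get update \
 && apt-get install -y --no-install-recommends build-essential \
 && rm -rf /var/lib/apt/lists/*
```

The trade-off is that a pinned digest freezes the rootfs: security fixes published to the debian:10 tag are not picked up until someone bumps the digest deliberately, so the pin needs a routine (and reviewed) refresh. Pinning only narrows the trust placed in Dockerhub to “serve the bytes we already verified”; building the base image from source, as suggested above, removes that dependency entirely.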

Host kernel

Even though you may be using a Debian 10 rootfs, with Linux containers you are just running in a different namespace of the host kernel. If you are trying to do any kernel-specific testing, you cannot switch kernels using docker.

Docker “weirdness”

Even though docker containers are running on the host system’s Linux kernel, and no machine virtualization is occurring, there are occasionally situations where a program behaves differently inside a docker container than it does in a regular Linux environment. This can be for many different reasons, sometimes related to bugs in cgroups or namespaces themselves, and sometimes due to docker’s tooling. Bugs like these typically present themselves when running programs which heavily interact with the underlying kernel, and less so with userland programs.

TODO

Further discuss security