Docker
Docker is a container platform that lets applications, including their dependencies, run isolated within lightweight software containers. Within modern OT and Industrial Automation environments, Docker is increasingly used for Edge Computing, industrial data integration, protocol gateways, MQTT brokers, OPC UA services, analytics and Soft PLC platforms.
Docker plays an important role in the shift from traditional hardware-based OT infrastructures to software-defined and cloud-native automation architectures. This brings IT platforms and industrial control environments closer together within IT OT Convergence.
Unlike classic Virtualisation, Docker does not virtualise full operating systems but rather applications and processes. This makes containers significantly lighter, faster and more scalable than traditional virtual machines.
⚙️ Basic principles of Docker
Docker uses containerisation to run applications isolated within shared kernel resources of the host operating system.
A Docker container contains:
- application code
- libraries
- runtime dependencies
- configuration
- network definitions
- file systems
Application
│
Docker Container
│
Docker Engine
│
Host Operating System
│
Hardware
Unlike a Hypervisor, Docker shares the kernel of the host OS.
Benefits:
- low overhead
- fast startup
- efficient resource use
- high scalability
🏗️ Important Docker components
| Component | Function |
|---|---|
| Docker Engine | Container runtime |
| Docker Image | Read-only application template |
| Container | Running instance |
| Dockerfile | Build definition |
| Registry | Image repository |
| Docker Compose | Multi-container orchestration |
| Volume | Persistent storage |
| Network | Virtual container communication |
📦 Docker Images
A Docker image contains all components needed to run an application.
Images consist of layers:
Base OS Layer
│
Runtime Layer
│
Application Layer
│
Configuration Layer
Benefits of layered images:
- efficient storage
- fast distribution
- caching
- reusability
Within OT, images are often used for:
🧠 Containers versus virtual machines
| Property | Docker Containers | Virtual Machines |
|---|---|---|
| Virtualisation level | Application | Full OS |
| Overhead | Very low | High |
| Start time | Seconds | Minutes |
| Resource use | Efficient | Heavier |
| Isolation | Process-based | Hardware-level |
| Real-time performance | Better | Depends on hypervisor |
| Flexibility | High | High |
| Security isolation | Lower | Stronger |
Within OT, containers are often combined with Virtualisation.
⚡ Docker within OT
Docker is increasingly used in Industrial Automation.
Typical OT workloads
| Workload | Containerisable |
|---|---|
| MQTT Broker | Yes |
| OPC UA Gateway | Yes |
| Historian | Yes |
| SCADA components | Partly |
| Edge analytics | Yes |
| AI inferencing | Yes |
| Protocol converters | Yes |
| Soft PLC | Limited |
📡 Docker and Edge Computing
Within Edge Computing, Docker is virtually dominant.
Edge devices often run multiple containers:
Edge Device
├── MQTT Broker
├── OPC UA Gateway
├── Historian
├── AI Analytics
└── Dashboard
Benefits:
- local processing
- protocol conversion
- offline operation
- easy updates
- scalability
Containers make edge platforms very flexible.
🔌 Industrial communication
Docker containers commonly communicate via:
- MQTT
- OPC UA
- HTTP
- HTTPS
- Modbus TCP
- REST APIs
Common OT container services:
| Service | Function |
|---|---|
| Mosquitto | MQTT broker |
| Node-RED | Workflow automation |
| InfluxDB | Time-series database |
| Grafana | Visualisation |
| Telegraf | Data collection |
| Ignition Edge | Edge SCADA |
☁️ Docker and cloud-native OT
Docker forms the foundation for cloud-native OT architectures.
Important concepts:
- microservices
- immutable infrastructure
- Infrastructure as Code
- CI/CD
- orchestration
- edge-native OT
Containers can run:
- on-premises
- on edge gateways
- in private cloud
- in public cloud
- in hybrid OT environments
🔄 Docker Compose and orchestration
For multi-container applications, Docker Compose is often used.
Example:
SCADA Stack
├── MQTT Broker
├── Historian
├── Grafana
└── OPC UA Gateway
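The stack sketched above, written out as a Docker Compose file. This is an added example, not a file from the original page: the image tags, the gateway image name, the mounted Mosquitto configuration and the secrets directory are assumptions. The broker sits on both a field-facing network and an internal backend network, so the historian and dashboard are never reachable from the plant network, and every stateful service keeps its data in a named volume.

```yaml
# Added example (not from the original page): Docker Compose definition for
# the SCADA stack sketched above. Image tags, the gateway image name, the
# mounted config files and the secrets directory are assumptions.
services:

  mqtt-broker:
    image: eclipse-mosquitto:2.0
    # The broker is the only service reachable from the field network;
    # publish the TLS listener only, plain 1883 stays inside the stack.
    ports:
      - "8883:8883"
    volumes:
      - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro  # assumed to exist
      - ./mosquitto/certs:/mosquitto/certs:ro                           # broker cert + key
      - mosquitto-data:/mosquitto/data                                  # retained messages
    networks: [ot-field, ot-backend]
    restart: unless-stopped

  opcua-gateway:
    # Hypothetical image name; a real deployment pins a digest from the private registry.
    image: registry.example.internal/opcua-gateway:1.4.2
    environment:
      MQTT_BROKER_URL: mqtt://mqtt-broker:1883                   # service name resolves on ot-backend
      OPCUA_ENDPOINT: opc.tcp://plc-line1.example.internal:4840  # assumed PLC endpoint
    depends_on: [mqtt-broker]
    networks: [ot-field, ot-backend]
    restart: unless-stopped

  historian:
    image: influxdb:2.7
    environment:
      DOCKER_INFLUXDB_INIT_MODE: setup
      DOCKER_INFLUXDB_INIT_ORG: plant
      DOCKER_INFLUXDB_INIT_BUCKET: process-data
      DOCKER_INFLUXDB_INIT_USERNAME: historian-admin
      # The *_FILE variant reads the value from a mounted secret (assumed to be
      # supported by the image version used) so no password sits in this file.
      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influx_password
    secrets: [influx_password]
    volumes:
      - influx-data:/var/lib/influxdb2   # historian data survives container replacement
    networks: [ot-backend]
    restart: unless-stopped

  grafana:
    image: grafana/grafana:10.4.0
    environment:
      GF_SECURITY_ADMIN_USER: dashboard-admin
      GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana_password  # Grafana's __FILE convention
    secrets: [grafana_password]
    ports:
      - "127.0.0.1:3000:3000"   # localhost only; a TLS reverse proxy in front serves operators
    volumes:
      - grafana-data:/var/lib/grafana
    depends_on: [historian]
    networks: [ot-backend]
    restart: unless-stopped

networks:
  ot-field: {}                 # reachable by PLCs and edge gateways
  ot-backend:
    internal: true             # no route off the host; stack-internal traffic only

volumes:
  mosquitto-data: {}
  influx-data: {}
  grafana-data: {}

secrets:
  influx_password:
    file: ./secrets/influx_password     # assumed files, kept out of version control
  grafana_password:
    file: ./secrets/grafana_password
```

`docker compose up -d` starts the four services; `docker compose down` stops them while the named volumes, and therefore the historian and dashboard state, remain until removed explicitly with `docker compose down -v`. The `internal: true` network is the cheap form of segmentation: only services that also join `ot-field` can be reached from outside the host.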
Larger environments use orchestration platforms:
- Kubernetes
- K3s
- OpenShift
- Docker Swarm
Within OT, lightweight orchestration at the edge is growing especially fast.
🧪 Test and OTAP environments
Docker is ideal for:
- OTAP
- development environments
- simulation
- test labs
- protocol testing
- digital twins
Benefits:
- reproducible environments
- fast deployment
- rollback options
- easy snapshots
This allows engineers to simulate complex OT stack environments locally.
⚡ Performance considerations
Containers usually deliver better performance than traditional Virtualisation.
Benefits
| Property | Effect |
|---|---|
| Shared kernel | Low overhead |
| Lightweight runtime | Fast startup |
| Efficient memory use | High density |
| Fast scaling | Flexibility |
Possible bottlenecks
Real-time OT workloads require careful tuning.
🧠 Docker and real-time OT
Containers are not real-time by default.
Challenges:
- scheduler latency
- kernel contention
- interrupt handling
- timing variation
For real-time applications, the following are used:
- real-time Linux
- CPU pinning
- isolated cores
- real-time scheduling
- TSN networks
For high-speed Motion Control, dedicated real-time platforms often remain necessary.
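The tuning measures listed above (CPU pinning, isolated cores, real-time scheduling) map onto a few Compose settings. The following is an added example and not from the original page; it assumes a host that already boots a PREEMPT_RT kernel with cores 2 and 3 removed from the general scheduler (`isolcpus=2,3 nohz_full=2,3` on the kernel command line), a Docker daemon started with a real-time budget (`--cpu-rt-runtime`), and a hypothetical Soft PLC image.

```yaml
# Added example (not from the original page): Compose settings for a
# latency-sensitive container. Assumes a PREEMPT_RT host with cores 2-3
# isolated and a hypothetical Soft PLC image; NIC name and subnet are assumed.
services:
  soft-plc:
    image: registry.example.internal/soft-plc:2.3.0   # hypothetical image
    cpuset: "2-3"            # CPU pinning: only the isolated cores
    cap_drop: [ALL]          # start from zero capabilities ...
    cap_add:
      - SYS_NICE             # ... and add only what SCHED_FIFO needs
    ulimits:
      rtprio: 99             # the process may request a real-time priority
      memlock: -1            # unlimited mlock, avoids page-fault jitter without CAP_IPC_LOCK
    # Real-time group scheduling budget in microseconds; needs CONFIG_RT_GROUP_SCHED
    # and a daemon started with a matching --cpu-rt-runtime.
    cpu_rt_runtime: 950000
    cpu_rt_period: 1000000
    security_opt: [no-new-privileges:true]
    read_only: true
    tmpfs:
      - /tmp
    networks: [fieldbus]
    restart: unless-stopped

networks:
  fieldbus:
    driver: macvlan          # direct attachment to the TSN/fieldbus NIC, bypassing the bridge
    driver_opts:
      parent: eth1           # assumed NIC name
    ipam:
      config:
        - subnet: 192.168.10.0/24
```

The `cap_drop`/`cap_add` pair is the point to check in review: real-time containers are often handed `privileged: true` because "it needs to set priorities", when `SYS_NICE` plus the two ulimits is all the scheduler calls require. Measuring the result (cyclictest inside the container against the same test on the host) is what decides whether the workload stays in a container or, as the text notes for high-speed motion control, moves to a dedicated platform.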
🔒 Cybersecurity risks
Docker introduces new OT Security challenges.
Important risks
| Risk | Impact |
|---|---|
| Container breakout | Host compromise |
| Malicious images | Malware |
| Insecure registries | Supply-chain attacks |
| Privileged containers | Escalation |
| Exposed APIs | Unauthorised access |
| Shadow containers | Invisible workloads |
Containers significantly enlarge the attack surface of OT environments.
🛡️ Hardening of Docker in OT
Important security measures:
- minimal base images
- image signing
- immutable containers
- non-root containers
- RBAC
- MFA
- network isolation
- secrets management
- image scanning
- runtime monitoring
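The rows of the risk table and the measures above, shown as an added example on a single service. This is not from the original page: the same Node-RED workflow container is defined twice, first as it often ends up on an edge box, then with the hardening applied. The image tag, the digest placeholder, the paths and the names are assumptions.

```yaml
# Added example (not from the original page): the same Node-RED service,
# weak and hardened. Tags, the digest placeholder, paths and names are assumptions.
services:

  # --- Weak definition: each line maps to a row in the risk table; do not deploy ---
  nodered-weak:
    image: nodered/node-red:latest        # unpinned, unsigned: image can change under the tag
    privileged: true                      # all capabilities and devices: container breakout
    network_mode: host                    # no network isolation from the host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # Docker API handed to the workload
      - ./nodered-data:/data
    # no user, no limits, no read-only root filesystem

  # --- Hardened definition ---
  nodered:
    # Pin by digest so the tag cannot drift; the digest is a placeholder to be
    # replaced with the value recorded in the private registry at signing time.
    image: nodered/node-red:3.1@sha256:<digest-recorded-in-private-registry>
    user: "1000:1000"                     # non-root (uid 1000 is the image's node-red user)
    read_only: true                       # immutable root filesystem
    tmpfs:
      - /tmp                              # scratch space the runtime may still need
    volumes:
      - nodered-data:/data                # the only writable path: flows and credentials
    cap_drop:
      - ALL                               # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true            # setuid binaries cannot raise privileges
    pids_limit: 256                       # bounds runaway process creation
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 512M
    ports:
      - "127.0.0.1:1880:1880"             # editor UI only through a local reverse proxy or VPN
    networks:
      - ot-backend
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:1880"]
      interval: 30s
      timeout: 5s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    restart: unless-stopped

networks:
  ot-backend:
    internal: true

volumes:
  nodered-data: {}
```

Two of the weak lines deserve a specific check in an OT audit: `privileged: true` and a mounted `/var/run/docker.sock` each make the container equivalent to root on the host, so `docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.Binds}}'` over every running container is a quick way to find "shadow containers" that bypass the hardening list.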
Additional OT measures:
📦 Docker registries
Images are stored in registries.
Public registries
- Docker Hub
- GitHub Container Registry
Private registries
Within OT, private registries are often required because of security requirements.
Benefits:
- controlled images
- supply-chain control
- internal validation
- Compliance
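A private registry for an OT site, as an added example that is not from the original page. It runs the official `registry` image with TLS and htpasswd authentication so that edge devices only pull images an engineer has pushed and validated internally; the hostname, certificate paths and the htpasswd file are assumptions.

```yaml
# Added example (not from the original page): private image registry with
# TLS and basic auth. Hostname, certificate paths and htpasswd file are assumed.
services:
  registry:
    image: registry:2.8
    ports:
      - "5000:5000"
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.example.internal.crt
      REGISTRY_HTTP_TLS_KEY: /certs/registry.example.internal.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "OT Registry"
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd   # bcrypt entries, created with htpasswd -B
      REGISTRY_STORAGE_DELETE_ENABLED: "true"       # allows withdrawing a bad image
    volumes:
      - ./certs:/certs:ro
      - ./auth:/auth:ro
      - registry-data:/var/lib/registry             # image layers persist here
    read_only: true
    tmpfs:
      - /tmp
    cap_drop: [ALL]                                 # port 5000 needs no capability
    security_opt: [no-new-privileges:true]
    restart: unless-stopped

volumes:
  registry-data: {}
```

Docker hosts that should trust this registry need the issuing CA certificate at `/etc/docker/certs.d/registry.example.internal:5000/ca.crt`; after that, `docker login registry.example.internal:5000`, `docker tag` and `docker push` work as with a public registry, and a `docker pull` from an edge device that fails authentication is visible in the registry log rather than silently served from Docker Hub.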
🧩 Docker within Unified Namespace architectures
Docker is widely used within Unified Namespace environments.
Typical stack:
MQTT Broker
│
Sparkplug Gateway
│
Historian
│
Analytics
│
Dashboard
Each component runs as a separate container.
Benefits:
- scalability
- independent management
- easy updates
- fault isolation
🏭 Practical applications
Manufacturing
Docker for:
- OEE dashboards
- protocol gateways
- AI Vision processing
- MQTT infrastructure
Energy supply
Applications:
- energy analytics
- edge Telemetry
- Predictive Maintenance
Building Automation
Containers for:
- HVAC analytics
- energy monitoring
- smart building integration
Water sector
Use for:
- remote telemetry
- edge buffering
- data forwarding
⚠️ Operational considerations
Persistent storage
Containers are stateless by default.
OT systems, however, require persistent data for:
- historians
- alarms
- Audit logs
- trends
Volumes are therefore used.
Lifecycle Management
Important considerations:
- image versioning
- dependency management
- patching
- rollback procedures
- Vulnerability Scanning
Integration with:
🛡️ Relevant standards and frameworks
| Standard | Relevance |
|---|---|
| IEC 62443 | OT security |
| NIST SP 800-82 | ICS cybersecurity |
| ISO 27001 | Security governance |
| NIST CSF | Cybersecurity framework |
Container security is becoming more important within industrial compliance requirements.
📈 Trends and developments
Important trends:
- cloud-native OT
- containerised SCADA
- edge orchestration
- AI at the edge
- microservices in OT
- Kubernetes for industry
- software-defined automation
- event-driven architectures
Docker is a core component of modern industrial software architectures.
🎯 Conclusion
Docker has made containerisation accessible for industrial automation and plays a growing role within modern OT environments. Containers enable flexible, scalable and reproducible OT platforms for edge computing, industrial data integration and cloud-native automation.
Within IT OT Convergence, Docker is an important building block for software-defined industrial infrastructures, but successful implementation requires attention to real-time behaviour, persistent storage, cybersecurity and lifecycle management.
For modern edge and IIoT architectures, Docker provides a powerful foundation for flexible and scalable OT applications.
