Containers were the only thing anyone could talk about at VMworld this week, and yet the discussions were not about how great they are. Rather, the discussions were about, “How do we use this stuff in an enterprise?”
VMware has a very distinct answer: Run the container inside of a virtual machine. And it is a great stopgap answer while the container systems of the world mature, add security controls, and gain governance capabilities.
Kit Colbert, CTO of cloud-native apps at VMware, said that security is a major concern already for containers. “We’re seeing a lot of exploits come out of the woodwork around [the basic container]. That might calm down over time. The challenge with Linux containers is that it is a very wide interface and it changes. Then there are these issues around container identity,” he said.
Colbert said the VMware team is working with Docker to solve some of these problems. “Docker has support in Notary to solve that. We’re working with the Notary guys, and working on Project Lightwave, which does container authentication and certificate management.”
That being said, Colbert added that the container capabilities introduced at VMworld will help in the shorter term. “What we do offer with vSphere Integrated Containers is you can run that wrapped inside a VM. It also enables IT to validate and audit. A lot of tooling they’ve built out around VMs can be leveraged in the vSphere containers model.”
In the longer run, however, there is at least one detractor saying that running containers inside a virtual machine misses the point entirely. Late last year, Joyent began releasing the source code for its Smart DataCenter Project, the software that runs its hosting platform.
Bryan Cantrill, CTO of Joyent, said that this platform, known as Joyent Triton, uses Docker directly and effectively eliminates the need to install a Linux distro or run a virtual machine.
“We run Docker, and we virtualize the Docker CLI endpoint,” he said. “The entire datacenter looks like a single Docker host. You’re no longer paying the VM tax. Our belief is that containers should be secure. When you do that and solve the security problem, and when you solve the network problem, you can truly [join] the container revolution. Containers are stuck in the birth canal because they are on the VM substrate.”
In the past, Joyent had been tied to the Solaris model of hosting by using DTrace, ZFS and Zones. While these are all still included in the Joyent stack, Cantrill said that the company realized about a year and a half ago that it had to find a way to allow users to run unmodified Linux binaries on this decidedly Solaris-like infrastructure.
As a result, he said, Joyent has been able to bring full Docker application-hosting support to its platform, as well as eliminate the need for a virtual machine entirely. “We’ve seen what running containers on the metal does to your infrastructure,” said Cantrill. “Now, with Triton, you don’t have to pick between Docker running on the metal, or Linux on the metal. You can do that in the cloud or on premises.”