Could security concerns around Docker images be overstated? Microsoft’s Gossman doesn’t think so. “We are super paranoid about security here. It’s one of our highest goals. I don’t ever dismiss any sort of security questions. You need good security practices. You don’t download an image without running any tools on it to make it secure. That may be fine for dev and test, but not for production. In the multi-tenant cloud, we assume there’s a very sophisticated hacker there. They can sign up for Azure and they’re going to be sitting right next to customer data.”
Calling for containers at Microsoft and Amazon
As the cloud market matures, it’s interesting to observe the relative positions and philosophies of Microsoft and Amazon, two cloud providers with distinctly different offerings, both of which are scrambling to react to an onslaught of customers who began asking to run Docker on their respective platforms in 2013.
In Amazon’s case, much of the action was around batch processing: encapsulating tasks in Linux containers, then running those containers on a fleet of instances. The biggest challenges? Cluster management, scaling, configuration management, container sprawl, availability, security (enforcing isolation) and scheduling. Their answer? Amazon EC2 Container Service, which provides a cluster-management infrastructure for Docker containers and integrates with existing AWS features such as security groups, Elastic Load Balancing, Elastic Block Store volumes and Identity and Access Management (IAM) roles.
“Amazon is a strange animal,” said JFrog’s Simon. “They are Infrastructure-as-a-Service, most popular for public cloud, but they already solve quite a lot of the issues of virtualization: The ability to create a VM, spawn a new exact copy of VM, orchestration. They’ve already met the appeal for containers. I don’t know how many people will actually use containers on top of Amazon.” Similar questions abound for Microsoft. The answer, in both cases, is portability.
“The big thing we hear is that people don’t mind running on AWS, but they don’t want to use native tools because what if they want to move it? You can just move Stackato over to Azure, HP Cloud or in-house,” said ActiveState’s Smithurst.
Cross-technology compatibility is definitely a motivation for Microsoft. “I wrote the original thought piece on containers at Microsoft,” said Gossman. “Our strategy is pretty simple. If we wanted to be, two or three years back, the Windows and .NET cloud, we wouldn’t even have succeeded at that. People want to run Java and Oracle on Windows. Customers have asked us to run Docker on Azure, and they’re also asking to run it on Windows. Windows is incredibly popular in private data centers and local clouds and competitive public clouds. Developers really like using Docker. We don’t want to have people choose.”
Getting the Docker command-line interface to run in a Linux VM on Azure wasn’t hard, Gossman said. A bigger effort was needed for the Docker extension, which makes it easy to install Docker and images. Microsoft is working on integrating Docker Compose, and is working on Docker Swarm for Azure, as well as Mesos and CoreOS on Azure. Nano Server, a minimal-footprint installation option of Windows Server optimized for cloud and container-based deployment, is also being prepped for release.
As for orchestration, “We don’t have an exact plan there,” said Gossman. “If you look at the tools, in most cases they haven’t even reached 1.0. We could build our own service, but it’s not clear which version is what the customer wants. We want to expand the Service Fabric that we announced recently to Linux and other languages.”
Finally, with regard to porting the Docker management experience, Gossman said, “There will also be a native API because other people will want other management experiences—even though we believe all the action is for Docker.”