Professional Documents
Culture Documents
PaaS PaaS
Virtual Virtual Virtual Virtual
appliance appliance PaaS PaaS PaaS appliance appliance
VM VM VM VM VM VM VM
OS OS OS OS OS OS OS OS OS OS
OS
Figure 2. Possible layering combinations for application runtimes.
Each Dockerfile is a script composed Appliance,2 and Bitnami (https://bitnami Those who want to deploy applica-
of various commands (instructions) and .com), provide application runtime en- tions with the least infrastructure will
arguments listed successively to auto- vironments that shield the application choose the simple container-to-OS ap-
matically perform actions on a base from the bare OS by providing an inter- proach. This is why container-based cloud
image to create (or form) a new image. face for applications with higher-level, vendors can claim improved performance
They’re used to organize deployment ar- more portable constructs. Virtual appli- when compared to hypervisor-based
tifacts and simplify the deployment pro- ances gained popularity with equipment clouds. A recent benchmark of a “fast
cess from start to finish. manufacturers who wanted to provide data” NewSQL system claimed that in an
Containers can run on VMs too. If a a vehicle for distributing software ver- apples-to-apples comparison, running on
cloud has the right native container run- sions of an appliance—for example, a IBM Softlayer using containers resulted
time (such as some of the clouds men- network load balancer, WAN optimizer, in a fivefold performance improvement
tioned) a container can run directly on or firewall. Virtual appliances can run over the same benchmark running on
the VM. If the cloud only supports hyper- on top of a VM or a container (native Amazon AWS using a hypervisor.3
visor-based VMs, there’s no problem—the LXC-based or running on top of a VM). Software developers tend to prefer
entire application, container, and OS For even more isolation from the using PaaS, which will use a container if
stack can be placed on a VM and run just OS, especially desired by application available for its runtime, to maximize per-
like any other application to the OS stack. programmers, application runtimes can formance as well as to manage application
be reconfigured into total platform-as- clustering. If not, the PaaS will run a con-
Abstractions on Top of VMs and a-service (PaaS) runtimes. Readers will tainer on a VM. Consequently, as PaaS
Containers remember that last issue I discussed gains in popularity, so do containers.
Both VMs and containers provide a rath- Cloud Foundry PaaS, and mentioned However, using containers for secu-
er low-level construct. Basically, both that it uses container technology for de- rity isolation might not be a good idea.
present an operating system interface to ployment. It’s for precisely this reason In an August 2013 blog,4 one of Dock-
the developer. In the case of the VM, it’s they do so—the distribution can be tar- er’s engineers expressed optimism that
a complete implementation of the OS; geted precisely for the container engine containers would eventually catch up to
you can run any OS that runs on the and Linux OS on the cloud, and like the VMs from a security standpoint. But in
bare metal. The container gives you a virtual appliance can also run on top of a presentation given in January 2014,5
“view” or a “slice” of an OS already run- a VM. the same engineer said that the only
ning. You access OS constructs as if you As Figure 2 shows, there are many way to have real isolation with Docker
were running an application directly on possible layering combinations, depend- is to either run one Docker per host, or
the OS. Developers often build on this ing on the OS’s capabilities, the deploy- one Docker per VM. If high security is
level of abstraction to provide more ap- ment/portability strategy, and whether a needed, it might be worth sacrificing
plication runtime constructs, so users PaaS is used. the performance of a pure-container de-
don’t feel like they’re running on a bare How does one choose? As men- ployment by introducing a VM to obtain
machine or a bare OS, but on an appli- tioned earlier, the virtual appliance more tried and true isolation. As with
cation runtime of some kind. approach is a favorite vehicle used by any other technology, you need to know
Virtual appliances, such as Virtu- network equipment manufacturers to the deployment’s security requirements,
alBox (www.virtualbox.org), Rightscale create a portable software appliance. and make appropriate decisions.
Open Source Cluster Manager for and therefore Docker and containers— introducing-rightscale-cloud-appliance
Docker Containers as a core cloud deployment technology.7 -vsphere.
As mentioned earlier, one of containers’ In addition to a host of start-ups (such 3. B. Kepes, “VoltDB Puts the Boot
nicest features is that they can be man- as CoreOS, MesoSphere, and Salt- into Amazon Web Services, Claims
aged specifically for application clus- Stack), Kubernetes supporters include: IBM Is Five Times Faster,” Forbes,
tering, especially when used in a PaaS 6 Aug. 2014; www.forbes.com/sites/
environment. Answering this need, at • Google (for Google Cloud Engine, benkepes/2014/08/06/voltdb-puts
the June 2014 Google Developer Forum, GCE), -the-boot-into-amazon-web-services
Google announced Kubernetes, an open • Microsoft (for Microsoft Azure), -claims-ibm-5-faster.
source cluster manager for Docker con- • VMware, 4. J. Petazzoni, “Containers & Dock-
tainers.6 According to Google, “Kuber- • IBM (for Softlayer and OpenStack), er: How Secure Are They?” blog,
netes is the decoupling of application and 21 Aug. 2013; http://blog.docker
containers from the details of the sys- • Red Hat (its OpenStack distribution). .com/2013/08/containers-docker
tems on which they run. Google Cloud -how-secure-are-they.
Platform provides a homogenous set of Although HP, Canonical, AWS, and Rack- 5. J. Petazzoni, “Linux Containers
raw resources . . . to Kubernetes, and in space are “Docker friendly,” they haven’t (LXC), Docker, and Security,” 31 Jan.
turn, Kubernetes schedules containers explicitly endorsed Kubernetes. Industry 2014; www.slideshare.net/jpetazzo/
to use those resources. This decoupling speculation is that once a more neutral linux-containers-l xc-docker-a nd
simplifies application development since governance/collaboration structure is put -security.
users only ask for abstract resources like together around Docker (a start-up com- 6. C. Mcluckie, “Containers, VMs, Ku-
cores and memory, and it also simplifies pany) and Kubernetes (still controlled bernetes and VMware,” blog, 25 Aug.
data center operations.” by Google), organizations will agree on a 2014; http://googlecloudplatform
Google goes on to describe network- common packaging and deployment ap- .blogspot.com/2014/08/containers
centric deployment improvements in proach—and here we have practically ev- -vms-kubernetes-and-vmware.html.
Kubernetes: “While running individual eryone already thinking about it. I’m not 7. B. Butler, “Containers: Buzzword du
containers is sufficient for some use cas- aware of any cloud project with this level Jour, or Game-Changing Technol-
es, the real power of containers comes of alignment on anything! ogy?” NetworkWorld, 3 Sept. 2014;
from implementing distributed systems, w w w.networkworld.com /article/
and to do this you need a network. How- 2601925/cloud-computing/container
ever, you don’t just need any network. CONTAINERS, DOCKER, AND -party-vmware-microsoft-cisco-and
Containers provide end users with an KUBERNETES SEEM TO HAVE -red-hat-all-get-in-on-app-hoopla
abstraction that makes each container a SPARKED THE HOPE OF A UNIVER- .html.
self-contained unit of computation. Tradi- SAL CLOUD APPLICATION AND
tionally, one place where this has broken DEPLOYMENT TECHNOLOGY. And
down is networking, where containers are that, my friends, qualified it to be this DAVID BERNSTEIN is the managing
exposed on the network via the shared issue’s Cloud Tidbit. I hope you enjoyed director of Cloud Strategy Partners, co-
host machine’s address. In Kubernetes, it! founder of the IEEE Cloud Computing
we’ve taken an alternative approach: that Initiative, founding chair of the IEEE
each group of containers (called a Pod) References P2302 Working Group, and origina-
deserves its own, unique IP address that’s 1. P. Mell and T. Grance, The NIST Def- tor and chief architect of the IEEE In-
reachable from any other Pod in the clus- inition of Cloud Computing: Recom- tercloud Testbed Project. His research
ter, whether they’re co-located on the mendations of the National Institute of interests include cloud computing, dis-
same physical machine or not.” Standards and Technology, NIST Spe- tributed systems, and converged commu-
cial Publication 800-145, 2011. nications. Bernstein was a University of
Industry Movement around 2. U. Thakrar, “Introducing Right- California Regents Scholar with highest
Kubernetes Scale Cloud Appliance for vSphere,” honors BS degrees in both mathemat-
Shortly after Google’s announcements, blog, 10 Dec. 2013; www.rightscale ics and physics. Contact him at david@
several players endorsed Kubernetes— .com/blog/enterprise-cloud-strategies/ cloudstrategypartners.com.