Review: Container wars: Rocket vs. Odin vs. Docker

By Tom Henderson and Tom Henderson

Network World |

Previous 1 2 3 Page 3

Page 3 of 3

At the ship/host level, processes to control the daemons that control the container’s processes must be especially protected, something that’s already a core security activity in most organizations. Then comes key control, which Virtuozzo does fairly well, but isn’t comprehensive. An architecture that correctly administers SSH keys, and controls the communications plane for the respective containers needs to evolve, and here, Virtuozzo has a start. The other software defined networking internals needed for coordination in all three products needs maturation.

But there are efficiency-through-density possibilities that have no real parallel on Type 1 hypervisors, especially where deduplication of both stored files and executed files can take place. In a way, containers are hybrid bare metal instances with skills in virtualization. Hypervisor-based VMs live in isolation, usually as discrete instances, something not necessarily true of containers. Hypervisors go to a very low level to protect instances from hijacking resources unwittingly or through malware. The walls of the sandboxes are theoretically much higher for VMs than containers, although security mistakes can easily breach policies for either type of instance.

Summary

Containers are very, very handy, and allow OS instances+executables to be exchanged in a simplified, sometimes resource-sharing (at the OS level) atmosphere. The provenance of containers, their patch/fix levels, are not entirely opaque, but unless a rigorous methodology is employed to apply audit and logging habits, they’re an explosion searching for a spot marked X.

This said, we admit the seductiveness of rapid scale-out/scale-up of instances. OpenVZ had the most mature container space in our view, and their hybrid model of onboard full-virtualization or containerizing makes sense for their target market, ISPs and Managed Services Providers.

Docker is a serious construction set with much energy behind it in terms of development. If GitHub participant counts are any indication, there’s an overwhelming amount of activity in Docker development. We noted that with the energy comes the noise of problems with Docker Registry source images, including a few we picked as samples. It makes us nervous that containers are difficult to probe, and their composite and individual components are difficult to simply view and audit for their chain-of-authorities sources—even from major organizations.

This in turn, makes us hope that the primitives associated with the appc spec, as seen in rkt, continue to evolve. There is discipline in rkt and appc compliance that merits applause, although rkt itself isn’t ready for primetime except for advanced or experimental deployments.

Tom Henderson runs ExtremeLabs, in Bloomington, Ind. He can be reached at kitchen-sink@extremelabs.com.

What are containers? And how are they different from virtual machines?

Containerized apps are “hypervisor light.” Container execution of an instance differs from traditional hypervisor execution in that they each container can share common files, rather than exist as monolithic instantiations of discrete OS/apps combinations.

Conceptually, containers are working elements comprising an instance of an operating system, application code, and communications junctures, including temporary and permanent data storage.

Like paravirtualized virtual machine instances, containers have sockets to connect communications and storage needs (where necessary) to the outside world via the container manager’s management settings.

Containers are isolated from a host’s core and root processes by intervening security walls, and often work in conjunction with other containers aboard the same host.

Containers can be formed to be independent of a specific host operating system, and can be built interchangeably, so that mixtures of containers built with Ubuntu, Red Hat Atomic, CoreOS and SUSE or other operating systems are possible. Container hosts are largely ignorant of what goes on inside a container unless purposefully connected.

In turn, the resulting appliances and processes live in an isolated world, and can be transported as an object from host to host. The hosts are largely Linux, but Docker also works on Apple, BSD, and Microsoft recently demonstrated moving Docker images using Microsoft .Net adaptations from a Windows server platform to Linux host so long as host CPU families are similar (no, you can’t develop containers on ARM and execute on Intel/AMD). Interchangeability of host platforms is a goal of systems designers using containers as essential Lego-like building blocks.

Our principal criticism: It is possible to make systems with containers of unknown origin, or whose origin in terms of chains-of-authority are unknown. As containers often share source apps, the infiltration or demise of one app may cause problems with all instances of all containers.

This is because unless a repository issuing containers has assembled each unit from scratch or an authoritative source, its building blocks must be considered suspect, and management of updates for common-file based containers require great controls.

The opposite side of this is that in one act, one can restore, upgrade or re-configure (to an extent) the functionality and even personality of a group of containers.

Next read this:

Tom Henderson is dojo of ExtremeLabs, researcher at Network World, world traveler, and friend to many.

Previous 1 2 3 Page 3

Page 3 of 3

The 10 most powerful companies in enterprise networking 2022