Review: Container wars: Rocket vs. Odin vs. Docker

1 2 3 Page 3
Page 3 of 3

At the ship/host level, processes to control the daemons that control the container’s processes must be especially protected, something that’s already a core security activity in most organizations. Then comes key control, which Virtuozzo does fairly well, but isn’t comprehensive. An architecture that correctly administers SSH keys, and controls the communications plane for the respective containers needs to evolve, and here, Virtuozzo has a start. The other software defined networking internals needed for coordination in all three products needs maturation.

But there are efficiency-through-density possibilities that have no real parallel on Type 1 hypervisors, especially where deduplication of both stored files and executed files can take place. In a way, containers are hybrid bare metal instances with skills in virtualization. Hypervisor-based VMs live in isolation, usually as discrete instances, something not necessarily true of containers. Hypervisors go to a very low level to protect instances from hijacking resources unwittingly or through malware. The walls of the sandboxes are theoretically much higher for VMs than containers, although security mistakes can easily breach policies for either type of instance.


Containers are very, very handy, and allow OS instances+executables to be exchanged in a simplified, sometimes resource-sharing (at the OS level) atmosphere. The provenance of containers, their patch/fix levels, are not entirely opaque, but unless a rigorous methodology is employed to apply audit and logging habits, they’re an explosion searching for a spot marked X.

This said, we admit the seductiveness of rapid scale-out/scale-up of instances. OpenVZ had the most mature container space in our view, and their hybrid model of onboard full-virtualization or containerizing makes sense for their target market, ISPs and Managed Services Providers.

Docker is a serious construction set with much energy behind it in terms of development. If GitHub participant counts are any indication, there’s an overwhelming amount of activity in Docker development. We noted that with the energy comes the noise of problems with Docker Registry source images, including a few we picked as samples. It makes us nervous that containers are difficult to probe, and their composite and individual components are difficult to simply view and audit for their chain-of-authorities sources—even from major organizations.

This in turn, makes us hope that the primitives associated with the appc spec, as seen in rkt, continue to evolve. There is discipline in rkt and appc compliance that merits applause, although rkt itself isn’t ready for primetime except for advanced or experimental deployments.

Tom Henderson runs ExtremeLabs, in Bloomington, Ind. He can be reached at

Copyright © 2015 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
The 10 most powerful companies in enterprise networking 2022