In-Depth

Containers: Beyond Virtualization

The open source lightweight Docker runtime environment for Linux could someday supersede the traditional virtual machine. Among its many supporters is Microsoft, which just announced a deep partnership with Docker Inc. to bring containers to the next version of Windows Server.

As system virtualization gives way to evolving and more elastic cloud-based platforms and services, the applications that run on these new infrastructures could someday push the outer limits of today's virtual machines (VMs) and even the underlying OSes -- notably Linux and Windows. There's growing consensus that software containers will provide the portability, speed and scale needed for these applications and infrastructure components.

Containers are frequently described as lightweight runtime environments with many of the core components of a VM and isolated services of an OS designed to package and execute these micro-services. While containers have long existed as extensions to Linux distributions (there are no native Windows commercial containers yet), each has come with its own flavor.

The rise of open source Docker containers over the past year has created a de-facto standard for how applications can extend from one platform to another running as micro-services in Linux server and OpenShift PaaS environments such as Cloud Foundry. Docker containers have recently become available with major Linux distributions and are supported in key cloud services. Similarly, Microsoft's longstanding effort to develop its own native Windows containers, code-named "Drawbridge," is poised to come out of incubation. And at press time, Docker Inc., a Silicon Valley startup formed in 2012, and Microsoft announced a deep partnership that will result in Docker containers running in the Microsoft Azure public cloud and in the next version of Windows Server.

Over the past year, Docker has risen from obscurity to become potentially one of the fastest-rising new players in the world of enterprise application and infrastructure software. In many ways, Docker and similar lightweight containers promise to transform the role of the OS and the VM much as the VM transformed the physical bare-metal server environment. That's because, in order for emerging Platform-as-a-Service (PaaS) clouds to scale and software to interoperate, today's VMs carry too much overhead, particularly when a service needs more VMs than is practical to run.

Nearly every major enterprise infrastructure software and cloud provider has jumped on the Docker bandwagon, including Google Inc., IBM Corp., Red Hat Inc., Microsoft, Rackspace and VMware Inc., among others. Red Hat is currently the leading outside open source contributor, and Docker containers are already available with the latest distribution of Red Hat Enterprise Linux. Users of the most recent openSUSE and SUSE Linux Enterprise Server and Ubuntu Linux server distributions can also install Docker containers.

Like Linux and other open source software, the Docker container and runtime environment are free. "We plan on building on top of the core stuff, with the same open APIs that anyone can do, and build a bunch of services," says Docker Engineering Manager Ken Cochrane. "Because we're using the same API that anyone else can use, there can be competitors that we'd have to deal with, but at least it will force us to make a better product. That's the services model. We also have the traditional model with support and training."

Indeed, venture capital investors have eyes for Docker, as well. Sequoia Capital in August pumped in $40 million of Series C funding. That brings Docker's total funding to $66 million and estimated valuation at $400 million. Early investors in Docker include Benchmark, Greylock Partners, Insight Ventures, Trinity Ventures and Yahoo Cofounder Jerry Yang.

Analysts and established software and cloud providers say enterprise IT decision makers have taken a growing interest in containers, thanks to Docker. "I know there's great interest among large enterprise customers," says 451 Research LLC Analyst Jay Lyman. "We're getting substantial inquiries, which tend to trail the hype of a new technology like this. I've counted out more than two dozen vendors and probably just as many open source software projects that are popping up around Docker," Lyman says. "And a lot of it's around management and orchestration of containers."

Containers including Docker are taking hold in a lot of pockets within Rackspace, says CTO John Engates. "Some of our customers are starting to use them," Engates says. "I think containers will be big. I don't know how big in terms of money spent on them."

To be sure, it's early days for Docker and alternative distributed container technologies, Lyman and others are quick to point out. Docker 1.0 containers are less than a year old and they're just part of the picture. As they become more mature, containers promise software portability, automation, orchestration, speed, and scalability of applications across clouds and VMs.

One key technology for the management and orchestration of Docker containers that has recently emerged is Kubernetes, developed by Google for its Google Cloud Platform. Released in June, Kubernetes is described by Google as an open source orchestration cluster manager for Docker containers and is the basis of its own Omega cluster management and scheduling platform. Kubernetes is designed to run Docker containers at scale on the Google App Engine public PaaS. As with Docker, many cloud vendors, including Microsoft and VMware, have said they're supporting Kubernetes.

Microsoft's contribution allows Azure to be the back-end for Docker container deployments, Mark Russinovich, Microsoft Azure CTO, tells Redmond magazine. "To be a viable cloud platform, we recognize we need to make it possible for customers to run the software and tools they want to run in our cloud," Russinovich says. "If they want to run Kubernetes to orchestrate containers in Azure on Linux VMs, we want to help them do that."

Microsoft Turns Up 'Drawbridge'
Microsoft's embrace of Kubernetes comes just a month after the company joined the chorus of players that said in May they would support the Linux-based Docker containers. In Microsoft's case, the company is supporting Docker containers in the Infrastructure-as-a-Service (IaaS) component of Azure. Docker isn't available on the Azure PaaS because the Azure PaaS doesn't currently support Linux. Russinovich indicates it will be a short-lived limitation. "We hear customers want Linux on PaaS on Azure," he says.

Russinovich also confirmed Microsoft is looking to commercialize its own container technology, code-named "Drawbridge," a library OS effort kicked off in 2008 by Microsoft Research Partner Manager Galen Hunt. Hunt detailed in a 2011 paper a working prototype of a Windows 7 library OS that ran then-current releases of Excel, PowerPoint and Internet Explorer. In the desktop prototype, Microsoft said the securely isolated library OS instances worked via the reuse of networking protocols. In a keynote address at the August TechMentor conference (produced by Redmond magazine parent company, 1105 Media Inc.) on the Microsoft campus in Redmond, MVP, Pluralsight Author Evangelist and Redmond columnist Don Jones described the Drawbridge effort and questioned its future.

During a panel discussion at the Interop conference in New York in late September, Russinovich acknowledged Drawbridge as alive and well. Microsoft to date hasn't said much about Drawbridge, but Russinovich revealed the container technology is in use within the company internally and is now available for customers that run their own machine learning-based code in the Azure service. Why is a Drawbridge container more suitable than a VM? "Obviously spinning up a VM for [machine learning] is not acceptable in terms of the experience," Russinovich said during the panel discussion. "We are figuring out how to make that kind of technology available publicly on Windows."

Russinovich says Microsoft intends to support Docker APIs when running Linux containers in Azure, saying, "We're not going to create a new container technology on Linux or create new APIs to create Linux containers when everyone seems to be using Docker APIs and its packaging format."

Indeed, Microsoft has been working behind the scenes with Docker to enable the Docker engine, originally architected to run only on a Linux server, to operate with Windows Server as well. The two companies announced last month they're working together to enable the Docker engine to work in the next version of Windows Server.

The two companies are partnering to enable Docker engine images for Windows Server that will be available in Docker Hub, an open source repository housing more than 45,000 Docker applications via shared developer communities. As a result, Docker images will be available for both Linux and Windows Server.

Furthermore, the Docker Hub will run in the Azure public cloud accessible via the Azure Management Portal and Azure Gallery. This will allow cloud developers including Microsoft ISV partners to access the images. Microsoft is also contributing code that will enable Docker open source orchestration APIs, designed to ensure portability among multiple applications running on containers. The Docker engine for Windows Server will be part of the Docker open source project where Microsoft said it intends to be an active participant. The result is that developers will now be able to use preconfigured Docker containers in both Linux and Windows environments. The two companies disclosed this partnership at press time.

Docker's Cochrane welcomes the move: "Microsoft has the huge server footprint and the desktop footprint, so they have the ability to make a lot of people happy if they provide the solution that would work with Docker. I know there are developers out there -- we get a lot of e-mails that ask us, 'Do you support Windows?'"

Windows Containers: A Must-Have
Sam Ramji, who left his role as leader of Microsoft's emerging open source and Linux strategy five years ago, says if Windows Server is going to remain competitive with Linux, it needs to have its own containers. "It's a must-have," says Ramji, who is now VP of strategy at Apigee Corp., a provider of cloud-based APIs.

Others agree. "I think over time, any operating system or virtualization vendor will have to introduce a container-like technology in their stack," says Sinclair Schuller, CEO of Apprenda Inc., a supplier of private PaaS software that works for both Windows and Linux server environments.

Indeed, Russinovich doesn't dispute the notion that Microsoft must deliver a Windows container. "I wouldn't disagree," he says. "We've heard a lot of customers ask for it." Asked how Drawbridge is different from Docker, Russinovich explains: "It has its own packaging standard. It's a secure container, built on top of Windows. It uses a different approach to containerization to make it secure."

At Interop, he underscored that this is an important differentiator. While emphasizing Microsoft's support for Linux Docker containers, Russinovich described Drawbridge as a more secure container for deploying micro-services.

"In a multi-tenant environment, you're letting untrusted code from who knows where run on a platform and you need a security boundary around that," Russinovich said. "Most cloud platforms use the virtual machines as a security boundary. With a smaller, letter-grade secure container, we can make the deployment of that much more efficient. That's where Drawbridge comes into play."

Ramji agrees the ability to provide secure micro-services is a key differentiator between the open source Docker and Drawbridge. "It's going to make bigger promises for security, especially for third-party untrusted code," Ramji says.

Krishnan Subramanian, director of the OpenShift strategy at Red Hat, argues isolating code to make it more secure shouldn't be the sole responsibility of Docker or containers. "Security comes with the underlying operating system that the container uses," Subramanian says. "If they're going to use one of those operating systems in the industry that are not enterprise-ready, probably they're not secure."

Docker vs. Drawbridge
Russinovich has a different take. "The thing is, if you look at what you would need to do to take a Linux container and make it secure, what makes it insecure, or too high a risk, is you're sharing the whole Linux kernel underneath the containers," Russinovich says. "And that's a huge surface area. The risk of a vulnerability being in that huge surface area is high, and it's kind of the risk in the public cloud, especially with a brand behind it like the Microsoft brand, we can't afford to take. And I don't think Google or Amazon would, either." Microsoft isn't saying if any of the Drawbridge technology will be included, noting it's a community effort.

James Bottomley, CTO of server virtualization at Parallels, which has provided its own container technology to services providers and is a partner with both Docker and Microsoft, says Parallels already can run Windows Server VMs with its Virtuozzo Containers offering. He adds that a large portion of the demand for Windows containers is driven by resource-constrained environments and the need for large-scale virtual desktop infrastructure. "Trying to use hypervisors in those scenarios is hard on a single large machine, whereas containers can do it easily because of the density improvements," he says.

Replace the VM?
While the ecosystem and early deployments of containers are likely to just come to life in the coming year or two, most agree it could be five or more years before they become a core component of any datacenter or cloud service. Experts liken it to where server virtualization was a decade or more ago. And there are many unknown variables that must play out. But Apprenda's Schuller believes over time there's potential for containers to replace the VM.

"Ultimately, for a big class of applications, containers are a fine remedy when it comes to isolation compared to hypervisors," Schuller says. "I can envision a bunch of bare metal servers, with Windows and Linux sitting on them as hosts, and then containers on those as guests and then there's no hypervisor at all."

For Microsoft, the potential rise of containers brings with it a sense of hypervisor déjà vu. "Microsoft was late to the hypervisor market not because they didn't have the technology but because they had endless arguments on how to sort out the licensing," says Bottomley. "Containers could go the same way, where they could be delayed by business problems, not by technology problems."

Apprenda's Schuller sees it differently. "VMware is likely more threatened by containers than Microsoft," he says. "I don't think Microsoft is threatened at all, because to them, whether it's a hypervisor or a container, it's all about driving the Windows operating system. VMware doesn't have an OS, all it has is a hypervisor and management tools."

No one thinks containers will replace VMs or OSes anytime soon. Rackspace CTO Engates doesn't see containers displacing VMs. "In some cases they might replace them, but not in all cases," he says. "I think there's a big opportunity for containers to run inside virtualization. I think there's a very complementary aspect where we don't need to throw away what you've already got, you just make it better with the use of containers."
