Applications and data in cloud-hosted containers often represent a business's core functions and intellectual property. As large, monolithic applications start to be replaced by microservices in the cloud, Google is making its App Engine and Compute Engine a more attractive place to run workloads packaged as Docker containers.
Google has kicked off a Docker container registry service to expand how customers may use its existing container-launching service. Google Container Registry will store, shield, encrypt, and control access to a customer's Docker containers, offering a higher level of security for containers than has been available in the past. The service is still a beta offering.
Registry services such as this reflect Google's emphasis on making it easier for developers to build applications on its compute infrastructure and update them frequently in the cloud.
Google is also trying to stay a step ahead of Amazon Web Services as it, too, charges into cloud-container operations. Amazon launched Amazon EC2 Container Service in November to enable its customers to set up clusters on which to run Docker containers and gain simple launch and stop procedures. The service allows the resources to scale to meet a container's needs. The customer doesn't need to manage the container cluster.
Google, long a skilled user of containers, already had Google Container Engine and some management capabilities based on the open source Kubernetes project, which it founded last June. At Google I/O in San Francisco last year, spokesmen boasted that Google launches 2 billion containers a week.
Now it is taking steps to extend the security of storing, handling, and launching containers in either its App Engine or Compute Engine environments. Its container expertise, however, doesn't result in a drastically different runtime environment. Like Amazon and VMware, Google also says the only way to safely run a container in the multi-tenant cloud is inside a virtual machine.
The Google Container Registry stores each containerized application, or "image," sent to it in Google Cloud Storage and ties the image to the development project it belongs to. "This ensures by default that your private images can only be accessed by a member of your project," wrote Pratul Dublish, Google's technical program manager, in a blog posted last week. That also lets developers on the project securely push and pull images with the Google Cloud SDK's command line. A virtual machine running on App Engine or Compute Engine can also access the secured images, so existing workloads can be updated automatically from them.
In addition, the service automatically encrypts the Docker images sent to it on the host server, before they are written to disk, Dublish wrote. Encrypting the images before they reach disk means that an intruder who gets at the stored data, or a co-tenant snooping on a shared host, cannot read the workload's code.
Once in Google Cloud Storage, the Docker images are replicated to alternative data centers and available for deployment by Google Container Engine to App Engine or Compute Engine virtual machines.
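The article notes that images are tied to a project and that only project members can pull them. The flip side for a defender is making sure that deployments only ever reference images from that private registry namespace, rather than from a public registry or another project. The following is an added example, not code from the article or from Google: a small POSIX shell policy check that parses a Docker image reference using Docker's own rule for detecting a registry host (the first path component counts as a host only if it contains a dot or a colon, or is "localhost") and accepts the reference only when it lives under gcr.io/PROJECT_ID/. The registry host and the project ID "example-project" are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the article or Google): allow a pull or deployment
# only when the image reference points into the project's own registry.
# Assumed values: registry host "gcr.io", project ID "example-project".

ALLOWED_REGISTRY="gcr.io"
PROJECT_ID="example-project"

# image_registry REF -> prints the registry host of REF. Docker treats the
# first path component as a host only if it has a dot or a colon, or is
# "localhost"; otherwise the reference implicitly targets docker.io.
image_registry() {
    first=${1%%/*}
    case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$first" ;;
        *) printf 'docker.io\n' ;;
    esac
}

# image_repo_path REF -> repository path with the registry host, the
# ":tag" and any "@sha256:..." digest stripped off.
image_repo_path() {
    ref=$1
    reg=$(image_registry "$ref")
    # Drop the leading host component when one was actually written.
    if [ "$reg" != docker.io ] || [ "${ref%%/*}" = docker.io ]; then
        ref=${ref#*/}
    fi
    ref=${ref%%@*}            # strip digest
    last=${ref##*/}           # only the last component may carry a tag
    last=${last%%:*}
    case "$ref" in
        */*) ref="${ref%/*}/$last" ;;
        *)   ref=$last ;;
    esac
    printf '%s\n' "$ref"
}

# allowed_image REF -> returns 0 when REF is under gcr.io/PROJECT_ID/,
# 1 for public registries, other projects, or an omitted registry host.
allowed_image() {
    [ "$(image_registry "$1")" = "$ALLOWED_REGISTRY" ] || return 1
    case "$(image_repo_path "$1")" in
        "$PROJECT_ID"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: report each constructed sample reference.
for ref in gcr.io/example-project/app:1.0 \
           gcr.io/other-project/app:1.0 \
           docker.io/library/nginx \
           example-project/app; do
    if allowed_image "$ref"; then
        printf 'ALLOW %s\n' "$ref"
    else
        printf 'DENY  %s\n' "$ref"
    fi
done
```

The check deliberately rejects a bare "example-project/app" reference: without an explicit host, Docker would resolve it against docker.io, so an image that looks like the project's own would actually be pulled from the public registry.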
The Container Registry is available at no charge during the beta period, although usual charges for Google Cloud Storage and network use will be incurred. Customers must also have Docker installed, along with the Google Cloud SDK.
Dublish cited online retailer Zulily as an early adopter of the service and quoted Steve Reed, principal engineer of core Zulily engineering, as saying: "Docker registry availability, security, performance, and durability become more and more critical as more of our Compute Engine applications are containerized with Docker. Private registries help, but they need valid certificates, authentication, ... firewalls, backups, and monitoring. Google's container registry provides us with a complete Docker registry that we integrate into our development and deployment workflow with little effort."
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...