Joyent Plans To Run Docker In Multi-Tenant Clouds - InformationWeek


Cloud // Infrastructure as a Service | News | 10/31/2014 11:06 AM

Joyent Plans To Run Docker In Multi-Tenant Clouds

Joyent will apply its container expertise to Docker for secure, efficient multi-tenant hosts.


Joyent, a San Francisco-based cloud supplier, is already running thousands of applications in Unix containers and has been for nine years. But what it really wants to do is run Docker containers, which are different.

The rising popularity of Docker among its customers has prompted Joyent to rethink its position that its SmartOS Unix is the only option you will need as a cloud operating system. SmartOS will still power Joyent, but the company wants Docker containers holding Linux applications to be able to run under it.

Joyent announced Friday that it has collected $15 million from investors to add support for Docker Linux containers to the Joyent cloud. That's on top of $120 million already invested in Joyent. The task of becoming Docker compatible would be much more difficult but for the fact that Joyent runs an open source variant of Sun Microsystems' Solaris, SmartOS, that already has a lot in common with Linux.

Under SmartOS, containers are called "zones," but they work on the same principle as Docker containers: multiple containers share one operating system kernel and run simultaneously without stepping on each other's toes. A container is a box the operating system builds and enforces around an application. It limits what resources the application may use, how the application and its related software fit together, and how the bundle can be moved around. It's a sort of cargo-loading crane for the data center.

Containers provide isolation for applications at the operating system level. Virtual machines, on the other hand, provide isolation at the hardware level. They take a defined slice of a server and build an imaginary machine in software around it. Unlike a container, that "machine" will need its own operating system. One result is that, while dozens of virtual machines can be run on a host, advocates say hundreds to thousands of containers can be run on a similar host.

"We routinely run 400 containers on a 48 GB server. We could run more," said Bryan Cantrill, CTO of Joyent, in an interview prior to the announcement. Cantrill was one of the creators of DTrace, the dynamic tracing facility in Solaris that lets an operator instrument a running system and see what each process is doing and which resources it is using. DTrace had to be made to work with Solaris containers, or "zones," as they were called when work on them began in 2002, and he has worked with containers since then.


In addition, the software engineer who led development of containers on Solaris in 2002, Jerry Jelinek, is now a senior software engineer at Joyent. (Jelinek's team to some extent took its cues from the earlier developers of FreeBSD, who produced a version of containers called Jails.)

Furthermore, Cantrill said Solaris and then SmartOS were designed to run containers securely, in a multi-tenant fashion on a single host. Even Docker Inc., the company sponsoring the Docker container project, urges caution about using containers in a multi-tenant setting. Containers running on the same host share that host's kernel, so they need to be trusted by each other. If they are strangers, or come from a variety of owners, the cloud operator can't be sure there is no code hidden in one of them to snoop on what the host is doing with the others. Security experts worry that Linux containers are leaky, that a process in one may be able to escape into another or onto the host itself.

Virtual machines have a stronger boundary because the hypervisor exposes each guest a much narrower interface than a shared kernel does: a small set of hypercalls and emulated devices, as opposed to the hundreds of system calls that every container on a host can make to the one kernel they all share.

VMware, for example, recommends using containers for application isolation, if you're inclined to, but to run them inside a virtual machine for security reasons. Containers inside virtual machines work better together, its executives say. Critics say VMs impose too large a resource penalty and the most efficient use of containers is on bare metal servers. It's a debate that won't be completely resolved anytime soon.

Cantrill isn't enlisting in that debate. He said the real solution is SmartOS, with its ability to run multi-tenant containers. From the first day of its design, it was meant to be a secure operating system, one that avoided some of Linux's developer-friendly conveniences. As Linux became popular with developers, many of them liked its ability to be ordered to reboot "by writing a text string to a certain file in slash proc [the /proc pseudo-filesystem]," said Cantrill. That option has since been tightened down, but at one time it would have been a tempting target for a renegade process in a container, he suggested.

SmartOS containers sandbox the application: they build a logical perimeter around it. Code in a container is not allowed to forge the source address on an IP packet, that is, to pretend to be someone it is not. Processes in a SmartOS container can't grab additional IP addresses; they're bound to the ones with which they arrived. They're also limited in how they can use the host file system.
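On Linux, the properties just described for SmartOS zones (no forged packets, no extra IP addresses, no way to reboot the shared kernel through /proc) are governed by the capability bits a container's processes hold and by which parts of /proc are writable. The script below is an added example, not code from Joyent, Docker or the article: it reads the CapEff line of a /proc/<pid>/status file, names the capabilities it encodes, and flags the ones that matter for the multi-tenant worries above. The status fragments are constructed; 0xa80425fb is the mask that Docker's default capability set produces, the "hardened" one is that mask with CAP_NET_RAW dropped, and the privileged one has every bit set for a kernel whose last capability is CAP_AUDIT_READ (37). Function names are this example's own.

```python
"""Capability audit for a Linux container process, driven by /proc/<pid>/status.

Added example (not Joyent's or Docker's code).  The isolation properties the
article attributes to SmartOS zones map on Linux roughly as follows:
  forging IP packets        -> CAP_NET_RAW (raw sockets)
  grabbing extra addresses  -> CAP_NET_ADMIN (ip addr add, interface config)
  rebooting the shared kernel -> CAP_SYS_BOOT, or write access to /proc/sysrq-trigger
"""
import os
import re

# Capability bit numbers from <linux/capability.h>; these are stable ABI values.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Capabilities that bear directly on the multi-tenant concerns in the text.
RISKY = {
    "CAP_NET_RAW": "raw sockets: can forge the source address on IP packets",
    "CAP_NET_ADMIN": "can add IP addresses and reconfigure interfaces in its netns",
    "CAP_SYS_ADMIN": "broad kernel admin surface (mounts, namespaces, ...)",
    "CAP_SYS_BOOT": "can call reboot(2) on the kernel every tenant shares",
    "CAP_SYS_MODULE": "can load kernel modules into the shared kernel",
    "CAP_SYS_PTRACE": "can trace other processes",
    "CAP_DAC_READ_SEARCH": "bypasses file read permission checks",
}

# Constructed /proc/<pid>/status fragments (tab after the colon, as procfs prints).
DOCKER_DEFAULT_STATUS = (
    "Name:\tsh\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
)
HARDENED_STATUS = "Name:\tsh\nCapEff:\t00000000a80405fb\n"   # default minus bit 13
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\n"  # bits 0..37 all set


def parse_cap_mask(status_text, field="CapEff"):
    """Return the integer bitmask carried by one Cap* line of a status file."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % field, status_text, re.M)
    if not m:
        raise ValueError("no %s line in status text" % field)
    return int(m.group(1), 16)


def caps_from_mask(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names


def risky_caps(status_text):
    """Map each risky capability present in CapEff to why it matters."""
    held = caps_from_mask(parse_cap_mask(status_text))
    return {c: RISKY[c] for c in held if c in RISKY}


def sysrq_trigger_writable():
    """True if this process could write /proc/sysrq-trigger; None without procfs."""
    path = "/proc/sysrq-trigger"
    if not os.path.exists(path):
        return None
    return os.access(path, os.W_OK)


def audit_live(pid="self"):
    """Audit a running process on a Linux host; None where /proc is absent."""
    path = "/proc/%s/status" % pid
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return {"risky_caps": risky_caps(f.read()),
                "sysrq_trigger_writable": sysrq_trigger_writable()}


if __name__ == "__main__":
    for label, text in (("docker default", DOCKER_DEFAULT_STATUS),
                        ("hardened", HARDENED_STATUS),
                        ("privileged", PRIVILEGED_STATUS)):
        print("%-15s %s" % (label, sorted(risky_caps(text))))
    print("this process:", audit_live())
```

Run inside a container to see what it actually holds; a Docker default set leaves CAP_NET_RAW in place, which is exactly the packet-forging ability the text says SmartOS denies, and `--cap-drop NET_RAW` removes it.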

"I know I can say with confidence that Joyent has attracted people who have tried to violate the integrity of SmartOS containers. We have never had a problem. There has never been a security notification on zones," he said.

Joyent's operation over the years has included a free service for developers, and such offerings are known to attract people who probe for security weaknesses.

Joyent is now engaged in "building a bridge to Docker containers" that implement the same secure features, said Cantrill. "We can create a multi-tenant Linux container environment more easily than can the Linux clouds," he said.

Whether the security features hold up when applied to Docker remains to be seen. If Joyent succeeds, it will have transformed itself into a safe harbor for running Linux containers and leave competitors scrambling to catch up. It will have a price/performance advantage over most clouds, such as Google Compute Engine, Rackspace, and Amazon Web Services, which run Docker inside a virtual machine on a multi-tenant server.

Joyent will use its newly garnered $15 million to invest in engineering over the next few months to make Docker Linux containers compatible with SmartOS.

"Just as virtual machines replaced individual servers, we believe there will be another ten-to-one consolidation in the data center, thanks to containers," said Cantrill. "For Joyent, that's not a new belief. We now have an opportunity to apply it."


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Charlie Babcock, User Rank: Author, 10/31/2014 | 4:56:03 PM
If Joyent pulls this off, there'll be some scrambling going on
Lorna, SmartOS would be a competitor to Linux, and as such, it hasn't done all that well. And it will need some engineering to deal with Docker Linux containers. If Joyent pulls off secure Linux containers on multi-tenant servers, you're going to see some scrambling going on by those who insist containers must be run in virtual machines. Developers will vote with their feet on that one.
Lorna Garey, User Rank: Author, 10/31/2014 | 12:56:20 PM
Docker v SmartOS
Charlie, Did Joyent attempt to promote SmartOS in the market as a competitor to Docker? If not, why? Sounds like the security is a selling point.