Joyent: Run Docker On SmartOS For Greater Security
Cloud service provider Joyent bids for Docker workloads by claiming a more secure container environment, with an option for use in on-premises data centers as well.
11 IoT Programming Languages Worth Knowing
(Click image for larger view and slideshow.)
Joyent's SmartOS-based cloud environment can run Linux containers more efficiently and securely than Linux can. At least that's the assertion of Bryan Cantrill, CTO of the cloud service provider.
SmartOS is based on an open source variant of Sun's Solaris and has been -- very quietly -- running containers for over a decade. But SmartOS could get a fresh look now that the cloud has made Linux containers a hot trend in data centers.
Joyent said last October it was "building a bridge to Docker containers," and that environment emerged Tuesday with the launch of Joyent's Triton Elastic Container Infrastructure. Triton emulates a Linux host server by putting a Linux call system table on top of the SmartOS operating system. It can then translate the calls coming to it from Linux applications into the correct responses from SmartOS.
Why not just run Linux containerized applications on Linux? Cantrill says SmartOS today can provide the security and management for Docker containers that are still works in progress under Docker.
One of things the SmartOS approach accomplishes is eliminating the virtual machine middleman. VMware, Amazon Web Services, Google, and Rackspace all run Docker-based workloads on behalf of cloud customers in a multi-tenant environment, but do so by putting each customer's Docker container inside the logical boundaries of a virtual machine. Using a virtual machine gives up one of the main efficiencies of containers: Many can run under one operating system. Putting the container in a virtual machine creates the need for a separate operating system to go with it.
The Joyent cloud has been running containers for a decade in "zones" under SmartOS, Cantrill said; it typically runs 400 on a single host. Now it can run Docker containers as well. The move means Linux containers can run on Joyent "at a much greater density" than in cloud infrastructure that requires placing them in a virtual machine. Joyent "has gotten rid of the virtual machine fat," said Cantrill.
On Solaris, many application zones were generated under a single copy of the operating system, and the applications were run without worries of them encroaching on each other. "The SmartOS substrate was designed for multi-tenant operations. It was designed for adversaries" or competitors to run side by side. The isolation of each is assured by SmartOS's supervision, he said.
The picture is a little different with Linux. Running containers as multi-tenants under Linux prompts security worries, since the Docker open source code project is still adding some restrictions to the environment. Some problems already solved in SmartOS design are being addressed in various and sometimes competing ways under Linux.
Containers need to be assigned access to a full TCP/IP network stack with a slice of virtualized network capacity. Under SmartOS, that can happen on a container-by-container basis, as the container is provisioned. It's assigned its own IP address as well, which stays with it after it is shut down, pending restart.
Under Docker, a container gets a TCP/IP stack as well, but with each provisioning, it will get a new IP address, Cantrill said. Thus, if there's a temporary shutdown that affects a running Docker container, it will be restored with a new IP address, leaving its whereabouts a mystery to other systems that still possess the old one, Cantrill said.
"It doesn't have to be a system failure. If only the Docker daemon (a background process) reboots, your container has got a different IP address," he added. Under Docker, the network implementation is host-centric. Under SmartOS zones, it's operating system centric and remains persistent with the container as long as it exists. "We solved the container network problem in the operating system" in the design of zones, Cantrill said. There are various ways to solve the same problem with Docker under Linux.
In addition to its cloud service, Joyent is making the Triton environment available for installation on-premises for those who wish to run Docker under SmartOS in their own environment. That form of Triton is called Smart Datacenter.
Docker has cooperated with Joyent in creating the Triton environment, Cantrill said. The Triton announcement included a comment from David Messina, Docker VP of marketing: "Joyent's innovative use of the Docker API has delivered an important service for enterprises."
Jerry Jelinek, the software engineer who led development of containers on Solaris in 2002, is a senior software engineer at Joyent. Jelinek's team took cues from a predecessor, FreeBSD zones called Jails.
"Docker connected with developers. It showed them how to take what they'd developed on a laptop and deploy it into production," Cantrill said. Now it's incumbent on cloud suppliers to take Docker containers and give them the best runtime environment possible, he said.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access Conference Passes.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.