Joyent: Run Docker On SmartOS For Greater Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Infrastructure as a Service
12:33 PM
Connect Directly

Joyent: Run Docker On SmartOS For Greater Security

Cloud service provider Joyent bids for Docker workloads by claiming a more secure container environment, with an option for use in on-premises data centers as well.

11 IoT Programming Languages Worth Knowing
11 IoT Programming Languages Worth Knowing
(Click image for larger view and slideshow.)

Joyent's SmartOS-based cloud environment can run Linux containers more efficiently and securely than Linux can. At least that's the assertion of Bryan Cantrill, CTO of the cloud service provider.

SmartOS is based on an open source variant of Sun's Solaris and has been -- very quietly -- running containers for over a decade. But SmartOS could get a fresh look now that the cloud has made Linux containers a hot trend in data centers.

Joyent said last October it was "building a bridge to Docker containers," and that environment emerged Tuesday with the launch of Joyent's Triton Elastic Container Infrastructure. Triton emulates a Linux host server by putting a Linux call system table on top of the SmartOS operating system. It can then translate the calls coming to it from Linux applications into the correct responses from SmartOS.

Why not just run Linux containerized applications on Linux? Cantrill says SmartOS today can provide the security and management for Docker containers that are still works in progress under Docker.

(Image: Life of Pix via Pixabay)

(Image: Life of Pix via Pixabay)

One of things the SmartOS approach accomplishes is eliminating the virtual machine middleman. VMware, Amazon Web Services, Google, and Rackspace all run Docker-based workloads on behalf of cloud customers in a multi-tenant environment, but do so by putting each customer's Docker container inside the logical boundaries of a virtual machine. Using a virtual machine gives up one of the main efficiencies of containers: Many can run under one operating system. Putting the container in a virtual machine creates the need for a separate operating system to go with it.

[Want to learn more about Docker? See Docker At 2: From Shaky Start To Open Source Star.]

The Joyent cloud has been running containers for a decade in "zones" under SmartOS, Cantrill said; it typically runs 400 on a single host. Now it can run Docker containers as well. The move means Linux containers can run on Joyent "at a much greater density" than in cloud infrastructure that requires placing them in a virtual machine. Joyent "has gotten rid of the virtual machine fat," said Cantrill.

On Solaris, many application zones were generated under a single copy of the operating system, and the applications were run without worries of them encroaching on each other. "The SmartOS substrate was designed for multi-tenant operations. It was designed for adversaries" or competitors to run side by side. The isolation of each is assured by SmartOS's supervision, he said.

The picture is a little different with Linux. Running containers as multi-tenants under Linux prompts security worries, since the Docker open source code project is still adding some restrictions to the environment. Some problems already solved in SmartOS design are being addressed in various and sometimes competing ways under Linux.

Containers need to be assigned access to a full TCP/IP network stack with a slice of virtualized network capacity. Under SmartOS, that can happen on a container-by-container basis, as the container is provisioned. It's assigned its own IP address as well, which stays with it after it is shut down, pending restart.

Under Docker, a container gets a TCP/IP stack as well, but with each provisioning, it will get a new IP address, Cantrill said. Thus, if there's a temporary shutdown that affects a running Docker container, it will be restored with a new IP address, leaving its whereabouts a mystery to other systems that still possess the old one, Cantrill said.

"It doesn't have to be a system failure. If only the Docker daemon (a background process) reboots, your container has got a different IP address," he added. Under Docker, the network implementation is host-centric. Under SmartOS zones, it's operating system centric and remains persistent with the container as long as it exists. "We solved the container network problem in the operating system" in the design of zones, Cantrill said. There are various ways to solve the same problem with Docker under Linux. 

In addition to its cloud service, Joyent is making the Triton environment available for installation on-premises for those who wish to run Docker under SmartOS in their own environment. That form of Triton is called Smart Datacenter.

Docker has cooperated with Joyent in creating the Triton environment, Cantrill said. The Triton announcement included a comment from David Messina, Docker VP of marketing: "Joyent's innovative use of the Docker API has delivered an important service for enterprises."

Jerry Jelinek, the software engineer who led development of containers on Solaris in 2002, is a senior software engineer at Joyent. Jelinek's team took cues from a predecessor, FreeBSD zones called Jails.

"Docker connected with developers. It showed them how to take what they'd developed on a laptop and deploy it into production," Cantrill said. Now it's incumbent on cloud suppliers to take Docker containers and give them the best runtime environment possible, he said.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access Conference Passes.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
3/24/2015 | 10:28:43 PM
Docker containers will bridge different types of infrastructure
Cloud Foundry announced today that it is using Docker to move workloads between Cloud Foundry in the enterprise data center and Cloud Foundry as a Pivotal managed service on Amazon Web Services. That illustrates how containers are going to play a role in future hybrid cloud operations. They potentially erase some of the barriers that used to keep two different infrastrcutures from exchanging workloads.

Charlie Babcock
Charlie Babcock,
User Rank: Author
3/24/2015 | 1:39:24 PM
Special funding finances' bridge' to Docker
Docker received $15 million in venture capital funding to build the Triton environment, as we reported last October.. Total raised in support of the Joyent cloud: $135 million.
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll