Joyent: Run Docker On SmartOS For Greater Security
InformationWeek, News (Cloud // Infrastructure as a Service), 3/24/2015 12:33 PM

Cloud service provider Joyent bids for Docker workloads by claiming a more secure container environment, with an option for use in on-premises data centers as well.

Joyent's SmartOS-based cloud environment can run Linux containers more efficiently and securely than Linux can. At least that's the assertion of Bryan Cantrill, CTO of the cloud service provider.

SmartOS is based on an open source variant of Sun's Solaris and has been -- very quietly -- running containers for over a decade. But SmartOS could get a fresh look now that the cloud has made Linux containers a hot trend in data centers.

Joyent said last October it was "building a bridge to Docker containers," and that environment emerged Tuesday with the launch of Joyent's Triton Elastic Container Infrastructure. Triton emulates a Linux host server by placing a Linux system call table on top of the SmartOS operating system; it then translates the calls coming from Linux applications into the equivalent SmartOS responses.

Why not just run Linux containerized applications on Linux? Cantrill says SmartOS today can provide the security and management for Docker containers that are still works in progress under Docker.

(Image: Life of Pix via Pixabay)

One of the things the SmartOS approach accomplishes is eliminating the virtual machine middleman. VMware, Amazon Web Services, Google, and Rackspace all run Docker-based workloads on behalf of cloud customers in a multi-tenant environment, but do so by putting each customer's Docker container inside the logical boundaries of a virtual machine. Using a virtual machine gives up one of the main efficiencies of containers: many can run under one operating system. Putting each container in a virtual machine means a separate operating system has to go with it.

[Want to learn more about Docker? See Docker At 2: From Shaky Start To Open Source Star.]

The Joyent cloud has been running containers for a decade in "zones" under SmartOS, Cantrill said; it typically runs 400 on a single host. Now it can run Docker containers as well. The move means Linux containers can run on Joyent "at a much greater density" than in cloud infrastructure that requires placing them in a virtual machine. Joyent "has gotten rid of the virtual machine fat," said Cantrill.

On Solaris, many application zones were generated under a single copy of the operating system, and the applications were run without worries of them encroaching on each other. "The SmartOS substrate was designed for multi-tenant operations. It was designed for adversaries" or competitors to run side by side. The isolation of each is assured by SmartOS's supervision, he said.

The picture is a little different with Linux. Running containers as multi-tenants under Linux prompts security worries, since the Docker open source code project is still adding some restrictions to the environment. Some problems already solved in SmartOS design are being addressed in various and sometimes competing ways under Linux.

Containers need to be assigned access to a full TCP/IP network stack with a slice of virtualized network capacity. Under SmartOS, that can happen on a container-by-container basis, as the container is provisioned. It's assigned its own IP address as well, which stays with it after it is shut down, pending restart.

Under Docker, a container gets a TCP/IP stack as well, but with each provisioning, it will get a new IP address, Cantrill said. Thus, if there's a temporary shutdown that affects a running Docker container, it will be restored with a new IP address, leaving its whereabouts a mystery to other systems that still possess the old one, Cantrill said.

"It doesn't have to be a system failure. If only the Docker daemon (a background process) reboots, your container has got a different IP address," he added. Under Docker, the network implementation is host-centric. Under SmartOS zones, it's operating system centric and remains persistent with the container as long as it exists. "We solved the container network problem in the operating system" in the design of zones, Cantrill said. There are various ways to solve the same problem with Docker under Linux.

In addition to its cloud service, Joyent is making the Triton environment available for installation on-premises for those who wish to run Docker under SmartOS in their own environment. That form of Triton is called Smart Datacenter.

Docker has cooperated with Joyent in creating the Triton environment, Cantrill said. The Triton announcement included a comment from David Messina, Docker VP of marketing: "Joyent's innovative use of the Docker API has delivered an important service for enterprises."

Jerry Jelinek, the software engineer who led development of containers on Solaris in 2002, is a senior software engineer at Joyent. Jelinek's team took cues from a predecessor, FreeBSD's Jails.

"Docker connected with developers. It showed them how to take what they'd developed on a laptop and deploy it into production," Cantrill said. Now it's incumbent on cloud suppliers to take Docker containers and give them the best runtime environment possible, he said.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Charlie Babcock, User Rank: Author, 3/24/2015 | 10:28:43 PM
Docker containers will bridge different types of infrastructure
Cloud Foundry announced today that it is using Docker to move workloads between Cloud Foundry in the enterprise data center and Cloud Foundry as a Pivotal managed service on Amazon Web Services. That illustrates how containers are going to play a role in future hybrid cloud operations. They potentially erase some of the barriers that used to keep two different infrastructures from exchanging workloads.

Charlie Babcock, User Rank: Author, 3/24/2015 | 1:39:24 PM
Special funding finances 'bridge' to Docker
Docker received $15 million in venture capital funding to build the Triton environment, as we reported last October. Total raised in support of the Joyent cloud: $135 million.