Joyent Plans To Run Docker In Multi-Tenant Clouds
Joyent will apply its container expertise to Docker for secure, efficient multi-tenant hosts.
Joyent, a San Francisco-based cloud supplier, is already running thousands of applications in Unix containers and has been for nine years. But what it really wants to do is run Docker containers, which are different.
The rising popularity of Docker among its customers has prompted Joyent to rethink its position that its SmartOS Unix is the only option you will need as a cloud operating system. SmartOS will still power Joyent, but the company wants Docker containers holding Linux applications to be able to run under it.
Joyent announced Friday that it has collected $15 million from investors to add support for Docker Linux containers to the Joyent cloud. That's on top of $120 million already invested in Joyent. The task of becoming Docker compatible would be much more difficult but for the fact that Joyent runs an open source variant of Sun Microsystems' Solaris, SmartOS, that already has a lot in common with Linux.
Under SmartOS, containers are often referred to as "zones," but they function on the same principle as Docker when it comes to multiple containers sharing one operating system. The containers run simultaneously without stepping on each other's toes. A container is software that builds a box around an application, enforced by the operating system. It limits what resources an application may use, how the application and its related software will work together, and how it can be moved around. It's a sort of a cargo-loading crane for the data center.
Containers provide isolation for applications at the operating system level. Virtual machines, on the other hand, provide isolation at the hardware level. They take a defined slice of a server and build an imaginary machine in software around it. Unlike a container, that "machine" will need its own operating system. One result is that, while dozens of virtual machines can be run on a host, advocates say hundreds to thousands of containers can be run on a similar host.
"We routinely run 400 containers on a 48 GB server. We could run more," said Bryan Cantrill, CTO of Joyent, in an interview prior to the announcement. Cantrill was the developer of the DTrace feature in Solaris -- the ability to inspect what resources each process in an application was using. DTrace needed to be geared to work with Solaris containers, or "zones," as they were called in 2002. He has worked with containers since then.
In addition, the software engineer who led development of containers on Solaris in 2002, Jerry Jelinek, is now a senior software engineer at Joyent. (Jelinek's team to some extent took its cues from the earlier developers of FreeBSD, who produced a version of containers called Jails.)
Furthermore, Cantrill said Solaris and then SmartOS were designed to be secure users of containers, able to run them in a multi-tenant fashion on a single host. Even Docker Inc., the company sponsoring the Docker container project, urges caution in the use of containers in a multi-tenant setting. Containers running on the same host need to be trusted by each other. If they are strangers, or coming from a variety of owners, the cloud operator can't be sure there's no code hidden in one of them to snoop on what the host is doing with the others. Security experts worry that Linux containers are leaky or capable of allowing a process in one to escape into another.
Virtual machines have more impermeable boundaries because they sit behind a hypervisor, which exposes only a limited set of functions to each VM, typically under the watchful eye of a virtual firewall.
VMware, for example, recommends using containers for application isolation, if you're inclined to, but to run them inside a virtual machine for security reasons. Containers inside virtual machines work better together, its executives say. Critics say VMs impose too large a resource penalty and the most efficient use of containers is on bare metal servers. It's a debate that won't be completely resolved anytime soon.
Cantrill isn't enlisting in that debate. He said the real solution is SmartOS, with its ability to run multi-tenant containers. From the first day of its design, it was meant to be a secure operating system, one that avoided some of Linux's developer-friendly features. As Linux became popular with developers, many of them liked its ability to be ordered to reboot "by writing a text string to a certain file in the flash proc [procedure]," said Cantrill. That option has been tightened down, but at one time it would have been a tempting target for a renegade process in a container, he suggested.
SmartOS containers sandbox, or build a logical perimeter around the application in a container. It won't allow code in a container to spoof an IP packet or pretend to be someone that it is not. Processes in a SmartOS container can't grab additional IP addresses; they're bound to the ones with which they arrived. They're also limited in how they can use the host file system.
"I know I can say with confidence that Joyent has attracted people who have tried to violate the integrity of SmartOS containers. We have never had a problem. There has never been a security notification on zones," he said.
Joyent's operation over the years has included a free service to developers, and such offerings are known hotbeds of attempted security violations.
Joyent is now engaged in "building a bridge to Docker containers" that implement the same secure features, said Cantrill. "We can create a multi-tenant Linux container environment more easily than can the Linux clouds," he said.
Whether the security features hold up when applied to Docker remains to be seen. If Joyent succeeds, it will have transformed itself into a safe harbor for running Linux containers and leave competitors scrambling to catch up. It will have a price/performance advantage over most clouds, such as Google Compute Engine, Rackspace, and Amazon Web Services, which run Docker inside a virtual machine on a multi-tenant server.
Joyent will use its newly garnered $15 million to invest in engineering over the next few months to make Docker Linux containers compatible with SmartOS.
"Just as virtual machines replaced individual servers, we believe there will be another ten-to-one consolidation in the data center, thanks to containers," said Cantrill. "For Joyent, that's not a new belief. We now have an opportunity to apply it."