Virtual container technology options for management, security
E-guide
In this e-guide: Introduction; Container Choices; Virtual container management; Virtual container security; Glossary

Introduction

Containers are not just for development and testing. Companies such as Docker, Amazon, Google and Microsoft offer some compelling and full-featured virtual container products aimed specifically at enterprise IT production environments. But are these offerings a sign that containers are ready for enterprise deployments, or are businesses not ready to make the necessary changes to switch to containers?

Use this guide to learn about the current virtual container choices and technologies, proper tools for management, and the level of security achievable for different container options. Not sure what some of the lingo means? Head down to the glossary section to brush up on key container terms.

Page 1 of 99
The seeds for this Holy Grail of server virtualization were planted here at DockerCon with the unveiling of a new Microsoft Azure integration with Docker's Datacenter product. On the keynote stage, Microsoft Azure CTO Mark Russinovich demonstrated a new integration between the Azure cloud platform (including Azure Stack, which remains in technical preview) and Docker Datacenter, showing an app operating across public and private Azure clouds.
To this week's IT pro audience, containers appear set to keep the promise VMs couldn't: move apps smoothly between operating environments.

"If you stay with Docker containers as the minimal unit of infrastructure, it was demonstrated today that you can get this portability," said Nirmal Mehta, senior lead technologist for the strategic innovation group at Booz Allen Hamilton Inc., a consulting firm based in McLean, Va., who works with government organizations to establish a DevOps culture.

While Docker portability creates less friction for cloud partners to move customer workloads onto their infrastructure, it also makes it easier to leave. Still, a rising tide of moving workloads will raise all boats in the market, Mehta said, and he predicted most cloud players will jump on the portability bandwagon in time.
"The real race is for features other than infrastructure, things like API
gateways, security, CDNs, DDoS protection, and serverless computing,"
Mehta said. "A whole other world is fast approaching."
Other new Docker products released into beta this week, Docker for AWS
and Docker for Azure, hold the potential for simultaneous multi-cloud app
deployments, though it remains to be seen how these products will assist
migration of workloads between different public cloud providers in practice.
Nevertheless, that's the goal being pursued by some of the largest and most advanced enterprises in the world.
While some of the technology is still being sorted out, one thing is clear:
Enterprise organizations want this kind of Docker portability in their data
centers yesterday.
"That's PaaS rather than containers, but it shows people are interested," Berkholz said.
But interest has yet to translate into action, according to Berkholz.

"What we see right now is a lot of interest in portability, but not a lot of people doing portability yet," he said.
Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
The majority of cloud deployments today are based on virtual machines, but it's become clear that containers offer significant benefits to cloud users. However, before choosing one technology over the other, it's important to understand the key differences between containers vs. VMs. The big question is whether VMs or containers are best suited for public, private or hybrid cloud strategies. And the answer depends on three primary factors: the functional differences between VMs and containers, the level of interdependence between private and public cloud components, and users' willingness to customize their own cloud platform.
VMs and containers represent two different ways to create virtual resources that run applications. With VMs, a special software system -- a hypervisor -- partitions a server below the operating system (OS) level, creating true "virtual machines" that share only hardware. With containers, virtualization takes place at the operating system level, so the OS kernel and possibly some middleware are shared.
Functionally, VMs are more flexible, because the "guest" environment where applications run is similar to a bare-metal server. You can pick your own operating system and middleware, independent of what other VMs on the same server might use. With containers, however, you need to accommodate a common OS and middleware elements when you choose applications, since each container uses the core server platform and shares it with other containers.
Users can gain all the benefits of containers in private cloud deployments. And for businesses with standardized operating systems and middleware, container-based private clouds are likely the best strategy. However, for public and hybrid clouds, containers are often more problematic and VMs may be the better approach.

For example, one challenge for enterprises adopting containers is that container hosting services in the public cloud are more difficult to find than VM services. While some infrastructure as a service (IaaS) providers, such as Amazon Web Services, offer container services, these services are normally an overlay to the IaaS service, and, in many cases, are only available for customers using a dedicated server or cluster hosting. While any user can deploy VMs via a public IaaS service, it is more complicated with containers, in terms of setup and operations -- particularly because container networking may be difficult to accommodate inside a public cloud.
Hybrid clouds based on containers are easier to build and maintain if the component distribution in the cloud versus the data center is fairly constant, or if an organization cloudsources those components in a very structured way -- for example, from a specific set of data center servers to a specific set of cloud servers. This makes the networking and integration of the hybrid environment easier to manage and less prone to configuration errors. With VMs, however, it's generally easier to deploy applications and components into the cloud from the data center using standardized tools and integration practices.

In the long term, it's likely that management tools will deploy VM- and container-based clouds. As these tools evolve, the operational differences between container- and VM-based clouds will shrink, and the primary
For many IT pros deploying containers into existing infrastructure, VMs offer compatibility with the rest of the environment and flexible deployment between hosts. Others argue a Docker bare-metal deployment best matches with containers' kernel-sharing efficiencies for better performance. Each side argues theirs is the more frugal option.
"For VMs, you buy a chassis with an ungodly amount of CPUs and a huge
memory partition," which tends to be more expensive than groups of smaller
commodity bare-metal servers, said Gary Davidson, senior solution architect
for Vitacost.com Inc., a division of Kroger Inc. that sells vitamins and
supplements through an e-commerce site.
Vitacost is preparing to put containers into production later this year, and,
for now, runs them on a VM infrastructure, but Davidson said bare-metal
servers are his ideal deployment choice.
"With VMs, you can quickly spin up images, and they can offer better resilience," with features like high-availability (HA) failover and dynamic resource scheduling, said Vijay Ramanan, principal consultant with Lister Technologies, a multinational consultancy with U.S. offices in Fremont, Calif.

Docker on bare metal might be the theoretical ideal, but it's not the existing infrastructure at most companies -- most of which are also not fully containerized yet, Ramanan said.

"It is different if you're talking about a 100% Docker infrastructure," Davidson said.

Still, other attendees at DockerCon 2016 here countered that running bare-metal containers is a no-brainer.

"Why would you run it on a VM?" said a software engineer for a customer experience management software maker on the West Coast who requested anonymity. "Docker does the bin packing for you and makes better use of the hardware."
"When I came to Docker, everything in my life was VMs," said Mike Coleman, a Docker technical evangelist with a focus on IT operations. Many enterprises approaching containers for the first time will be in that same boat, he said.

However, "It's hard to scale out 1,000 containers in a web service if they all take too long to boot," which is an argument for bare metal, he added.
Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
Containers are lightweight virtualization mechanisms built on features of the Linux operating system. While they enable enterprise teams to exploit even greater efficiencies of virtualization, management can be tricky.

Managing clusters of machines that host containers can be difficult. IT teams have a few options: run cluster management tools, such as Docker Swarm or Kubernetes, or use container services from providers, such as Amazon, Google and Microsoft, that offer container management services in addition to VM instances. Amazon EC2 Container Service (ECS) enables customers to run containerized applications in an AWS-managed cluster of EC2 instances. By running ECS containers, IT teams can take the guesswork out of installing and managing cluster management infrastructure.
Like other AWS products, customers use API calls to create clusters, launch
Docker containers and monitor the state of the cluster. The service is built
on EC2 instances, so developers and application administrators can take
advantage of other AWS features, such as AWS Identity and Access
Management, Elastic Block Store, security groups and Elastic Load
Balancing. AWS does not impose a separate charge for using AWS
container services; customers are billed for the underlying compute, storage
and other metered services the container applications use.
ECS containers are well-suited to applications that may not require the full resources of an EC2 instance. Microservices, for example, are good candidates to use in conjunction with ECS containers. IT teams can run any application without time limits on when an operation completes, and they can deploy applications developed on any platform or in any language. The service manages availability and scalability, so IT teams can adjust the number of ECS containers running at any time, according to demand.

Google Cloud Platform also offers a container service for Docker called Google Container Engine (GKE). GKE uses Kubernetes as a cluster management platform. Kubernetes is an open source platform, which gives customers the option to run the same cluster management platform on premises and in the cloud. Other vendors, such as Red Hat, VMware, Microsoft and IBM, support Kubernetes integration; OpenStack is also working to support Kubernetes.
Unlike AWS, Google charges for its container service, depending on the size of the cluster. Container management is free for up to five nodes in a cluster. A cluster of six or more nodes is billed at $0.15 per hour per cluster.

With Mesos, applications use resources that are running across clusters or across data centers. Customers can also use Marathon for service orchestration on Mesos. Chronos is a distributed job scheduler that is used with Mesos; it is often described as a cron job scheduler for clusters.
Mesos is known to scale to the order of 10,000 nodes and uses ZooKeeper -- part of the Hadoop ecosystem -- to ensure fault tolerance.

Like AWS, Microsoft does not charge for container services. Customers are billed only for the metered resources used within the cluster.
For the 1-5 scale, 1 is the lowest score and 5 is the highest. A designation of 1 means the technology does not provide support for the category at all, whereas 5 conveys that the technology meets most of the feature and function requirements for that category. One of the requirements we looked at for the DevOps category is the ability of the container subsystem to support DevOps operations, or to provide an integrated repository.
With the AWS EC2 Container Service (ECS), we're seeing a number of operational issues, such as the inability to monitor containers at a fine-grained level. When looking at ECS integration with management and ops, which should be as strong as any AWS offering, we had to knock it down to 4 points, relative to Google Container Engine (GKE)'s 5 points. ECS does, however, include CloudWatch integration, which could give it a leg up compared to ACS. Also, at this time, ACS supports Linux containers only. While Windows support is coming soon, as Microsoft ports Mesos over, .NET developers are left behind the curve for now.
On the data side of things, all of these services offer native data connections, without forcing the use of external APIs -- but there's room for improvement. One concern is they will bind containers with native data services and not provide open data access, which enhances portability. It's difficult to create portable containers if the data is tightly coupled to the containers. This is an emerging area that we're keeping an eye on for now.

AWS, Google and Azure container security
When considering security, we found Google's service, through its Kubernetes container orchestration system, has a "Secrets" functionality and some additional resource limitations that the other two services lack. As a result, GKE was given a higher ranking for security. Keep in mind that Microsoft also uses Kubernetes, but does so in different ways. Much of the technology itself is abstracted from the users.

However, when looking at the host platform -- or the public cloud platform where the container service resides -- it's interesting to note that the Google platform, when it comes to security, is less advanced in some ways than AWS or Azure. While Google can work with third-party identity and access management (IAM) tools, it lacks native IAM support. Although this did not impact the rankings indicated in the table, it's something to consider as you move forward with any of these platforms.
When it comes to DevOps, GKE and Amazon ECS have their own registries now, but Azure Container Service does not. Google and AWS provide better

Note: Cloud Technology Partners' principal architects Mike Kavis, Sibu Kutty and Jonathan Baier contributed to this article.
Systemd Linux containers offer great new possibilities and flexibility for specific workloads. Different solutions do exist, but none are as available or as fast to deploy as systemd containers, created with systemd-nspawn. If you've got five minutes, this article shows how to get started.

To start with, you'll need a directory that systemd-nspawn can use for the container system root. In this example, I'll use the /var/lib/container directory for this purpose. Type mkdir /var/lib/container to create this directory.

Before moving on, set SELinux to permissive mode with setenforce Permissive, rather than switching it off outright. It will be easier to change the password from within the systemd environment, and this article is about systemd-nspawn, not about SELinux. setenforce only lasts until the next reboot, so once the container's root password is set you can return to enforcing mode with setenforce Enforcing.
Next, you'll need to install a minimal operating system in this root directory. The command yum -y --releasever=7Server --installroot=/var/lib/container/centos7 install systemd passwd yum redhat-release vim-minimal will do this for you; yum creates the centos7 subdirectory under /var/lib/container. This command ensures that the required packages are copied to the container root you've specified. Notice that the set of packages installed here really is the minimum to get a proof of concept up and running. After the install part of the yum command, you can add any additional packages that you might need.
After installing the required packages to this directory, you can start the container. At first try, it's a good idea to use just the command systemd-nspawn -D /var/lib/container/centos7 -b. This will boot the container and ask you for a root password. The problem is that you haven't set a root password yet.

That is because the container logs you in against its own /etc/passwd and /etc/shadow, the ones yum just installed under the container root, and the root account there has no password. The host's root password is not visible from inside the container. So, the only thing that you can do now is open another shell and terminate the systemd-nspawn process.

To get yourself into a complete environment where you can actually log in, you'll need to add the passwd command to the systemd-nspawn command; without -b, the command runs inside the container root and exits instead of booting it. While you're at it, it's a good idea to disable some unnecessary services. The complete command to do all of this will be as follows:
You can now set the root password in the chroot environment. After doing so, you'll get back to the prompt on your host operating system. From there, you can now use the systemd-nspawn -D /var/lib/container/centos7 -b command.

Within a second you'll see a running container, which you can start using immediately. You can use the systemd-analyze command to find out how long it took the container to boot. From this container environment, you can now start offering any services you want. To shut down the container, you can treat it like any other virtual machine. Just use the shutdown or poweroff commands to shut it down.
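The whole procedure above, collected into one script as an added example (this is not code from the original article): it bootstraps the container root, sets the root password with systemd-nspawn ... passwd instead of booting, and refuses to boot with -b until the container's own /etc/shadow holds a usable root hash, which is the dead end described above. Assumed, not from the page: the script name nspawn-demo.sh, the NSPAWN_ROOT variable, the function names and the bootstrap/check/boot subcommands, and a RHEL/CentOS 7 host with yum; the paths and package list are the article's.

```shell
#!/bin/sh
# Added example, not code from the original article: bootstrap a systemd-nspawn
# container root on a RHEL/CentOS 7 host, set its root password without booting,
# and refuse to boot with -b until the container's own /etc/shadow can log root in.
# Assumed (not from the page): the NSPAWN_ROOT variable, the function names and the
# "bootstrap|check|boot" subcommands. Paths and package list are the article's.
set -eu

ROOT="${NSPAWN_ROOT:-/var/lib/container/centos7}"

# Print the password field of root's entry in DIR/etc/shadow (empty if absent).
nspawn_root_hash() {
    dir="$1"
    [ -f "$dir/etc/shadow" ] || return 1
    # shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    awk -F: '$1 == "root" { print $2; exit }' "$dir/etc/shadow"
}

# Preflight: is DIR a bootable container root whose root account has a usable
# password? A fresh installroot has root locked ("!!" or "*"), which is why the
# article's first "systemd-nspawn ... -b" ends at a login prompt nobody can pass.
# Returns 0 when ready, 1 with a reason on stderr otherwise.
nspawn_root_check() {
    dir="$1"
    for f in etc/passwd etc/shadow usr/lib/systemd/systemd; do
        if [ ! -e "$dir/$f" ]; then
            echo "nspawn_root_check: missing $dir/$f" >&2
            return 1
        fi
    done
    pw=$(nspawn_root_hash "$dir")
    case "$pw" in
        "" | "!"* | "*")
            echo "nspawn_root_check: root is locked or has no password in $dir/etc/shadow" >&2
            return 1 ;;
    esac
    return 0
}

# Install the article's minimal package set, then run passwd inside the container
# root (no -b: passwd is the container's only process and exits when done), so the
# hash lands in $dir/etc/shadow before the first boot. Needs root and yum on the host.
nspawn_bootstrap() {
    dir="$1"
    mkdir -p "$dir"
    yum -y --releasever=7Server --installroot="$dir" \
        install systemd passwd yum redhat-release vim-minimal
    systemd-nspawn -D "$dir" passwd
}

# Boot the container's systemd as PID 1, but only after the preflight passes.
nspawn_boot() {
    dir="$1"
    nspawn_root_check "$dir" || return 1
    exec systemd-nspawn -D "$dir" -b
}

case "${1:-}" in
    bootstrap) nspawn_bootstrap "$ROOT" ;;
    check)     nspawn_root_check "$ROOT" && echo "$ROOT is ready to boot" ;;
    boot)      nspawn_boot "$ROOT" ;;
esac
```

Run ./nspawn-demo.sh bootstrap as root, then ./nspawn-demo.sh boot; check on its own reports whether the tree is ready. The preflight only guards against the login dead end the article hits; it says nothing about the SELinux labels of the new tree, which is why the article asks for permissive mode during setup.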
In this article you've read how to use systemd-nspawn to create a Linux systemd container. To do this, you don't need anything complicated; everything it needs ships by default with a modern systemd-based distribution. Being so simple, systemd-nspawn has everything it needs to become a serious player on the market of Linux container solutions.
Just as into every life some rain must fall, into every software some bugs
must creep -- and Docker is no exception.
"We also use New Relic and APM [application performance monitoring] as a way to detect bad behavior in the environment, so we can automatically block or deny a bad actor," he added.

Containers, therefore, require code evaluation before they are put into an environment, and code security testing to ensure the possibility of this attack is not allowed, Haletky said.
As the technology evolves, to track and deploy Docker containers and the Docker daemon itself, FlightStats has had to get comfortable with numerous deployments to keep up to date.

"Docker is still very young and changing rapidly," Witherspoon said.

One update that will make frequent upgrades easier to deal with is backward compatibility for the command-line interface (CLI), according to a Docker blog.
"We stick with newer versions, but this will probably be very helpful for
admins who are not constantly updating Docker," said Chris Riley, director of
solutions architecture at cPrime, an Agile software development consulting
firm in San Francisco.
The CLI also has been cleaned up with simplified commands and
restructured, which will also greatly contribute to better ease of use for
containers, Riley said.
"I have had a lot of clients complain about disk usage when using Docker, and [some of the new] commands are meant to help this issue and will be helpful," Riley said. "This is a nice refactor as they expand their API, and [it] helps keep things organized and focused."
Upgrades that simplify how Docker container logs are accessed will improve container monitoring, and Riley said he's excited to see Docker for Amazon Web Services (AWS) and for Microsoft Azure come out of beta with this release.

"The fact that [Docker is] targeting the ops side and the two largest cloud providers is smart," Riley said. "We have been waiting for this to compete with Kubernetes on AWS and Amazon ECS [EC2 Container Service]."

Another update to Docker 1.13 that wasn't mentioned in the company's blog post is a bug fix for an irksome DNS issue in previous versions, according to Witherspoon.
"Some containers would rarely, but very painfully, fail to resolve certain DNS
lookups for no apparent reason," he said. "It seems better now -- time and
testing will tell."
Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.
IT operations pros faced with container management have a new tool to evaluate this week.

Docker Inc. looks to catch IT operations up with developers with a new product, called Docker Datacenter, which stitches together various Docker management utilities to ease container deployment in production.
The company tests Docker with Mono because it's a Microsoft .NET shop for software development, and Mono is a workaround that allows .NET code to be used in a Linux environment.

The concept of containers as a service makes sense, according to Lockwood. "You don't want to have to build that capability," he said.

However, that doesn't mean enterprises are ready to put Docker into production.

"I wouldn't rush into it," Lockwood said. "I am not as concerned on the technology's maturity -- although that is a concern -- as much as the skill sets in the market available to deploy and support it."

Lockwood said he's also waiting for Microsoft's next version of .NET, which will natively support Docker, and is currently in preview.

"We openly deploy things in the lab for testing, but I don't feel comfortable putting it out in production, because it doesn't have the footprint yet," he said.
Consultants to large enterprises said, for those on the bleeding edge, Docker can be a "one-stop shop" for containers, as well as their management.

"Companies that are moving forward building loosely coupled microservices-type architectures, they're going to be all over this stuff," said Mike Kavis, vice president and principal architect for Cloud Technology Partners Inc., a cloud consultancy based in Boston.

A vast ecosystem of startups has sprung up since Docker debuted three years ago to fill operational gaps in the deployment of containers. Public cloud providers, such as Amazon Web Services and Google Cloud Platform, also have tried to make hay with services that abstract away many aspects of container management.

But with Docker Datacenter, the container registry lives on premises, and Docker orchestration is controlled from there, which fits the hybrid cloud deployment pattern of more large enterprises than pure public clouds or even private platform as a service, Kavis explained.

"Every vendor I've talked to in this space, they all started in public cloud and they've all ... had to come up with an on-premises solution, because that's just where everyone is today," he said.
There are still ways Docker Datacenter needs to develop this base product, such as adding native live database migration capabilities -- though customers can plug in software from partners to accomplish this -- finer-grained role-based access controls and compliance best practices baked in, according to IT pros.

People will need some time to evaluate what Docker has put out and whether it meets their needs, said Fintan Ryan, an analyst with RedMonk, based in Seattle.

"There are quite a lot of people [who] are doing a combination of taking some sets of tools and rolling their own solution -- from a technical point of view, people are quite comfortable doing that," Ryan said. "But from an enterprise and CIO point of view, they'd prefer to have something that they can have clarity and control over."

The Docker product will probably meet the needs of most IT pros, so they could be less likely to turn to third parties for such tools -- unless they have specific needs, such as live database migration with ClusterHQ, that are better addressed by startups that have popped up to fill various Docker management niches, Ryan said.
Those who build and migrate applications using containers, such as Docker, quickly realize the need for container management tools. These tools help users manage container operations and scale, as well as monitor container performance and security.

And while managing containers can require a lot of work, one of the first steps is to choose a management tool. There are two types of management tools for container-enabled applications: container cluster managers and container operations managers.

To pull this off, users need to manage the cluster, or clusters, using a cluster management framework, which typically includes a resource manager to track resources such as memory, CPU and storage. When an executing task needs a resource, it must go through the resource manager to obtain those resources. Users also have access to resources, which means they can manage the cluster's performance, response time and other components. This allows the cluster to scale, either virtually or physically.
Other components of a container cluster manager include a task manager, which is responsible for task execution and state management. Cluster managers also contain schedulers to manage dependencies between the tasks that make up jobs, and to assign tasks to nodes. The scheduler is a core component of the cluster manager; without it, the manager would not be able to start or stop jobs and tasks.
Besides picking the right tools, here are some general tips for managing containers:

Understand your core container usage patterns. Some container-based applications are complex and require a good deal of monitoring and management. Others are simpler, and may not need to be scaled or monitored. Container management tools can be costly to run and maintain, so only implement them when you need them; the number and type of containers you have will drive your requirements.

Don't get too focused on the tools. Many organizations managing containers focus too much on the available tools, and not the capabilities they really need. Chances are, you'll have a mix of container management tools that will change over time.
If you deploy containers, you may be less likely to deploy configuration management tools alongside them.

With the popularization of containers comes a new debate about the role of configuration management tools in environments with highly automated container clusters. Early adopters of container cluster automation, such as Google's Kubernetes or Apache Mesos, said those tools can supplant the likes of Puppet, Chef, Ansible and SaltStack, which are widely used to automate data center configuration management.

Users can very easily circumvent Puppet, Chef and similar competitive products when container cluster management is offered as a cloud service, such as Google's Container Engine, which is based on Kubernetes, according to IT pros who have used the product.

"When you move to container orchestration, the need for automation tools becomes somewhat different, and tools like Puppet, Chef and Ansible have a little bit less applicability," said Mark Betz, a software engineer with 20 years' experience in the industry. Betz recently worked for a startup called icitizen in Nashville, Tenn., where he used Google Container Engine.

Kubernetes can spin up a fully configured server cluster using relatively few API calls. Docker itself is responsible for the state of the file system each
"One of the key reasons we chose DCOS is that everything is getting more
and more complicated in terms of how you deploy and how infrastructure
works," Voorhees said. "At the same time, it's really important to build the
tooling and the capabilities around the infrastructure to make it really easy
for developers and teams to move fast."
Even when it's not the big automation suites such as Kubernetes or DCOS in
play, container management tools have gained momentum at some other
companies as well.
"Cloud 66 lets us remove virtual machines from the load balancer and spin
up a new Docker container, start the Docker container and add it back into
the stack, and that would typically be done in Chef or something like that,"
said Scott Hasbrouck, CTO and co-founder of Convoy Inc., a consumer tech
support service company based in San Francisco.
Cloud 66 Ltd., based in San Francisco, provides cluster automation for
Docker environments meant to automate app deployment.
Very rarely do software engineers have to muck around with configuration
of the underlying infrastructure with Cloud 66 in place, Hasbrouck said.
Not so fast
This shift in the market isn't lost on configuration management tool company
Red Hat.
Red Hat owns Ansible and has also integrated Kubernetes into its OpenShift
platform as a service product.
"So, every application you have just got more complex, more critical, more
confusing and more complicated," Kanies said. "You need way more
management, not way less management."
"Your containers have to get built somehow," he said. "That's sort of where
configuration management tools can save us, by having a robust build-time
language."
Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.
Windows shops assessing Microsoft's emerging container products are
sticking with the axiom that if you want something done right, you should do
it yourself.
Microsoft shops that have kicked the tires on the company's container
products so far favor running Windows Server 2016 containers on internal or
self-managed cloud infrastructure, as opposed to using a more abstracted
offering, such as the Azure Container Service -- even though Azure
containers are generally available and Windows Server Containers are still
months away.
"We want a solution which will work for different kinds of platforms, not just
Linux-based systems," said Bala Subra, a .NET architect for a large
publishing company in the Northeast, who has done proof-of-concept
testing on Windows Server Containers, which are due out with Windows
Server 2016 in the fall.
While the company uses Linux containers already, they're not in production
yet, and Subra said he's content to wait until Windows Server 2016 becomes
generally available to deploy Windows containers.
base. But it's also because some shops want to tinker with running Windows
Server Containers on bare metal on internal infrastructures before
committing to virtual machines in the public cloud.
"To get a monetary advantage to moving over to containers, we'd have to
look at restructuring our server infrastructure," said Marc Priolo,
configuration manager for Urban Science, a Detroit-based data analysis
company specializing in the automotive industry. "When you're doing
containers, virtualized OSes are a lot of overhead that containers can get rid
of."
While VMs can consistently run dozens of containers, bare-metal servers
can pack in hundreds, if not thousands of containers, and bare metal is
where web-scale companies are going, said Jay Lyman, an analyst with 451
Research.
But choice here is a two-edged sword, as it also means users still need to
bring their own integrations for continuous integration and delivery tools, as
well as logging and monitoring. Azure containers don't have a native Docker
registry, and Microsoft has no opinion on Docker's version of the registry,
according to Boris Scholl, principal product manager for Azure Compute,
who presented at a recent Meetup put on by the Boston Azure Cloud User
Group.
Microsoft is fleshing out multiple tools to ride the wave of Docker hype, but
no moss is growing on its partners as all grasp for the Windows container
brass ring.
"Creating a test [and] dev SQL Server can be quite a lengthy process,
otherwise," said Andrew Pruski, Ding's database administrator. "It can take
anywhere from 10 minutes to two hours, depending on the size of the VM."
Tests of WinDocks have spun up SQL Server replicas in as little as 90
seconds, Pruski said.
Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.
Supporting cutting-edge applications means working smarter, not harder.
The complexity of modern app development patterns goes well beyond even
the management of containers. These are stitched together to form
microservices, which, in turn, are combined into highly complex modern
application architectures.
This complexity means the infrastructure must be managed
programmatically and automatically through emerging IT automation tools.
No human can keep up with provisioning and managing thousands of
containers, their various dependencies and their composition into
microservices by hand.
All these small pieces must communicate with one another over the network,
and securing that communication can be a bear, as well.
Microservices give traditional IT a makeover
"One of the amazing things that we're seeing is how sophisticated and
almost academic computer science ideas are now being integrated into the
Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.
Docker had a big year in 2015, and from the looks of it, 2016 is only going to
be bigger. IT pros around the world are excited about the possibilities, but
also issued a warning for those nagging sparse files. Here's a look at what
the Twitterverse has to say.
Ok ... let's try to build something with Docker for our new dev
server #Docker
With #docker you can run #CLUSTERS of #VPC's as honeypots, imagine the
#infosec possibilities :) @illusivenw
Being able to launch a new site with #docker #nginx #cloudflare and #azure
in a few minutes feels good
- Derek Bekoe (@derekbekoe) December 27, 2015
Docker pro tip: beware of sparse files when doing a `docker commit`.
#Docker #linux
Universal Control Plane look too cool and easy to setup. Docker swarm
integration is just awesome!! #docker #docker-machine
- Ajeet Singh Raina (@ajeetsraina) December 26, 2015
I'm being sarcastic about containers being our savior, though. I see a lot of
parallels between Docker and Java. Java promised the ability to write an
application once and run it anywhere. That was a bold promise, and Sun
Microsystems (and now Oracle) almost completely failed to deliver on it. We
are forever mired in Java version problems, forward and backward version
incompatibility, platform incompatibilities, performance issues between
platforms, security problems, and so on.
We see some of these same problems with containers. Despite the promise
of abstraction from the underlying operating system, there still is an
underlying operating system that needs care and feeding. In particular, it
needs updates and patching, which developers rarely do. A majority of
container images contain serious unremediated security issues, studies show.
Furthermore, there are big trust issues in the container technology world. Is
it okay that your developers are building applications on container images
built by unknown people on the Internet? How do you know that those
images are safe, and don't contain back doors or malware?
There are versioning problems, too, just like Java. There is different
container software out there, such as Docker, Rocket, LXC, VMware
ThinApp, Solaris Zones, etc., and it isn't uncommon for two different
development teams to have chosen two different technologies. Each
container technology has compatibility issues with underlying infrastructure,
too. Developers need version X of their container technology but the
operating systems my organization supports and secures aren't compatible,
or require heavy retrofitting, which increases staff time commitments.
On top of this, there are very few management interfaces for containers.
Chargeback/showback is unheard of. Security tools are nonexistent.
Backup and restore isn't possible in the normal frameworks, either, which is
a big problem not only for daily operations but also disaster recovery and
business continuity. Change management is laughed at. Given all the holes in
the process, the pessimist in me starts thinking that containers are an
elaborate way for developers to shirk the responsibilities of traditional IT,
especially around risk management. And while it's clear that developers are
eating the free lunch that containers promise, I often wonder who is paying
for the meal, because it's a very expensive one.
So what do we do about it? For starters, we start asking all the same hard
questions we've always asked. How are these things secured, and how do
we prove it? How do we handle an incident with a container? Where is
application data stored and how is it protected? Can we standardize all
teams around one container platform? Who is building and maintaining "gold
master" container images, and if it isn't our organization, how do we know
we can trust them? How do our applications get security updates? How do
containers mesh with our change management process, and how do we do
capacity planning?
Because when all is said and done, there really is no such thing as a free lunch.
The rapid rise of virtualization containers in the application world cements
their growing relevance to production IT managers. Although similar in
approach to virtual machines, containers have a few core differences that
prompt IT departments to review their security approaches.
A container has greater dependencies on the outside world, not from within
the container itself. Although it still creates abstraction from the physical
level, virtualization containers share most of their resources in a dynamic
manner, and a container accesses the majority of its devices via the base
platform. Containerization is more of an application approach that presumes
that the BIOS and OS are already running, unlike VMs. It creates a loose
sandbox environment of the shared resources on which each container then
layers the function, service or application.
In virtualization containers, an application can be broken down into sets of
containerized functions that are pulled together practically on the fly,
creating a system that supports a process in a far more flexible manner. A
composite application can pull together a container that is set up and
optimized just to run analytics, a specific database or application logic.
Containers are better at managing this service chaining than VMs, since they
are designed to work against a shared platform and use shared functions
and devices far more effectively than VMs.
Although this sounds like a pretty bad design flaw, it is the only way that
containers can work, and is how they provide the density improvements over
VMs that have garnered a great deal of interest. The key for production IT's
adoption of containers is to ensure that not only are containers secure
within themselves, but also that the approach to creating the containerized
environments is secure.
Securing virtualization containers must rank high on the priority list for any
group using them. Where possible, isolate them through the use of their own
namespace. Provide virtualized containers with their own network stack,
avoiding any privileged access across different containers to physical ports.
Use control groups to manage resource allocation and usage -- this
enhances external security, as it helps in managing distributed denial of
service attacks.
Try to run services as non-root: If root must be used, be as careful here as
you would be in the physical IT infrastructure. The container is not a
sandbox -- it has holes all over it. Developers are not coding in an airlocked
space; whatever is coded badly in one container can have major security
effects on all other containers run on the same physical platform. The vast
majority of containers do not need root privileges. Most services that require
root privileges should already be running outside of the container as part of
the underlying platform. Running with reduced privileges enables the
container to deny any mount requests, deny file creation or attribute change
activities, prevent module loading and otherwise protect the system.
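The checks above (non-root, no privileged access, a per-container network stack, cgroup limits) as an added example that is not code from the original e-guide: a small audit that reads the JSON printed by `docker inspect` and flags each setting the text warns about. The field names are those of Docker's inspect output; the two container entries are constructed inline so it runs offline.

```python
"""Audit running containers against the hardening points above: a non-root
user, no privileged access or extra capabilities, a per-container network
stack, cgroup resource limits and a read-only root filesystem.

Added example, not code from the original e-guide. It reads the JSON that
`docker inspect <container...>` prints (pipe it on stdin); the two entries
below are constructed in that shape so the check also runs offline.
"""
import json
import sys

# Constructed sample in the shape of `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-hardened",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
            "ReadonlyRootfs": True, "Memory": 268435456, "PidsLimit": 100,
            "NetworkMode": "bridge", "SecurityOpt": ["no-new-privileges"],
        },
    },
    {
        "Name": "/legacy-worker",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
            "ReadonlyRootfs": False, "Memory": 0, "PidsLimit": 0,
            "NetworkMode": "host", "SecurityOpt": None,
        },
    },
])


def audit_container(entry):
    """Return the list of findings for one inspect entry; empty means clean."""
    cfg = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    # An empty User means the image's default, which is root unless the
    # Dockerfile set USER; "0" or "root" is root explicitly.
    user = cfg.get("User") or ""
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root: set a non-root USER in the image or pass --user")
    if host.get("Privileged"):
        findings.append("--privileged: full device and capability access to the host")
    if host.get("CapAdd"):
        findings.append("extra capabilities added: " + ", ".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities kept: prefer --cap-drop=ALL and add back only what is needed")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network stack: give the container its own network")
    if not host.get("Memory"):
        findings.append("no memory limit (cgroup): set --memory")
    if not host.get("PidsLimit"):
        findings.append("no PID limit (cgroup): set --pids-limit to contain fork bombs")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: consider --read-only")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("setuid escalation allowed: add --security-opt no-new-privileges")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every entry in inspect output."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(data).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it as `docker inspect $(docker ps -q) | python3 audit.py` to review every running container on a host.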
The one major area in the underlying platform to treat differently than
conventional virtualization when it comes to security is the core functional
part of virtualization containers. With Docker, the Docker daemon runs with
full privileges in a physical root environment to create a virtualized container
environment. Anyone with access to the daemon has complete freedom to
Virtualized container security also means watching how the containers use
application programming interfaces (APIs). It only takes small errors in how
an API call is made to allow a malicious attack to load a new container or
change the contents of an existing one to access the root environment with
high privileges. When running containers on enterprise systems, invest in API
monitoring and management tools, such as those from Akana, Apigee or CA
Technologies.
The container market continues to heat up, as the security-centric rkt
reached its first production-ready release last week.
A little over a year after the open source project was first made available,
version 1.0 of the rkt container application runtime focuses on security and a
stripped-down role in application deployments, marking yet another option
for users to deploy Linux containers.
CoreOS is positioning rkt as a much more modular component into the
overall application framework than Docker, which has expanded its push
beyond just formatting and packaging containers to constructing an entire
platform for building and running containerized applications.
Rkt will still work with the Docker image, and other ecosystem partners have
put out add-on features for the 1.0 release around monitoring, networking,
and a container registry for its runtime images and to convert Docker
images to rkt images. Through a partnership with Intel, users also can launch
rkt as a virtual machine for additional security overhead.
"We just want something that [does] one thing and does it well," he said.
Deis has done scale testing and prototyping with rkt, and plans to eventually
swap out Docker for rkt for runtime, while maintaining the Docker image
format, Monroy added.
"Docker very much wants to provide a fully integrated vertical stack, and
that's the way they've built things," he said. "CoreOS [is] much more about
modular. You can take what you want and leave the rest."
CoreOS CEO Alex Polvi has raised concerns about the Docker model that
requires a majority of operations to run through the Docker daemon -- a
view he maintains with the 1.0 release.
"Without a rewrite of Docker, that will forever be a major area of security
issues," he said. "We built rkt to address an architectural issue that can't be
addressed with a light patch to Docker."
"The market is going to be absolutely huge for all this stuff, so there'll
definitely be a couple different ways to do it," Ryan said.
Docker and CoreOS are fighting for the same IT dollars, but they're also
working together alongside some of the biggest tech vendors in the world to
establish a standard around container formats and runtimes through the
Open Container Initiative.
Analyst firm 451 Research asked 198 senior IT pros who their primary
container supplier is, with 64% saying Docker, compared with only 10% for
rkt, according to the New York-based company's third quarter of 2015
edition of its Voice of the Enterprise survey on cloud computing.
When new technology as popular as Docker comes along, the door opens
for alternatives in the marketplace, said Jay Lyman, research manager at
451. Rkt has helped keep Docker honest in its progression and promoted a
greater focus on container security.
"This is the classic open source software competitor disciplining the other
projects," Lyman said. "It helps Docker and helps rkt when there is more
than one viable alternative."
Container technology, especially Docker, continues to make its way into the
enterprise. Just as they would be for any other technology, IT pros are
tasked with building a strategy for securing Docker containers.
There are a few Docker security vulnerabilities to note. First, running
containers and applications with Docker means running the Docker daemon,
which requires root privileges. But, this means you're giving those processes
the keys to the kingdom -- and this is just one example of how containers
can alarm an IT security professional.
Docker Content Trust (DCT), a new feature from Docker, can help IT pros
ensure Docker security. DCT uses a public key infrastructure (PKI)
approach, and has two distinct keys: an offline (root) key and a tagging (per-
repository) key that are created and stored client-side the first time a
publisher pushes an image.
This takes care of the biggest vulnerability, which is using malicious
containers. DCT also generates a timestamp key that protects against
replay attacks, which means running signed, but expired, content. This
solves the problem mentioned above about containers having different
security patch levels.
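A model of the chain of keys just described, as an added example that is not Docker's or Notary's code: the root record delegates to the tagging key, the tagging key signs the tag-to-digest set, and a timestamp record with an expiry vouches for that exact signed set, so content that is validly signed but stale is refused. HMAC-SHA256 with constructed keys stands in for the asymmetric signatures DCT actually uses, and the record layout is a simplification of TUF's metadata, not its real format.

```python
"""Simplified model of Docker Content Trust's key hierarchy. Added example,
not Notary/DCT code: HMAC-SHA256 with constructed keys replaces the
asymmetric signatures and the records are a reduced form of TUF metadata.
"""
import hashlib
import hmac
import json

# Constructed keys. In DCT the root key stays offline, the tagging key is
# per repository and the timestamp key is held by the Notary server.
ROOT_KEY = b"constructed-offline-root-key"
TAGGING_KEY = b"constructed-per-repo-tagging-key"
TIMESTAMP_KEY = b"constructed-timestamp-key"


def key_id(key):
    return hashlib.sha256(key).hexdigest()


# Keys a client could select once the root record names one of them by ID.
KEYRING = {key_id(k): k for k in (TAGGING_KEY, b"constructed-other-key")}


def sign(key, payload):
    """Sign the canonical JSON encoding of payload (HMAC stand-in)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def publish(tags, now, ttl):
    """The three signed records a publisher pushes: root delegates to the
    tagging key, targets maps tag -> digest, timestamp vouches for targets
    until `now + ttl`."""
    root_rec = {"tagging_key_id": key_id(TAGGING_KEY)}
    targets = {"tags": tags}
    targets_sig = sign(TAGGING_KEY, targets)
    ts_rec = {"targets_sig": targets_sig, "expires": now + ttl}
    return {"root": {"payload": root_rec, "sig": sign(ROOT_KEY, root_rec)},
            "targets": {"payload": targets, "sig": targets_sig},
            "timestamp": {"payload": ts_rec, "sig": sign(TIMESTAMP_KEY, ts_rec)}}


def resolve_tag(trust, tag, now):
    """Return (True, digest) if tag is trustworthy at time `now`, else
    (False, reason). Every check must pass; stale data fails on expiry
    even though each individual signature still verifies."""
    root, tgt, ts = trust["root"], trust["targets"], trust["timestamp"]
    if not verify(ROOT_KEY, root["payload"], root["sig"]):
        return (False, "root record not signed by the offline root key")
    tagging_key = KEYRING.get(root["payload"].get("tagging_key_id"))
    if tagging_key is None:
        return (False, "root names an unknown tagging key")
    if not verify(tagging_key, tgt["payload"], tgt["sig"]):
        return (False, "tag set not signed by the delegated tagging key")
    if not verify(TIMESTAMP_KEY, ts["payload"], ts["sig"]):
        return (False, "timestamp record not signed by the timestamp key")
    if ts["payload"]["targets_sig"] != tgt["sig"]:
        return (False, "replay: timestamp does not vouch for this tag set")
    if now > ts["payload"]["expires"]:
        return (False, "expired: signed but stale content")
    if tag not in tgt["payload"]["tags"]:
        return (False, f"tag {tag!r} is not in the signed tag set")
    return (True, tgt["payload"]["tags"][tag])


# Constructed sample: a repository with two tags, timestamp valid for 1 hour.
SAMPLE_NOW = 1_700_000_000
SAMPLE_TAGS = {"latest": "sha256:" + "a" * 64, "1.0": "sha256:" + "b" * 64}
SAMPLE_TRUST = publish(SAMPLE_TAGS, SAMPLE_NOW, ttl=3600)

if __name__ == "__main__":
    print(resolve_tag(SAMPLE_TRUST, "latest", SAMPLE_NOW + 60))
    print(resolve_tag(SAMPLE_TRUST, "latest", SAMPLE_NOW + 7200))
```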
So, what if you're charged with securing Docker containers and don't know
where to start? Here are a few suggestions:
The Amazon EC2 Container Service takes advantage of Docker
infrastructure to run and manage containers across a cluster of Elastic
Compute Cloud instances. Docker and AWS have made strong
commitments to improve container security, but new practices must be
adopted to secure ECS against weaknesses that leave an enterprise's
software infrastructure vulnerable.
Container instances are VM instances against which tasks are scheduled.
This whole process is managed by ECS agents. A cluster is a collection of
container instances that provides the required resources for a collection of
containers.
It's important to implement a strategy for automating access control to the
ECS infrastructure. Amazon simplifies this process through its Identity and
Access Management (IAM) service, which makes it easier to set up, manage
and update roles to help secure ECS and other services.
Rotating access keys regularly is a best practice because it limits the
amount of time that a compromised key can be used by hackers. When
some applications are running outside of EC2, this must be performed
programmatically and can sometimes cause applications to break.
It is also important not to use root access keys to make these changes. If
this key is compromised, a hacker could essentially gain access to an
enterprise's entire AWS infrastructure. Amazon has published some best
practices for programmatically managing keys. IAM can do this
automatically for EC2 applications and with fewer chances of an application
going offline.
Some tools can help automate the auditing process and make it easier to
notify security personnel and developers when problems are detected. For
example, Amazon has announced a partnership with Twistlock to automate
Amazon registry of container images; this makes it easier to incorporate
auditing into an organization's continuous integration process. Twistlock
also offers the ability to monitor containers in operation to detect malicious
activity.
CoreOS and Docker have also released scanners that compare the code in
container instances against a database of known vulnerabilities. CoreOS
released the Clair service, which compares container content against
various CVE databases maintained by NIST, Red Hat, Ubuntu and Debian.
Docker Content Trust is an implementation of the Notary open source
software for certifying the validity of Docker images retrieved from public
One practice is to regularly rebuild container images with the latest updates.
But this can also create new problems with side effects and instabilities that
could go unnoticed. Another practice is to analyze new images in real time
on a regular basis using vulnerability scanners. But this requires
implementing security into the development process. However, this is an
important step if the developers modify libraries to improve application
performance or implement new features.
One of the biggest challenges with cloud security is that it only takes one
open door to compromise an enterprise. Automating the management of
security keys, auditing containers and testing new code can all help close
these doors. But organizations need to consider integrating security reviews
into the development, operations and testing processes to mitigate the risk
of security breaches.
It's been a well-known fact for many years that the standard hypervisor
approach to virtualizing a server has a basic flaw in its architectural premise
-- it requires each virtual machine to run a separate operating system
instance. Hypervisors are designed to enable any operating system to run in
a VM, allowing for a greater degree of flexibility. This also means that
Windows instances can exist alongside Linux instances in the same
machine.
Once we reach scale levels found in cloud providers, it becomes apparent
that there is no real need to mix OSes on any given server, as there are so
many instances, segregating them doesn't impact flexibility. With this
realization comes the understanding that the hypervisor method wastes a
great deal of memory and I/O cycles, since as many as hundreds of copies
of the OS could exist on any given server.
The idea that we can live with a single shared copy took a while to reach
market. This is the container approach, which allows the OS and any
applications to be shared. The resulting savings in DRAM enable many more
instances to exist on any given server, often reaching three to five times the
instance count for hypervisors.
With containers running within that single copy, we lose one of the
protections Intel built into the hardware. Multi-tenancy requires barriers to
keep instances out of the memory space of other instances. This logical
separation adds a degree of Linux container security, ensuring that if one
VM is compromised, other VMs on the same host are not also at risk. If this
feature wasn't available in hypervisor-based systems, the cloud would never
have grown to its current size.
Intel provides hardware assists to solidify multi-tenancy in their processors.
Unfortunately, moving to containers meant these can no longer be used,
leaving the containers exposed to boundary-crossing exploits.
The Docker daemons run as root, and changing the root settings requires
major modifications to Docker. Such changes include running the containers
inside VMs, placing control of the Docker daemon in the hands of trusted
users only, and using UNIX sockets. This is assisted by the recent addition of
a user namespace feature, which allows IT to separate access privileges for
containers and the Docker daemon, preventing the containers from
accessing the root.
In May of 2015, Intel brought Clear Containers to the market. These provide
a very streamlined hypervisor designed to host the containers. With an
overhead of between just 10 to 20 MB per instance, we get back the
protection that hypervisors provide without the space burden of running
multiple copies of the OS stack. At the same time, Linux DAX zero-copy
sharing between the host and guest and kernel samepage merging facilitate
access to the OS image in DRAM.
Docker images are also a point of attack. These are build templates for the
container, which are interpreted by the Docker daemon running in root.
Again, there is an opportunity for exploitation, so Docker has recently
released Docker Content Trust, which uses tools to guarantee the validity of
an image. This involves hardware authentication of the image using Notary --
an open source tool -- and The Update Framework to validate the content
and verify who published it.
Another major protection comes from containers being isolated from each
other and from physical devices. This reduces the attack surface
considerably. It's also good practice to use read-only file systems for images
and other data wherever possible. Though that's true in all computing, the
container approach shares image data more often, allowing for tighter
control on fewer images.
With CaaS, users can upload, organize, run, scale, manage and stop
containers using a provider's API calls or web portal interface. As is the case
with most cloud services, users pay only for the CaaS resources -- such as
compute instances, load balancing and scheduling capabilities -- that they
use.
Public cloud providers including Google, Amazon Web Services (AWS), IBM,
Rackspace and Joyent all have some type of CaaS offering. For example,
AWS has its Amazon EC2 Container Service (ECS), a high-performance
container management service for Docker containers on managed Amazon
EC2 instances. Amazon ECS eliminates the need for users to have in-house
container or cluster management resources. Google's Container Engine
service offers similar cluster management and orchestration capabilities for
Docker containers.
The key difference between providers' CaaS offerings is typically the
container orchestration platform, which handles key tasks, such as
container deployment, cluster management, scaling, reporting and lifecycle
management. CaaS providers can use a variety of orchestration platforms,
including Google Kubernetes, Docker Machine, Docker Swarm, Apache
Mesos, fleet from CoreOS, and nova-docker for OpenStack users.
The Open Container Initiative has support from a long list of prominent
companies; however, the project will remain independent from any particular
commercial organization. Founders include Amazon Web Services, Docker,
CoreOS, Microsoft, VMware, EMC, Nutanix, Red Hat, IBM, Goldman Sachs,
and Google. Docker was pivotal in founding the initiative, donating draft
specifications and much of its existing code for its image format and
container runtime. The formation of OCI was driven by the rapidly rising
interest in container-based virtualization, particularly as a way to increase
application portability across multiple environments.
The core goals for the project are to ensure standards for containers and
future container platforms that preserve the flexible and open nature of
containers. Specifically, the OCI says containers should not be bound to a
specific client or orchestration stack, not be tightly associated with any
particular vendor and are portable across a wide variety of operating
systems, hardware and architectures.
Google Container Engine (GKE)
Margaret Rouse, WhatIs.com
Users can interact with Google Container Engine using the gcloud command
line interface or the Google Cloud Platform Console.
Google Container Engine is frequently used by software developers creating
and testing new enterprise applications. Containers are also used by
administrators to better meet the scalability and performance demands of
enterprise applications, such as web servers.
Google Container Engine users organize one or more containers into pods
that represent logical groups of related containers. For example, these
groups could include logfile system containers, checkpoint or snapshot
system containers or data compression containers. Similarly, network
proxies, bridges and adapters might be organized into the same pod.
Generally, identical containers are not organized into the same pod. Users
create and manage these pods through jobs.
If a pod of related containers becomes unavailable, access to those
containers may be disrupted. Most applications in containers require
redundancy to ensure that pods are always available. Google Container
Engine includes a replication controller that allows users to run their desired
number of pod duplicates at any given time.
Google currently charges a flat fee for Container Engine services depending
on the number of nodes in a cluster. A cluster of five nodes or less is
currently free, and a cluster of six nodes or more is currently priced at $0.15
per-hour per-cluster. However, cloud pricing is extremely competitive and
changes frequently, so it's important for prospective users to investigate
current pricing and discount opportunities before implementing containers.
VMware vSphere Integrated Containers (VIC) is a platform that enables
administrators to deploy and manage containers within virtual machines
(VMs) from within VMware's vSphere virtual machine management software.
VSphere Integrated Containers can also be used to describe the individual
isolated container instances hosted within the platform.
VMware first introduced the concept behind vSphere Integrated Containers
as a technology preview called Project Bonneville. The technology uses a
set of daemons and drivers to speed the deployment of containers within
virtual machines (VMs). Project Bonneville coupled a light-weight Linux
operating system (called Project Photon) with a VMware technology called
Instant Clone, which allows for the rapid duplication of VM images.
Administrators can monitor and manage vSphere Integrated Containers
through their existing vSphere Web Client using a plug-in that enables
control of the virtual container hosts.
run from within the container host, and are not duplicated per container instance.
The aim of the open source project is to provide administrators with a set of tools that allows them to deploy, manage and secure containers in much the same way that a hypervisor enables administrators to manage virtual machines. Unlike some other container projects, LXD supports live migration, snapshots, configuration profiles (CPs) and Peripheral Component Interconnect (PCI) pass-through devices.

LXD currently comprises three pieces: a daemon, a command-line client and an OpenStack Nova plug-in. The daemon exports a REST API locally, and also allows administrators to manage containers over a network. The command-line client builds on the existing LXC (Linux container) project, providing lower-level management capabilities for all of one's containers. It can also connect to multiple container hosts to provide an overview of all the containers residing on a network. The OpenStack plug-in enables higher-level management functions by allowing administrators to manage containers as they would VMs within an OpenStack environment.
from Docker and some other popular container platforms in that it provides operating system containers, as opposed to application containers.
Swarm mode also exists natively for Docker Engine, the layer between the OS and container images. Swarm mode integrates the orchestration capabilities of Docker Swarm into Docker Engine 1.12 and newer releases.

Clustering is an important feature for container technology, because it creates a cooperative group of systems that can provide redundancy, enabling Docker Swarm failover if one or more nodes experience an outage. A Docker Swarm cluster also provides administrators and developers with the ability to add or subtract container iterations as computing demands change.
Spread -- Acts as the default setting and balances containers across the nodes in a cluster based on the nodes' available CPU and RAM, as well as the number of containers each node is currently running. The benefit of the Spread strategy is that, if a node fails, only a few containers are lost.
nodes when building a container and specify one or multiple key value pairs.
Dependency -- When containers depend on each other, this filter schedules them on the same node.
Health -- In the event that a node is not functioning properly, this filter will prevent scheduling containers on it.
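The Spread strategy and the scheduling filters above, as an added example that is not code from the e-guide or from Docker: a toy scheduler that applies the health and dependency filters, plus a node-label constraint filter (the filter whose description survives only partially above; the name and label-matching behaviour here are this example's own assumption), and then places each container with a Spread ranking. Node and container names, sizes and labels are constructed.

```python
"""Added example (not from the e-guide or Docker): a toy Swarm-style scheduler.
Filters narrow the candidate nodes; the Spread strategy then picks the least
loaded survivor. Node/container names, sizes and labels are constructed."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    cpus: int
    mem_gb: int
    labels: dict = field(default_factory=dict)      # key/value pairs set on the node
    healthy: bool = True
    containers: list = field(default_factory=list)  # names placed on this node
    used_cpus: int = 0
    used_mem_gb: int = 0

    def fits(self, c):
        return (self.cpus - self.used_cpus >= c.cpus
                and self.mem_gb - self.used_mem_gb >= c.mem_gb)


@dataclass
class Container:
    name: str
    cpus: int = 1
    mem_gb: int = 1
    constraints: dict = field(default_factory=dict)  # required node labels
    depends_on: list = field(default_factory=list)   # must share a node with these


# Filters: each narrows the candidate node list for one container.
def health_filter(nodes, c):
    """Health -- never schedule onto a node that is not functioning."""
    return [n for n in nodes if n.healthy]


def constraint_filter(nodes, c):
    """Constraint (assumed name) -- node labels must match the requested pairs."""
    return [n for n in nodes
            if all(n.labels.get(k) == v for k, v in c.constraints.items())]


def dependency_filter(nodes, c):
    """Dependency -- co-locate with every container this one depends on."""
    if not c.depends_on:
        return nodes
    return [n for n in nodes if all(d in n.containers for d in c.depends_on)]


def spread_score(n):
    """Spread: least-loaded node wins (CPU and RAM usage fractions), ties broken
    by fewest running containers, then by name so results are deterministic."""
    usage = n.used_cpus / n.cpus + n.used_mem_gb / n.mem_gb
    return (usage, len(n.containers), n.name)


def schedule(nodes, c):
    candidates = nodes
    for flt in (health_filter, constraint_filter, dependency_filter):
        candidates = flt(candidates, c)
    candidates = [n for n in candidates if n.fits(c)]
    if not candidates:
        raise RuntimeError(f"no eligible node for {c.name}")
    best = min(candidates, key=spread_score)
    best.containers.append(c.name)
    best.used_cpus += c.cpus
    best.used_mem_gb += c.mem_gb
    return best.name


def schedule_all(nodes, containers):
    """Place containers in order; returns {container name: node name}."""
    return {c.name: schedule(nodes, c) for c in containers}


def demo_cluster():
    """Constructed cluster: two healthy nodes in different zones, one failed node."""
    nodes = [
        Node("n1", cpus=4, mem_gb=8, labels={"zone": "a"}),
        Node("n2", cpus=4, mem_gb=8, labels={"zone": "b"}),
        Node("n3", cpus=4, mem_gb=8, labels={"zone": "a"}, healthy=False),
    ]
    containers = [
        Container("web1"),
        Container("web2"),
        Container("db", cpus=2, mem_gb=4, constraints={"zone": "a"}),
        Container("cache", depends_on=["db"]),
    ]
    return nodes, containers


if __name__ == "__main__":
    nodes, containers = demo_cluster()
    print(schedule_all(nodes, containers))
```

Running the demo places `web1` and `web2` on different nodes (Spread), pins `db` to zone `a` while skipping the unhealthy node there, and co-locates `cache` with `db`; a container whose constraints no healthy node satisfies is rejected rather than placed somewhere unsafe.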
Amazon developed ECS in response to the rising popularity of containerization, which specifies rules for isolated sets of Elastic Compute Cloud instances to increase portability and computing performance by running on top of a host operating system. ECS supports Docker, an open source Linux container service.

ECS enables users to create and run Docker containers for distributed applications using a set of APIs. ECS evaluates and monitors CPU and memory output to determine the optimal deployment for a container. AWS customers can also use the service to update containers or scale them up or down. Elastic Load Balancing, Elastic Block Store volumes and Identity and Access Management roles are also supported for further customization.

EC2 Container Service includes two schedulers, which allow users to deploy containers based on computing needs or availability requirements. Long-running applications and batch jobs benefit from the use of schedulers for their responsiveness; ECS also supports third-party scheduling options.
Any third-party or private Docker registry can access ECS; the user only needs to specify the repository in the task definition for ECS to retrieve the images.

There is no additional cost to AWS customers for using ECS, though users still pay for EC2 instances in the cluster, plus any other billable AWS resources used. ECS limits users to 1,000 tasks per service and 10 containers per task definition.
Advantages of containerization
Disadvantages of containerization
When another IT team member goes to use that image, Content Trust uses its publisher's public key to verify that the image is the latest version and hasn't been compromised. As software developers update or change an image, the cryptographic signature continues to ensure that the content is original and from a trusted source.

Target and Snapshot Keys: These two keys combined are known as the "repository key," which is made for each new repository the publisher owns and can be shared with any user who needs to be able to digitally sign off on content.

Offline Key: This key serves as the root of trust for the repository and the same key can be used for multiple repositories. This key should be kept offline to protect it from threats.

Timestamp Key: This key is used when content is added or removed from the repository and is meant to prevent replay attacks, which are when users run signed, but expired, content.
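The key roles just described, as an added example that is not code from the e-guide or from Docker Content Trust or Notary: a compact model in which the offline root key delegates to the targets and snapshot (repository) keys and to the timestamp key, and the client rejects content whose timestamp has expired or whose version has gone backwards, which is the replay case the Timestamp Key entry refers to. Signatures here are HMAC-SHA256 stand-ins so the block runs with the standard library alone (real Content Trust uses asymmetric keys and the client holds only public keys); all key bytes, image names and digests are constructed.

```python
"""Added example (not from the e-guide, Docker Content Trust or Notary): a toy
model of the root -> targets/snapshot -> timestamp key chain and of the expiry
and rollback checks that defeat replay of signed-but-stale content.
HMAC-SHA256 stands in for real signatures; all keys and digests are constructed."""
import copy
import hashlib
import hmac
import json


class ContentTrustError(Exception):
    pass


def canonical(doc):
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def digest(doc):
    return hashlib.sha256(canonical(doc)).hexdigest()


def sign(key, doc):
    # Stand-in for an asymmetric signature over the canonical document.
    return {"signed": doc, "sig": hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()}


def key_id(key):
    return hashlib.sha256(key).hexdigest()[:16]


class Publisher:
    def __init__(self):
        self.root_key = b"constructed-offline-root-key"      # kept offline
        self.targets_key = b"constructed-targets-key"        # repository key
        self.snapshot_key = b"constructed-snapshot-key"      # repository key
        self.timestamp_key = b"constructed-timestamp-key"    # online, short-lived
        self.version = 0
        # The offline key signs the role -> key-id mapping once; it is not
        # needed again for day-to-day publishing.
        self.root = sign(self.root_key, {"roles": {
            "targets": key_id(self.targets_key),
            "snapshot": key_id(self.snapshot_key),
            "timestamp": key_id(self.timestamp_key)}})

    def keyring(self):
        """Stand-in for the public keys a client would hold."""
        return {key_id(k): k for k in (self.targets_key, self.snapshot_key, self.timestamp_key)}

    def publish(self, images, now, ttl):
        """Sign a new repository state: targets -> snapshot -> timestamp."""
        self.version += 1
        targets = {"version": self.version, "targets": images}
        snapshot = {"version": self.version, "targets_hash": digest(targets)}
        timestamp = {"version": self.version, "expires": now + ttl,
                     "snapshot_hash": digest(snapshot)}
        return {"root": self.root,
                "targets": sign(self.targets_key, targets),
                "snapshot": sign(self.snapshot_key, snapshot),
                "timestamp": sign(self.timestamp_key, timestamp)}


class Client:
    def __init__(self, root_key, keyring):
        self.root_key = root_key     # pinned out of band, like a trusted root cert
        self.keyring = keyring
        self.last_version = 0        # highest version ever accepted

    def _check(self, key, envelope, what):
        expected = sign(key, envelope["signed"])["sig"]
        if not hmac.compare_digest(expected, envelope["sig"]):
            raise ContentTrustError(f"bad signature on {what}")
        return envelope["signed"]

    def verify(self, repo, now):
        """Return the trusted image -> digest map, or raise ContentTrustError."""
        roles = self._check(self.root_key, repo["root"], "root")["roles"]
        ts = self._check(self.keyring[roles["timestamp"]], repo["timestamp"], "timestamp")
        if ts["expires"] <= now:
            raise ContentTrustError("expired timestamp: stale content replayed")
        if ts["version"] < self.last_version:
            raise ContentTrustError("rollback: older repository state replayed")
        snap = self._check(self.keyring[roles["snapshot"]], repo["snapshot"], "snapshot")
        if digest(snap) != ts["snapshot_hash"]:
            raise ContentTrustError("snapshot does not match timestamp")
        targets = self._check(self.keyring[roles["targets"]], repo["targets"], "targets")
        if digest(targets) != snap["targets_hash"]:
            raise ContentTrustError("targets do not match snapshot")
        self.last_version = ts["version"]
        return targets["targets"]


def demo():
    """Constructed scenario: publish v1 then v2, replay v1 twice, serve a tampered v2."""
    pub = Publisher()
    client = Client(pub.root_key, pub.keyring())
    t0 = 1_000_000.0
    v1 = pub.publish({"myapp:1.0": "sha256:" + "a" * 64}, now=t0, ttl=3600)
    v2 = pub.publish({"myapp:1.1": "sha256:" + "b" * 64}, now=t0 + 1800, ttl=3600)
    tampered = copy.deepcopy(v2)
    tampered["targets"]["signed"]["targets"]["myapp:1.1"] = "sha256:" + "f" * 64
    steps = [("v1 fresh", v1, t0 + 10), ("v2 fresh", v2, t0 + 1900),
             ("v1 replayed in window", v1, t0 + 2000),
             ("v1 replayed after expiry", v1, t0 + 5000),
             ("v2 tampered", tampered, t0 + 1900)]
    out = []
    for label, repo, now in steps:
        try:
            out.append(f"{label}: ok {sorted(client.verify(repo, now))}")
        except ContentTrustError as e:
            out.append(f"{label}: rejected ({e})")
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two checks do the replay work: the timestamp expiry rejects old metadata once its window has passed, and the monotonic version check rejects an older state replayed while it is still within its window but after the client has already seen something newer. The tampered case fails on the targets signature before any digest is consulted.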