A fresh approach is needed to manage containers properly



Container support grows to combat security issues

As container technology evolves, so do container security methods. From VMware to Microsoft to Intel, vendors are getting in on the container market in a big way.

Containers are among the hottest items in IT today. The concept behind containers is simple: You can build virtual instances that share an OS. This comes with a number of benefits, including faster spin-up time, a lower memory footprint and an expansion of a server's operating capacity.

While there are some downsides to using containers, the last year has seen some major improvements to this rapidly evolving technology, with more and more vendors offering container support. The first concern was security: because containers share an OS kernel, they don't offer the same hardware-enforced partitions as VMs. To combat this, many administrators run containers inside VMs, which provides an additional layer of isolation. This approach segregates different parts of a tenant environment, which may increase security and control.

This container security approach does, however, increase the overall footprint and may reduce agility, so the industry is looking to thin hypervisors, such as Intel's Clear Containers or CoreOS, and even bare-metal container products. This approach to security will evolve throughout 2017, providing users with very secure, very lean container environments. Ideally, this will lead to an increase in container adoption over the next few years.


Containers already offer great advantages for edge applications, such as web servers. However, shared network storage challenges remain a problem, preventing organizations from containerizing some complex applications. Products like Flocker from ClusterHQ help address this problem, and container technology continues to evolve.

Intel has developed a series of additions to its core CPU architecture to stop cross-tenant access in virtualized environments. Unfortunately, these can't separate tenants that share a kernel in containers. A common resolution to this problem is to layer a hypervisor on bare metal and give each tenant one or more VMs, each isolated from the other VMs by hardware. Tenants can then build as many containers as they want within their VM.

Intel Clear Containers

Although running containers on a hypervisor resolves security issues, it comes at the price of an extra layer of complexity and management, which could potentially translate to lower memory efficiency. Hypervisor instances also take much longer to start up than containers. Intel developed Clear Containers to address this problem and to make the container approach faster and more memory-efficient.

Clear Containers use the containers-within-a-VM approach, but offer a much faster startup time and a drastically reduced hypervisor footprint, thanks to a fast, lightweight QEMU-based hypervisor. Intel estimates that Clear Containers can start up in a matter of microseconds, which is comparable to containers and much faster than a typical hypervisor. Clear Containers also optimize shared memory through kernel same-page merging and direct access (DAX), which bypasses the page cache. Clear Containers currently support only Linux hosts.

More vendors get in on container support

Microsoft offers strong container support. The company has had a close partnership with Docker since 2014, and it delivers Hyper-V-based containers in Windows Server 2016. There are some limitations to this offering: There is no support for Active Directory membership for containers, and dynamic addressing for networks is standard. Azure also offers container support, and we can expect the Azure Pack product for private clouds to provide support.

VMware came late to the cloud game, but is notably more responsive when it comes to containers. VMware built support for containers into vSphere 6.5. vSphere Integrated Containers (VIC) aims to address the lack of control over container instances within an ESXi host by nesting each container within its own VM.

Unfortunately, VIC is far more complex than other container offerings, which means it has a slower container spin-up time.


Kubernetes has gained a lot of support as a tool for creating containers in hybrid clouds because of its portability. It's ported to OpenStack and has support from companies such as IBM, Red Hat, VMware and Huawei. Amazon Web Services (AWS) and Azure will likely offer support for it in the near future, setting Kubernetes up to be the lingua franca of the container world.

Other container environments

There are many other tools for the hybrid or private cloud. Mesosphere Marathon and Apache Mesos are used with Azure and have strong credibility as a result. CoreOS Fleet and Cloud Foundry Diego are also good alternatives. With the evolution of containers moving at breakneck speed, the features of these tools tend to shift rapidly, so determining your best approach for production requires some hands-on testing.

Tools for other tasks

There are good tools for building container images, such as Docker Hub and VMware Harbor, and for automating update distribution to keep all the virtual instances in sync, such as VMware Admiral. It's best to build images in layers, keeping the OS, definitions, runtime tools and apps separate, as this makes updating easier.

Finally, remember that containers are intended to be cheap, lightweight and plentiful. Be sure to run only one app in each container and to keep extraneous tools and other junk out.
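As an added illustration of the layering and one-app-per-container advice above (this Dockerfile was written for this edit; it is not from the article or from any vendor's documentation), the build below keeps the compiler toolchain, the OS base and the application in separate stages and layers, so an application change rebuilds only the last layer and the shipped image carries no build tools or shell. The service path `./cmd/hello`, the image tags and the `nonroot` user are assumptions.

```dockerfile
# Added example, not the article's code. Assumed: a small Go service whose
# source lives in ./cmd/hello; base-image tags and user name are choices.

# --- Stage 1: build. The toolchain lives here and never ships. ---
FROM golang:1.21 AS build
WORKDIR /src
# Dependency definitions first, so this layer stays cached until go.mod changes
COPY go.mod go.sum* ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o /out/hello ./cmd/hello

# --- Stage 2: minimal OS base (no shell, no package manager). ---
FROM gcr.io/distroless/static-debian12:nonroot

# --- Application layer only; runs as the unprivileged user the base provides ---
COPY --from=build /out/hello /app/hello
USER nonroot:nonroot
EXPOSE 8080
# One process per container: no init scripts or extra tooling baked in
ENTRYPOINT ["/app/hello"]
```

Because the final stage starts from a distroless base, there is nowhere for "extraneous tools and other junk" to accumulate, and the container's attack surface is limited to the single binary it runs. Updating the OS base means bumping the second `FROM` tag; updating the app means rebuilding only the last layer.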

Containers and the cloud

Major cloud service providers have embraced containers. Running containers internally can help improve service provider efficiency, which could be passed down to customers in the ongoing cloud price wars.

If you're interested in trying out containers, the public cloud is a great place to start because the cost and risk are relatively low. Companies like AWS, Microsoft and Google already offer strong container support. AWS has EC2 Container Service (ECS), which comes with a broad set of tools, including CloudFormation, EC2 Container Registry and Docker, among others. ECS supports continuous delivery.
