Posted on 20-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Source: docs.media.bitpipe.com/io_13x/io_134584/item_1495095/RedHat...

E-Guide

ABANDONING THE NARRATIVE OF CONTAINERS VS. HYPERVISORS AND VMS

SearchServerVirtualization

Page 2 of 17. Sponsored by (sponsor logo)

Contents:
Home
The debate isn’t containers vs. VMs; it’s how to best integrate them
Abandoning the narrative of containers vs. hypervisors

ABANDONING THE NARRATIVE OF CONTAINERS VS. HYPERVISORS AND VMS

IT pros often pit hypervisors against containers -- but is the debate really that simple? In this expert guide, learn about the current state of these technologies and why the two systems are far more productive when used together. Read on to see why containers currently out-perform hypervisors, how VMs are quickly closing that gap, and much more.


THE DEBATE ISN’T CONTAINERS VS. VMS; IT’S HOW TO BEST INTEGRATE THEM

Nick Martin, Executive Editor

Many early adopters find containers and VMs pair well together -- like chocolate and peanut butter. But instead of chocolate-covered peanut butter, the future convergence of these two technologies may look entirely different and result in something more comparable to Nutella.

Both containerization and hypervisor-based virtualization offer the ability to abstract applications from the underlying server hardware, but organizations aren’t looking at containers vs. VMs. More often, they’re deciding how to best converge the two -- often in surprising ways. Docker, the company whose technology renewed interest in containers, has said it plans to remain neutral on the question of exactly how to run containers. But other organizations are staking out firm stances to find a balance that emphasizes the advantages of both.

The premise behind the containers vs. VMs discussion stems from the theory that bare metal containers -- those that are created from operating systems running on physical hardware -- can maximize resource efficiency by reducing redundant operating system information. Unlike a VM, each container instance does not need its own independent operating system, reducing overhead and allowing administrators to pack more workloads onto less physical hardware. In practice, there are still many hurdles to running production workloads at scale on bare metal containers.

Because containers on the same physical host share an operating system kernel, a security breach of one container could compromise others that share the same physical host. Additionally, robust VM management tools, such as VMware’s vSphere, offer complex production quality management functions and reliability features -- e.g., Live Migration and High Availability -- unavailable on containers.

A FAMILIAR FAÇADE

One way to address many of these challenges is to simply package a container within a VM. Administrators can manage each container separately with a one-container-per-VM model and use existing virtualization management software. And, since each container relies on a VM as an additional abstraction layer, administrators can avoid the security concerns of multiple containers sharing the same OS kernel.

Unsurprisingly, VMware, which has a vested interest in ensuring that VMs remain the focal point of tomorrow’s data centers, claims that VMs and containers are better together. The company is currently developing two different approaches, both of which emphasize a container nested within a VM.

“The question we’re trying to answer is how can you deliver this new technology -- allowing developers to go fast, but still [maintaining] that control, governance, resource isolation and SLAs [service-level agreements] in a way that’s tractable,” said Kit Colbert, vice president and general manager of the cloud-native apps business group at VMware.

Last year, VMware introduced a technology preview, vSphere Integrated Containers (VIC), which allows administrators to deploy and manage containers from VMware’s familiar vSphere interface. vSphere Integrated Containers allows for the creation of what the company calls a virtual container host -- a VM running a lightweight Linux OS on which a container can be rapidly provisioned.

“Once you’ve created this virtual container host, everything else is normal vSphere from there on out,” Colbert said. “The goal is to enable our core vSphere audience to be able to leverage what they already have without significant retooling.”


While it’s still in the technology preview stage and not yet generally available, it shows promise as an option to bring containers to their existing infrastructures, VMware customers say.

Containers, specifically vSphere Integrated Containers, are on the near horizon for Arc Innovations, a New Zealand electrical utility provider, said system engineer Darran Provis.

“Containerization on VMware, especially VIC, will help with distributing memory and CPU resources by allowing us to move various site components to balance the workload,” Provis said. “If you are using a heavy application -- for example, Tomcat/Solr with Apache -- you are often stuck with a single VM with large resource requirements. By containerizing Tomcat/Solr separately from Apache, we can balance that load across the estate.”

Provis, who also recently worked for a hosting provider, said the technology has a strong draw for service providers.

“Being able to auto-deploy a container host into a resource pool and expose the container host to a customer is a great advantage and all billable on the resource pool usage. The rest is then up to the customer -- to deploy their containers -- which can be done remotely,” he said.


THE HOSPITABLE HOST

Another advocate of the container within a VM approach is Intel’s Open Source Technology Center. Intel’s Clear Containers project approaches the containers vs. VMs conversation from a different angle, asking the question: How can VMs serve as better container hosts?

Arjan van de Ven’s team at Intel talked with container users about their performance requirements and found that boot time was the primary concern, followed by memory consumption. Start-up time and density are key for containers because most containerized workloads don’t live long, he said. In a microservices architecture, containers are spawned to perform a specific task and then removed once they’re finished. His team then set out to build tools to measure how a VM spent the first seconds of its infancy to see if they could find a way to improve start-up time.

“It turns out most of the time went to emulate the floppy drive,” van de Ven said. “Two or three seconds for the BIOS to initialize it, and then the OS would try to find the floppy drive for two or three seconds. So a lot of time was spent on things that, for containers, we don’t care about.”

Both Clear Containers and VMware’s vSphere Integrated Containers address management and security concerns while retaining container portability and ensuring faster boot-up time compared to a traditional VM. However, neither can match the pure efficiency of multiple containers sharing the same physical host, said Lars Herrmann, GM of the integrated solutions business unit at Red Hat.

“Containerization is an amazing application delivery methodology around which we can build application models and workflows -- basically getting to a DevOps world,” Herrmann said. “However, the architectural paradigm would typically be that you don’t have a single container running within a single virtual machine. That would leave a lot of money on the table.”

Virtualization will continue to play an important role in the foreseeable future, Herrmann said, but the advantages of running containers that aren’t tied to individual VMs outweigh many of the drawbacks. Today, it’s common for organizations to use different tools to monitor and manage in-house and cloud applications.

“Containerization can provide a standardized fabric around the application that works the same way across different environments,” Herrmann said.

Rather than develop new tools to manage and secure containers -- when robust tools already exist for VMs -- Intel’s van de Ven said it may make more practical sense to evolve VMs to better serve as container hosts. That advice isn’t likely to fly with the bouquet of budding startups looking to enter the container management scene. One of those startups has instead embraced the idea of flipping the container-within-a-VM construct on its head.

CONTAINING THE VM

Rancher Labs, a container management software provider based in Cupertino, Calif., offers customers a way to manage their VM-bound workloads alongside their containers from the company’s existing platform -- instead of following a containers vs. VMs approach. RancherVM is an open source project the company developed that packages KVM images inside Docker images and manages these VM containers using familiar Docker commands.

Given the open source roots of containers, the technology has also seen smaller experiments from organizations and even groups of private users. Enteon, a cloud management and provisioning software provider based in St. Louis, Mo., developed an approach to lend VMs the portability advantages inherent to Docker containers.

The approach, which it calls the cloud-native VM, effectively allows users to run legacy applications designed for a VM within a container and -- with the help of other open source projects, including Weave and CRIU -- seamlessly migrate that workload across different platforms, including public cloud providers.

While the cloud-native VM isn’t a true VM in the fullest sense of the word -- it still shares its host OS kernel, meaning you cannot install an independent Windows Server operating system, for example -- the net effect is that “it looks, acts and quacks like a VM from a user’s perspective,” said Jim McBride, chief cloud architect at Enteon.

“We thought the idea of cloud provider independence was strong, but we had a hard time getting people to bite on that,” McBride said. “I think something like this has the ability to massively disrupt cloud hosting or the way vendors deploy and support cloud services.”

Many of these open source projects, such as CRIU, blur the boundaries of what containers are capable of and how they’re used, McBride said. Development continues on Intel’s Clear Containers project, for example, with future updates such as the ability for a container to directly access hardware -- such as a network interface card -- or support for live migration, van de Ven said.

“Some people want a hybrid of a container and a virtual machine, and we’re going to help support that idea with this technology,” van de Ven said.

Some users can look past the containers vs. VMs debate and see this blend of the two technologies as the best of both worlds. Arc Innovations’ Provis expects more innovations on both sides -- new tweaks to hypervisors to allow VMs to better serve as container hosts and updates to container technology that will address management and security concerns.

“Containerization is an exciting technology that we will see evolve over time,” Provis said. “In what direction will be anyone’s guess.”

NICK MARTIN is executive editor of Modern Infrastructure. Contact him at [email protected]


ABANDONING THE NARRATIVE OF CONTAINERS VS. HYPERVISORS

Jim O’Reilly, Cloud consultant

Most of the discussions that address the two core technologies for virtualization -- containers and hypervisors -- prominently feature the word versus. This line of thinking wants to pit the two technologies against each other, containers vs. hypervisors, as if there were a battle that might be won by one or the other.

In reality, there’s much more to the issue than a contest. It isn’t an issue of containers vs. hypervisors. In fact, it’s conceivable that containers and hypervisors will coexist and even thrive together.

The great value of containers is that they remove the need for multiple images of the OS, which in hypervisor virtualization is needed in each VM. Clearly, this means much less memory is required for overhead, and so more space is freed up for applications and their data.

The gains in memory space aren’t small. Typically, three times the number of instances can be hosted by a server using containers. In some cases, such as with the uniformity of virtual desktops, the gain can reach 10X. Looked at another way, the number of servers needed for a given workload drops significantly. Licensing is also affected. Only one license is needed per server. As applications become part of the shared image, this benefit extends to them, too.

CONTAINERS BOAST PERFORMANCE AND SECURITY

Containers deliver other benefits. They start faster than a hypervisor instance, mainly because the image doesn’t need to be loaded from scratch. Images are more portable and easier to construct, which brings benefits to deployment and agility in operations. Moreover, benchmarks consistently show containers beating hypervisors in performance by as much as 15% in time needed to complete jobs.

With all these plusses, it’s reasonable to wonder why, other than industry conservativeness, containers haven’t displaced the hypervisor. After all, Docker is providing strong leadership, and the technology is basically sound.

Container technology is fairly new, and is evolving rapidly. The hypervisor approach, on the other hand, is mature and proven. It is hardened for security, with hardware assists in the form of x86 VT-x operations that make cross-tenancy hacks almost impossible. There were early concerns that containers were much more vulnerable, with attacks on the underlying OS opening up all instances on a server to compromise.

The result was that containers usually were run on top of a hypervisor. The container instances for each tenant could be segregated into a single VM with hardware protection, preventing cross-tenancy attacks. The drawbacks of the approach are somewhat obvious. Not only is it much more complex, it also involves licenses for hypervisor-related code and more copies of OSes. And performance suffers. And you lose agility -- but at least the instance is secure.

The container ecosystem has risen to the occasion. Thin hypervisors, such as Intel’s Clear Containers, are being designed to protect containers and take advantage of the hardware -- without using much space or unduly diminishing performance. Other security improvements, especially in image certification and authentication, mean that containers are now closing the security gap with hypervisors.

HYPERVISORS RESPOND

Hypervisor developers have not been idle. While initially in denial about the container threat, they eventually began to address the attack points in container technologies. For example, memory minimization is addressed with page deduplication in VMware; this replaces whole memory pages that are duplicates with pointers to a single copy. This is a post-load operation, however, and doesn’t address how much quicker containers start up. Still, there are ways to reach parity in operations. For example, memory page deduplication could evolve to a method where an index that’s kept with the image is loaded and checked against files already present on a system. This obviates any load operations and drastically speeds deduplication. We tend to compare today’s hypervisor against expected future evolutions in containers, forgetting that hypervisor virtualization isn’t standing still.
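As an added illustration (not code from this guide, from VMware or from any hypervisor), the following Python model contrasts the two deduplication strategies described above: post-load page deduplication, which loads every page and then collapses duplicates to one copy, and the proposed index-first variant, which checks an index shipped with the image against pages already resident so duplicates are never loaded. Page size, page counts and page contents are constructed for the simulation.

```python
"""Memory page deduplication, simulated (constructed example, not hypervisor code).

A VM image is modelled as a list of fixed-size pages. The guest OS pages are
identical across VMs; the application pages are unique to each VM.
"""
import hashlib

PAGE_SIZE = 4096
OS_PAGES = 64    # constructed: guest OS pages that every VM image shares
APP_PAGES = 16   # constructed: per-VM application pages, unique to each VM


def page_id(page: bytes) -> str:
    """Dedup key. A real hypervisor compares page bytes; a content hash is a
    convenient stand-in for the simulation."""
    return hashlib.sha256(page).hexdigest()


def synthetic_page(label: str) -> bytes:
    """Deterministic constructed page content derived from a label."""
    return hashlib.sha256(label.encode()).digest() * (PAGE_SIZE // 32)


def make_image(vm: int) -> list:
    """Constructed VM image: shared OS pages, then pages unique to this VM."""
    os_part = [synthetic_page(f"os-{i}") for i in range(OS_PAGES)]
    app_part = [synthetic_page(f"vm{vm}-app-{i}") for i in range(APP_PAGES)]
    return os_part + app_part


def dedup_post_load(images: list):
    """Post-load dedup: every page is loaded first, then duplicates collapse to
    one resident copy and each VM keeps a list of pointers (page ids)."""
    store = {}      # page id -> the single resident copy
    pointers = []   # per VM: the page ids its pages point at
    for img in images:
        ids = [page_id(p) for p in img]
        for pid, page in zip(ids, img):
            store.setdefault(pid, page)   # keep the first copy, point later ones at it
        pointers.append(ids)
    return store, pointers


def load_with_index(store: dict, image: list):
    """Index-first load: the page-id index kept with the image is checked
    against what is already resident; only missing pages are read in."""
    index = [page_id(p) for p in image]   # the index shipped with the image
    loaded = 0
    for pid, page in zip(index, image):
        if pid not in store:              # already resident: no load needed
            store[pid] = page
            loaded += 1
    return index, loaded


def simulate() -> dict:
    """Two VMs sharing one guest OS: pages loaded vs. pages resident."""
    vm1, vm2 = make_image(1), make_image(2)
    store, _ = dedup_post_load([vm1, vm2])
    # Index-first path: VM1 is already resident when VM2 arrives with its index.
    store_after_vm1, _ = dedup_post_load([vm1])
    _, loaded_vm2 = load_with_index(store_after_vm1, vm2)
    return {
        "pages_loaded_post_load": len(vm1) + len(vm2),   # 160
        "pages_resident": len(store),                    # 96
        "pages_loaded_vm2_with_index": loaded_vm2,       # 16
    }


if __name__ == "__main__":
    print(simulate())
```

With the constructed sizes, post-load dedup still reads all 160 pages before shrinking residency to 96, whereas the index-first path reads only the 16 pages of VM2 that are not already resident.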

Irrespective of the memory and performance issues between the two choices, there seems to be stratification in use cases between the alternatives. Jobs that scale a lot but don’t interact much with each other -- at least directly -- are a good match for containers. Containers, for example, fit the web services model pretty well. Microservices, too, align well with containers, and we can expect a good deal of use in the cloud.

When it comes to containers vs. hypervisors, hypervisors are a better fit for big, monolithic apps. Network and storage structures around the app can be better controlled, and because these larger apps are often mission-critical, saving space and boot time aren’t major considerations -- especially when compared with potential downtime or security breaches.


Scientific computing, which entered the virtualization realm just a few years ago, has dramatically boosted productivity. The tools are often customized, though, and they cater to big jobs.

As for the economic issues involved, app and OS licensing approaches need to evolve so that all parties find virtualization affordable, regardless of which method of virtualization is chosen. Per-instance-minute billing may become the norm.

With a robust ecosystem and large installed base, hypervisors will remain important contributors to IT operations. In the battle of containers vs. hypervisors, containers will become the clear winners only if hypervisor designers don’t respond. That’s most unlikely. In fact, the probable future path looks to be a convergence of hypervisor and container technologies, at least in features and benefits. IT shops that are already heavily invested in hypervisor infrastructure may wish to continue using the approach, either with streamlined hypervisor instances or containers within hypervisor instances. Greenfield installations, on the other hand, likely will head directly to Docker or alternatives. Stratification by app is also likely, as hypervisor virtualization seems to best suit more monolithic apps.

