Are Docker, and for that matter containers in general, full-on competition to VMware and other virtualization platforms? Docker has announced platform-level features that include network virtualization and clustering. However, not every workload is suitable for containers. Containers lack much of the security, network features and management capability of full virtualization stacks. But they are extremely efficient. Containers spin up in milliseconds instead of seconds or minutes. And just as not every workload is suitable for containers, not every workload is suitable for VMs.
Questions about replacing VMs with containers will come from CIOs to architects and from architects to their vendors. OpenStack’s entrance into the landscape prompted similar questions. The frenzy of interest in OpenStack served as a reminder of how thirsty enterprises are for a true competitor to vSphere. XenServer, KVM and Hyper-V are all fine platforms. For whatever reasons, enterprises have not chosen to adopt these technologies at the same level as vSphere. Now we are hearing some of the same questions around Docker and containers.
It’s about use case
Containers have been around for years in both Linux and Windows. Packaging and management of containers in Linux has been a challenge. Docker helped solve that challenge by delivering a widely accepted format and management platform. The initial positioning of Docker containers was the ability to build applications that can be easily installed across cloud infrastructures.
There’s tremendous appeal when you look at containers from a developer perspective. Docker enables a developer to create an application with a set of dependencies on their laptop. That container can then be deployed to a VM on VMware, AWS or Azure. The application could even be pushed to a Linux server running on bare metal hardware. The developer is assured that the application will run regardless of the underlying Linux distribution.
Overlap with virtualization
The overlap comes in the bare metal implementation. Container isolation occurs within a single OS instance. Multiple containers can run within a single OS. A simple example would be multiple MySQL instances running on the same OS. The ability to run on bare metal gives containers a slight bump in performance vs. VMs. VMware has mentioned a 5% overhead for running containers within VMs. Since there is no need to load a new kernel, containers are lighter than full VMs. Regardless of VM or bare metal, one of the biggest advantages of containers is the ability to initiate new containers within milliseconds.
If you look at traditional application virtualization solutions such as Citrix XenApp, you start to understand the performance benefits over full virtualization. If the use case requires you to serve 100 instances of Microsoft Office, then application virtualization will be much more efficient than full VDI. Some of the same advantages and challenges exist with Docker containers.
Challenges with containers
Some of the main advantages of full virtualization are security and support, both of which are direct benefits of OS isolation. Some applications just don’t play well with containers from both a memory and a support perspective. If you need to isolate an application from either a memory space or a network perspective, containers become a challenge. Another challenge is that most infrastructure tools treat the OS as the most granular level of control. Network control is a great example. If you want to create a rule that prevents one VM from communicating with another VM on the same host, this can be done with existing security tools. This isn’t possible today with containers. At best you can prevent a VM running a container from communicating with a VM running a different container.
Today, containers don’t compete directly with virtualization platforms. They target two different use cases. However, there is an opportunity to talk about the potential integration between the two technologies. Just as desktop virtualization works best with application virtualization, containers and VMs have the potential to work well together. In a future post, I’ll explore some of the integration I’d like to see.