Docker containers, which over the past two years or so have been enjoying a lot of popularity in the world where IT operations intersect with application development, have had one disadvantage when deployed on traditional public cloud infrastructure: server virtualization.
Virtualization impedes performance of applications running in Docker containers, according to Bryan Cantrill, CTO of Joyent, a San Francisco-based cloud service provider. The company announced today a new Docker cloud architecture, which takes that virtualization layer out of the equation.
Joyent has been talking about its plans to bring Docker containers as a bare-metal cloud service to market since last year. In October of 2014, the company raised $15 million to push forward its business strategy that included Docker cloud services.
Application containers in Joyent’s Docker cloud run directly on bare-metal servers. The company will provide containers as a typical public cloud service, hosted in its data centers, but users will also be able to deploy the architecture privately, in their own facilities.
The software that makes it possible is open source and available on GitHub. Users that want to deploy it in-house have the choice of downloading it and setting it up themselves or buying it as a commercial product from Joyent, in which case the company will provide documentation and support.
The open source software package is the same software that runs Joyent’s cloud, called Triton. “The stack that’s up on GitHub, that’s the stack that we run in production,” Cantrill said.
In creating Triton, Joyent has solved some technological problems with running Docker containers in a multi-tenant environment. One of them is isolation, a problem the company actually solved a long time ago.
The public cloud services Joyent has been providing for years run on its SmartOS operating system, which also uses application containers. “With our SmartOS history, we’ve got totally secure zones, containers,” Cantrill said.
The difference between what has been in place and Triton is that Joyent’s cloud hasn’t been executing Linux binaries in its containers, and it hasn’t been plugged into Docker. Triton adds the ability to execute Linux binaries directly “on metal” and connects to the remote Docker API, through which developers can provision containers in the data center.
Triton’s security comes from a substrate that is fundamentally different from the Linux kernel Docker containers usually run on. “Docker security problems, they are not Docker problems. They are Linux kernel problems,” Cantrill said.
Joyent’s cloud has been designed with multi-tenancy in mind from the beginning, so those problems are simply not there.
Major public cloud providers, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform, offer Docker containers as a service running on top of their clouds. But in addition to lower performance, the big problem with running containers on their infrastructure is network management, Cantrill said.
Because containers are being deployed in cloud VMs, networking between containers is not a “first-class citizen,” he said. “Management is just brutal.”
In Joyent’s Docker cloud, containers are connected with VXLANs (virtual extensible LANs).
For the public cloud service, Joyent will charge per container per minute. The service will be hosted in its Ashburn, Virginia, data center (within an Equinix facility), but there are plans to expand it to other locations.