If you haven’t heard of Docker, I’m not sure what cave you’ve been living in, but here’s the short story:
Hardware-level virtualization, like you are used to (VMWare, Virtualbox, KVM, Xen, Amazon, Rackspace, Azure, etc.), is slow and awful. Virtualization at the OS level, where processes share isolated access to a single operating system kernel, is much more efficient and therefore awesome. OS-level virtualization is also known as “containers”, which have existed in FreeBSD and Solaris for over a decade.
Docker is hacking together a whole slew of technologies (cgroups, union filesystems, iptables, etc.) to finally bring the concept of containers to the Linux masses. Along the way, they’ve also managed to evolve the concept a little, adding the idea of running a container as a very portable unit that runs as a process.
Instead of managing dependencies across multiple environments and platforms, an ideal Docker container encapsulates all the runtime dependencies for a service or process. Instead of including a full root file system, the ideal Docker container could be as small as a single binary. Taking that hand in hand with the growing interest in developing reusable microservices, we have an amazing tech revolution on our hands.
That is not to say that everything in the Docker world is all roses. I did say that Docker is hacking together a slew of technologies, so while marketing and demos portray:
You are more likely to start with something like this:
Either way, tons of containers per host is great until you realize you are lugging them around on a huge, slow, whale of a cargo ship.
- Currently, Docker’s level of isolation between containers is not that great, so security and noisy neighbors are issues.
- Containers on the same host can’t easily run on the same ports, so you may have to do some spaghetti networking.
- On top of that, if you are running Docker in Amazon, Google, Azure, etc. you are missing the whole point which was to escape the HW level virtualization.
Joyent to the rescue!
Joyent is the only container based cloud provider that I’m aware of. They have been running the vast majority of my cloud instances (possibly yours as well) on OS level virtualization for years now (years before Docker was a twinkle in Shamu’s eye). As such, they are possibly the most experienced and qualified technical leaders on the subject.
They run a customized version of Illumos, an OpenSolaris derivative, with extremely efficient zone technology for their containers. In January, in “Linux and Solaris are Converging but Not the Way you Think”, I wrote about the strides Joyent had made in allowing Linux binaries to run inside Illumos zones.
Triton May Qualify as Witchcraft
The love child of that work, announced as GA last week, was Triton: a (for the most part) Docker-API-compliant service running zone-based Docker containers on bare metal in the cloud. If running on bare metal weren’t enough of an advantage, Joyent completely abstracted away the notion of the Docker host (i.e. the cargo ship). Instead, your Docker client speaks to an API endpoint which schedules your bare metal containers transparently across the entire cloud.
Addressing each of the points I mentioned above:
- Zones in Illumos/Joyent provide complete isolation, as opposed to Linux-based containers, so no security or noisy neighbor problems.
- Every container gets its own public IP address with a full range of ports, so no spaghetti networking.
- No Docker host and no HW virtualization, so every container is running full speed on bare metal.
Going back to the boat analogy, if Docker containers on Linux in most clouds look like this:
Docker containers as zones on bare metal in Joyent look like this:
Enough of the hype
I’m not a big fan of marketing hype so I’ve been kicking the tires on the beta version of Triton for a while. Now with the GA, here are the pros and cons.
Pros:
- Better container isolation
- Better networking support
- Better performance
- No overhead managing a Docker host
- Great pricing (per minute and much lower pricing)
- User friendly tooling in the portal, including log support and running commands on containers using docker exec.
Cons:
- The API still isn’t fully supported so things like build and push don’t work. You can mostly work around this using a docker registry.
- Lack of a Docker Host precludes using some of the patterns that have emerged for logging, monitoring, and sharing data between containers.
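The registry workaround mentioned above, as an added shell example that is not from the original post or from Joyent: build on a local Docker host, push to a registry, then run on Triton with the image pinned by the digest the push reported, so a mutable tag in the registry cannot silently resolve to a different image. The registry address, the Triton endpoint and the image names are placeholders, and the Triton endpoint is assumed to use the standard docker TLS client settings.

```shell
#!/bin/sh
# Added example (not from the original post): work around Triton's missing
# "build"/"push" support by building on a local Docker host, pushing to a
# registry, then running the image on Triton pinned by digest.
# Registry, endpoints and image names are placeholders.
set -eu

LOCAL_DOCKER_HOST="${LOCAL_DOCKER_HOST:-unix:///var/run/docker.sock}"
TRITON_DOCKER_HOST="${TRITON_DOCKER_HOST:-tcp://triton.example.invalid:2376}"   # placeholder
REGISTRY="${REGISTRY:-registry.example.invalid}"                                # placeholder

# Pull the sha256 digest out of "docker push" output ("v1: digest: sha256:... size: N")
# so the run step can pin the image by content instead of by a mutable tag.
digest_from_push_output() {
    sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Build locally and push; print the image reference pinned by digest.
build_and_push() {
    name="$1"; tag="$2"; context="$3"
    ref="$REGISTRY/$name:$tag"
    DOCKER_HOST="$LOCAL_DOCKER_HOST" docker build -t "$ref" "$context" >/dev/null
    # The pipeline masks a failed push, so treat "no digest" as failure.
    digest=$(DOCKER_HOST="$LOCAL_DOCKER_HOST" docker push "$ref" | digest_from_push_output)
    [ -n "$digest" ] || { echo "push did not report a digest for $ref" >&2; return 1; }
    echo "$REGISTRY/$name@$digest"
}

# Same docker client, different endpoint: Triton's API speaks TLS, so the
# standard DOCKER_TLS_VERIFY / DOCKER_CERT_PATH client settings apply.
run_on_triton() {
    DOCKER_HOST="$TRITON_DOCKER_HOST" DOCKER_TLS_VERIFY=1 docker run -d "$@"
}

# Usage (only runs when RUN_EXAMPLE is set, so the functions can be sourced):
if [ -n "${RUN_EXAMPLE:-}" ]; then
    pinned=$(build_and_push myservice v1 .)
    run_on_triton --name myservice "$pinned"
fi
```

Pulling by digest on the Triton side means the container that starts is byte-for-byte the image you built, whatever the tag in the registry points to later.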
Docker is a game changer but it is far from ready for prime time. Triton is the best choice available today for running container based workloads in general, and for production Docker workloads specifically.