This document discusses how Docker containers and Apcera's Hybrid Cloud Operating System (HCOS) can work together. Some key points:
- Apcera HCOS provides an enterprise-grade platform that allows running Docker containers across multiple hosts and clouds with integrated security, networking, load balancing and other capabilities.
- Containers offer advantages over VMs like higher density, portability and agility but need enterprise features for production that Apcera provides.
- Apcera integrates policy controls, image scanning, staging pipelines and other features to help securely run Docker containers in production environments at scale.
- It addresses barriers to Docker adoption in enterprises like security, multi-cloud mobility, integration
2. Apcera Hybrid Cloud Operating System
Single
Policy
Multiple
Workloads
Multiple
Clouds
Enterprise-Grade Cloud Platform
Policy is built in at the core for
providing pervasive security and
control.
Run PaaS binaries, containers,
and full OS (capsule) on same
infrastructure today. Additional
workloads in future.
Workloads mobility.
Private-to-private, public-to-
public, and private-to-public.
vSphere, OpenStack, AWS,
GCE, IBM Softlayer, Mirantis
Express.
Unified Orchestration & Governance
Unified Infrastructure
3. Why containers?
● > 10X as many containers can run on the same hardware
● Run anywhere - from your laptop to the cloud
● Faster boot enables on-demand application deployment
● Increased performance - no more hardware emulation
● Increased agility and mobility - No more full OS to move around
● Smaller attack surface
● Repository makes finding and deploying services easy.
(Postgres/MySQL/Redis/Mongo/etc)
● Growing ecosystem of developers and tools.
Server Hardware
Hypervisor
OS OS OS
Libraries Libraries Libraries
App App App
VM
Any Hardware
Container OS
App
Container
App
Libraries Libraries
Any Cloud
1 x 30 MB
n x 700
MB App
Libraries
App
Libraries
App
Libraries
WastedSpace
4. Where is Docker today?
● Containers bring speed
and agility to developers
● Containers are great for
web and greenfield apps
● Development and runtime
are siloed either in the
private or in the public
cloud
Private
Cloud
Public
CloudOR
5. What is industry trying to figure out?
● Containers moving into the enterprise
● Enterprise-grade security and reliability
● Multi cloud mobility
● Integration with existing enterprise apps
and services
● Multi workload capabilities
Hybrid
Cloud
Private
Cloud
Public
Cloud
● Container-optimized small-
footprint OS
6. Docker in poduction, barriers to adoption
This report is based on the current and planned container usage patterns of 285respondents. The survey was conducted
over the latter half of May 2015. https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2015.pdf
7. Why Apcera HCOS?
Complete enterprise-grade platform
Multi-host, multi-cloud secure
networking
Integrated load balancing and routing
Containers isolation and container-
level firewall
Images visibility, control and malware
inspection
Consistent policy across multi-cloud
environments
Authentication and authorization layer
Integration with production logging
services
Health monitoring
Container Engine
Networking
Container Scheduling
Container Orchestration
Web Console, CLI, API
Storage
Policy&Governance
Internal
Services
Integration
Multi-vendor IaaS and hybrid cloud support
(OpenStack, VMware, Amazon AWS, Google Cloud, Bare-metal)
Cluster
Installation and
Management
Advanced features
Containers linking,
semantic pipelines,
scaling, load
balancing, images
malware inspection
Multi-Workloads: Containers, OSes, Apps
External
Services
Integration
8. A couple of more reasons…
Pull images directly from Docker registries
Docker CLI options support
Policy controls to restrict packages in the system.
Layers caching for near instant launch times
Dynamic binding for container to container
communication
Active connections management
Service credentials protection with ephemeral
credentials
9. Apcera vs. DIY
+
+
+
Integration effort and competence
Integration with external systems and
services
Feature gaps/overlap between the
components
Maintenance and lifecycle management
UI and usability
Security (including policy and governance)
State of the art in industry (many
components still in alpha or beta)
No multi-tenancy
No multi-workload
Apcera
One System vs. Components
DIY
10. Apcera Policy for Docker
Workload Placement
Service Access
Resource Quota
Network Ingress/Egress
Runtime Requirement
A Docker workload
is just like any other
HCOS job
Policy is not limited just to resources, you can also control routes, packages,
service access, etc.
Semantics pipelines
11. What’s in your container? You don’t know.
And that’s a problem!
Image source: BanyanOps Blog, June 2015
General Images with VulnerabilitiesOfficial Images with Vulnerabilities
14. For more info and a FREE trial please visit
http://docs.apcera.com/setup/setup-overview/
Apcera
Editor's Notes
No more heavy hardware emulation because containers rest on top of a single Linux instance
Leave behind the useless 99.9% VM junk, leaving you with a small, neat capsule containing your application
Twice as many containers can run on the same hardware
Run virtually anywhere - from your laptop to the cloud
1. containers are much lighter-weight vs virtual machines - Each VM on a server contains an entire operating system. That OS will contain all sorts of drivers, utilities, libraries, maybe some runtimes, etc (in addition to the kernel). This translates to lots of large images and as such they consume more disk space, RAM and CPU. With containers, all the containers on a server use the same (very much slimmed down) kernel. Essentially you go from lots of independent, fat operating systems running on a machine, to one very slim kernel that is shared and provides basic services to all containers. This leaves a lot more of a server’s disk, RAM and CPU for running applications - which means many more applications per server using containers vs using VMs. Whereas you may have 10s of VMs on a server you can have 100s of containers. dramatic increase in server utilization.
2. because containers are so light weight they boot much faster than VMs. Apps can be spun up in fractions of a second vs seconds.
3. containers by definition contain the app and all its dependencies (required libraries, runtimes, etc.). This means that (other than the very basic operations that the shared kernel provides) the container contains the app and everything it needs to run. This is very useful as it solves a common problem in the development world. Often when apps move from dev to test (for example) they won’t run properly in the new (test) environment. often after much unfruitful troubleshooting of the app the problem is reported to the developer and he checks the app only to find it’s running perfectly in his development environment. So the problem is the difference between the dev and test environments. A lot of time is wasted trying to (a) keep environments in sync with various patches, updates, libraries, etc. and (b) troubleshooting problems when the environments invariably get out of sync. Big win for containers wrt reducing wasted time and frustration.
4. because an app running in a container has only what it needs to run, its attack surface is much much smaller. In other words all that extra OS code that gets carried around in VMs not only eats CPU, disk and RAM, but it also increases the the possibility of an exploit. the more code you have the greater the possibility that some of it can be exploited. Not only does this increase risk, but also maintenance since someone has to patch all those pieces of code where exploits are found.
Bottom line, containers provide many significant benefits vs VMs. This is why Google has been using them for a decade.
High level overview today and the future
Today, when a new application is placed in production, a networking team needs to select the appropriate VLAN, open ports, configure load balancing, set up port security through access control lists (ACLs)
Containers on routers, switches, load labancers, embedded systems, etc.
Free movement of containers and CI/CD into different clouds, but with enterprise-class controls.
Companies requiring enterprise-grade reliability and security for all the technologies inside a container as well as the container host environment.
Small-footprint operating system
Containers as new software delivery model for enterprise applications and hardware
Need for a specification for containers
Multiple containers topology
Apcera covers the full solution as a policy governed enterprise offering feature ranging from PaaS, integration with services and hybrid cloud capabilities.
1. Cluster management
2. Container scheduling
3. Container orchestration
4. Policy definition and enforcement
5. Multicloud runtimes - ability to span multiple clouds - with consistent policy across all clouds
6. Workload diversity - ability to run containers, non-containerized workloads and VMs together on same infra.
We provide all of the above. The first 3 are provided by lots of others, Mesos, Kubernetes, etc. However, we have unique differentiation with respect to the last 3. Nobody has as complete a policy story as we do, nor can they claim consistent policy across multicloud environments - and I’m not aware of anyone that can run all the workloads we can.
Apcera is dedicated to contribute to the Open Source community which innovates in container technologies and sometimes competes
Kurma/KurmaOS
Orchestration
Higher level of abstraction, enables micro-services architecture, repeatable and automatable deployments and software management related to updates/upgrades
Usually involves standards (manifests) for describing the application (multiple jobs)
Scheduling
Features as resource management, cluster management, health monitoring and scaling of workloads (containers)
Container engine
Container engine allows you to run your containers in isolated context (allocated CPU, RAM, disk, networking)
Typically libraries and tooling around Linux kernel features cgroups and namespaces
Storage and networking as well as multi-tenancy and isolation capabilities of the engine
Operating system is usually integral part of the engine
Our Docker policy is based upon image tags, which are not strong assertions about an image's contents. By partnering with FlawCheck we can show Continuum using Staging Pipelines to inspect Docker containers for malware and vulnerabilities that could put an organization at risk.