As promised in my previous blog (ContainerCon: exercises in fact-finding), here’s my report from LinuxCon+ContainerCon 2016.
We had a great conference! John’s talks on container scanning and SECCOMP were well attended, and there was a clear indication from the representatives of various companies that container isolation and security is something that they are concerned about. They are looking for a solution that integrates with their existing CI/CD workflows easily and the solution doesn’t come with any additional burden in terms of dependencies on the underlying infrastructure.
In the expo hall, we met with developers, devops, architects, product managers and representatives from large and small vendors. Importantly, we were able to connect with IT professionals from enterprises using containers. The following findings are based on those first-hand discussions.
- Which industries are containerizing their existing applications faster than others?
No clear indication on this one. There are two aspects to adopting containers, or ‘containerization’: one at the infrastructure level and the other one at the application level. By application level, I mean adapting existing applications to the container architecture paradigm — that of microservices-based server-less architecture. The latter adoption requires re-architecting the applications, some of which could be so old that they were architected as a monolithic application.
The adoption for such monolithic applications is happening only at the infrastructure level, which leads to treating containers as another form of virtualization, and running the entire application in a container. The applications that were already architected as N-tiered applications or by using Service Oriented Architecture (SOA) are more amenable to adopting containers at the application level, with potentially each application tier running in a different container – assuming that the interfaces between the tiers were already well defined and followed during implementation.
When it comes to adopting the microservices based containerization, SOA-based applications are more attuned to that, as they already support the concept of certain pieces of the application carved out as services and a clear set of protocols and APIs defined to interact with those services. It then, in most cases, boils down to further breaking down those services into granular atomic services and defining the APIs for each one of them.
- Which industries are creating new containerized applications?
This one was very clear: Internet of Things (IoT). The reason being that this space is new and hence the new applications are being developed using the latest stack — python or Go based, on top of an immutable LDK (Linux/Docker/Kubernetes) infrastructure, and making use of the microservices infrastructure offerings such as Amazon Lambda or Google Cloud Functions.
- Which domains and types of applications are re-architecting their applications with microservices?
Again, didn’t get a clear indication on this one either. For existing applications, as explained above, the containerization is either happening at the infrastructure level, or is happening at the application level on the fringes of applications – those pieces of applications that are already undergoing changes due to various business reasons. Enterprises seem to be using those required changes as opportunities to try out containerization.
- Which industries and enterprises prefer running their applications in native containers (those running on the host OS), versus those that prefer to run containers within virtual machines?
Pretty much everyone we talked to said that they would have gone straightaway to native containers if: a) they hadn’t invested in the VM-based IaaS; or b) didn’t have to worry about the security concerns pertaining to container isolation.
Specifically, enterprises operating in the regulated domains, such as finance, healthcare etc., are definitely concerned about getting better run-time visibility and isolation. Even those enterprises that are hosting their applications in private cloud are concerned about isolation, as they would like to have the flexibility of being able to run containers of different applications (with different data privacy requirements) together, without requiring another management layer on top of the Container-as-a-Service (CaaS) layer to manage that segregation of containers.
- Are the existing private cloud applications getting containerized faster than their public cloud counterparts?
The short answer is ‘Yes’. Given that there’s a lot to learn and understand about the containers (both at the infrastructure level and at the application level), enterprises are looking up to their existing vendors, either private cloud service consulting companies or managed service providers, to help them with transitioning to containers. With so much happening in the container space (containers and OpenStack, LDK, orchestration, lifecycle management, groups of vendors aligning together and offering a packaged offering etc.), it’s hard not to get confused trying to keep up.
In the public cloud area, enterprises are either looking up to Amazon, Google etc. for guidance or are trying out offerings that do not have any dependencies on, or requirements from, the underlying IaaS stack.
From a security perspective, following are the takeaways:
- Adoption of native Container-as-a-Service (CaaS) offerings, such as Carina from Rackspace
With another very large IaaS vendor working on offering a native container service, bare metal containers are definitely seeing a lot of traction. Unfortunately, we didn’t get a chance to chat with anyone from the Carina team to get further details on the adoption.
- Security concerns around the adoption of native CaaS
Container Isolation, with deep run-time visibility and easy-to-use-and-apply controls for enforcing corporate data privacy policies are what the companies (especially those companies in the regulated industries) are looking for.
- Limitations and challenges of using containers within virtual machines
A couple of issues consistently popped up during our conversations: a) having to manage both the VM-based IaaS layer and the CaaS layer on top while paying for both of them, and still not being able to exploit the full compute power of the underlying hardware (interestingly enough, the realization of this issue came up as we started getting into the details of what it means to run containers in VMs. Microsoft’s containers running in Hyper-V and Intel’s hardware assisted Clear Containers are interesting digressions on this topic, but that’s a topic for another blog); b) their current visibility and monitoring solutions are VM-based, which is why they are forced to continue using the VM-based IaaS layer.
- Container isolation: what are security experts looking for?
Deep visibility and enforcement that’s baked in the containers, with no dependencies on the underlying stack. The baked-in security enables the developers to pick the application stack of their choice, the devops to choose their immutable infrastructure stack, and the secops to apply their visibility and security control policies without interfering with the other two groups.
This is in line with the key attribute that enterprises like about containers: workload portability.
So while the container community and the industry figures out what the immutable infrastructure stack should look like (the open source community seems to be gathering around the LDK stack – Linux/Docker/Kubernetes), enterprises can adopt the isolation solution without worrying about any future migration overhead.
- Monitoring and analytics of container behavior
Everyone seems to like it and want it, but SysDig was the only company with a monitoring solution for containers. Interestingly enough, NewRelic had a booth, but they were demoing just their application performance monitoring solution.
- How existing VM-based security solutions are being applied to containers?
Didn’t find any of the traditional VM-based security vendors on the Expo floor.
- Run-time container integrity protection
Again, no offerings from anyone in this area – at least no names came up in any of the conversations or we found any such vendors on the expo floor.
So, a lot of good pointers from attending the conference that we, at Layered Insight, can use to focus our business on. It was also good to get further validation on the approach we are using for addressing the container isolation and security concerns, by baking the security in containers.