Hot_Topic_CT_Final_v1

Containerization as an Emerging Hot Topic in Software Development and Operations
Cecil Thornhill, ISM 6124 – Advanced Information Systems Analysis and Design
8/19/16

Executive Summary

The use of Software Containers is rapidly emerging as a critical feature of modern operating systems on servers, personal computers and mobile devices, and is driving new patterns in both system design and operations practice within all sectors of IT. Software Containers, hereafter simply referred to as Containers, are based on virtual machines that share the underlying hardware and an operating system kernel, with configurable sharing of all other system resources. Containers emerged from earlier work on multi-programming and virtualization, and came to be used extensively in the Hosting industry by the late 1990s. Container-based virtualization was quickly adopted by the Data Centers of large Internet Cloud Service pioneers such as Google in the early 2000s. Containers and related 'Sandbox' technology have been a basis for the security features of mobile device operating systems and applications, which have spread rapidly since the release of smartphones based on iOS and Android, each of which leverages containerization for security. Based on success with Containers in the Data Center problem space, Containers have recently begun a rapid adoption in the Enterprise computing market, driven by the adoption of open source standards for Containerization now being added to both Linux and other popular operating systems. Perhaps the most visible example of the rapid interest in Containers is the sudden adoption of the branded suite of open source Container tools provided by Docker, now finding adoption by both Linux and Windows Enterprise users for packaging and managing IT software suites in many Enterprise IT departments.
Container technology is now integrated into both the Linux and Windows OS platforms, and there is a convergence between the application and data isolation security approaches used on mobile, personal and server platforms, all based on isolated execution of code in a virtual instance of an OS. Containers allow developers to leverage multi-core hardware to efficiently and securely scale applications horizontally even when they were not explicitly designed for parallel operation. Isolated execution offers operations teams the ability to deploy multiple heterogeneous business application suites on shared hardware infrastructure while preventing the problems created by incompatible configuration specifications. Containers do this faster, using fewer resources, than other virtualization options. Containers are creating a more efficient, scalable, capable, and secure enterprise, and those benefits are also being transferred to personal and mobile computing devices. Any Enterprise needs to consider a transition from a Virtualization strategy based purely on hardware virtualization in order to adapt to and leverage the benefits of Containers in the development and operations of IT systems. Understanding the technology, setting rational policies, and taking advantage of the business efficiencies and new opportunities provided by Containers will be a key challenge as this technology evolves. The details below are designed to provide the technical background and insight needed for this task.
What is a Software Container? – History and Research of Container Technology

Software Containers are a form of virtualization. Virtualization is a very old concept in computer science, dating at least to the early large computers of the 1950s and efforts to serve many users via techniques like multi-programming and timesharing. Virtualization provides the ability to run many separate instances of an OS at the same time on a single physical server. Virtualization originated from partitioning computer hardware resources, dividing a single physical server into multiple logical servers. Each logical server runs an OS independently, managed by the Virtual Machine Monitor (VMM) or Hypervisor, which is responsible for providing resources to the guest OS. The online article by Vilmar Travassos "Virtualization Trends Trace Their Origins Back to the Mainframe" provides a good overview of this early history: "In 1959, computer program language pioneer Christopher Strachey published "Processing Time Sharing in Large Fast Computers" at the International Conference on Information Processing at UNESCO in New York…." 1 The paper goes on to describe multiprogramming on the Atlas supercomputer project, which provided: "...pioneering concepts of demand paging and supervisor call, which is referred to as "extra codes." According to its designers, the supervisor routines extra codes were formed mainly depending on the supervisor calls. They were activated by interrupt routines or extra-code
instruction occurring in a program object. Thus, a virtual machine (VM) was used by the Atlas supervisor while another VM executed user programs." 1 IBM picked up Virtualization research ideas in the early '60s. One of the original hypervisors for IBM was the Control Program CMS, a bare metal hypervisor developed by IBM in the 1960s which: "…Allows multiple OSs to run simultaneously on a single computer. The hypervisor presents guest OSs with a virtual platform and monitors the implementation of these OSs." 1 IBM continued to explore VM concepts including Hardware Partitioning, and released a form of logical partitioning in 1976, which divides the resources of the physical server into multiple logical partitions (LPARs). "An LPAR is the division of a computer (processor, memory, disk and network) in multiple sets of resources so that each set of features can be operated independently with its own OS." 1 Other approaches to virtualization included the Hosted Hypervisor. A Hosted Hypervisor is a layer of software on top of the host OS. As may be expected, there is considerable controversy about the performance of a Hosted Hypervisor vs. a Bare Metal Hypervisor, since calls to the hardware clearly have to pass through the hypervisor and then the native OS before reaching the hardware. It can also be tricky to tell if your hypervisor is a Type 1 or Type 2,
since you can launch a Type 1 hypervisor from inside another OS, as noted in this paper about KVM on Linux by IBM: "Myth #1: KVM is type 2 hypervisor that is hosted by the operating system, and isn't a bare metal hypervisor. This is a persistent myth, but the truth is that KVM actually does run directly on x86 hardware. People assume it is a type 2 hypervisor because one of the ways that it is packaged is as a component of Linux - so you can be running a Linux distribution and then, from the command-line shell prompt or from a graphical user interface on that Linux box, you can start KVM. The interface makes it look like it is a hosted hypervisor running on the operating system, but the virtual machine is running on the bare metal - the host operating system provides a launch mechanism for the hypervisor and then engages in a co-processing relationship with the hypervisor. In a sense, it is taking over part of the machine and sharing it with the Linux kernel. On x86 hardware, KVM relies on the hardware virtualization instructions that have been in these processors for seven years. Using these instructions the hypervisor and each of its guest virtual machines run directly on the bare metal, and most of the resource translations are performed by the hardware. This fits the traditional definition of a "Type 1," or bare metal hypervisor." 2 Despite the execution-speed concerns about Type 2 Hypervisors, they can offer compelling functional advantages, such as very easy initiation from inside OS user space. It may not always be possible or desirable to use full Type 1 virtualization, especially
on an existing server already configured for some set of business processing, since you would need to reinstall and re-configure the entire system to support a Type 1 Hypervisor. Containers descend from hypervisors, but provide the ability to initiate virtual instances of an OS, or parts of it, from within OS user space like Type 2 hypervisors. This ability stems from attempts to allow finer-grained control of running applications on an OS, particularly UNIX. In UNIX systems, many users may be supported, or a few users may need to run many processes, yet these processes must still stay isolated from other users or user processes for both management and security reasons. To support this approach, the command CHROOT, or 'change root', was added to UNIX System 7 in 1979. Bill Joy added CHROOT to BSD in about 1982, as noted in an excellent blog post by Joe Topjian 3. CHROOT is used to segregate a part of the current file system as its own file system, so that any activity on that segregated portion would not affect the rest of the system. It is very important to note that CHROOT is not secure: it is easy to get out of the new root context and return to the 'real' root prompt and permission set. In reality, with CHROOT alone there is still only one root on the OS. CHROOT was an ancestral start at containers, but was very far from complete. Clearly there was still a need to isolate the actions of processes using the new copies of the file system. The security implications of malicious use of root-level permission were clear. By the late 1990s there was considerable discussion of security on networks and multi-user systems, the role of root
accounts (on UNIX), and some early attempts to both 'de-root' operating systems and/or isolate the root user: "...UNIX-style access control makes it notoriously difficult to compartmentalize functionality. While mechanisms such as chroot(2) provide a modest level compartmentalization, it is well known that these mechanisms have serious shortcomings, both in terms of the scope of their functionality, and effectiveness at what they provide...In the case of the chroot(2) call, a process's visibility of the file system name-space is limited to a single subtree. However, the compartmentalization does not extend to the process or networking spaces and therefore both observation of and interference with processes outside their compartment is possible." 4 CHROOT would lead to operating-system-level virtualization, sometimes referred to as jailed services or apps running in a jail. Jailed services would eventually allow the emergence of Containers in the modern sense. Operating-system-level virtualization (Jails) actually runs as a service, usually protected, and it runs apps as if it were an operating system itself. System-level jails started appearing around 1998-2000, especially in FreeBSD UNIX. The new jail system calls provided: "...the ability to partition the operating system environment, while maintaining the simplicity of the UNIX ''root'' model. In Jail, users with privilege find that the scope of their requests is limited to the jail, allowing system administrators to delegate management capabilities for each virtual machine environment....a strong partitioning solution,
leveraging existing mechanisms, such as chroot, to what effectively amounts to a virtual machine environment. Processes in a jail are provided full access to the files that they may manipulate, processes they may influence, and network services they can make use of, and neither access nor visibility of files, processes or network services outside their partition." 4 These early jails had strong use cases among the growing ranks of hosting providers, who needed an effective and light-weight (as opposed to full hardware virtualization) way to provide users with what appears to be a copy of a UNIX server all their own, but is in fact a subdivision of a larger server. Operating system virtualization began to be referred to as 'containerization', and a wide number of vendors started offering solutions. In addition, many flavors of UNIX and Linux began to offer versions of the 'jail' concept under their own branding, such as Solaris Zones and OpenVZ for Linux. This situation is well noted in the table shown below from the Wikipedia article on "Operating-system-level Virtualization." 5
Why Containers and not Type One Virtualization? – Development of Modern Containers

It is reasonable to ask why Operating System level virtualization (Containers) would be preferred over Type 1 Virtualization, which was also experiencing rapid adoption in the late 1990s and early 2000s by many IT professionals. In some cases, it was not an "either/or" decision. For many users, the role of Type 1 Virtualization was still valid some of the time, but limited by both cost and management considerations in other cases. To understand why, it is important to look inside the implementation structure of both types of virtualization. The materials below on this subject reference an excellent talk by James Bottomley, CTO of Server Virtualization at Parallels, given at the OpenStack Summit: "The Future of Containers in Linux and OpenStack features", published on YouTube, May 14, 2014 6. Mr. Bottomley is a Linux Kernel maintainer, Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board, and hence both an expert on these topics and a prime participant in the Container discussion. For the material below I am referencing this talk, and my versions of the graphic materials are derived from this talk as a source. As noted earlier, Containers are a Type 2 Virtualization based on virtual machines that share the underlying hardware and an operating system kernel, with configurable sharing of all other system resources. Type 1 Virtualization differs in that each instance of the virtual
machine has an essentially separate version of the hardware as well as a separate OS stack. The two systems can be represented as seen below 6: As you can see from the diagrams above, there are more layers to set up, support and control in a Type 1 Hardware virtualization situation. Every layer requires memory space for code execution and has a cost in resources. Also, Containers can share (or not share) stack layers, and the bottom line is that they are much smaller 6:
This means that containers have lower overhead and are faster to deploy, as well as more efficient than hypervisors, in situations where the hardware and much of the OS are identical in the run-time target. A typical container can be requested, initialized and ready to run in around 500 milliseconds, where startup for a hardware VM might take on the order of 20 seconds on similar host platforms. With a smaller footprint in memory and resources, more containers per host can be run, increasing the density delivered over conventional VMs.

[Figure: "Containers are Light". VM stack: Application, Libraries, Operating System, Init System, Kernel, Virtual Hardware, Hypervisor, Operating System Kernel, Hardware. Container stack: Application, Libraries, Operating System, Init System, Operating System Kernel, Hardware.]

All these considerations make Containers very much more interesting to the Hosting services
industry, where the cost efficiency of a standard OS instance offering is critical since there is market feature parity among most competitors. In the 2000-2010 time frame a number of firms created Container software for internal or commercial use. Most were based on an existing open source Linux kernel with 'out of tree' custom components patched into the kernel. Some vendors such as Parallels also offered Container tools across platforms, for Windows as well. In each case, the vendors addressed extending the kernel to support the VM functions of Containers, security features, and some form of management tools to administer the Container system. Security was a major concern, since these Container solutions were being marketed to Hosting services that provided public and commercial computing environments hosting proprietary data. Isolation of each container from the others, by isolation of resources and processes, was critical, including root isolation approaches. These problems are analogous to the issues facing the emerging mobile device market in the same timeframe, but included not just application isolation, but isolation of users who could very likely be active developers knowledgeable about shell and kernel programming. Two approaches were developed, now known as CGROUPS and NAMESPACES. CGROUPS control the resources allocated to groups of processes, and were primarily contributed by Google. CGROUPS provide resource 'bean counting', quotas, and access restrictions. A quick look is provided by these slides from an online presentation by Andre Ferraz and Luiz Viana of Locaweb in Brazil 7:
Namespaces is a concept borrowed from the Bell Labs Plan 9 OS 8, and as implemented in modern Containers it provides separate resources within containers so that a resource is visible only to a process within that namespace, as also shown by Ferraz and Viana 7: While CGROUPS were very mature by 2013, NAMESPACES continue to be expanded, and up to 10 NAMESPACES are planned to extend more security controls in releases for 2015 and beyond 7.
In addition to the resource control provided by CGROUPS, control of 'hostile root' scenarios was added via NAMESPACES. Control of a "hostile root" situation was a business requirement for the Hosting industry. Container vendors such as Parallels offered strong mitigation/controls for root for about 10 years. To allow root privilege to be granted in a Container while stopping 'hostile root' attacks, Container developers implemented User NAMESPACES to give a non-root user root capability in the container. This allowed them to grant the account what appears to be OS-level root on the host, when it is in fact a separate and limited account outside the context of the Container. This functionality was not widely available in open source Containers before versions released in 2014 6. As solutions to structured isolation and management of Containers evolved, the major players in the market decided it was in their best interest to standardize and open up container technology. Groups like Parallels, Google and other Linux Container developers/users began to meet internationally and to work together, starting with the release of an open source version of Parallels' Virtuozzo product as OpenVZ in 2005. In 2006 Google rapidly added many features for process isolation, which became CGROUPS technology (details below), and contributed this code to the Containers open source project. By 2008 the decision was reached to include these projects in the main Linux kernel and the Linux LXC Project was started. Even so, it was not until 2013 that the first unified 'in-tree' (no patch needed) 1.0 release was available in kernel v3.12 6.
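The User NAMESPACES mechanism described above is visible on a Linux host as the file /proc/<pid>/uid_map, each line of which reads "<id inside namespace> <id outside namespace> <length>". The following is an added example, not part of the paper or of any container product: it parses such a map from constructed sample text, translates a container UID to the host UID it really runs as, and flags the weak configuration in which container root is also host root (the mapping the kernel shows for the initial namespace).

```python
"""Translate user-namespace UIDs to host UIDs (added example, constructed input)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace (the container's view)
    outside: int  # first id as seen by the parent namespace (the host's view)
    length: int   # number of consecutive ids covered by this mapping


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text into IdRange entries.

    Blank lines are ignored; any line that is not three integers with a
    positive length is rejected, because a silently skipped line would make
    the translation below report an id as unmapped when it is not.
    """
    ranges: List[IdRange] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(p) for p in parts)
        if inside < 0 or outside < 0 or length <= 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        ranges.append(IdRange(inside, outside, length))
    return ranges


def to_host_id(ns_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Return the host id behind ns_id, or None if the namespace has no mapping.

    An unmapped id has no host identity at all; the kernel shows it as the
    overflow id (65534, "nobody") and it cannot own files or gain privilege.
    """
    for r in ranges:
        if r.inside <= ns_id < r.inside + r.length:
            return r.outside + (ns_id - r.inside)
    return None


def container_root_is_host_root(ranges: List[IdRange]) -> bool:
    """True when uid 0 inside the namespace is uid 0 on the host.

    This is the 'hostile root' case the paper describes: root inside the
    container is not a separate, limited account but the real host root.
    """
    return to_host_id(0, ranges) == 0


# Constructed samples (not captured from a real system):
# a hosting-style container whose root is host uid 100000 ...
REMAPPED_MAP = "         0     100000      65536\n"
# ... and the identity map that the initial (host) namespace shows.
IDENTITY_MAP = "         0          0 4294967295\n"


def describe(text: str, probe_uids=(0, 1000, 70000)) -> dict:
    """Summarize a map: host id for each probe uid and whether root is contained."""
    ranges = parse_id_map(text)
    return {
        "host_ids": {uid: to_host_id(uid, ranges) for uid in probe_uids},
        "root_is_host_root": container_root_is_host_root(ranges),
    }


if __name__ == "__main__":
    print("remapped container:", describe(REMAPPED_MAP))
    print("initial namespace: ", describe(IDENTITY_MAP))
```

On a live system the same functions can be fed the contents of /proc/self/uid_map to check which host account a container's root actually is.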
The Linux LXC Project is the organization bringing all the shared best-of-breed functions from the working group of Container developers to the greater Linux community. The goals of this project are:
"…to offer a distro and vendor neutral environment for the development of Linux container technologies…Our main focus is system containers. That is, containers which offer an environment as close to possible as the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware"…."This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups." 9

Containers in Use – Contemporary Practice of IT using Containers

To get some understanding of the use of Containers in IT outside the relatively obvious direct utilization by Hosting Service providers, it is helpful to look at the use of Containers in the Web Services industry. Google, Amazon, Facebook, Twitter, and many other Web Service firms all utilize Containers in their Cloud/Datacenter daily operations in 2015. None of those firms is a better or more eye-opening example of the potential of Containers to transform an Enterprise than Google. Google is famously based on principles that hark back to the approach Von Neumann took in the development of the first modern computer architecture at Princeton and its immediate descendants such as SAGE: the use of off-the-shelf components that are cheap and interchangeable, and a massively parallel approach to problems that merges the most advanced concepts of Turing's work as well 10. They have literally created their own virtualized compute, network management, and storage tiers for all aspects of the business. (Slides are from "Compute at Google: An Insider's View", a talk by Navneet Joneja.) 13
Google provides services like search, storage and compute platforms, as well as applications like mail and office functions, all built on logic designed to allow parallel execution of user requests across any number of modular application instances running on its very large and massively parallel hardware architecture 13. Google has expanded rapidly from early physical hardware systems in 1999, through a number of versions of physical and virtual machine technologies, to the point in around 2006 when they made the transition to Containers based on a patched Linux kernel. Containers provided Google with the
additional density and speed of initialization needed to keep up with the demands for rapid response to customer demand at growing but variable loads. (Slides below are from Joe Beda of Google's "Containers At Scale" slide deck.) 14 Since about 2006 Google has been scaling up this approach using Containers, to the point that in 2014 they created about 2 billion containers (OS instances) per week, or over 3000 Containers created per second on average 16. The Containers used by Google are spread out over about 1 million physical servers in over 10 data centers around the globe, connected by very high-speed WAN links 14. Google has done all this by creating the needed security
and management tools to automate the generation of Containers, as well as to secure, administer and report on this entire Container infrastructure. They are now making these tools available to the world via open code and APIs and the Google Cloud Platform 15. (Slides below are from the video presentation "Google Cloud Platform Live: Compute at Google, An Insider's View".) 15 Google represents one of the most aggressive examples of leveraging Containers in an Enterprise, but it is by no means outside the direction of mainstream change. Google and Amazon, etc. may be further down the path than other firms, but only by being such early
adopters. Today, firms of all sizes are starting to use Containers to build, package and manage enterprise software assets. This change has in large part been enabled by one firm – Docker. Docker created a friendly and well-documented suite of Container tools to allow IT shops to start working with Containers. Docker created a layer on top of the emerging open source Linux Container tools (LXC) for packaging, deploying, versioning, and sharing packages of applications together with their required libraries and OS configuration elements. (Slide below is from "What is Docker" on the Docker Website.) 17 This diagram will be quite familiar by now as a simplified version of a standard Container implementation. By simplifying access to Containers, Docker captured the attention of many potential customers, the IT press, and a large number of other Container developers and Cloud Service Providers such as Google and Amazon, and even Microsoft. "The big idea behind Docker, which arrived at a stable version 1.0 over the summer, is nothing new. Docker is essentially a wildly popular open source implementation of lightweight Linux containers, putting some secret sauce on top (and standardizing them in
the process). The company sells services on top of these containers, in kind of a Red Hat model." 18 Seizing a chance to create a win-win situation, many Cloud Vendors who want to provide Container-based services to Enterprise IT customers added support for Docker protocols in 2014. OS vendors joined in, and now Linux, Microsoft, Apple, Google and Amazon all support Docker on PCs, Servers, Hosting Platforms, and Cloud Offerings. Combined with the rapidly evolving improvement in security features built into the OS layer of Linux, Docker has become the public face of Containers for many Enterprises looking into the technology. While not perfected yet, Docker has even gotten Gartner's tentative blessing (with a number of conditions still in place), as reported in InfoWorld: "The Gartner report takes a step toward confirming that Linux containers in general, and Docker in particular, are not only lighter-weight forms of application isolation than virtual machines, but secure ones as well, as far as internal operations for a given operating system are concerned. They're lighter weight because they share the host server's operating system's kernel. In a virtual machine, each application is combined with its own operating system. As a result, powerful servers that can run dozens of virtual machines can run hundreds of containers, resulting in greater compute density." 19 As a result of being in the right place at the right time, Docker has become a tool that allows Enterprises and developers at all levels to start using Containers to manage the
development and deployment of applications on almost any platform by learning a standard set of techniques.

Conclusions and Recommendations – Starting to Containerize the Enterprise

Why and how are many Enterprise firms starting to experiment with Containers, usually by getting started with Docker? There are a few common issues that recur in the use cases showing up online, such as this advice from CenturyLink 20: Another compelling advantage of Containers is their ability to prevent "dependency Hell" for those working with multiple open source applications, or applications developed by heterogeneous vendors, while integrating Enterprise workflows. Getting any two apps to run together while avoiding library version and incompatibility errors between applications is actually hard. Being able to set up each app in its own container and deploy them without interfering with each other is a very appealing benefit of Containers. Making it easier to share code configurations among developers and to move development environments around
  24. 24. Containerization as a Emerging Hot Topic in Software Development and Operations Cecil Thornhill, ISM 6124 – Advanced Information Systems Analysis and Design eb391472-8209-473f-9b5f-c11874585ecc-160819201307 8/19/16 page 24 of 28 across OS and platform bounds (say between Linux versions) is also a huge benefit. Easing the transition between developer personal machines and the corporate or Cloud environment can also be a compelling advantage for many teams. Improving the way application versions can be managed and deployed offers IT Operations teams a chance to cut time, effort and to prevent errors when applications hit the production stage of their lifecycle. Any IT Enterprise is constantly looking to find a way to increase the density of applications supported on its infrastructure, improve the ability to scale up as needed. Containers provide these benefits to the bottom line. When the benefits to both developers and operations noted above are added to the potential cost savings from Containers, it is easy to see why 70% of the Enterprises surveyed by SD Times in early 2015 are considering Containers. 21 As a conclusion, Enterprise IT executives should consider:  Getting themselves and their development and operations teams educated about Containers and related technology, and meeting to discuss the potential they see, as well as risk and potential blockers.  Asking their Security teams to evaluate how the state of the art in Containers matches their current policies. Given that most enterprise OS versions have not yet reached the release level of the most current Container security features, there may well be gaps requiring potential holds before public facing Container applications are fully secure.
  25. 25. Containerization as a Emerging Hot Topic in Software Development and Operations Cecil Thornhill, ISM 6124 – Advanced Information Systems Analysis and Design eb391472-8209-473f-9b5f-c11874585ecc-160819201307 8/19/16 page 25 of 28  Consider starting pilot Container based projects with internal (and hence more secure) development teams to generate experience with the technology.  Evaluate the potential of merging Cloud transition efforts with Containers to take advantage of the increased security offered by Cloud Service Providers on top of Container features. Projects considering migration to the Cloud may offer the best fit for beginning to use Containers for process and platform improvements.  Don’t rush – Containers are not going away, and are continuing to evolve. Unless your enterprise needs to be on the leading edge, consider letting others pioneer some of the issues, and learning from their use cases. Containers represent a new phase in the Virtualization story. They offer a chance to take advantage of parallel scale techniques without radically revising the code base of an enterprise. While they now have some unfinished security issues to be resolved in pending releases, they also offer the potential to firewall apps at a structural level. The story of Containers is still being written, and has a real chance to include a re-write of how enterprises of all scales develop and operate a secure applications infrastructure.
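As a concrete form of the policy review recommended above for Security teams, the script below is an added example written for this page (not the author's, Docker's or Gartner's code). It reads the JSON array that `docker inspect` emits for running containers and flags settings that widen what a process inside the container can reach in the kernel it shares with the host and with every other container. The two container records are constructed for the example, and the sets of dangerous capabilities and sensitive host paths are an assumed starting policy rather than any published standard; the field names (`HostConfig.Privileged`, `HostConfig.NetworkMode`, `HostConfig.CapAdd`, `HostConfig.SecurityOpt`, `HostConfig.Binds`, `Config.User`) are the ones `docker inspect` actually uses.

```python
"""Policy check over `docker inspect` output (added example, not the page's own code).

Flags container settings that widen what a process inside the container can
reach in the host kernel it shares with every other container on the machine.
The two container records below are constructed for this example; the sets of
dangerous capabilities and sensitive host paths are an assumed starting policy.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Assumed policy: capabilities that, once added, let a container process reach
# well beyond its own namespaces (mount/ptrace/module-load/raw device access).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                  "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH"}

# Assumed policy: host paths that should never be bind-mounted into a workload.
# The Docker socket in particular grants control of the daemon, i.e. the host.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/etc", "/proc", "/sys", "/dev")


def _norm_cap(cap: str) -> str:
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive(src: str) -> bool:
    """True if a bind-mount source is a sensitive host path or lies beneath one."""
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def check_container(doc: dict[str, Any]) -> list[str]:
    """Return policy findings for one element of the `docker inspect` array."""
    name = doc.get("Name", "?").lstrip("/")
    cfg = doc.get("Config") or {}
    host = doc.get("HostConfig") or {}
    findings: list[str] = []

    if host.get("Privileged"):
        findings.append(f"{name}: Privileged=true removes capability, seccomp and device limits")
    if host.get("NetworkMode") == "host":
        findings.append(f"{name}: shares the host network namespace")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")

    # Config.User is empty when the image never set USER, which means root.
    user = str(cfg.get("User") or "")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append(f"{name}: runs as root inside the container")

    for cap in host.get("CapAdd") or []:
        if _norm_cap(cap) in DANGEROUS_CAPS:
            findings.append(f"{name}: adds capability {cap}")

    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{name}: {opt} disables a kernel-level syscall/MAC filter")

    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _is_sensitive(src):
            findings.append(f"{name}: bind-mounts sensitive host path {src}")
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {doc.get("Name", "?").lstrip("/"): check_container(doc)
            for doc in json.loads(inspect_json)}


# Constructed sample: one legacy container and one hardened one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/legacy-web",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "NetworkMode": "host", "PidMode": "",
                    "CapAdd": ["SYS_ADMIN"], "SecurityOpt": ["seccomp=unconfined"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/srv/web:/data:ro"]}},
    {"Name": "/hardened-web",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "",
                    "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"],
                    "Binds": ["/srv/web:/data:ro"], "ReadonlyRootfs": True}},
])

if __name__ == "__main__":
    # Pipe real output in:  docker inspect $(docker ps -q) | python3 this_file.py
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for cname, issues in audit(text).items():
        print(f"{cname}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run stand-alone it reports five findings for the constructed legacy container (host network namespace, root user, SYS_ADMIN, seccomp disabled, Docker socket mounted) and none for the hardened one. Against a real host, `docker inspect $(docker ps -q)` piped into the script gives a Security team a first, mechanical answer to "does this deployment match our policy" before any public-facing container goes live; the thresholds are deliberately a starting point to be tightened to local policy.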
Citations

1. Travassos, Vilmar. "Virtualization Trends Trace Their Origins Back to the Mainframe." IBM Systems Magazine. IBM, 1 Aug. 2012. Web. 5 Apr. 2015. http://www.ibmsystemsmag.com/mainframe/administrator/Virtualization/history_virtualization/?page=1
2. Day, Mike. "KVM Myths - Uncovering the Truth about the Open Source Hypervisor." IBM developerWorks. IBM, 3 July 2012. Web. 5 Apr. 2015. https://www.ibm.com/developerworks/community/blogs/ibmvirtualization/entry/kvm_myths_uncovering_the_truth_about_the_open_source_hypervisor?lang=en
3. Topjian, Joe. "Contain Your Enthusiasm - Part One: A History of Operating System Containers." Cybera. 13 Nov. 2013. Web. 5 Mar. 2015. http://www.cybera.ca/news-and-events/tech-radar/contain-your-enthusiasm-part-one-a-history-of-operating-system-containers/
4. Kamp, Poul-Henning, and Robert Watson. "Jails: Confining the Omnipotent Root." FreeBSD. The FreeBSD Project, 1 Jan. 2004. Web. 5 Apr. 2015. http://phk.freebsd.dk/pubs/sane2000-jail.pdf
5. Wikipedia contributors. "Operating-system-level Virtualization." Wikipedia, The Free Encyclopedia, 6 Apr. 2015. Web. 6 Apr. 2015. http://en.wikipedia.org/w/index.php?title=Operating-system-level_virtualization&oldid=655197802
6. The Future of Containers in Linux and OpenStack. Perf. James Bottomley. YouTube, 2014. Film. https://www.youtube.com/watch?v=_jBTHyo0mEQ&feature=youtu.be
7. Viana, Luiz, and André Ferraz. "Linux Cgroups and Namespaces." SlideShare. LinkedIn, 2 Oct. 2014. Web. 5 Apr. 2015. http://www.slideshare.net/locaweb/linux-control-groups
8. Pike, Rob, Dave Presotto, Ken Thompson, Howard Trickey, and Phil Winterbottom. "The Use of Name Spaces in Plan 9." Plan 9 Operating System Site. Alcatel-Lucent (formerly Bell Labs), Computing Science Research Center, 21 Sept. 1992. Web. 5 Apr. 2015. http://www.cs.bell-labs.com/sys/doc/names.html
9. "Home Page." Linux Containers. Linuxcontainers.org, 24 Mar. 2015. Web. 5 Apr. 2015. https://linuxcontainers.org
10. Dyson, George. "Engineers' Dreams." Edge.org. Edge Foundation, Inc., 13 July 2008. Web. 5 Apr. 2015. https://edge.org/conversation/engineers-39-dreams
11. Barroso, Luiz André, and Urs Hölzle. "The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines." Berkeley Electrical Engineering and Computer Sciences. UC Regents & Morgan & Claypool, 1 Jan. 2009. Web. 5 Apr. 2015. http://www.cs.berkeley.edu/~rxin/db-papers/WarehouseScaleComputing.pdf
12. Ghemawat, Sanjay, Howard Gobioff, and Shun-Tak Leung. "The Google File System." Google.com. Google, Inc., 19 Oct. 2003. Web. 5 Apr. 2015. http://static.googleusercontent.com/media/research.google.com/en/us/archive/gfs-sosp2003.pdf
13. Compute at Google: An Insider's View. Perf. Navneet Joneja. YouTube, 2014. Film. https://www.youtube.com/watch?v=zZdoL5d7KC8
14. Beda, Joe. "Containers at Scale." Speaker Deck. Google, Inc., 22 May 2014. Web. 5 Apr. 2015. https://speakerdeck.com/jbeda/containers-at-scale
15. Google Cloud Platform Live: Compute at Google, An Insider's View. Perf. Google Developers. YouTube, 2014. Film. https://www.youtube.com/watch?v=zZdoL5d7KC8
16. Morgan, Timothy. "Google Runs All Software in Containers." EnterpriseTech Software Edition. Tabor Communications (TCI), 28 May 2014. Web. 5 Apr. 2015. http://www.enterprisetech.com/2014/05/28/google-runs-software-containers/
17. Hykes, Solomon. "What Is Docker?" Docker. Docker Inc., 1 Jan. 2015. Web. 5 Apr. 2015. https://www.docker.com/whatisdocker/
18. Weinberger, Matt. "Contain Yourself: The Layman's Guide to Docker." Computerworld. Computerworld, Inc., 21 Nov. 2014. Web. 5 Apr. 2015. http://www.computerworld.com/article/2849619/contain-yourself-the-laymans-guide-to-docker.html
19. Babcock, Charles. "Gartner Gives Thumbs Up to Docker Security." InformationWeek - Cloud. UBM Tech, Inc., 14 Jan. 2015. Web. 5 Apr. 2015. http://www.informationweek.com/cloud/infrastructure-as-a-service/gartner-gives-thumbs-up-to-docker-security/d/d-id/1318612
20. Carlson, Lucas. "What Is Docker and When to Use It." CenturyLink Innovations Lab Blog. CenturyLink Inc., 22 Apr. 2014. Web. 5 Apr. 2015. http://www.centurylinklabs.com/what-is-docker-and-when-to-use-it/
21. Marvin, Rob. "Survey: 70% of Enterprises Adopting Docker Containers." Software Development Times. BZ Media LLC, 10 Feb. 2015. Web. 5 Apr. 2015. http://sdtimes.com/survey-70-enterprises-adopting-docker-containers/
