Joyent Defends Docker, Adding Closer Ties

Following a tumultuos two days in the Docker community, Joyent has announced two open source initiatives and a container service that further its ties to Docker. With the news, Joyent CTO Bryan Cantrill also has some choice remarks about CoreOS “full-frontal assault” on Docker. First, there is the sheer brazenness of the remarks, but also reflects something that could have been predicted.
“It’s pretty clear that containers, specifically Docker, are going to be the future of infrastructure. What’s not clear is how that’s going to shake out,”Cantrill said. “Who will be the winners and who will be the losers? Can the pie be shared?”
“I think CoreOS came to the conclusion that the pie cannot be shared. That either Docker or CoreOS will succeed, but not both, and they had to attack Docker in order to succeed.”
Independent of this week’s drama, Joyent is addressing what it calls “limitations” in security, virtual networking and persistence for companies wanting to deploy Docker for production applications.
The offerings:
Linux Branded Zones (LXz), a platform for container deployments. It means you can run Linux applications, including those running in Docker containers, natively on secure OS virtualization without an intervening hardware hypervisor. That boosts security and performance, too, according Cantrill, who says the two are related.
Each container is given its own virtualized network stack and a persistence layer based upon the ZFS file system. LXz is built on SmartOS containers and its Crossbow network virtualization layer.
“This substrate has been proven in production for nearly a decade, providing true network isolation while also delivering line performance. So … the answer is both: public cloud-grade multi-tenant security and on-the-metal performance.”
Extending Docker Engine to SmartDataCenter — the Docker run time is being integrated into Joyent’s Unix-based cloud orchestration that serves as the backbone of Joyent Public Cloud. Users can choose between Joyent Public Cloud, SmartDataCenter or the open source code for their deployments. The beta is available today and is to become broadly available in the first quarter of 2015.
Cantrill defends the Docker approach in a blog post, saying “it is their API-centric approach that allows them to achieve their stated goals of ‘batteries included, but removable’ and ‘infrastructure should be pluggable and composable to the extreme.’… Our implementation is relatively new and rapidly evolving, and while we’ve found some small opportunities for improvement, we know enough to know that Docker’s API is fundamentally sound.”
Joyent Container Service will provision and manage Docker hosts and containers in the Joyent Public Cloud. The service includes a security gateway, private registries and integrated logging and monitoring of Docker containers and hosts.
Joyent made the code for SmartDataCenter and its multi-tenant ZFS-based Manta Object Storage Service open source last month. It announced in late October that it had raised an additional $15 million from existing investors Intel Capital, Orascom TMT Investments, and others, bringing its total investment to $120 million.
CoreOS on Monday unveiled a prototype alternative to Docker, calling the Docker process model – sending everything through a central daemon – “fundamentally flawed.”
“We cannot in good faith continue to support Docker’s broken security model without addressing these issues,” CoreOS CEO Alex Polvi wrote in announcing the project.
While CoreOS raised some legitimate issues with Docker in production, it doesn’t explain how its alternative Rocket, technology Cantrill describes as “much lower-level and very nascent,” will solve those problems, he says.
“Take the security concern in particular, the only real substance there seems to be their criticism of the Docker daemon—a single daemon running on a host. But Docker has the remote API and you can implement a different implementation of that API without throwing out the Docker baby with the bathwater,” Cantrill said.
“If their goal was to improve Docker and effect change, they absolutely need to do it within the Docker tent. That’s not their goal. … There’s kind of a Pearl Harbor feel to it, a kind of orchestrated sneak attack on Docker when it’s still young enough to do so, because in six months or nine months, a year, given the momentum that Docker has, it’s not going to be assailable at this level. I personally don’t think it’s assailable at this level now.”
He says the security problems in containers are related to Linux, not Docker, and Rocket will be just as bound to Linux as Docker.
At the same time, he says Joyent’s new offerings address those problems and he’s confident the Docker community will create an effective ecosystem for innovation.
“It’s on the SmartOS substrate. It allows you to run the Linux binaries, but you’re actually running on a SmartOS kernel that has deep support for containers, very rich network virtualization support, industry-leading persistence support via ZFS,” he said.
“So you’re on this industrial substrate, but on top it is an interface that allows you to run your arbitrary Linux images. But it’s not because we were able to solve [the Linux problems] in a month, six months or even 18 months; this took years to design and years to perfect.”
Feature image via Flickr Creative Commons.