SUSE: Three Challenges with Preparing OpenStack to Run Docker
Last July, Linux distributor SUSE made its support for Docker official in the latest edition of SUSE Enterprise Linux. The distro included Portus, the company’s portal for interacting with Docker Hub and other registries. And last Tuesday at OpenStack Summit in Tokyo, the company trumpeted that its forthcoming OpenStack Cloud 6 would support Docker as well and that beta testing for this SUSE Linux-based package, built with the Liberty version of OpenStack, is now underway.
The open source ecosystem moves fast. As recently as last year, the whole idea of OpenStack supporting Docker seemed about as mind-boggling as Windows supporting Android. And yet, SUSE, among others, is making it happen, giving its customers the tools to transition into the cloud-based microservices era. There are benefits to the pairing: Running Docker on OpenStack could provide better resource utilization and overall superior performance, compared to Docker with traditional hypervisors like KVM and VMware’s, according to research from Intel.
But supporting Docker on OpenStack is not without considerable challenges, so we learned in a frank discussion with Vincent Untz, a project manager with SUSE and the openSUSE Project. Untz provided details on three specific challenges he and his team faced when equipping SUSE’s implementation of OpenStack Liberty to enable the deployment and management of containers. Each challenge centered on a different component of OpenStack:
As OpenStack veterans know, Nova (also known as OpenStack Compute) is the platform’s main fabric controller. For it to be able to utilize different classes of virtual machine, Nova uses pluggable drivers. So far, those drivers have dealt with specific hypervisors (KVM, Xen, Hyper-V, etc.). Such drivers are named with the prefix “libvirt,” so the Xen hypervisor driver, for instance, would be
But there’s an unofficial, “out-of-tree” project that’s floating around for building a nova-Docker driver. With it, Nova instances can effectively be Docker containers, as Untz explained.
“There’s also a libvirt/LXC driver that also allows starting containers,” Untz noted, referring to the original LXC method for partitioning workloads that gave rise to containers in the first place. “The Docker one is easier to use, and has also the upsides of making it possible to use containers from Docker Hub, as well as using the Docker tools to interact a bit more with the instances — although they should not be used to start containers, otherwise OpenStack won’t know about them.”
Untz acknowledged some definitive downsides to using the nova-Docker driver, at least in its present state. One is very critical to SUSE: Nova uses Glance as its image registry, which means containers have to be uploaded there instead of to Docker Hub. That means Portus can’t be used in this setup, at least not right now, according to Untz. Also, because Glance lacks a versioning feature as sophisticated as a container registry, versioning would have to be a kind of kludge involving snapshots.
Right now, some OpenStack features aren’t compatible with Docker container images, Untz said, such as Ceilometer for tracking telemetry and performance data. “But the most annoying bit is that you cannot attach volumes to containers,” he wrote. “Some things also just work differently, like networking. You don’t need to bind container ports since you actually get an IP address for your container.” (More details about incompatibilities between OpenStack and Docker can be found here.)
Heat is the name for OpenStack’s template-based orchestration engine. Untz told us Heat can be used to orchestrate Docker containers as though they were VM instances, by way of a plug-in that adds a new resource type for Docker. Conceivably, he said, one could use a Heat template to launch a VM instance, and then from within that VM, use whatever one wishes to use to launch Docker containers on a virtualized platform.
“It’s a kind of a nice way to do the ‘secure container’ magic (containers inside a VM) in a high-level orchestrated way,” wrote Untz. “The goal here is to be able to start using containers and benefit from some Docker features. The advantage compared to VMs is that you’re supposedly able to start containers faster, and they’re also supposedly less resource-hungry, plus you have all the containers from the Docker hub as a good starting place for images to upload in OpenStack.”
Cue the Mike Post music. Magnum is the OpenStack component that opens up the infrastructure for use not only by a container system such as Docker, but also by whatever orchestration system a customer wants to oversee that system.
It’s the “whatever” part that’s the challenge right now for SUSE, Vincent Untz told us.
“The benefit here is that [Magnum] doesn’t force Docker containers in the OpenStack model,” Untz wrote. “It instead uses OpenStack as a way to get CPU, network, storage, etc., in order to do something that is more native for Docker.”
However, he added, “SUSE does not ship this, and it’s actually not on the road map yet. But we expect it will appear.
“That being said, from a product perspective, this needs tight collaboration with what’s happening in the containers module, since there’s no decision on what orchestration tool to use there (I suppose it’ll end up being Kubernetes, though),” Untz wrote. “And we want to align what we allow in Magnum with that. This is something worth looking into further, as there are customers who are really serious about Docker and OpenStack — they will want this. This is an area that needs to be further explored, in order to fully understand why people want to use it.”
These are frank admissions from an engineer for an open source vendor that takes seriously its commitment to the “open” part of the formula. Untz is acknowledging that there’s some hard work that requires community participation, in order for SUSE to determine the best architectural direction for a final rendering of Docker support in OpenStack Cloud 6.
The point is, as has always been the case with SUSE — or any open source software worth a damn really — many of the best engineers for a project are outside the company. Which is why SUSE has released OpenStack Cloud 6 as a beta.
Docker, IBM and VMware are sponsors of The New Stack.