Docker containerization, distribution, and orchestration are becoming standard equipment in two versions of the world’s major enterprise Linux distributions: Red Hat Atomic Enterprise Platform and SUSE Enterprise Linux 12. But does this mean the enterprise will soon be entering one Docker ecosystem? Perhaps these major vendors have their own plans.
As OpenStack was first taking its place in the enterprise, there was (and still is) a danger, from Linux providers’ perspectives, that the transition from static deployments to private and hybrid cloud platforms could upset existing Linux deployments, compelling businesses to change vendors. In a clear move to forestall the possibility of such an upset taking place a second time with the Docker movement, this week operating systems vendors SUSE and Red Hat announced bundles that include Docker containerization as a component.
In both Red Hat’s and SUSE’s case, the key distinction here is their registries, which both are portraying as their “value-add” to Docker. The standard Docker ecosystem is based around a centralized container repository called Docker Hub. Both SUSE and Red Hat are now bundling Linux distributions that let customers set up ‘private registries,’ deploying their own containers on their own platforms … using repositories that carry the vendors’ brands.
Red Hat made its bundling announcement Wednesday in conjunction with its ongoing Red Hat Summit in Boston. There, Red Hat revealed that its Atomic Enterprise Platform will bundle RHEL 7 with the Docker container runtime and Kubernetes orchestration. Docker and Kubernetes are also now part of the OpenShift Enterprise PaaS platform. Each will also have a Red Hat private container registry service that utilizes Red Hat Container Certification, first introduced in March.
SUSE’s announcement came Monday, saying that its Linux Enterprise Server 12 distribution would include Portus, a private registry that includes an open source frontend that SUSE portrays as enhancing the security of enterprises’ private containers.
The suddenly emerging need for private registries was not lost on Docker Inc. this week at DockerCon in San Francisco. Among the innovations that it launched as part of an experimental development round for Docker 1.7 was Notary, a certification service which enables users to sign and certify containers — or for that matter, any piece of content — before it gets enrolled into any repository, anywhere.
The not-so-obvious purpose of Notary is to give new subscribers to the containerization model a kind of security blanket, so they can feel confident that the containers they publish to a public registry are protected from being used by just anyone, by way of role-based access control (RBAC). This helps keep Docker in the mix as the center of container ecosystems.
Meanwhile, Linux distributors that seek to distinguish their products through customer service need a way to leverage Docker. As SUSE and Red Hat are proving, private registries are their value-add. Their message: Public repositories may be inherently insecure. And even if they are relatively more secure than, say, posting containers’ binaries to GitHub or Dropbox, certainly nothing’s more secure than hosting the repository yourself.
“Portus is a simple, easy-to-use front end for interacting with the registry,” explains Michael Miller, SUSE’s vice president of global alliances, in an interview with The New Stack from DockerCon. “Right now, it’s really hard to search a registry. Once you set up a registry, how do you search it?
“We’re integrating into Portus the ability to manage your registry,” he continued, “not just stand up a registry and put an API in front of it, but actually put an enterprise, DevOps, SecOps admin frontend that’s usable for real people, in a real enterprise environment.”
The Stack vs. the Platform
SUSE’s Linux management environment is called YaST. With version 12, said Miller, it will begin including management functions for Docker and private container registries built using Docker, but with the intent to use Portus as their front ends.
“We’ll then extend that, as we go forward, into our SUSE Manager management infrastructure,” he continued, “and also into our OpenStack distribution and tool set. From our point of view, just throwing the Docker bits into the distribution and saying, ‘Hey, we do Docker!’ is not what we’re after. The ultimate picture for us is an integrated set of tools and technologies that really address a real-world administrator’s challenges across the operating system tooling, the registry tooling, security tooling, management infrastructure, OpenStack as a private cloud — bringing that all together in a unified way, that really works in a real-world environment. Then having an enterprise company like SUSE that can back that up with training, services, and support.”
Software developers consider the stack in terms of the services that provide the functions with which they interact. The people who procure platforms for enterprises consider “the platform” as the assembly of tools and services that serve as the infrastructure for their applications. SUSE’s move here, as well as Red Hat’s, plays into the needs of the people responsible for budgeting projects and spending the money — people who see “all in one” as meaning the ability to be delivered by the same brand.
But that brand choice may impact the architecture of containerized applications going forward, as developers may soon discover that their choice of repositories has been made for them.
SUSE’s Michael Miller had a lot more to say about the Docker ecosystem, and we’ll present more extended excerpts from our interview with Miller later in The New Stack.
Docker and Red Hat are sponsors of The New Stack.