VMware’s Photon Platform and How it Treats Containers

Last April, when VMware announced what it was calling Project Photon as a miniaturized Linux for use inside Docker containers, a number of observers wondered whether Photon could act as some kind of conduit for another VMware technology. Monday at the company’s VMworld conference in San Francisco, their speculations were justified: Photon OS, as it will now be called, will serve as the agent that gives VMware’s vSphere management system visibility into the operations inside containers.

It means containers that include Photon OS will be somewhat different from containers that don’t include Photon OS. It is an alternative platform to vSphere. This new Photon Platform, as VMware has dubbed it, is intended for “cloud-native” containers only — for data centers intending to deliver SaaS where vSphere is not already established, nor intended to be established.

“What we are going to look at here is … an extension of an existing technology called vSphere Integrated Containers,” stated Ray O’Farrell, the newest of VMware’s two CTOs, during a Monday morning keynote session at VMworld 2015 in San Francisco. “What this allows us to do is attack this challenge of visibility and management of containers within the existing infrastructure.”

The Consumable Coating

VMware CTO, Kit Colbert, then continued, and as an on-screen diagram plainly demonstrated, a vSphere Integrated Container will be a contained container. There will be a wrapper of sorts around containers, enabling them to behave in an existing vSphere environment as VMware virtual machines. This wrapper will provide admins, Colbert said, “with the security, the visibility, and the management that they require to run these applications in production.

“We’re doing that by making containers first-class citizens on vSphere,” Colbert went on. “That means you can manage both traditional applications inside of VMs, and next-generation applications inside of containers, side-by-side, fully consistently, on one platform.”

The container wrapper is something VMware has dubbed “jeVM,” for “just enough virtual machine.” Not only does jeVM wrap itself around the container component, but it also isolates that component unto itself. You might say to yourself, isn’t that really the whole idea of containers anyway: process isolation?

Maybe, but insofar as data centers insist on running their production-class container environments inside of VMs anyway, then that process isolation is only beneficial within the containers’ native context.

New versions of vSphere will actually serve as the Linux kernel and as the Docker engine, for the benefit of vSphere containers. These resources will become available within a resource pool inside the vCenter monitoring portal, as “Virtual Container Host.” The jeVM wrapper will include the new version of Photon OS, which effectively “knows” it’s being run within vSphere. It’s Photon OS that serves as the vSphere container’s link with vSphere.

It will also contain the component VMware introduced last year as “Project Fargo,” now dubbed Instant Clone. This should enable vSphere containers, said Colbert, to clone themselves and power themselves on in less than one second, without consuming any memory overhead from the host system.

Technically speaking, the format of the container itself need not diverge from the standard specified by the Open Container Initiative (of which VMware is a member). It’s the inclusion of Photon OS that gives containers what VMware executives are referring to as the “special sauce.”

It’s Photon OS that enables containers to effectively run on VMware’s NSX hypervisor, and use VMware’s vSAN storage.

“Think about the 50,000 ecosystem partners we have, all the tooling and technology they’ve built, the hundreds of thousands of users … and the millions of scripts that you’ve collectively written. All that stuff now just works with containers,” remarked Colbert.

A More Solid Photon

Photon Platform (other than including the “Photon” brand) looks surprisingly more generic and open source, promising to include Docker, Cloud Foundry, Mesos, and “just what you need” to get an API-centered container platform running. It’s a more compact culmination of VMware’s efforts to produce a truly “Docker-oriented vSphere,” as The New Stack’s Susan Hall put it two months ago, that doesn’t look so much like vSphere.

But it does include the internals of the ESX hypervisor — in this case, relocated to a new compute host called Photon Machine, where it resides alongside Photon OS. “What we see Photon Machine being is a convergence of the hypervisor and a Linux OS, to a lightweight, very secure package that you can install on your physical hosts,” explained Kit Colbert.

Photon Machines are designed to be stackable, distributable, and perhaps a slight bit more ephemeral than the typical vSphere hard-wired to the hypervisor. One communicates with a Photon Machine via its API, suggesting that open source tools may be devised by third parties to manage them. Overseeing these machine stacks is a Photon Controller, which manages access control to and between containers by way of the identity management system called Project Lightwave.

“We wanted to make sure that it [Photon Platform] sits in the stack, right at the point that still allows you the flexibility to leverage the open frameworks and the data platforms, that you’re used to using for deploying your cloud-native applications,” explained Ray O’Farrell (at first, he said “OpenStack frameworks,” and then corrected himself). “Frameworks such as Cloud Foundry, Docker, and Mesos — all of those can still be used with the Photon Platform.”

“Freedom of Choice”

For Docker, the angle this week has been about how its technology allows container portability, making it relevant for vSphere and through Photon. Docker is also working with VMware in the realm of orchestration and networking.

Docker, for that matter, also works with IBM, Microsoft and Red Hat. Each of these companies has separate agendas. But for Docker, each provides it with a way to engage with the market that few small companies ever get the opportunity to do. Just as an example, in the admin’s world, according to 2014 IDC survey numbers released this year, VMware has the largest single slice of market share in both cloud systems management and data center automation software.

Docker VP for Enterprise Marketing David Messina wrote a blog post this week addressing VMware ‘s announcement at VMworld.

“The approach that VMware is taking is an interesting dual-strategy; one that makes their existing vSphere solution even better for Docker, while offering a new generation of applications through a solution that is centered on their minimalist Linux OS Photon … The application portability that the Docker platform provides has created the freedom of choice for both developers and sysadmins to choose the right infrastructure at the right time for any given application.”

According to the same blog post, VMware’s work with Docker Machine allows developers and sysadmins to leverage a single command to run Docker on Fusion, vSphere or vCloud Air.

According to the post, VMware’s NSX team has partnered with Docker to provide a “batteries included swappable” option for Docker multi-host networking.

The post also made efforts to show how Docker works in a Windows environment:

We know that many of your are not only vSphere admins, but also Windows IT Pros and in that capacity we are very excited to brief you on and show you how Docker can run natively on a Windows Server environment.

VMware Chief Technology Strategy Officer Guido Appenzeller told us a few months ago that VMware’s customers were running container environments within separate VMs anyway, especially in production. Also important to consider: IT administrators, who constitute the bulk of VMworld’s attendees, are still somewhat unfamiliar with containers. Indeed, VMware’s keynote speakers still take a moment to define the concept before talking about it.  Despite how rapidly the Docker ecosystem’s “tooling” is evolving, a good deal of it is still geared towards developers, not administrators.

The Fight for Relevance

“If you look at what VMware is preaching, it’s basically coming down to, ‘Let’s take containers as the most exciting thing, and push it as a square thing through a round hole,’” remarks Lars Herrmann, Red Hat’s general manager for integrated solutions, as part of an interview for an upcoming podcast on The New Stack. “Because they’re basically saying, containers can only be trusted if you run them inside a virtual machine, because this is how you get the tools, and this is how you can rely on the security attributes that the hardware provides, and the hypervisors provide already, and that you trust already for virtualization.”

Once containers become relegated to just another form of VM, Herrmann fears, “God knows what people will put into these virtual machines.”

Apcera CEO Derek Collison, who was also interviewed for this forthcoming podcast, notes that VMware is not alone in fighting for relevance against a technology that could, if left unchecked, obsolete it.

“Both OpenStack and VMware are trying to be relevant in a container-dominated future landscape,” states Collison. “The original stance was, ‘Containers are kind of interesting, but VMs are where it’s at.’ And when the container ecosystem was going from a blip in the rear-view mirror to, all of a sudden, just passing them, both the themes at OpenStack [Summit] and VMworld are, ‘No, no, we’re still relevant in a container-driven world.’ So you’re going to see things like stripped-down OSes, lighter-weight, smaller memory footprints.”

Collison believes the potential Achilles’ heel for these systems, as they scramble for containerized relevance, is the networking layer. True microsystems require a software-defined network that responds almost exclusively to their needs, he points out. If that same SDN is also tied up catering to the needs of conventional VMs, “that’s still way too slow.” Of course, Apcera does provide its own container-specific SDN, called Continuum, for which there would arguably be no room in either VMware’s vSphere Integrated Containers architecture, or in Photon Platform.

“Software systems are going to continue to be decomposed into smaller moving pieces,” Collison continues. The networks that enable these systems “have to be very fast and very lightweight,” he says — two properties that are not readily attributed to modern commercial hypervisors.

At any rate, the die is now cast, and VMware’s bid to leverage its hypervisor to capitalize, one way or the other, upon a new architecture that would otherwise not require a hypervisor, has now been placed.