
Re: [Publicity] Docker Open Source Container Virtualization on the Rise

On Wed, Feb 12, 2014 at 11:58 AM, Tzach Livyatan <tzach@xxxxxxxxxxxxxxxxxxxx> wrote:



On Tue, Feb 11, 2014 at 9:36 PM, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:
There does seem to be a really big push for containers, and I do think we need to think about how to get a counter-message out.

The basic facts are that containers probably are lower overhead, in terms of memory and cpu overhead, than virtualizing a full OS (though probably not for cloud OSes like OSv or Mirage -- particularly if running in PV or PVH mode on Xen).

But they are absolutely less secure than hypervisors.  The system call interface is much more porous than the hypervisor interface.  There have been dozens of Linux privilege escalation vulnerabilities through the system call layers over the years: any one of these vulnerabilities would give an attacker control of all containers on the system.

By contrast, Xen has had only one vulnerability that allows a guest to break into the hypervisor, and that due to a processor bug: and it only worked in PV mode, on Intel boxes.  I don't know what KVM's record is, but I'm sure it's similar.

So containers are completely inappropriate for a public cloud environment, where users who don't trust each other share the same hardware.  Nor are they appropriate if you want to make sure that successfully attacking one server cannot easily attack other servers.

The place where they make the most sense is in private clouds, particularly if there aren't any public-facing services, or if the public-facing services are lower value, where security is less critical than performance.

Just tossing this out there -- would it make sense at all to coordinate with KVM (or even VMWare) people about this?  Are RedHat or Canonical doing anything with containers?  I think the OSv guys should be on-side; particularly if it gives them an opportunity to make a case for their approach.

We are on-side!
Our own Glauber Costa (cc) gave a talk on the subject of HV vs containers, which can be found here: https://lwn.net/Articles/524952/
Some points to use from this are:
- The OS is traditionally bad at truly isolating basic resources like CPU and memory usage between groups of tasks
- Containers come with a price paid in complexity.
- HVs take advantage of continuous HW improvements (containers do not)

Glauber, feel free to add relevant points.


Hi

So that talk I gave was not really HV vs containers; it was more a containers overview from when I was working on the containers side.
When I joined Cloudius, I published the following text:
https://plus.google.com/107787008629542080430/posts/fgzsepcScTa

My main message was that an OS like OSv changes the game, because it bridges the duplication gap without giving up the rest. When I
published it, it reached a small audience because we had very few followers. If you have a broader channel, it would be good to broadcast
or link to it.

Other aspects for consideration: it really depends which audience we want to reach.
- For more sophisticated audiences, it is worthwhile to point out (although obvious) that using containers will restrict your ability to be in control
of your kernel (even talking cross-OS), and once you start using it, it's harder to maintain a heterogeneous environment. This makes it a no-go
for whoever is selling IaaS.

- The performance thing with containers is *not* true. They use cgroups, which are expensive. As much as I have succeeded in making that cost go down,
it is still expensive. We are doing benchmarks against Linux as a guest; maybe we should start looking at doing benchmarks against a container environment?

- I am following the follow-up to my work closely (kmemcg shrinking), and this is not yet complete in Linux. What it means is that it is still impossible
to properly control the kernel memory used by each container. It is still trivial for a malicious container to destroy everything. There are many other holes to plug,
and while they are there containers are particularly insecure.

The advantage of containers that we do need to be aware of is that they allow for greater flexibility of resource sharing. For instance, you can leave
all processes to use the disk and CPU freely, while they are restricted for memory only. This can be handy in some cases, but it is probably not that broadly
relevant.


Tzach



 -George


On 02/11/2014 07:08 PM, Sarah Conway wrote:
FYI,

Below is VARGuy coverage of the latest Docker release. (1.0 version is
expected in April.) With these new releases, supposedly Docker can now
"meet the demands of cloud computing and PaaS solutions." They are
positioning it as the next logical step for PaaS, pigeon-holing
hypervisors as only beneficial to IaaS.

The article goes on to say: "Unlike the virtualization hypervisors that
power most virtual servers today, Docker doesn't virtualize an entire
operating system. Instead, it provides virtualized application
containers that run on top of a "bare-metal" host operating system. By
virtualizing at the application level, Docker can offer greater
portability, efficiency and security."

http://thevarguy.com/virtualization-applications-and-technologies/021014/docker-open-source-container-virtualization-rise?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheVarGuy+%28The+VAR+Guy%29

An article from Dec. 2013:

http://www.networkworld.com/community/blog/containers-new-hypervisors

Some additional messaging from their web site:

Seven months after launching, the Docker ecosystem is expanding rapidly:
Docker has been downloaded over 200,000 times, has received over 7,500
Github stars, and is receiving contributions from more than 200
community developers. Over 2,500 "Dockerized" applications are now
available at the Docker public index, and third party projects and
partnerships built on top of Docker span PaaS, operating systems,
hosting services, CI platforms, and more. Over 50 user-created case
studies are available from companies such as eBay, Cloudflare,
Rackspace/Mailgun, Yandex, Cambridge Health Care, and RelateIQ.

I suggest we finesse our messaging against container technologies like
Docker, which are gaining traction in the press right now. Feedback from
the AB on this point would be appreciated. It will likely be a question
that comes up in the near future. We could also try to piggy-back any
Docker 1.0 coverage that might be coming out in the April timeframe,
offering reporters a counter opinion/view on containers vs.
virtualization, etc.


_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity

