InformationWeek | July 1, 2014

What Docker Needs From PaaS: Apprenda’s Take

Enterprise platform-as-a-service provider discusses Docker’s role in a future, developer-driven, Linux-container world.

Many observers see the emergence of Docker’s container format as disruptive to virtual machine systems. That will be true in some cases; others, not so much. But Docker is also likely to disrupt platform-as-a-service, says Rakesh Malhotra, VP of product at enterprise PaaS vendor Apprenda.

Malhotra has his eye on Docker developments, even though Apprenda is a Microsoft partner and the main PaaS system with built-in Windows and .Net compatibility. In April, Microsoft began hosting Apprenda on its Azure cloud service and linking to enterprise Apprenda users, even though Azure, in its first iteration, was also PaaS and continues to compete with Apprenda. Malhotra is the former product manager for Virtual Machine Manager in Microsoft Systems Center; he spent 10 years as a software executive inside Microsoft.

That makes it all the more impressive that Apprenda has decided to support Docker in a release that will be out before the end of the year. There is no direct equivalent to Linux containers in Windows, so of course Docker doesn’t run directly on Windows Server, although Malhotra says Windows APIs can be used to do some container-like things. Apprenda serves Java developers as well, and many Java apps are built to run under Linux.

Apprenda itself has been using Docker “for several months” because Malhotra recognizes that developers like what can be accomplished with it and it’s likely to be part of developers’ outlook in the future. The developer “momentum and excitement around containers is very real,” he tells us.

Virtual machine systems are a tool of IT governance. They come from IT and are good for managing datacenter resources. Developers, however, don’t need IT to put their finished code into a Docker container, and that means they can finish their workloads for various runtime scenarios without further intervention by IT.

“Why do developers flock to Docker?” asked Malhotra, then answered his own question: “It’s empowering. Instead of meeting with IT for servers and a software stack to run their application, you put it in a container. Developers like to get things done quickly. They’re not interested in meetings and other bureaucracy.”

Docker changes some of the things that developers do, and Apprenda can ease the difficulty of those changes on its PaaS system.

Some existing PaaS systems apply their own packaging and workload preparation as part of the final steps of producing an application on them, Malhotra notes. If they do, it will collide with the strict file format that Docker wants to impose. Apprenda does not do the packaging step. With the future release of Apprenda, Java developers will be able to turn their code over to Docker at the finish line to get a containerized version, capable of being deployed into various clouds or enterprise environments, without further IT or developer configuration.

A container-sensitive PaaS can also play a role in helping either the developers or the target operations group decide how much efficiency they want versus how much isolation and security they need. Linux containers are closer to a bare-metal way of running applications because they don’t each require their own version of an operating system; they use the host’s. But they’re still believed to be less secure than virtual machines.

In the future, a PaaS system will have “a sliding scale” of efficiency versus security, and where the workload falls on that scale will determine whether it will be finished as a container system or a virtual machine, says Malhotra. Because there are fewer barriers between containers, an active malicious agent on the same container host might be able to play havoc with other containers. Virtual machines are more severely cordoned off.

“Even the folks at Docker have been good about not over-promising on security. The only thing worse than no security is the illusion of security.”

At the same time, containers do away with the overhead associated with virtual machines. Not only do they not need a copy of the operating system, they also use only the memory they need, as opposed to being over-provisioned for comfortable operation. Because of that, they boot quickly and can be concentrated in the hundreds on four-way x86 servers. Joyent CTO Bryan Cantrill reports running 800 and says he “could run thousands” at a time.

Containers do other things as well, not all of them efficient in light of the way developers are used to doing things. “There’ll be trade-offs,” he warns.

For example, if a container connects to multiple services and applications outside itself, a developer may find that shutting down one of the services (say, a database server) and changing its IP address can jeopardize how the workload will run. The layers of software images in containers want to think of the IP address as immutable, and a whole series of connections may be misaligned if it changes.

What’s needed, says Malhotra, re-inserting the possible future role of PaaS into the discussion, is an outside service, like the DNS system on the Internet. The Domain Name System lets the physical location of a website change, but its address remains the same to users. PaaS can do that for containers, and Apprenda hopes to do it for many Docker users in the future.