Granted, I got this from Guido Appenzeller, who’s the CTO of VMware’s networking and security business unit. Those topics come up a lot with him.
The point is that VMware, which keeps saying it doesn’t view containers as a threat, is backing up those words with some container support. There’s one theory that containers could eventually supplant virtual machines — VMware’s bread and butter — as the vehicles for deploying applications, but VMware thinks the two will coexist.
VMware’s contention is that containers by themselves still aren’t adequate for production environments. In those cases, it’s more appropriate to be running containers inside of virtual machines, VMware argues.
While that conviction happens to fit VMware’s business interests, Appenzeller says it’s also backed up by enterprise behavior.
“In the enterprise, we’re going to typically see containers running inside of VMs for the time being. I don’t think that’s sunk in with everyone yet,” he said during a conversation at June’s Open Networking Summit.
The following week, VMware would shower further love on containers by announcing Project Bonneville, which extends vSphere hosts to become hosts for Docker containers as well. That followed VMware’s April release of a container-friendly Linux distribution called Project Photon and a security initiative called Project Lightwave.
Another Security Play
Security is one reason why enterprises are adopting the containers-plus-VMs strategy, Appenzeller claims.
That’s what he found when he first encountered enterprises running containers inside of virtual machines, which by definition run on hypervisors. “My first reaction was, ‘Clearly you guys are doing it wrong,’” Appenzeller said, referring to the number of pieces involved. “If you talk to them a little bit more, they’re saying it’s just a better way of deploying this for security purposes.”
Containers’ security weakness is that applications share the Linux kernel, Appenzeller said. “The downside is that if you can find a root exploit — something that gets to root-level privileges on that machine — you can hop from one container to the next.”
So, VMware is seeing some enterprises use virtual machines as isolated security zones, using one virtual machine for development containers and another for production containers, for example. “They want the hypervisor underneath to make sure that if somebody breaks into the container host, they’re not directly on the network. You can still sandbox them,” Appenzeller said.
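The shared-kernel argument above raises two questions a practitioner should be able to answer for a given host before relying on namespaces alone as a security boundary: what a “root” inside a container can actually reach, and which workloads would be inside the blast radius if that one kernel were exploited. The script below is an added example, not code from the article, VMware or Docker. It decodes the CapEff mask from /proc/<pid>/status into capability names and flags the ones that reach past the container into the kernel or host, and it groups workloads by the kernel boot_id they report (workloads that report the same /proc/sys/kernel/random/boot_id run on one kernel; workloads in different VMs report different ones). The workload names and boot_id values are constructed sample data; the Docker default mask is the capability set Docker grants an unprivileged container root.

```python
"""Triage helpers for the "containers share the kernel" argument.

Added example, not code from VMware, Docker or the article. Two checks to run
before trusting namespaces alone as a security boundary:

  1. decode a process's effective capability mask (the CapEff line in
     /proc/<pid>/status) to see what a "root" inside a container can reach;
  2. group workloads by the kernel boot_id they report. Workloads that report
     the same boot_id share one kernel, so a root exploit in any one of them
     reaches all of them. Containers in separate VMs report different boot_ids,
     which is the isolation the article's enterprises are buying.

The boot_id values and workload names below are constructed sample data.
"""
from collections import defaultdict

# Capability bit positions from include/uapi/linux/capability.h (bits 0..37).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# Capabilities that let a process reach past its namespaces into the shared
# kernel or host (load modules, raw device I/O, mount, ptrace, reconfigure
# the network, read any file). Any of these inside a container is a finding.
# A kernel bug needs none of them; against that, only the hypervisor helps.
KERNEL_REACHING = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
                   "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT"}


def decode_caps(cap_hex):
    """Return the set of capability names for a CapEff/CapBnd hex mask."""
    mask = int(cap_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def cap_eff_from_status(status_text):
    """Pull the CapEff mask out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


def risky_caps(cap_hex):
    """Kernel-reaching capabilities present in the mask, sorted for display."""
    return sorted(decode_caps(cap_hex) & KERNEL_REACHING)


def blast_radius(readings):
    """Group workloads that share a kernel.

    readings: iterable of (workload, boot_id) pairs, where boot_id is the
    content of /proc/sys/kernel/random/boot_id as read from inside the
    workload. Returns {boot_id: sorted list of workloads}.
    """
    groups = defaultdict(list)
    for workload, boot_id in readings:
        groups[boot_id.strip()].append(workload)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample data, modelled on the VM-as-security-zone layout in the
# article: dev containers in one VM, prod containers in another.
SAMPLE_READINGS = [
    ("dev-web",  "11111111-1111-4111-8111-111111111111"),
    ("dev-db",   "11111111-1111-4111-8111-111111111111"),
    ("prod-web", "22222222-2222-4222-8222-222222222222"),
    ("prod-db",  "22222222-2222-4222-8222-222222222222"),
]

# Docker's default effective capability mask for a container root (the value
# CapEff shows for a process in an unprivileged container) versus an
# unrestricted root holding all 38 capabilities.
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"
FULL_ROOT_CAPEFF = "0000003fffffffff"

if __name__ == "__main__":
    # On a Linux host, also inspect this process's own status and boot_id.
    try:
        with open("/proc/self/status") as f:
            own = cap_eff_from_status(f.read())
        with open("/proc/sys/kernel/random/boot_id") as f:
            print("this kernel's boot_id:", f.read().strip())
        print("own kernel-reaching caps:", risky_caps(own))
    except OSError:
        pass
    print("docker default root:", risky_caps(DOCKER_DEFAULT_CAPEFF))
    print("unrestricted root:  ", risky_caps(FULL_ROOT_CAPEFF))
    for boot_id, members in blast_radius(SAMPLE_READINGS).items():
        print(boot_id, "->", members)
```

Run inside each container (or feed it the CapEff line and boot_id collected by an agent) and the output tells you two things the article's argument depends on: whether “root in the container” holds any capability that reaches the shared kernel without needing a bug, and which workloads a single kernel compromise would expose. If every container reports the same boot_id, the VM boundary the enterprises in the article describe is not there.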
It’s similar to the way that security became a selling point of VMware’s NSX network virtualization. The microsegmentation provided by the platform happens to isolate traffic flows from one another, which is what some enterprises want as a security measure.
Bringing IP to Docker Containers
VMware is also working with Docker Inc. to bring better networking to containers, Appenzeller said. Docker comes with some rudimentary networking that doesn’t involve IP addresses, an omission that should be corrected to make container networking more practical for production environments, Appenzeller said.
IP addresses would be necessary for doing things like attaching a firewall to an application, he said. That task requires an endpoint that has an IP address.
“It’s about figuring out what the architecture looks like, but also making sure you have a pluggable model for your network drivers,” Appenzeller said. “There’s no way Docker is going to ship out-of-the-box with full NSX integration. That wouldn’t be a fit for them. What we need is similar to what OpenStack has: a plug-in interface where you can plug your networking solution into the container framework.”
Docker Inc.’s own networking efforts are being aided by the team from recently acquired SocketPlane. “They’ve helped Docker to take their idea of networking to the next level. I really like those guys,” Appenzeller said.
And some of those people have been working with members of VMware’s Open vSwitch team on the Open Virtual Network (OVN). That project’s goal is to create network abstractions, such as Layer 2 or Layer 3 constructs or security groups, atop a set of virtual switches.
A “lightweight virtual networking control plane” is how Appenzeller described it. They’ve gotten OVN to run on top of containers now, and the project was the subject of a demo at the recent OpenStack Summit, he said.