Understanding The Enterprise Advantages of Application Containerization, Part One: An Overview
FIRST IN A WHITE PAPER SERIES FROM ISACA
ABSTRACT
Application containers are transforming enterprises all over the world and, as a result,
their adoption is on the rise. Application containers allow data centers to deploy business
applications more rapidly, with reduced development overhead, lower costs, more efficient
use of resources and increased business agility. This business value is driving significant
gains in interest and market adoption of application containerization. In the first installment
in this white paper series, we examine the factors contributing to the popularity of this
innovation. In the second installment in this white paper series, we turn to the practitioners
and the risk management issues surrounding this innovation.
WHAT IS AN APPLICATION CONTAINER?
An application container is a mechanism that is used to isolate
applications from each other within the context of a running
operating system instance. Although it is experiencing a
renaissance currently, containerization is not a new concept.
In much the same way that a logical partition (LPAR) segments
multiple system resources in mainframes, a computing
environment employing containers segments and isolates
the underlying system services so that they are logically
sequestered from each other.
Note: Application containerization is very different from mobile containerization, which places enterprise data that are on a mobile device inside a container and applies security policies to the container to keep enterprise data protected and separate from the mobile device user's data. This white paper focuses on application containerization and does not discuss mobile containerization.
APPLICATION CONTAINER BENEFITS
Users expect applications to be always available, elastic,
scalable and interoperable.5 The application service must
always be available; therefore, the logical software component
needs to be independent from the underlying infrastructure.
If a machine is down, upgraded or moved, the application still
needs to be available. Application containers solve this problem
for developers: containers are easy to update and portable
1 Docker, The Evolution of the Modern Software Supply Chain: The Docker Survey, 2016, www.docker.com/survey-2016
2 Marks, Mano; Docker Hub Hits 5 Billion Pulls, Docker, 11 August 2016, https://blog.docker.com/2016/08/docker-hub-hits-5-billion-pulls/
3 Computer Hope, Chroot, 2016, www.computerhope.com/jargon/c/chroot.htm
4 Hogg, Scott, Software Containers: Used More Frequently than Most Realize, Network World, Inc., 26 May 2014, www.networkworld.com/article/2226996/cisco-subnet/software-containers--used-more-frequently-than-most-realize.html
5 Hykes, Solomon, Docker: The Need for a Cohesive Tooling Solution, Keynote Speech at New Relic's FutureStack14 Conference, 2014, http://thenewstack.io/the-new-stack-makers-docker-creator-solomon-hykes/
[Figure: Virtual machines versus containers. Virtual machines: App 1, App 2 and App 3, each with its own Bins/Libs and Guest OS, run on a Hypervisor on top of the Infrastructure. Containers: App 1, App 2 and App 3, each with its own Bins/Libs, run on the Docker Engine on top of a single Operating System and the Infrastructure.]
[Figure: Docker architecture. The client (docker build, docker pull, docker run) talks to the Docker host, where the Docker daemon manages containers and images; images are pulled from and pushed to a registry.]
7 Zeltser, Lenny, Security Risks and Benefits of Docker Application Containers, 1 December 2015, https://zeltser.com/security-risks-and-benefits-of-docker-application/
8 Docker, Build, Ship, Run, 2016, www.docker.com/
9 Docker, Docker Overview, 2016, https://docs.docker.com/engine/understanding-docker/
Docker includes:
Images: An image is a read-only template with a filesystem and parameters. Images are the Docker build component. Docker images are built from base images using instructions.
Registries: Registries are public or private stores that hold images. Images are uploaded to or downloaded from registries. The Docker Hub provides access to the public Docker registry. Registries are the Docker distribution component. When users build an image, they can push that image to a public registry, such as Docker Hub, or to their own registry that runs behind a firewall. Through the Docker client, users can search for published images and pull them down to their Docker host and use them to build containers.10
Containers: A container is a running instance of an image and holds everything the application needs to run. Containers are the Docker run component.
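As an added example (not from the white paper and not Docker's own documentation), the Dockerfile below shows how an image is built from a base image using instructions and how the image can be configured so that containers created from it do not run as root; the application directory, the user name and the registry hostname are assumptions.

```dockerfile
# Added example, not part of the ISACA paper: a minimal image definition.
# Assumptions: a hypothetical Python application in ./app containing app.py,
# and a private registry at registry.example.com (placeholder).

# Base image: every instruction below adds a read-only layer on top of it.
FROM python:3.12-slim

# Create an unprivileged account so containers built from this image do not
# run as root (the security consideration raised later for rkt applies to
# Docker images as well).
RUN useradd --create-home --shell /usr/sbin/nologin appuser

WORKDIR /home/appuser/app
COPY --chown=appuser:appuser app/ .

# Switch to the unprivileged user for later instructions and at run time.
USER appuser

# Parameters baked into the image: the process started when a container
# is created from it.
CMD ["python", "app.py"]

# Lifecycle from the Docker client (build -> push -> pull -> run):
#   docker build -t registry.example.com/team/app:1.0 .
#   docker push registry.example.com/team/app:1.0        # to the private registry
#   docker pull registry.example.com/team/app:1.0        # on a Docker host
#   docker run --rm registry.example.com/team/app:1.0    # a container from the image
# Check which account the image is configured to run as ("appuser" here;
# an empty value means the image runs as root):
#   docker inspect --format '{{.Config.User}}' registry.example.com/team/app:1.0
```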
Orchestration
Although containerization functionality is useful on its own, any
large-scale or distributed use of containers can be impracticable,
inefficient or challenging without the addition of ancillary tools
to support that usage. Therefore, application containerization
infrastructure often involves or includes cluster management
software, configuration management systems and monitoring
solutions that need to be installed, operated and scaled.
Architecting and managing the availability and scalability of
these systems can be difficult. Container orchestration integrates
and manages containers at scale. Container orchestration
tools are available that simplify container management and
provide a framework for deploying containers and managing
multiple containers as one entity, for availability, scaling, and
networking.11 These tools are described in the Orchestration
Tools section of this white paper.
Clustering
A cluster combines multiple engines and their capabilities
(container applications) and allows them to interface with each
other in a simple way. Clustering allows administrators and
developers to create a pool of engines that are container hosts
and scale out their applications as if they were using a single
engine.12 Most orchestration tools provide clustering capabilities.
OTHER CONTAINERIZATION PRODUCT EXAMPLES
This section describes some of the major application
containerization products that are available in the market today.
Note that this is not intended to be an exhaustive list because
innovation in this space is high. In addition to the Docker
platform, the following examples are useful for practitioners
to understand some of the more popular and prevalent
products that are related to application containerization.
Rocket (rkt)
rkt (pronounced and sometimes written as Rocket) is a
containerization platform that was developed by CoreOS (a startup that is backed by Google Ventures) as a direct competitor
to Docker.14 Rocket was built as an implementation of the App
Container (appc) container specification, which defines security
aspects of containers, operating parameters and the generic
services that containers should implement without reference to
the specific underlying implementation. Part of the impetus for
the development of Rocket was to allow the flexibility and speed-to-market advantages that are offered via containerization, but to
do so in a way that emphasizes certain security considerations
(specifically, allowing containers to be run under non-root
accounts) and that highlights a modular design approach.15
Kurma
Apcera released an open-source version of its Kurma project. Kurma is a container runtime that is built to the appc specification with a focus on making every system service, from clock syncing to log forwarding to console logins, run as a container.16
Note: CoreOS developed the appc specification to define a
standard application container. In June 2015, CoreOS joined
with other technical leaders to form the Open Container
Initiative, which is working toward a common application
container standard and format.
10 Ibid.
11 The Linux Foundation, 8 Container Orchestration Tools to Know, 2016, www.linux.com/news/8-open-source-container-orchestration-tools-know
12 GitHub, Inc., Working with Docker, 2016, https://github.com/Microsoft/HealthClinic.biz/wiki/Working-with-Docker
13 Rouse, Margaret and Kathleen Casey, Docker Swarm, TechTarget, November 2015, http://searchitoperations.techtarget.com/definition/Docker-Swarm
14 Willis, Nathan, The Rocket containerization system, LWN.net, Eklektix, Inc., 3 December 2014, https://lwn.net/Articles/624349/
15 Butler, Brandon, CoreOS launches Rkt: the container that's not Docker, Network World, Inc., 5 February 2016, www.networkworld.com/article/3030597/cloud-computing/coreos-launches-rkt-thecontainer-that-s-not-docker.html
16 Robertson, Ken, Apcera Open Sources New Kurma Project Built on App Container Specification, Apcera, 2 May 2015, www.apcera.com/blog/apcera-open-sources-kurma-project
Jetpack
Jetpack is an implementation of the appc specification for the
FreeBSD operating system. Note that a port of Docker is also
available for FreeBSD.17
Google Kubernetes
Kubernetes is an open-source system for managing
containerized applications across multiple Linux hosts and
provides the basic mechanisms for deploying, maintaining
and scaling applications.23 Kubernetes manages clusters
of containers. It can manage connecting and scaling
multi-container deployments across various container hosts.
Kubernetes allows a data center to orchestrate services
that are running in multiple hosts, into unified, large-scale
business applications.24
Kubernetes uses the following concepts (see figure 3):
ORCHESTRATION TOOLS
Container orchestration tools provide an enterprise-level
framework for integrating and managing containers at
scale. Container orchestration tools assist IT operations and
developers with managing container environments. Docker
Swarm and Google Kubernetes are two of the leading
container orchestration platforms. Other orchestration
solutions include Amazon ECS, Heat, Apache Mesos
and OpenShift.21 Google Container Engine is a container
orchestration system for running Docker containers on the
Google Cloud Platform.
To determine the orchestration tool that is right for a container
environment, Docker recommends that the following three key
features should be considered:
Performance: How fast can I get containers up and
running at scale? How responsive is the system when
under load?
[Figure 3: Kubernetes architecture. User commands from kubecfg pass from the Internet through a firewall to the master, which provides authorization and authentication, REST APIs (pods, services, replication controllers), the scheduler and scheduling actuator, the replication controller, the kubelet info service and distributed watchable storage (implemented via etcd). Each minion runs Docker, a kubelet, cAdvisor, a proxy and one or more pods.]
SOURCE: Shalom, Nati, Orchestration Tool Roundup: Docker Swarm vs. Kubernetes, TerraForm vs. TOSCA/Cloudify vs. Heat, LinkedIn Corporation, 21 May 2015, www.slideshare.net/giganati/orchestration-tool-roundup-kubernetes-vs-docker-vs-heat-vs-terra-form-vs-tosca-1
[Figure: A Docker Swarm cluster of three manager nodes and their worker nodes.]
SOURCE: Docker Core Engineering, Docker 1.12: Now with Built-in Orchestration!, 20 June 2016, https://blog.docker.com/2016/06/docker-1-12-built-in-orchestration/
31 Docker Core Engineering, Docker 1.12: Now with Built-in Orchestration!, 20 June 2016, https://blog.docker.com/2016/06/docker-1-12-built-in-orchestration/
32 Rouse, Margaret and Stephen Bigelow, Google Container Engine (GKE), TechTarget, 2016, http://searchitoperations.techtarget.com/definition/Google-Container-Engine-GKE
33 Ibid.
CONCLUSION
Containerization is an important and potentially game-changing technology for developers and data centers that
deploys business applications more rapidly, with reduced
development overhead, lower costs, more efficient use of
resources and increased business agility. New and unique
business opportunities can be engendered by the strategic
use of containers.
Like most new technologies, application containerization
presents some challenges, particularly emergent behaviors
at scale, possible new risk that is not present until containers
start moving into the production environment and threat
scenarios that are unique to the usage. The second white
paper in this series, Understanding the Enterprise Advantages
of Application Containerization: Practitioner Considerations,
discusses these challenges and the risk/value equation of
application containers, and provides practical guidance for
security, auditing and governance practitioners.
Provide feedback:
www.isaca.org/containerization
Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome.
Readers should apply their own professional judgment to their specific circumstances.
Reservation of Rights
© 2016 ISACA. All rights reserved.
ACKNOWLEDGMENTS
ISACA wishes to recognize:
Expert Reviewers
Board of Directors
Madhav Chablan
Christos K. Dimitriadis
Anuj Jain
Robert Clyde
Michael R. Lawrence
Nathan McCauley
Docker, USA
Sergiu Sechel
Dan Walsh
Theresa Grafenstine
Leonard Ong
Andre Pitkowski
Eddie Schwartz
Jo Stewart-Rattray
Tichaona Zororo
Zubin Chagpar
Jeff Spivey
Robert E Stroud
Tony Hayes
Greg Grocholski
Matt Loeb