Joyent this week announced two open source initiatives that make it possible to securely deploy Docker containers without requiring the use of hypervisors.
New Linux Branded Zones (LXz) enable Linux applications, including those running in Docker containers, to run natively on a layer of secure OS virtualization without the need for a hardware hypervisor layer.
Meanwhile, Joyent also announced it has developed an extension to the Docker runtime engine that can run on the company’s SmartDataCenter private cloud service, which runs on bare-metal servers. Previously, Joyent supported only its own container implementation on its cloud service.
Joyent CTO Bryan Cantrill says that with Docker containers emerging as a de facto standard, Joyent sees a significant opportunity not only to host application development projects based on Docker containers, but also to host actual production applications.
Key to that capability is an operating system level implementation of Docker containers that makes sure those workloads run in isolation from one another, says Cantrill.
Cantrill says Joyent is betting that developers who build applications using Docker containers would much rather attain the higher performance of bare-metal servers than rely on hypervisors to access virtual machines, since hypervisors introduce both additional compute overhead and network virtualization complexity.
LXz, currently in beta, gives each container its own dedicated virtual network stack, Cantrill says, while an implementation of the ZFS file system is used to provide persistence across the cloud service.
Joyent Public Cloud users can now leverage the Joyent Container Service to provision and manage Docker hosts and containers in the Joyent Public Cloud. Features of the Joyent Container Service include a security gateway, private registries and integrated logging and monitoring of Docker containers and hosts.
In general, a fierce debate is emerging over where Docker containers can be deployed most securely. The challenge, contends Cantrill, is not to sacrifice performance in the name of security, but rather to provide a mechanism for achieving both without compromising either.