
DATA CENTER HANDBOOK APRIL 2017

A fresh approach is needed to manage containers properly

In this handbook:
Editor’s Letter
What admins need to know to master containerization technology
Docker container management renews appeal to enterprises
Container support grows to combat security issues

To manage and monitor containers, understand their peculiarities

PHIL SWEENEY

A good IT operations team is primed to worry about an application’s availability
and performance. It’s a fundamental concern in every hour of every day. So
when containers begin to deliver apps, an IT team needs to implement new
methods to monitor containers -- and to adjust to new ways of worrying.

Container technology brings advantages to an IT infrastructure, particularly
with improved use of resources. The value of containerization, at least from
a technology point of view, is mostly clear by now. What holds back adoption
is uncertainty over how to work with and monitor containers. They come in
different formats. They are built through different methods. They behave in
different ways. They require a management approach that is, yes, different.

Momentum behind containerization is building. A recent report from 451
Research pegged spending in the application container segment at $762
million in 2016; by 2020, that figure is projected to jump to $2.7 billion.

That kind of growth suggests containers are destined to find a place in plenty
of IT shops, which makes learning about them -- and how to manage them --
an IT priority. This handbook tackles that mission, beginning with an overview
from IT consultant Alastair Cooke on the best ways to manage and monitor
containers -- either through native tools or emerging third-party products.
There will be plenty of new tasks for IT admins to consider in a container
environment. Also included are discussions of how Docker is adjusting its
management tools and how container security is evolving as adoption begins
to pick up.

What admins need to know to master containerization technology

ALASTAIR COOKE

Containers have inserted themselves into the IT conversation, and their
usefulness is being discussed in ever-widening circles. While adoption
has been limited so far, it seems clear that 2017 is going to see a lot more
production deployment of applications in containers. Deploying anything into
production, of course, is when the operations team gets involved -- and they’re
going to have questions.

There are plenty of issues to consider when it comes to management of
containerization technology. These include how to handle dependencies in
files and the role microservices may or may not play in your cloud strategy. To
be sure, there’s a learning curve.

DevOps brought the idea that developers should support production. The
reality is that developers need their sleep, and it’s the operations team that
looks after production at all hours of the day and night. Operations teams will
need to understand the impact of these new containerized applications, and
they are the ones expected to resolve availability or performance issues.

Also, an IT organization might need new tools to monitor and manage
containers. Containers, based on how they are used, can have important
operational impacts on an IT organization. To properly manage
containerization technology means admins must take these factors into
consideration and figure out a plan to make it all work.

MANAGE APPLICATIONS AND DEPENDENCIES

Sometimes containers are just a way to package and distribute an application.
When an existing application becomes distributed as a Docker container, for
example, that packaging is essentially the special value that Docker provides
-- although it’s not the only reason to use Docker or containers. Containers
existed before Docker, which is used to create containers in a structured and
controlled way.

In some cases, the container simply wraps up the application and its
dependencies. The container is then run on a server. The magic of Docker is
to wrap all of the application’s dependencies into a Docker image and have
a single text file (Dockerfile) that describes how to create the image. With
this existing application model, each server may run just one instance of the
container -- just like the server used to run one instance of the application.

It’s fairly simple to monitor and manage this use of containers: continue
to monitor and manage the server. The admin can still see the application
processes on the server, along with resource usage.

In some ways, this is even simpler as there is no need to check that the
server has all of the application’s prerequisites. These prerequisites include
the correct version of Java or the appropriate Python libraries. All of these
dependencies are in the Docker image and controlled by the Dockerfile.

It might not be necessary to install and maintain Java on the server. But you
should have some control of these Dockerfiles and ensure that the Docker
images contain components that are up to date. Rather than update or patch
the Java on the server, you need to update the Dockerfile and build a new
Docker image.

One new operational task may be to scan the Dockerfiles for vulnerabilities.
A Dockerfile may direct the installation of vulnerable or unsupported
components into the image. It may also be necessary to implement policies
about the maximum allowed age of a built Docker image. The versions of the
dependencies are fixed inside the image and can only be updated by building a
new image.
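One way to automate the two checks described above: an image-age policy applied to `docker image inspect` output, and a Dockerfile check for base images that are not fixed to a version (a narrow stand-in for a full vulnerability scan). This is an added example, not code from the handbook or from Docker; the 90-day limit, image names, IDs and sample data are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

MAX_IMAGE_AGE = timedelta(days=90)  # assumed policy threshold, not from the handbook

# Constructed sample of `docker image inspect` output (names and IDs are made up).
SAMPLE_INSPECT = """[
  {"Id": "sha256:0001", "RepoTags": ["billing-api:1.4"],
   "Created": "2016-09-02T08:15:42.123456789Z"},
  {"Id": "sha256:0002", "RepoTags": ["web-frontend:2.0"],
   "Created": "2017-03-20T11:00:00.5Z"}
]"""

# Constructed sample Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM maven:3.3.9-jdk-8 AS build
COPY . /src
FROM openjdk:latest
COPY --from=build /src/target/app.jar /opt/app.jar
"""

TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?(Z|[+-]\d\d:\d\d)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)


def parse_created(ts):
    """Parse the RFC 3339 'Created' field; Docker's sub-second digits are dropped."""
    m = TS_RE.fullmatch(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    stamp, zone = m.groups()
    return datetime.fromisoformat(stamp + ("+00:00" if zone == "Z" else zone))


def stale_images(inspect_json, now, max_age=MAX_IMAGE_AGE):
    """Return (name, age_in_days) for each image built more than max_age ago."""
    findings = []
    for image in json.loads(inspect_json):
        age = now - parse_created(image["Created"])
        if age > max_age:
            # Untagged images have an empty RepoTags list; fall back to the ID.
            name = (image.get("RepoTags") or [image["Id"]])[0]
            findings.append((name, age.days))
    return findings


def unpinned_bases(dockerfile_text):
    """Return FROM references with no tag, or with the floating 'latest' tag."""
    findings, stages = [], set()
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # Earlier build stages, 'scratch' and digest-pinned images need no tag.
        if not (ref.lower() in stages or ref == "scratch" or "@sha256:" in ref):
            _, colon, tag = ref.rpartition(":")
            # A '/' after the last ':' means the colon was a registry port.
            if not colon or "/" in tag or tag == "latest":
                findings.append(ref)
        if alias:
            stages.add(alias.lower())
    return findings


if __name__ == "__main__":
    now = datetime(2017, 4, 1, tzinfo=timezone.utc)  # fixed so the run is repeatable
    for name, days in stale_images(SAMPLE_INSPECT, now):
        print(f"STALE    {name}: built {days} days ago")
    for ref in unpinned_bases(SAMPLE_DOCKERFILE):
        print(f"UNPINNED {ref}")
```

An image flagged by either check is a candidate for a rebuild from an updated Dockerfile, since that is the only way the components inside it change.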

CONTAINERIZATION TECHNOLOGY IS DYNAMIC

Sometimes containers enable microservices architecture. This makes them a
whole new way to assemble applications.

Containers can be started and stopped much faster than VMs. Starting
another container typically takes a fraction of a second. A single server can
run multiple containers at once, with some isolation between the containers.
In applications built in the microservices way, containers will be far more
numerous and often short-lived. The application is broken into small parts
-- microservices -- and will have a Docker image for each of the dozens of
small parts. Each microservice can scale in and out by creating or destroying
containers.

This is a far more dynamic environment than the monolithic applications that
admins are used to managing. The underlying servers can still be monitored
with your normal tools, but the containers themselves are too volatile for these
tools.

A single container may only live for a few seconds. New tools will be required
to manage and monitor these microservices applications in production.
Hyperscale vendors such as AWS have built their own tools to manage their
fleets of containers. Large organizations are more likely to use tools from
providers such as New Relic and Datadog to monitor their container fleets.

SCHEDULERS, TOOLS MAKE A DIFFERENCE

An essential part of DevOps is to have automation around all parts of the
application, which includes the many containers. This is where schedulers
play their part: to make sure that the right number of each container is running
and healthy. The scheduler may be something container-specific such as
Kubernetes or a more general-purpose scheduler such as Apache Mesos. It
might even be Kubernetes and Mesos together.

The automation reduces the amount of manual intervention required to
monitor and manage the application. Management should be based on setting
policies for the application. The scheduler simply implements the policies.

Deploying monolithic applications into production with containerization
technology may mean only a small change to the management and monitoring of
those applications. If the applications are broken up into microservices and
require a scheduler, then there will be far more significant operational changes.

While it is still early in the development of the operational tools for fleets of
containers, there are a lot of tools being built for container management.

Successful operations of microservices applications will need new tools and
methods for operations teams.

Docker container management renews appeal to enterprises

BETH PARISEAU

Docker Inc. revamped its licenses and release cycles this week, which could
boost its appeal as it rides a wave of mainstream enterprise container adoption
expected this year.

Docker has pledged to slow and regulate updates to the Docker container
platform, now split into two editions: the free and open source Community
Edition, which will be updated every four months, and the Enterprise Edition,
which will be updated every 12 months with security and critical bug fixes, as
needed.

Docker Enterprise Edition comes in three flavors: Basic, Standard and
Advanced, each of which includes support from Docker. Standard and
Advanced editions include the Docker Datacenter container orchestration
tool. Enterprise Edition Advanced also includes image scanning and security
vulnerability monitoring.

The Enterprise Edition starts at $750 per node, per year for business-day
support on Docker Enterprise Edition Standard. At the top level of the Docker
container management pricing packages -- which costs $3500 per node, per
year -- the minimum support response time is two hours, and the package
caps the number of support contacts at eight, according to Docker’s pricing
page. Analysts foresee this being the subject of price negotiations with larger
enterprises that may need faster responses or more people to handle them.

DOCKER DATACENTER SEEKS LEG UP IN BUSY MARKET

Experts said the licensing change is an opportunity for Docker to promote
Docker Datacenter amid a nascent and volatile market, where many container
management tools compete for the same enterprise audience. As a result, it
can be difficult for any one product to stand out.

“It should help boost their market share,” said Robert Stroud, an analyst with
Forrester Research. “We don’t hear much about Docker Datacenter at all. At
the same time, inquiries about container orchestration and management tools
have sharply increased.”

IDC analysts do get inquiries about Docker Datacenter specifically, said Gary
Chen, an analyst at the market research firm. But sales for all orchestration
platforms are slow, as enterprises are still becoming acquainted with core
container platforms, such as Docker and CoreOS rkt.

Here, Docker Enterprise Edition can raise Docker Datacenter’s profile,
said Brandon Cipes, managing director of DevOps at cPrime Inc., an Agile
consulting firm in Foster City, Calif.

“[Docker Enterprise Edition] gives them a chance to start working on more
regular revenue streams and forge a path toward larger clients in need of more
reliable support,” Cipes said.

Docker Datacenter’s features are well-aligned with the balance enterprises
seek between completely do-it-yourself “erector sets” and highly specific
platform-as-a-service (PaaS) offerings, added Dennis Smith, an analyst with
Gartner.

“A lot of my clients are not eager to go the full-blown PaaS route, nor do they
have the expertise to build it themselves from scratch,” Smith said. “Over the
next 18 months, we’re going to see more clients going with production-level
deployments, and Docker Datacenter is well-positioned there as a middle
ground.”

Docker Datacenter also gives enterprises one commercial vendor on which to
focus, as opposed to a fragmented ecosystem of multiple vendors that offer
variations of Google Kubernetes, IDC’s Chen said.

Docker’s newly unveiled partner certification program also seems an attempt
to tame a confusing ecosystem of competing products, Docker users said.

“Both the ability to have images certified, as well as being able to readily
identify tested and compliant images, is critical to building trust and
confidence in the Docker ecosystem,” said E.T. Cook, chief advocate at
Dallas-based consulting firm etc.io, which works with enterprises to deploy
containers. “It brings a bit of sanity to an ecosystem that, at times, can seem
like the Wild West.”

Cook said he was excited to see a partnership with Microsoft that includes
Docker Enterprise Edition licenses in Windows Server 2016.

Some highly regulated and security-conscious enterprises with large IT
infrastructures might find the Docker container management platform’s
12-month enterprise lifecycle too short to incorporate the often major changes
that tend to come with each Docker release, Cook said. Other enterprise
support licenses for open source software, such as Red Hat Enterprise Linux,
may last as long as a decade.

However, more rapid changes and upgrade cycles are the way of the world
now as DevOps hits the enterprise.

“Things are a bit faster than they were going back a decade or so ago,”
Gartner’s Smith said. “Twelve months is pretty normal now.”

Beth Pariseau is senior news writer for TechTarget’s Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.

Container support grows to combat security issues

JIM O’REILLY

Containers are among the hottest items in IT today. The concept behind
containers is simple: You can build virtual instances that share an OS. This
comes with a number of benefits, including faster spin-up time, a lower
memory footprint and an expansion of a server’s operating capacity.

While there are some downsides to using containers, the last year has seen
some major improvements to this rapidly evolving technology, with more and
more vendors offering container support. The first concern was security;
since containers share an OS, they don’t offer the same hardware-emulated
partitions as VMs. In order to combat this, many administrators run containers
inside VMs, which provides an additional layer of isolation. This approach
segregates different parts of a tenant environment, which may increase
security and control.

This container security approach does, however, increase the overall footprint
and may reduce agility, so the industry is looking to thin hypervisors, such as
Intel’s Clear Containers or CoreOS, and even bare-metal container products.
This approach to security will evolve throughout 2017, providing users with
very secure, very lean container environments. Ideally, this will lead to an
increase in container adoption over the next few years.

Containers already offer great advantages for edge applications, such as
web servers. However, shared network storage challenges remain a problem,
preventing organizations from containerizing some complex applications.
Products like Flocker from ClusterHQ help address this problem, and
container technology continues to evolve.

Intel has developed a series of additions to their core CPU architecture to stop
cross-tenant access in virtualized environments. Unfortunately, these can’t
separate the tenants in containers. A common resolution to this problem is to
layer a hypervisor on bare-metal and give each tenant one or more VMs, each
isolated from other VMs by hardware. Tenants can build up as many containers
as they want within the VM.

INTEL CLEAR CONTAINERS


Although running containers on a hypervisor resolves security issues, it comes
at the price of an extra layer of complexity and management, which could
potentially translate to lower memory efficiency. Hypervisor instances also
take much longer to start up than containers. Intel developed Clear Containers
to address this problem and to make the container approach faster and more
memory-efficient.

Clear Containers use the containers within a VM approach, but offer a much
faster startup time, and drastically reduce the hypervisor footprint, thanks
to their fast and lightweight hypervisor, QEMU. Intel estimates that Clear
Containers can start up in a matter of microseconds, which is comparable
to containers, and much faster than the typical hypervisor. Clear Containers
also optimize shared memory through kernel same-page merging and direct
access bypassing of the page cache. Clear Containers currently only support
Linux hosts.

MORE VENDORS GET IN ON CONTAINER SUPPORT


Microsoft offers strong container support. The company has had a close
partnership with Docker since 2014, and it delivers Hyper-V-based containers
in Windows Server 2016. There are some limitations to this offering: There
is no support for Active Directory membership for containers, and dynamic
addressing for networks is standard. Azure also offers container support, and
we can expect the Azure Pack product for private clouds to provide support.

VMware came late to the cloud game, but is notably more responsive when it
comes to containers. VMware built support for containers into vSphere 6.5.
vSphere Integrated Containers (VIC) aim to address the lack of control over
container instances within an ESXi instance by nesting each container within a
VM.

Unfortunately, VIC is far more complex than other container offerings, which
means it has a slower container spin-up time.

KUBERNETES
Kubernetes has gained a lot of support as a tool for creating containers in
hybrid clouds because of its portability. It’s ported to OpenStack and has
support from companies such as IBM, Red Hat, VMware and Huawei. Amazon
Web Services (AWS) and Azure will likely offer support for it in the near future,
setting Kubernetes up to be the lingua franca of the container world.

OTHER CONTAINER ENVIRONMENTS

There are many other tools for the hybrid or private cloud. Mesosphere
Marathon and Apache Mesos are used with Azure and have strong credibility
as a result. CoreOS Fleet and Cloud Foundry Diego are also good alternatives.
With the evolution of containers moving at breakneck speed, the features
of these tools tend to shift rapidly, so determining your best approach for
production requires some hands-on testing.

TOOLS FOR OTHER TASKS


There are good tools for building container images, such as Docker Hub and
VMware Harbor, and for automating update distribution to keep all the virtual
instances in sync, such as VMware Admiral. It’s best to build images in layers,
keeping the OS, definitions, runtime tools and apps separate, as this makes
updating easier.

Finally, remember that containers are intended to be cheap, lightweight and
plentiful. Be sure to run only one app in each container and to keep extraneous
tools and other junk out.

CONTAINERS AND THE CLOUD

Major cloud service providers have embraced containers. Running containers
internally can help improve service provider efficiency, which could be passed
down to customers in the ongoing cloud price wars.

If you’re interested in trying out containers, the public cloud is a great place
to start because the cost and risk are relatively low. Companies like AWS,
Microsoft and Google already offer strong container support. AWS has EC2
Container Services (ECS), which comes with a broad set of tools, including
CloudFormation, EC2 Container Registry and Docker, among others. ECS
supports continuous delivery.