Containers, Speed, and Security

Though I decided not to use Linux containers, I like the technology a lot. Everything I have read seems to indicate that containers/zones are faster and more resource efficient than VMs. The engineers at Joyent frequently write articles about the speed and efficiency of their Solaris zone based solution.  They are not a disinterested party but I have no reason to doubt their claim tsince I have read similar articles about Linux containers. For example, the HFT company Lucera choose SmartOS to host its trading software because of performance, and performance is a critical requirement for HFT.

I want to use containers. The reason I don’t is because their security model does not seem as mature as the one used by VMs. It is simply not possible, as far and I am aware, to implement a formal OS hardening scheme on a container. Does this mean that containers have a higher incident of attack? I don’t know. I was unable to find any data or research on the topic. My guess is they probably do not suffer from a higher incident of attack. I did find this fascinating post on Solaris 11 read-only zones. I imagine an approach like this would greatly enhance security.

As always, the choice of a technology is one of priorities. If speed and resource efficiency are your priorities then containers/zones are a good choice (unless you are running Hadoop which seems to run better on bare metal than virtualized.) If security (especially formal or regulatory security) is your highest priority then VMs are a good choice.

The OS choice represents a similar tradeoff. Solaris/SmartOS zones provide a more mature and powerful implementation than their Linux equivalent. Whether to run Solaris or Linux depends on the skills of your IT staff. Other facor include the ability to hire staff. Depending on your geographic location this may or may not be an issue.

The choice of any software product must ultimately be a business decision rather than a technology one. As in the case of DSLs the problem of sub-optimization exists here too. IT is an environment which should be optimized as a whole not by its parts. This often means choosing the worse of two technologies. On the other hand, you may want to accept some risk and choose a technology that gains you a competitive edge. This is where a well thought out business case is essential.





Categories: Management, Security


Share Your Ideas

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: