
Docker: when do I need to place a container in a virtual machine?


Application containers offer high speed and efficient resource utilization, but they lack the isolation that virtual machines provide. So today I want to talk about running Docker inside a VM, specifically with the open-source QEMU/KVM project.

Without diving deep into the specifics of the various container technologies, Docker can briefly be described as a fast and dynamic solution that lets you instantly run millions of containers with specific applications. Docker offers everything you need to run pre-built software with its related components, but many still worry about the security of such workloads. The problem is that Docker is still a very young solution, and not all of its "childhood problems" have been solved. When you run multiple Docker environments on one machine, an attacker can technically gain access to one user's resources by compromising another user's container. Clearly, this is not good.
Docker inside QEMU

Inside Docker, isolation is implemented today by means of Linux namespaces, but the reliability of this approach is still in doubt. Therefore a fairly common practice is to run the container inside a virtual machine. As a rule, QEMU is chosen, because it is one of the most popular open-source virtualization projects. Inside the QEMU virtual machine, a single user's containers are then run. Thus we find a compromise between security and speed: users are reliably isolated from each other, while one owner's applications, running in a container environment, still run fairly quickly.
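The two boundaries the paragraph contrasts can both be inspected from inside a Linux guest: namespace isolation shows up as distinct inode numbers under /proc/&lt;pid&gt;/ns, and a QEMU/KVM guest kernel reports the "hypervisor" CPU flag in /proc/cpuinfo. The following script is an added example, not code from the original post or from Virtuozzo; the file paths are the standard procfs ones, and the function names are my own.

```shell
#!/bin/sh
# Added example: report which isolation boundaries surround the current process.
# Linux exposes the CPUID hypervisor bit as the "hypervisor" flag in /proc/cpuinfo,
# and each namespace a process belongs to as a symlink such as "pid:[4026531836]"
# under /proc/<pid>/ns.

# Print "vm" if the given cpuinfo file lists the hypervisor flag, else "bare-metal".
virt_from_cpuinfo() {
    if grep -qE '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"; then
        echo vm
    else
        echo bare-metal
    fi
}

# Count how many of the six classic namespace kinds two processes share, given
# their /proc/<pid>/ns directories. Equal symlink targets mean the same namespace;
# a "container" that shares all six with PID 1 has no namespace isolation at all.
# Entries that cannot be read (e.g. PID 1's namespaces as a non-root user) are skipped.
shared_namespaces() {
    a="$1"; b="$2"; n=0
    for ns in mnt pid net ipc uts user; do
        ta=$(readlink "$a/$ns" 2>/dev/null) || continue
        tb=$(readlink "$b/$ns" 2>/dev/null) || continue
        [ "$ta" = "$tb" ] && n=$((n + 1))
    done
    echo "$n"
}

# Summarise the boundary for the current shell: is there a hypervisor underneath,
# and how many namespaces does it share with the visible init (0 = fully separate).
isolation_report() {
    echo "hypervisor: $(virt_from_cpuinfo /proc/cpuinfo)"
    echo "namespaces shared with PID 1: $(shared_namespaces /proc/1/ns /proc/$$/ns)/6"
}

if [ "${1:-}" = "--run" ]; then
    isolation_report
fi
```

Run it inside a container with `sh isolation.sh --run`: "bare-metal" together with a high shared count means the container relies on namespaces alone, which is exactly the situation the VM layer is meant to avoid.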

Chasing speed


However, as the number of containers grows, this compromise starts to become a problem, so developers have begun actively working on it. The community now has several technologies aimed at the real question: raising the performance of the more secure environments in which Docker runs.

For example, ClearLinux is a proprietary Intel distribution designed not only for the Intel architecture ecosystem but also for enhanced Docker support. ClearLinux lets you customize the "layers", the individual file-system components from which the root directory of a Docker container is assembled. This significantly increases the efficiency of working with the hypervisor. The solution is very promising, but, of course, it shows its main advantages only on Intel hardware.

Another option is to use a Unikernel. Specially prepared OS images reduce the performance cost of having a full OS kernel in the guest VM (the one in which Docker runs). These purpose-built lightweight kernels of various operating systems, with a constrained address space, are proven, supported, production-ready solutions optimized for particular applications. If a Unikernel has already been created for the application you need to run in Docker, you can use VM isolation with much greater efficiency.

We at Virtuozzo also continue to follow the evolution of Docker and offer our own solution to this problem. The Virtuozzo-based KVM hypervisor not only allows lightweight VMs but also supports a number of optimizations for launching Docker containers. In addition, lightweight VMs on OpenVZ and commercial Virtuozzo add backup features and additional security monitoring on top of KVM's capabilities, helping to protect the Docker ecosystem running inside the VM.

Docker support becomes necessary


Although today we are talking about improving Docker security by using a VM or lightweight VM as an intermediate layer, in the near future the community will be working not only on improving the performance of the VM as a separate isolation layer, but also on launching Docker containers directly on top of the hypervisor.


In the Virtuozzo ecosystem, we generally view Docker as one of the possible options for running workloads in a common virtual environment, alongside lightweight virtual machines and traditional virtual machines (based on different operating systems). Today, active work is underway to expand support for Docker-adjacent services such as Hub, Compose, Kubernetes, Flocker, libnetwork, various security checks, etc.

Thus, thanks to the Docker team's own efforts, the various projects that optimize the efficiency of intermediate VMs for launching Docker, and Docker's prospective support at the hypervisor level, Docker application containers will soon be able to claim a decent level of security without compromising speed, which is Docker's main advantage.

Source: https://habr.com/ru/post/313614/
