With its latest project, Joyent joins the ranks of vendors offering large-scale answers to Docker's problems: a way to run containers directly on bare metal, without the extra management layer and technological hassle that come with VMs.
The Triton Elastic Container Infrastructure is built on Joyent's open source SmartOS operating system and can be installed on anything from a developer's notebook to an entire datacenter's worth of servers. Instead of managing containers by way of VMs, Triton uses the native containerization facilities of SmartOS (an illumos distribution descended from OpenSolaris, not Linux) to provide what Joyent CTO Bryan Cantrill described as "the best possible infrastructure substrate" for containers.
To run containers, Triton provides its own implementation of the Docker API, with full support for the stock Docker client and the growing roster of orchestration tools that speak that API. Networking between containers and to the outside world is also handled directly by Triton; each container receives its own IP address, either public or private.
On top of that, as Cantrill noted, Triton presents every machine in the data center to the Docker client as a single endpoint. To containers, "we just look like one large Docker host," said Cantrill. "[And] anything that talks to a Docker host, can talk to the [entire] data center."
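Because the endpoint speaks the Docker API and hands each container its own routable address, the usual `docker inspect` output is enough to audit which containers ended up on public rather than private addresses. The script below is an added example, not Joyent's or Docker's code; it assumes the endpoint returns the standard `NetworkSettings.IPAddress` field, and the container names and addresses in the embedded sample are constructed for illustration (203.0.113.0/24 is documentation space standing in for a real public address).

```python
"""Audit which containers on a Docker API endpoint were given public addresses.

Added example, not code from Joyent or the Docker project. Assumes the endpoint
answers the stock Docker remote API, so `docker inspect` returns the usual
NetworkSettings.IPAddress field. The sample records are constructed.
"""
import ipaddress
import json
import subprocess
import sys

# Constructed sample of `docker inspect` output for four containers on an
# endpoint that gives every container its own address (names/IPs are made up).
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3", "Name": "/web", "NetworkSettings": {"IPAddress": "203.0.113.10"}},
    {"Id": "d4e5f6", "Name": "/db", "NetworkSettings": {"IPAddress": "10.20.30.40"}},
    {"Id": "0a0b0c", "Name": "/cache", "NetworkSettings": {"IPAddress": "192.168.5.9"}},
    {"Id": "ff0011", "Name": "/stopped", "NetworkSettings": {"IPAddress": ""}},
])

# Address space that is never reachable from the public Internet. Checked
# explicitly rather than via ipaddress.is_private, which also folds in
# documentation ranges such as 203.0.113.0/24 used in the sample above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def classify(addr):
    """Return 'none' (no address), 'private', or 'public' for one address."""
    if not addr:
        return "none"
    ip = ipaddress.ip_address(addr)
    # Membership test returns False across IP versions, so mixing v4/v6 is safe.
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit(inspect_json):
    """Parse `docker inspect` JSON into {container_name: (ip, classification)}."""
    result = {}
    for container in json.loads(inspect_json):
        ip = container.get("NetworkSettings", {}).get("IPAddress", "")
        name = container.get("Name", container["Id"]).lstrip("/")
        result[name] = (ip, classify(ip))
    return result


def public_containers(inspect_json):
    """Names of containers that received a publicly routable address."""
    return sorted(name for name, (_, kind) in audit(inspect_json).items()
                  if kind == "public")


def inspect_live(container_ids):
    """Fetch the same JSON from a real endpoint; the Docker client honours
    DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH for remote endpoints."""
    proc = subprocess.run(["docker", "inspect", *container_ids],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # With container IDs on the command line, query the real endpoint;
    # otherwise run against the constructed sample so the script works offline.
    data = inspect_live(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, (ip, kind) in audit(data).items():
        print(f"{name:10} {ip or '-':18} {kind}")
    print("public:", ", ".join(public_containers(data)) or "(none)")
```

Run with no arguments to see the sample classification; pass container IDs to inspect a live endpoint, after pointing the client at it with `DOCKER_HOST` and the TLS variables. A container that turns up as public when its service was meant to be internal is the kind of mistake that per-container routable addressing makes easy to commit and, with this check, easy to catch.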
Beyond ease of management, the other big boon is the performance gained from running on bare metal. Joyent claims an order-of-magnitude improvement in I/O performance for Triton over Amazon AWS.
For Cantrill, the issue with running containers isn't the containers themselves but the unneeded layer of abstraction that running them inside a VM introduces. "It doesn't make sense to run containers in VMs," he said. "Containers should run on metal, provided you have a secure substrate."
Another issue Cantrill brought up was security -- a major source of ongoing contention within the Docker world. In Cantrill's opinion, the Linux kernel mechanisms that containers are built on -- cgroups for resource control and namespaces for isolation -- do not provide the same degree of "airtight, multitenant" security as BSD jails or Solaris zones. "Linux wasn't designed for multitenant security," he said.
Many of Triton's design goals, according to Cantrill, aim to solve the problems Docker developers routinely run into when deploying at scale. "One thing we're seeing a lot of is operators working at Docker and asking themselves, 'How am I actually going to deploy [this container] in production? It's making my life a lot more miserable, because it's taking all the problems I already have around VM management and multiplying them, because I have to deal with a different layer of abstraction.'"
By doing away with VMs, Cantrill said, the capabilities normally tied to VMs can be given directly to containers instead. "This gives developers what they want, because they're oblivious to the complexity of this, and it gives the operators something they were never going to be able to have, which is Linux containers running securely on metal."
OpenStack is another area where Docker -- and Triton -- increasingly compete. Cantrill originally dismissed the comparison, believing that Docker and OpenStack weren't comparable, but has since reversed his opinion, at least for on-premises deployments. "I think on-prem efforts are shifting away from what many ops view to be a failed OpenStack experiment," he said. "They now want to deliver what their devs need and want, which is Docker."
The recent surge in development around Docker has been as much about compensating for Docker's current shortfalls as about leveraging its innate feature set. Some of these issues -- security, networking, questions of management philosophy -- are being addressed incrementally by Docker itself.
But these issues are hindering Docker from becoming all it could be. That's emboldened third parties to step up and supply what Docker is missing -- and to offer new takes on Docker.