What to Expect for Containers in 2018

2017 was a pivotal year for containers. It saw the end of the container orchestration wars, with Kubernetes emerging the victor. With that out of the way, it might be tempting to assume that 2018 will be smooth sailing for the containerization movement. However, things aren't quite that simple.

The industry coalescing around a single container orchestration solution will likely drive increased adoption of containers, especially among enterprise users. Systems administrators are by nature cautious and risk-averse, and they prefer not to adopt new technologies until a clear set of standards starts to emerge.

For containers, the orchestration layer is the most important. The primary means of interaction with any IT solution is the management interface, and the container orchestration solution is ultimately how most organizations will interact with containers.

While it is likely that the position of Kubernetes as the orchestration solution of choice across the industry isn't going anywhere, the container solution that Kubernetes orchestrates is still up for grabs.

Red Hat Buying CoreOS
Throwing a potential wrench into the stability of the container ecosystem is Red Hat Inc., which has decided to purchase CoreOS. While the acquisition of CoreOS doesn't look set to threaten the Kubernetes dominance of container orchestration, CoreOS brings the container platform rkt to the table, which is a rival to the more firmly entrenched Docker.

Before Red Hat's announcement, it would have been reasonable for an organization to assume that the majority of its container usage was going to consist of Kubernetes and Docker. Red Hat's purchase of CoreOS makes this far from a sure thing. Rkt is a fantastic container solution, and Red Hat's industry influence is significant.

With a purchase price for CoreOS of $250 million, Red Hat clearly sees containers as a critical part of IT for the foreseeable future. Thus, it's a safe bet that Red Hat will want to exert influence in this space.

VMware
Red Hat isn't the only vendor looking to throw its weight around in the container space. VMware Inc. has recently released version 1.3 of its vSphere Integrated Containers, reminding the world that the company remains committed to Photon, and has no intention of being tied to the x86 hypervisor market that it dominates.

VMware is in an interesting position in the container market. The VMware Photon container OS can be orchestrated by Kubernetes, and yet VMware is also integrating Photon into vSphere for management using its established workload orchestration tools.

VMware could confuse the market greatly, or have no meaningful impact whatsoever. It's too early to tell. VMware is late to the party, but it commands much loyalty among enterprises.

Red Hat's strategy for containers isn't likely to hold many surprises. Whether its investment enables the company to displace Docker is largely a question of Docker's stickiness with existing users. Red Hat will leverage its existing partner relationships to ensure rkt is treated as a first-class citizen, and things will proceed more or less according to the almost ritualistic pattern of consolidation that the IT industry undergoes after a new product category has been established.

VMware, on the other hand, is the ultimate source of randomness in the container space for 2018. VMware plays its cards close to the vest, leaving the market guessing at roadmaps and strategies. Meanwhile, VMware is trying to please everyone in the hopes of establishing Photon as a viable alternative. How viable it will be may depend on whether VMware can convince the major public cloud providers to support it.

Spectre
Further complicating matters for containers is the Spectre vulnerability. Unfortunately for all of us, Spectre isn't going away anytime soon. While patches are emerging for all the known attacks using this vulnerability, all we've been able to do is mitigate Spectre, not fix it.

Spectre will return to haunt us in the future as new ways to exploit it are uncovered, leading to still more patches. This will be an endless dance until we can all replace our server CPUs with new ones that aren't vulnerable.

Spectre is a problem for containers. The Spectre vulnerability effectively allows one workload to spy on another. Containers are used to allow multiple workloads to run on a single physical host. More to the point, they're used to allow significantly more workloads to run on a single host than virtual machines running on top of x86 hypervisors can accommodate.

The impact of Spectre depends greatly on a number of factors. The first and most important will be how quickly new attacks emerge, as well as the length of the gaps between an attack's creation, it being noticed by defenders, and vendors issuing a patch.

Another factor that affects Spectre's impact on containerization will be whether the containerization solution is used in a multi-tenant environment. Taking advantage of Spectre in a single-tenant environment requires compromising a running workload, and then using that compromised workload to execute malicious code.

Multi-tenant environments are different. Here, code that takes advantage of the Spectre vulnerability can be executed without having to compromise a workload. In a multi-tenant solution, tenants are provided environments to execute their own code, and those environments may share a physical host with other tenants.

Shared multi-tenant environments are popular with public cloud providers and regional service providers. Here, anyone could simply rent time on the cloud in question and exploit Spectre to spy on other workloads, assuming they had a working exploit for that vulnerability.

Public cloud providers and regional service providers alike do tend to offer dedicated host options. These allow customers to make use of all the capabilities of the public cloud, but without sharing a physical host with any other tenants. This may become the norm for sensitive workloads in 2018, even where those workloads are small and composable enough to use containers. As of the time of publication, no significant movement toward dedicated hosts has been noticed among public cloud customers.

The Focus Is Now Multi-Cloud Orchestration
The real focus of containerization in 2018, however, is likely to be multi-cloud orchestration. Kubernetes orchestrates the underlying container platform (Docker, rkt or Photon). But something else is needed in order to orchestrate Kubernetes clusters.

If you were using only Amazon Web Services (AWS), then at first glance CloudFormation seems like a rational solution. It can be used to automate AWS infrastructure, and is perfect for spinning up Kubernetes clusters, or anything else you happen to want.

CloudFormation, however, isn't exactly a multi-cloud solution. Here, HashiCorp's Terraform is gaining a great deal of traction as the ultimate multi-cloud infrastructure automation offering.

VMware spinoff Pivotal would also like a chance to claim this space, while Microsoft has a hammer called PowerShell and sees all infrastructure as nails. The traditional configuration management solutions that provided automation at the OS level -- Ansible, Chef, Puppet, SaltStack and the like -- are all also attempting to broaden their capabilities, chasing Terraform.

As of the beginning of 2018, it looks like the most popular container stack is Docker for the container platform, with Ansible to manage the host OS, Kubernetes to cluster the container hosts, and Terraform to orchestrate all of that infrastructure on any cloud you could want.

By the end of 2018, who knows? VMware may buy Dell, reacquiring Pivotal and trying for a complete vertical container solution. Red Hat owns Ansible, and also has all the pieces to make its own complete stack. Microsoft similarly has a chronic case of "not invented here" syndrome.

Kubernetes, which closed out 2017 with a bang and the promise of uniting the container market, may end up discarded by the end of 2018, as may Docker. One thing's for sure: it's going to be an interesting space to watch.

About the Author

Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.
