Friday, December 5, 2014

Container Virtualization Options


Looks like the container virtualization space is becoming a little more interesting this week. Previously, Docker was the only more or less complete standard container implementation (with a definition of an image, image creation, and container start/stop management). There was also Canonical's LXD, but it didn't seem to be garnering nearly as much attention and support, since it was only announced a month ago. However, with the Docker and CoreOS organizations starting to encroach on each other's territory, the CoreOS community has released an early version of their own container runtime, Rocket. On the other side, Docker has moved into the container cluster orchestration and management space with Docker Swarm and Docker Compose, the latter still being in the design stage.

It seems that a combination of Swarm and Compose would achieve roughly the functionality of Google's open source container cluster manager Kubernetes. But at this point, Rocket, Swarm, and Compose are all at very early stages of development, so it is difficult to tell how their implementations and respective communities will eventually turn out. One thing that the CoreOS community is emphasizing is how Rocket is being built from scratch with encryption and security concerns in mind. With respect to security, they have mentioned a few main issues they will address: image auditing/app identity, pluggable isolation, image/container encryption, and the single-daemon model for container management (such a highly privileged daemon is a potential security hazard).
