Containers reality check: Why they're still not production-ready
Containers are one of the hottest concepts in IT right now. Just a couple of years ago, containers were a nascent technology. But thanks to the meteoric rise of Docker—timed well with growing cloud computing adoption—containers are now becoming part of the mainstream, and continue to gain momentum. Just because containers are increasingly popular, however, doesn’t necessarily mean they’re ready for prime time.
Docker and other container platform vendors have made a lot of promises in terms of the features, capabilities, and integrations possible with containers, but how much of that promise has been realized? As more organizations embrace containers, the issues of container security and container management at scale remain significant concerns. Moving containers to production has been a major theme at DockerCon and other events, but IT professionals are still apprehensive about the enterprise-readiness of application containers.
Containers still gaining momentum
Companies are adopting containers incredibly quickly. In Q1 of last year, 451 Research surveyed nearly 1,000 IT decision-makers. We found that 6.3 percent of cloud-using IT shops had containers in initial or broad production, and another 3.9 percent were using containers in developer or test environments. By Q3 2015, that had more than doubled—14.1 percent were in initial/broad production, and 8.4 percent were in developer or test arenas. About 15 percent of IT shops have containers in production, and around 35 percent have at least done a proof-of-concept, with dev/test floating somewhere in between. This is one of the fastest-growing technologies 451 Research has ever seen, not just in developer audience, but in enterprises more broadly.
Vendors that support DevOps and container platforms are helping to push the envelope to enable more organizations to use containers in production. Some vendors are offering applications and tools, such as databases, in containers, and several players are addressing enterprise gaps in containers, such as those in management and security, monitoring and logging, data management and services, and networking. This is helping vendors and users leverage the speed and simplicity of container applications and services, which are more lightweight and thus easier to spin up and turn off.
Security remains a primary concern
As with many hot trends in IT, the initial honeymoon phase eventually shifts to the question of security. As popular as Docker and container platforms in general are right now, there are security concerns related to deploying containers that must be addressed in order for larger enterprises to use them in production, particularly for enterprises in regulated industries, such as finance and healthcare.
Security has clearly been a key issue with containers, as with any new technology, but companies, including CoreOS, Docker, and Red Hat, have continued to push for fixes and create new software and integration across the toolchain to cope with that problem. Still, there is a lack of parity on security between application containers and what enterprises are used to with virtual machines. We may also see this emerge as a source of criticism or FUD against containers by legacy vendors and others that are not part of the container ecosystem and market.
One concern is the need to segregate containers so that processes and data aren’t exposed to other containers. Several secure container solutions have been introduced in the past year or so. Microsoft launched Hyper-V Containers, Intel unveiled Clear Container Technology, and VMware and others have tried to address the problem as well.
Docker recently announced a few changes that greatly enhance security for its containers. User namespacing is an improvement in Docker 1.10. Until it came along, all Docker containers ran as root. While the daemon itself still runs as root, it can be helpful for administrators to be able to limit the permissions of a specific container. Such security enhancements may help Docker gain wider adoption because they provide a level of isolation that enterprises require. Docker has also introduced its Docker Content Trust container image verification and Docker Trusted Registry software for security and compliance, as it has sought to further address security concerns around containers.
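One way to verify what user namespacing changes, shown as an added example that is not from the original article or from Docker: the script below reads the text of `/proc/<pid>/uid_map` for a container process, as seen from the host, and reports whether root inside the container is still root on the host. The function names and the sample mappings (including the 100000/65536 range) are constructed for illustration.

```python
# Each uid_map line has three fields:
#   <first UID inside the namespace> <first UID outside> <length of range>
# On the host, the input can be read from /proc/<pid>/uid_map, where <pid>
# is the container's init process (docker inspect -f '{{.State.Pid}}' NAME).

# Constructed samples: a container without a user namespace, and one whose
# UIDs are remapped into an unprivileged host range.
NO_USERNS = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def host_uid_for(entries, container_uid):
    """Translate a UID inside the container to the host UID, or None."""
    for inside, outside, length in entries:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def classify_root(text):
    """Describe what UID 0 inside the container is on the host."""
    host_uid = host_uid_for(parse_uid_map(text), 0)
    if host_uid is None:
        return "unmapped"      # UID 0 has no mapping in this namespace
    if host_uid == 0:
        return "host-root"     # container root is real root on the host
    return "remapped"          # container root is an unprivileged host UID


if __name__ == "__main__":
    for name, sample in (("no userns", NO_USERNS), ("remapped", REMAPPED)):
        print(f"{name}: container root is {classify_root(sample)}")
```

A result of `host-root` means a process that escapes the container keeps full root privileges on the host, which is the condition user namespacing is meant to remove.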
Docker also recently released Docker Datacenter (DDC). DDC is a comprehensive agile development and management platform that enables organizations to employ containers-as-a-service (CaaS) on premises. DDC includes the Docker Universal Control Plane, Docker Trusted Registry (DTR), and Docker Content Trust, as well as the Docker Engine runtime and tooling software with compute, network, and storage capabilities.
DTR is among the most crucial elements of DDC from a security perspective. The combination of DTR and Yubikey image-signing can help create a secure environment in which to publish and deploy Docker images. Docker has also increasingly addressed the IT operations aspects to facilitate the management of the process from development all the way into operations.
Fortunately, security seems to be on everyone’s radar when it comes to containers, and vendors are making significant strides.
Managing and scaling containers still a challenge
Another key challenge in moving containers to production revolves around container management, orchestration, and scalability.
Managing and scaling a cloud-based infrastructure of virtual servers is challenging enough for large enterprises. With containers breaking applications down into individual components and processes, the sheer volume of resources that need to be created, monitored, and destroyed is exponentially larger and can be overwhelming if you don't have the right tools in place.
Surprisingly, few IT shops are using container management and orchestration. A 451 Research survey revealed that less than 10 percent were using container orchestration as of Q3 2015. This provides some suggestive evidence as to how many of them have scaled their use of containers, because it's very challenging to do so without something along the lines of Docker Swarm, Kubernetes, or Mesos on top.
Are containers production-ready?
So are we any closer to mainstream containerization and moving containers into production environments?
The answer is nuanced. Are we closer? Yes. Are we there yet? No, and we still have a long way to go.
Developing and deploying container applications and services has many benefits for both vendors and customers, but most organizations aren’t ready to embrace containers at that level just yet.
The good news is that the industry is marching steadily in the right direction. Containers are still gaining steam, and they’re here to stay, so the obstacles that stand in the way of using containers in production will be addressed rapidly, given the number of vendors involved. Some daring, bleeding-edge organizations might be using containers in production today, especially webscale companies and large enterprises. But for more mainstream organizations, vendors are still six months to a year away from having all of the necessary components in place.
What do you think? Are software containers ready for production?