Docker is the gold standard in modern development and deployment pipelines. Any developer can package and ship their code in a Docker container, any DevOps toolchain can support it, and many if not most cloud hosts support it. However, it has problems, not least of them data integrity and security: cross-container attacks proliferate, and a single poisoned container can infect entire clusters, apps and even data centers.
Before we go farther, let us define what a microVM (mVM) is. A mVM, simply put, is an ultra-small QEMU/KVM virtual machine that runs a single app and is treated as disposable, like a container. Amazon's Firecracker project is a prime example of mVMs in production. However, the modern world lives and thrives around the Docker container system, and as of this writing Firecracker has no support for Docker containers.
What I am proposing, going forward, is a system using KVM virtualization that spins up a VM per individual Docker container. This keeps the flexibility of Docker containers while leveraging the isolation, stability and security of a traditional VM. The concept is even easier to implement with modern ultra-light distros such as Alpine.
Networking is simple: KVM and Docker/Kubernetes both have solid intra-cluster and virtual networking services that are well vetted and understood. Modern name-based routing further simplifies the cluster and readily facilitates scaling it. This approach is also more efficient in an era of scarce public IPs: name-based routing within an app and within a data center allows unlimited scaling independent of the network.
For packaging and launch, solid automated scripting engines such as HashiCorp's stack (Packer, Terraform et al.) and open source tools such as Ansible, Puppet and Chef can easily spin up and auto-configure networking, resource allocation, storage, and container installation and optimization. This allows not only one-button launch of infrastructure but, because Docker is widespread, also makes it easier to find developers familiar with it.
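As an added illustration of the per-container VM proposed above and of the launch scripting just described, here is a POSIX shell sketch of the host-side glue (example code written for this post's idea, not anything from the original post, Firecracker or Docker). The base image path, the instance directory and the fw_cfg key `opt/mvm/image` used to hand the image name to the guest are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: host side glue for the
# "one KVM microVM per container" idea. Each container gets its own Alpine guest,
# its own copy-on-write disk overlay, its own tap NIC and a stable MAC, so a
# compromised container only ever owns one throwaway VM.
# Assumed (hypothetical) paths: MVM_BASE is an Alpine qcow2 with Docker installed.
set -eu

MVM_BASE=${MVM_BASE:-/var/lib/mvm/alpine-base.qcow2}
MVM_DIR=${MVM_DIR:-/var/lib/mvm/instances}

# Deterministic locally administered MAC (52:54:00 is QEMU's range) derived from
# the container name, so DHCP/DNS keeps mapping name to address across respawns.
mvm_mac() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    hex=$(printf '%08x' "$crc")
    printf '52:54:00:%s:%s:%s\n' "$(echo "$hex" | cut -c3-4)" \
        "$(echo "$hex" | cut -c5-6)" "$(echo "$hex" | cut -c7-8)"
}

# Guest init script to bake into the base image: it reads the image name the
# host passed through fw_cfg, runs that single container and powers off when it
# exits, which makes the VM as disposable as the container.
mvm_guest_init() {
    cat <<'EOF'
#!/bin/sh
modprobe qemu_fw_cfg
image=$(cat /sys/firmware/qemu_fw_cfg/by_name/opt/mvm/image/raw)
rc-service docker start
docker run --rm "$image"
poweroff
EOF
}

# Host command line: fresh overlay on the shared base image, then one QEMU/KVM
# guest sized for this container. Nothing is executed here; the command is
# returned so an orchestrator (or the reader) can run it.
mvm_launch_cmd() {
    name=$1; image=$2; cpus=${3:-1}; mem_mb=${4:-256}
    overlay="$MVM_DIR/$name.qcow2"
    printf 'qemu-img create -f qcow2 -b %s -F qcow2 %s &&' "$MVM_BASE" "$overlay"
    printf ' qemu-system-x86_64 -enable-kvm -cpu host -smp %s -m %s -nographic' "$cpus" "$mem_mb"
    printf ' -drive file=%s,if=virtio,format=qcow2' "$overlay"
    printf ' -netdev tap,id=net0,ifname=tap-%s,script=no,downscript=no' "$name"
    printf ' -device virtio-net-pci,netdev=net0,mac=%s' "$(mvm_mac "$name")"
    printf ' -fw_cfg name=opt/mvm/image,string=%s\n' "$image"
}

if [ $# -ge 2 ]; then
    mvm_launch_cmd "$@"
fi
```

Run it as `sh mvm.sh web nginx:1.25 2 512` to see the full launch command for one container; the tap name is limited to 15 characters by Linux, so keep container names short.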
Finally, an enterprise-ready infrastructure needs monitoring and command and control. Because KVM is the most widely used open source virtualization software in the world, there is a plethora of dashboards and cluster monitoring and management tools available. At the container level, Docker also has a mature, well understood management, monitoring and command-and-control ecosystem. These tools are already enterprise ready and capable of massive horizontal and vertical scaling.
Jenny Fong, in her blog at docker.com, said "containers can run on virtual machines or on bare metal the choice is up to you". It is becoming clear that virtual machines and containers are the perfect pair for modern IT load-outs. MicroVM architecture provides a way forward and solves the problems inherent in containers with solid, mature, well vetted and understood components while preserving container efficiency and flexibility. It requires no development of novel systemic approaches; in fact the only development required is tuning and deployment scripting. Finally, as it uses popular toolsets, most monitoring and command and control can also be readily implemented.