Links with Docker, work on Google's Kubernetes project, and its own use of Drawbridge all underline Microsoft's enthusiasm for containers, according to new Azure CTO Mark Russinovich.
But despite viewing the technology as the future for platform as a service, Russinovich is blunt about what he sees as the lack of security offered by Docker containers.
Containers are a lighter-weight form of virtualisation: they sit on top of a single Linux instance, sharing its kernel, and each runs an isolated app on a reduced OS under a resources policy. Docker is an open-source project for automating app deployment inside containers.
"We see a ton of interest in Linux [on Azure] but along with the Linux interest comes, of course — just as everybody has seen everywhere else — interest in using containers in Linux and Docker, and Docker has become really the de facto way to spin up containers on Linux," Russinovich said.
"The container revolution — this microservices delivery of software inside containers for reliable execution of software moving from a dev-test environment to a production environment, where you get high density and high utilisation out of compute — is one that for sure is the trend for platform as a service and compute in general," Russinovich said.
However, it is the portability offered by Docker that is driving the use of containers, and it apparently outweighs the security concerns.
"These containers aren't secure. They don't have that kind of isolation. They're sharing so much of their underlying operating system that they can't be effectively secured, at least not to the kind of level of risk that we'd be comfortable running two different customers in containers side by side," Russinovich said.
"But the value of it is this portability from a dev-test environment. You write the code, you test it, it's living in a bubble, isolated from the rest of the software on the server.
"You can take it and with a high degree of confidence deploy it to a virtual machine or a server and know that it will operate in the same way because it's still in that bubble and it's not going to be affected by the other software on the server or virtual machine."
"They're similar but obviously Docker is built on Linux containers, which is Linux technology and they're insecure — those containers. Drawbridge is a Windows container technology, it's internal, it's not public and it is secure," he said.
"It supports what we call hostile multi-tenant workloads, so it's underneath some of our services like cloud machine-learning where inside a virtual machine we'll spin up these Drawbridge containers to run customer cloud machine-learning algorithms securely.
"It's not available to the public as a container technology other than through their indirect use of it on these types of services."
The ability to isolate resources is also a major advantage that is helping to drive uptake of containers.
"It's isolation in terms of not being interfered with by other applications and other application configurations but it's also resource isolation," Russinovich said.
"What that resource isolation lets you do is take a virtual machine that serves as your security boundary and pack it full of lightweight containers that spin up very quickly and you can get a lot of utilisation out of that virtual machine by packing a lot of them into it.
"So you could literally put hundreds of containers inside a virtual machine. The ones that are inactive release their resources; the ones that are active get the resources.
"You use resource isolation to make sure you have a basic level of service that you can guarantee for those containers. Those are all really powerful attributes that have, with just reason, caused this hype around Docker and containers."