Azure CTO: Why Microsoft is digging Docker and the container revolution

Recently appointed Azure CTO Mark Russinovich spells out Microsoft's espousal of the container cause on its cloud computing platform and his reservations about Docker security.
Written by Toby Wolpe, Contributor
Mark Russinovich: Docker containers aren't secure. Image: Microsoft

Links with Docker, work on Google's Kubernetes project, and its own use of Drawbridge all underline Microsoft's enthusiasm for containers, according to new Azure CTO Mark Russinovich.

But despite viewing the technology as the future for platform as a service, Russinovich is blunt about what he sees as the lack of security offered by Docker containers.

Containers are a lighter-weight form of virtualisation: they share a single Linux kernel rather than each booting their own, and each one runs an isolated app on a trimmed-down userland under a resource policy. Docker is an open-source project for automating app deployment inside containers.

In June, Microsoft demonstrated Docker deployment on an Azure Linux virtual machine. A month later the company revealed plans to contribute code to Kubernetes, Google's cluster manager for Docker containers.

"We see a ton of interest in Linux [on Azure] but along with the Linux interest comes, of course — just as everybody has seen everywhere else — interest in using containers in Linux and Docker, and Docker has become really the de facto way to spin up containers on Linux," Russinovich said.

That level of interest in Linux is behind reports that link Microsoft with Red Hat and the possibility of adding its distribution to the others already available on the Azure cloud computing platform, which are CentOS, openSUSE, Oracle Linux, SUSE Linux Enterprise and Ubuntu.

"We'd love to have a supported version of Red Hat on Azure," Russinovich said. But when asked whether that was likely to happen soon, he replied: "I don't know. That's all I can say, unfortunately."

Microsoft is also using its own container software internally for some of its middleware services, applying technology from Microsoft Research's Drawbridge project.

"The container revolution — this micro services delivery of software inside containers for reliable execution of software moving from a dev-test environment to a production environment, where you get high density and high utilisation out of compute — is one that for sure is the trend for platform as a service and compute in general," Russinovich said.

However, what is driving the use of containers is the portability Docker offers, and for many users that portability apparently outweighs the security issues.

"These containers aren't secure. They don't have that kind of isolation. They're sharing so much of their underlying operating system that they can't be effectively secured, at least not to the kind of level of risk that we'd be comfortable running two different customers in containers side by side," Russinovich said.

"But the value of it is this portability from a dev-test environment. You write the code, you test it, it's living in a bubble, isolated from the rest of the software on the server.

"You can take it and with a high degree of confidence deploy it to a virtual machine or a server and know that it will operate in the same way because it's still in that bubble and it's not going to be affected by the other software on the server or virtual machine."

Russinovich said Docker and Drawbridge, which Microsoft is considering making publicly available on Windows, resemble one another in their objectives but differ in important areas.

"They're similar but obviously Docker is built on Linux containers, which is Linux technology and they're insecure — those containers. Drawbridge is a Windows container technology, it's internal, it's not public and it is secure," he said.

"It supports what we call hostile multi-tenant workloads, so it's underneath some of our services like cloud machine-learning where inside a virtual machine we'll spin up these Drawbridge containers to run customer cloud machine-learning algorithms securely.

"It's not available to the public as a container technology other than through their indirect use of it on these types of services."

The ability to isolate resources is also a major advantage that is helping to drive uptake of containers.

"It's isolation in terms of not being interfered with by other applications and other application configurations but it's also resource isolation," Russinovich said.

"What that resource isolation lets you do is take a virtual machine that serves as your security boundary and pack it full of lightweight containers that spin up very quickly and you can get a lot of utilisation out of that virtual machine by packing a lot of them into it.

"So you could literally put hundreds of containers inside a virtual machine. The ones that are inactive release their resources; the ones that are active get the resources.

"You use resource isolation to make sure you have a basic level of service that you can guarantee for those containers. Those are all really powerful attributes that have, with just reason, caused this hype around Docker and containers."
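The two properties Russinovich separates here, resource isolation enforced by the kernel's cgroups and the much weaker security isolation of a shared kernel, can both be read straight out of a container's runtime configuration. The audit below is an added example, not code from the article, Microsoft or the Docker project. It reads records shaped like the `HostConfig` section of `docker inspect` output (the field names `Memory`, `NanoCpus`, `PidsLimit`, `Privileged`, `PidMode`, `NetworkMode`, `IpcMode`, `UsernsMode`, `CapAdd` and `SecurityOpt` are Docker's), but the two sample records are constructed for illustration, and the thresholds and wording of the findings are this example's own choices.

```python
"""Audit container HostConfig records for (a) absent cgroup resource limits,
which is what makes "a basic level of service" unguaranteed, and (b) settings
that erode the already-thin isolation of a shared kernel.

The record shape mirrors `docker inspect` HostConfig, but the sample data is
constructed for this example, not captured from a real host."""
import json

# Constructed sample: two containers, one with limits and defaults, one with
# no limits and every isolation boundary opened up. Values are invented.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/tenant-a-web", "HostConfig": {
        "Memory": 268435456,        # 256 MiB hard limit (cgroup memory.max)
        "NanoCpus": 500000000,      # 0.5 CPU (cgroup cpu.max)
        "PidsLimit": 256,           # fork-bomb protection (cgroup pids.max)
        "Privileged": False,
        "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private",
        "CapAdd": None,
        "SecurityOpt": ["no-new-privileges:true"],
    }},
    {"Id": "bbb222", "Name": "/tenant-b-batch", "HostConfig": {
        "Memory": 0, "NanoCpus": 0, "PidsLimit": 0,   # 0 means unlimited
        "Privileged": True,
        "PidMode": "host", "NetworkMode": "host", "IpcMode": "host",
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": None,
    }},
])


def resource_findings(hc):
    """Return the cgroup limits that are absent. Docker encodes 'unlimited'
    as 0 (or null / -1 for PidsLimit), so any non-positive value is missing."""
    missing = []
    if not hc.get("Memory"):
        missing.append("no memory limit")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        missing.append("no CPU limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        missing.append("no pids limit")
    return missing


def isolation_findings(hc):
    """Return settings that widen the kernel attack surface beyond the
    default (unprivileged, separate namespaces, default capability set)."""
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged (all capabilities, raw device access)")
    for key in ("PidMode", "NetworkMode", "IpcMode", "UsernsMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host shares the host namespace")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"adds capability {cap}")
    if "no-new-privileges:true" not in (hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    return findings


def audit(inspect_json):
    """Map container name -> findings. An empty list under both keys means
    the container is well-confined for *resource* purposes; it still shares
    the kernel with every other container on the host, so it is not a
    tenant boundary on its own."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        report[c["Name"].lstrip("/")] = {
            "resource": resource_findings(hc),
            "isolation": isolation_findings(hc),
        }
    return report


if __name__ == "__main__":
    for name, r in audit(SAMPLE_INSPECT).items():
        print(name)
        for kind in ("resource", "isolation"):
            for f in r[kind] or ["ok"]:
                print(f"  {kind}: {f}")
```

On a real host the same function can be fed `docker inspect $(docker ps -q)`; an empty result for a container says only that it is not worse than the default, which, as the article stresses, is still a shared kernel rather than the VM boundary needed for hostile multi-tenant workloads.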
