Nabla Containers: New Format from IBM Designed for Strong Isolation on Cloud Hosts

Framework Installs with Docker to Add Unikernel Techniques Based on Solo5 & runnc

IBM recently launched a new container standard that functions as a type of plugin alternative to Docker’s native format, with the intention of creating more isolated sandbox environments for cloud architecture. Similar to the gVisor framework released by Google this year, Nabla Containers seeks to reduce the number of attack vectors that can be targeted by exploits for apps operating in production at scale. Rather than functioning as a true competitor to Docker, Nabla basically works as an alternative format that can be installed on the same hardware and software platforms (i.e. public/private cloud hosts) to provide more robust security.

Nabla uses library OS/unikernel techniques via the Solo5 project middleware, which reduces the number of Linux system calls required to 9 when operating a container. The main difference is that Nabla uses runnc as “the OCI-interfacing container runtime,” whereas gVisor (another new hardened container sandbox alternative) is built around runsc, and Docker containers are based on runC as the universal container runtime. Docker donated the code for runC to the Open Container Project in 2015 “as a standalone tool, to be used as plumbing by infrastructure plumbers everywhere.”

The Solo5 project was originally started by Dan Williams at IBM Research during work to port MirageOS to the Linux KVM hypervisor. The main components of Solo5 are the kernel, ukvm, a testing suite, and a set of tools which support various virtualization requirements across different operating systems & hardware devices. Nabla Containers will mostly appeal to programmers and developers who have a drastic need to reduce the number of system calls permitted to a VM in production in order to implement higher levels of security, although this will require custom formatted disk images that are not cross-compatible with Docker’s runC code.
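
Because Nabla's runnc and gVisor's runsc are registered alongside runC on the same Docker host, the runtime a given container actually uses has to be checked per container. The following is an added example, not code from the article or from the Nabla project: it audits a constructed `daemon.json` and constructed, trimmed `docker inspect` records, and the binary paths and the `tenant=external` label convention are assumptions.

```python
import json
import os

# Constructed sample of /etc/docker/daemon.json; the binary paths are assumptions.
DAEMON_JSON = """{"default-runtime": "runc",
 "runtimes": {"runnc": {"path": "/usr/local/bin/runnc"},
              "runsc": {"path": "/usr/local/bin/runsc"}}}"""

# Constructed, trimmed `docker inspect` records (real output has many more fields).
INSPECT_JSON = """[
 {"Name": "/web", "HostConfig": {"Runtime": "runnc"},
  "Config": {"Labels": {"tenant": "external"}}},
 {"Name": "/batch", "HostConfig": {"Runtime": ""},
  "Config": {"Labels": {"tenant": "external"}}},
 {"Name": "/metrics", "HostConfig": {"Runtime": "runc"},
  "Config": {"Labels": {"tenant": "internal"}}}
]"""

# Runtime binaries named in the article, grouped by isolation approach.
ISOLATION = {
    "runc": "shared host kernel (namespaces/cgroups)",
    "runnc": "unikernel on Solo5 (Nabla)",
    "runsc": "user-space kernel (gVisor)",
    "runv": "hypervisor-backed (Hyper.sh/Kata)",
}
SANDBOXED = {"runnc", "runsc", "runv"}

def audit(daemon_text, inspect_text, label="tenant", untrusted="external"):
    """Return (name, runtime, isolation, flagged) for every container."""
    daemon = json.loads(daemon_text)
    default = daemon.get("default-runtime", "runc")
    runtimes = daemon.get("runtimes", {})
    rows = []
    for c in json.loads(inspect_text):
        name = c["Name"].lstrip("/")
        # An empty Runtime field means the daemon's default runtime applies.
        runtime = c.get("HostConfig", {}).get("Runtime") or default
        # Runtime names in daemon.json are arbitrary, so classify by the binary.
        binary = os.path.basename(runtimes.get(runtime, {}).get("path", runtime))
        isolation = ISOLATION.get(binary, "unknown runtime")
        labels = c.get("Config", {}).get("Labels") or {}
        # Flag untrusted workloads that still share the host kernel via runC.
        flagged = labels.get(label) == untrusted and binary not in SANDBOXED
        rows.append((name, runtime, isolation, flagged))
    return rows

if __name__ == "__main__":
    for row in audit(DAEMON_JSON, INSPECT_JSON):
        print(row)
```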

Competition in the Container Market: Overview of Different Standards & Formats

Docker is one of the leading “unicorns” of venture capital and the rapid rise of the company to become a global standard in cloud data center management has largely been unprecedented. While there were some major platform tools available on open source fundamentals for container virtualization that preceded Docker, namely LXC/LXD, the main competition in the industry has been in the different versions of orchestration engines that automate containers into clusters that swarm or auto-scale according to different rates of user traffic or on-demand for individual logged-in users. For example, Kubernetes has largely outpaced Docker Swarm, Mesosphere, CoreOS, and other orchestration engines to become the de facto standard in enterprise data centers today.

The combination of Docker & Kubernetes primarily marginalized the use of VPS (Virtual Private Servers) as an industry solution, as containers are much more lightweight to operate and boot a complete disk image in milliseconds that can be customized with unique web server stack software and web/mobile application code together. This open source solution outperforms in many ways proprietary virtualization software from VMware and Microsoft that had been widely implemented in enterprise data centers in the period before the advent of the cloud, and targets particularly the web server functionality introduced by the AWS EC2 platform. The proprietary virtualization solutions based around hypervisors like VMware ESXi and Microsoft’s HyperV largely compete with Xen, KVM, Virtuozzo/OpenVZ, & Parallels software in cloud hosting, but VPS platforms are now widely being surpassed by container virtualization with a new generation of software tools for deployment and management of cloud architecture. Intel recently launched Kata Containers as an alternative to Docker, which, similar to gVisor and Nabla, seeks to improve the security of container installs by making them function more similarly to VMs for multi-tenant applications.

Otherwise, there has been major competition in companies to create scaled-down, micro-OS distributions (Linux/Windows/BSD) for use in container deployments, as well as in third-party utilities such as storage, traffic monitoring, metrics, analytics, etc. for cloud data centers. OpenStack, Mesosphere, CloudStack, VMware, & Microsoft tools are currently the most popular solutions available for complete data center management software, although there is still no real industry standard in this field.

DataDog: One of the most significant studies of Docker use in enterprise web hosting was conducted by DataDog, who estimated that over 10,000 companies are using Docker in 2018 with over 700 million containers deployed. This works out to about 25% of all of the companies polled, where the frequency of Docker use increases according to the institutional size of the organization involved. Kubernetes, Mesos, or a cloud-hosted orchestration platform from AWS, Azure, & Google Cloud Platform are the most popular solutions for cloud cluster server management at scale. The most common application software installed in Docker containers are: NGINX, Redis, Postgres, Fluentd, Elasticsearch, MongoDB, MySQL, etcd, RabbitMQ, & HAProxy. Learn More About Docker Usage at DataDog.

Sysdig Docker Usage Report 2018:

Sysdig’s auto-discovery mechanism – ContainerVision™ – shows what processes are used inside containers. Users are consistently utilizing open source solutions to construct their microservices and applications. Java Virtual Machines (JVM) top the list. Java has been relied on for app services in the enterprise before containers arrived, and now the two – Java and containers – come together as organizations adopt a modern day delivery model. In addition, increased usage of database solutions like PostgreSQL and MongoDB running in containers signal that the move is on to stateful services in containers.

Learn More About Docker Container Usage at Sysdig.

Docker Container Runtimes:

Docker shows up the most in production. We didn’t report on other container runtime details in 2017 because, at the time, Docker represented nearly 99% of containers in use. With the recent acquisition of CoreOS by Red Hat (the maker of rkt), and programs like the Open Container Initiative (OCI), which seeks to standardize container runtime and image specifications, we wanted to take a fresh look to see if container runtime environments are shifting. In fact they are. In the last year, customers have increased their use of other platforms. Rkt grew significantly to 12%, and Mesos containerizer to four percent. LXC also grew, although at a significantly lower rate. It appears from the data that customers have a greater comfort level with using ‘non-Docker’ solutions in production.

Learn More About Container Runtime Engines for Docker.

Docker Market Share vs. The Future for Nabla, Kata, & gVisor Container Solutions

Sysdig’s survey showed that Docker represented 99% of all containers in use in 2017, a year in which Docker’s CEO Ben Golub reported more than 14 million Docker hosts, over 900,000 Docker apps in production, a 77,000% growth in Docker job listings, more than 12 billion total Docker disk image pulls from sites like GitHub (accounting for 390,000% growth), and over 3,300 unique individual contributors to the open source Docker codebase. CoreOS rkt and the Mesos container standard managed significant inroads into the industry totals for container market share over the last year with their new products. At launch, IBM’s Nabla Containers project requires Docker to be installed on the host server on which it is used, but like gVisor and Intel’s Kata Containers, seeks to improve upon the overall security of container virtualization in practice. By donating runC to the Open Container Initiative on open source standards, it is easier for other developers and programming teams to make forks of the code and introduce different features, functionality, or alternative runtime options. Similarly, Docker will be able to analyze these competitive offerings and introduce security + feature improvements to their own releases based upon third-party innovation and industry demand where required. Red Hat’s acquisition of CoreOS could lead to a more robust challenger in the container space, although they may equally be inclined to market the tools as just a more efficient platform for running Docker & Kubernetes.

The major concern for Docker is if Google, IBM, & Intel develop their own container frameworks to integrate into their own cloud services platforms as a means to escape or avoid any mass licensing fees to the start-up company. Docker is valued relatively cheaply as a unicorn precisely because they have been unable to generate significant revenue from the use of their container software under open source licensing agreements, while Kubernetes is much more popular for orchestration than their proprietary “Docker Swarm” platform. A similar example would be KVM, which was originally developed by Qumranet, then acquired by Red Hat in 2008 for $107 million USD, and which is almost ubiquitous in virtualization platforms but earns almost no money for the company in licensing fees. The differences in container runtime engines like runC, runsc (gVisor), runnc (Nabla) & runV (Hyper.sh/Kata) parallel in many ways the divergence in hypervisor software for VPS/VMs. Docker open sourced their code as a means to build market share and remain the industry leader against other large IT companies entering into the container virtualization space, but this does not necessarily mean they will maintain their advantage forever. It is more likely that the company gets bought out by an industry major who can manage the code as part of their portfolio of brands with other income to cover the costs of stewardship. SDX Central reported that Microsoft already tried to buy Docker in 2016 for $4 billion USD.

Business Outlook: IBM’s Nabla Containers Not a Major Competitive Rival to Docker

As Nabla Containers require Docker to be installed on the host server, and additionally use Docker disk images to function, the framework cannot be seen as a true competitor with any real likelihood of disrupting the industry-leading market share of the company. Rather, Nabla mostly offers developers the opportunity to use runnc as an alternative to runC and to implement the KVM-like security advantages of using Solo5 in container-native cloud architecture. Kata Containers is also part of the Open Cloud Initiative and has a much wider network of corporate backers behind the project (99cloud, AWcloud, Canonical, China Mobile, City Network, CoreOS, Dell/EMC, EasyStack, Fiberhome, Google, Huawei, JD.com, Mirantis, NetApp, Red Hat, SUSE, Tencent, Ucloud, UnitedStack, & ZTE), but has not yet begun to see much uptake in practical use in enterprise. IBM has a huge collection of specialized open source projects in their company portfolio, but much of it is not widely used outside of their own corporate/government contract work. Projects like Nabla, Kata, & gVisor show that the burgeoning cloud container industry is still at a nascent level of development, with professional users in corporate enterprise concerned about security vulnerabilities in the platform.

Steve Singh, CEO of Docker:

Docker is a private company and has never publicly revealed its revenues. At DockerCon 18, Singh provided some limited guidance, noting that revenues grew from single-digit million-dollar revenue in 2016 to double-digit million-dollar revenue in 2017 and are on track for triple-digit million-dollar revenue in 2018. “We’ve seen great growth in the business over the last three years,” he said. The rapid growth is coming from the success of the MTA program, which Singh said is delivering real value to customers. He added that customers are buying MTA and deploying it for all their legacy applications. Additionally, Singh said that Docker’s sales team is better understanding what customer problems are with application transformation and how to solve those challenges using Docker.

Watch an Interview with Steve Singh at eWeek.

Docker’s Modernize Traditional Apps (MTA) Business Model & Enterprise Edition (EE)

With alternatives like rkt, Mesos, & LXC/LXD still marginalized in market share in the container industry, it appears more likely that Docker will become a vital component of cloud networking and virtualization constructs like the KVM hypervisor on Linux, but fail in becoming a cash generating powerhouse. CEO Ben Golub was replaced by Steve Singh from SAP/Concur in 2017 after his attempts to build a subscription-based revenue model at the company failed. As Steven J. Vaughan-Nichols of ZDNet reported, “Docker has never explained why Singh was brought in from outside to become the leader, but it doesn’t take a genius to see that core container technologies were becoming commoditized. The Cloud Native Computing Foundation (CNCF)’s Open Container Initiative (OCI) standard turned today’s container fundamentals, including Docker containers themselves, into open standards. There wasn’t much value-add that Docker could offer its enterprise customers.” Docker Enterprise Edition (EE) follows the traditional Linux development model for open source companies by offering a free community edition of software as well as a packaged professional version with extra tools, technical support services, and consulting. Docker also has an Accelerator Service, Pilot Advisory Service, Production Advisory Service, Custom Solutions, Training, & Technical Account Management options available for corporations and other large/complex organizations to contract for as part of their “Modernize Traditional Apps” (MTA) business model. Bloomberg reports Singh has set a goal of $500 million USD in annual revenue to take the company public. Although many analysts believe this is unlikely, the potential is certainly there. Overall, IBM’s Nabla Container system is unlikely to move the needle in either direction for the company as a challenger.