Hacker News new | past | comments | ask | show | jobs | submit login
Containers Are Not the Future (linkedin.com)
146 points by pjmlp on March 19, 2020 | hide | past | favorite | 110 comments

If we take "Container" to specifically mean OS-level isolation of applications, then there is a strong likelihood that Containers will be replaced by lightweight VMs.

To me, the rise of containers has been about packaging software alongside all its dependencies in a standalone package that is (to varying degrees) isolated from the underlying host. In that sense, lightweight VMs are an evolution of the container model we already use.

The author fails to explain how these lightweight VMs would be orchestrated. Maybe Kubernetes sucks, but if something more secure comes along, is that a failure of the container approach, or is it an evolution?

All in all, this feels like someone writing a post saying "The aircraft created by the Wright Brothers was terrible, therefore powered flight was a failure". That, an attempt to sell something by bashing popular techs and millennial coders.

The author fails to explain how these lightweight VMs would be orchestrated.

There are two directions that most organizations can go from containers, and they have opposite answers to this question.

The first direction is back to a monolithic application running in a VM. Orchestration no longer exists as a problem. What else do we get? Development is easier. Debugging is easier. We have literally decades of experience figuring out how to make it work.

Very, very few of the people reading this post are solving problems harder than ones I was solving decades ago using that kind of stack. Other than the fact that your resume won't look as good, there is zero reason not to do this.

The other is, as the post's author recommends, even further into isolating the app. Down to something even simpler than a container. In which case you will need a solution for orchestration, but it won't let you leverage a single running VM to a whole cluster. Limiting the attack area will be good for security.

As a bonus things that container folks say work, but don't, will work. For example autoscaling fails in adtech with containers fails hard because the time that it takes to boot up new instances exceeds the time that you are getting flooded by your ad. But if your unikernel boots fast enough, now autoscaling does work.

Now there is a third use case. And that is organizations like Google whose codebase is so big that they can't run it monolithically on a single machine. Containers solve that in a distributed environment by letting them run only some of their code on each machine. There is a hidden cost that RPCs over a network are inherently an order of magnitude more expensive (in time, latency, and resources) than a function call inside of a running application. So you order an order of magnitude more hardware, and containers are the sweet spot for you.

But that problem is of a kind that very few organizations have. And making it actually work takes a lot of thought and organization that very few in the containerization world seem to understand. Certainly if you read a few blog posts, install Docker and Kubernetes, then start deploying through Helm, I am willing to bet large sums of money that you are almost certainly making rookie mistakes.

> The first direction is back to a monolithic application running in a VM. Orchestration no longer exists as a problem

Of course it does, VMware makes a boatload of money with VM orchestration. Or you setup OpenStack which is free but a nightmare in itself.

You do not want a hand-rolled KVM virtualization stack. I've been there, I've seen the horrors.

In 2003 I was a developer on a website that served a million pages per hour using 2 databases, 4 webservers, and associated networking. Most of that hardware was there for automated failover.

At that scale, orchestration is simply not a challenge. We wrote a deployment script to roll out code changes and life was good.

2020 hardware is not worse than 2004 hardware. And while that business eventually failed, it was not due to technology. (And it made a lot of money before it failed.) As I said, most here are not doing something harder now than we did then. The same class of solution works.

As the old saying goes, KISS. Know when it works, and when it doesn't. As another saying says, YAGNIY. (You Ain't Gonna Need It Yet.) Deal with the limits of being monolithic after you encounter them. Don't complicate your life to tackle problems that don't exist.

> In 2003 I was a developer on a website that served a million pages per hour using 2 databases, 4 webservers, and associated networking. Most of that hardware was there for automated failover.

fwiw, Stackoverflow runs on a similarly sized/deployed stack.

But that is because Stackoverflow is fine with their employees running a cheap, un-complex system that works (I can't remember the last SO outage!), and their employees are also happy with this.

Others, especially startups? Gotta chase these hipster credentials and use the free AWS/Azure/GCP credits somehow... and the employees don't want boring old school stuff, they want the newest hipster crap that's barely alpha tested, but in production. Utterly ridiculous. Most of them would be fine with three sub-$10k AMD servers and a bit of work by a seasoned Linux sys-admin. But eww. Linux management. Not cool/hip.

But that is because Stackoverflow is fine with their employees running a cheap, un-complex system that works (I can't remember the last SO outage!), and their employees are also happy with this.

Great example!

Far too often we introduce complexity to manage complexity. Then we fail to manage the complexity that we created, and conclude that we need even more complexity!

Taking the simple approach seems impossible and utterly scary. But it works more often than most would believe.

Did that stack include daily traffic analytics hardware?

See https://nickcraver.com/blog/2016/02/17/stack-overflow-the-ar... for an overview of their stack.

They do NOT need a stack of daily traffic analytics hardware. As I said above, remote RPCs take an order of magnitude more resources than function calls. If you are used to using various distributed tools to do analytics, you are used to requiring an order of magnitude more hardware than a simpler solution. And if there are inefficiencies in your solution, it is easy for a second order of magnitude to sneak in. Therefore your experience is going to seriously mislead you about the likely limits of a simpler solution.

Making this concrete, if your job requires a Hadoop cluster of less than 50 machines, odds are good that it could be run just fine on a single machine with a different technology choice. But if you are fully utilizing hundreds of machines in your cluster, then you actually need to be distributed. (Though you could achieve considerable savings for some of your jobs could be run in a more efficient architecture. Amazon in particular makes excellent use of this kind of hybrid architecture in places.)

Google is making excellent decisions for the scale that they operate on. You just are unlikely to operate at a scale that makes their decisions make much sense for you.

For what the hell do you need traffic analytics beyond parsing access logs? Current ad-tech/analytics is a mixture of outright fraud, fraud sold as "AI", fraud sold as "big data", middlemen claiming to solve said fraud, and privacy invasions on a scale that would make the Stasi drool.

Stackoverflow doesn't need this kind of shit and frankly, no one else does. The GDPR was a first start in the right direction and I'm seriously hoping coronavirus has at least one positive side and eliminates those fraudsters who survived the GDPR wave.

Stackoverflow logs every request into SQL Server which uses columnstore tables to handle all their analytics. It's fast, efficient and more than enough.

As someone said, "Scale is the problem (almost) everyone wants and (almost) no one has." Technologies like Kubernetes were developed from managing monster-sized applications like Facebook, Amazon, and Google. Devs really want to play with the cool tech, but unless they work for a FAANG company, the odds are good that not only do they not have those problems now, they will never have those problems.

That's not to say that things like containers are useless. I've seen a lot of benefits from developers working on containerization because it forces them to think about making their code reproducible and automating their development and delivery models. That has huge benefits from a security perspective, even if the end result is that you take the artifacts produced and rsync them onto a remote VM in the datacenter and restart services. There's lots of good to be gained there—I just wish people would quit trying to forklift everything into containers (and thence into the cloud) when they don't have to.

There do exist things that make it sense for even small shops putting their stuff into containers and then small-ish local/bare metal or even cloud k8s environments:

1) automatic restarts of services when they fail: yes, this is possible with systemd but it's a nightmare to set up compared to a simple HEALTHCHECK command in Docker or an appropriate config section in k8s/rancher.

2) dependency chains (e.g. a java app that depends on mysql database and an external elasticsearch): again, this is possible with systemd, but way easier in k8s.

3) hardware/OS maintenance: in ye olde days, the admin would have to manually shut down services, copy data to new servers, start services there and then pray everything would work to prepare for a large-ish OS update or a longer hardware maintenance without having too much downtime (or buy more expensive software versions such as JIRA/Confluence DC). With k8s/rancher, assuming shared NFS storage, it's as easy as draining and cordoning the node, minimal downtime (essentially the time the software needs to stop/start) and no network/firewall/LB surprises along the way.

4) related to 3), in the cloud, assuming that services have horizontal scalability in mind (which most popular PHP environments have), it's relatively easy and straightforward to use autoscaling to save costs on one side but also prevent your site from going belly-up in case of HN/Reddit mentions. With manual deployments? Ouch.

5) Software upgrades or the creation of stage environments are so much easier, assuming well-written Docker images and software. Again let's take JIRA and Confluence - manually installed it's a lot of fumbling around to upgrade an instance, but with Docker? As easy as incrementing the version tag in the k8s config and 5min later it's updated.

I'd agree with all the points you just made. I'd also offer that if one is using public cloud than a lot of the orchestration is already taken care of for you.

I mostly agree – which probably betrays my age – though when the load exceeds one server, you're going to have to orchestrate no matter what: deployment, load balancing, fail-over, system updates. While I'm critical of Kubernetes' complexity, I still think that for some people, having that orchestration handled by a tested layer instead of implementing it from scratch in-house is still going to be a benefit.

After working with and securing large bare-metal and monolithic virtual host environments for way too long, there's got to be a better way to deploy services and update systems than the snowflake hell some monolithic approaches seem to bring.

Perhaps there's a middle way between both worlds that has yet to gain any momentum.

Yeah, if you look at how lightweight VMs are being used, they're being used to run containers, not unikernels.

For orchestration:

Someone else mentioned this in a different comment, but there was very much a link to firecracker in the article.

That - and all the other many tools that you would deploy vms to the public cloud today of which there are numerous production quality options out there.

Lastly, this is precisely the point I was trying to address with the "I'm honestly curious - what are the alternatives?" paragraph.

You could say Lambda is the orchestration layer for Firecracker but it's based on the serverless/FaaS model that's a lot more restrictive than containers.

Oh - I'm not saying that Lambda is what I'd personally choose, although there definitely seems to be quite a few people that do like it.

As mentioned in the article - the base unit of compute on public cloud is the virtual machine so there are quite a few tools out there to deploy those. Some microvm implementations out there won't boot straight off AWS/GCE but many including Nanos do. It takes ~2min to deploy && boot most applications we are running on GCE - AWS is a bit longer (but I could see that changing in the future). Note - in this case you are actually uploading the entire image - if you are just spinning up/down than it's much much faster.

Yeah, I guess it depends on your goals. Some of the unikernel people talk about VMs even smaller/cheaper than a t3.nano that start faster than any cloud can start a VM. Clearly to run such a thing you would need your own orchestration layer. Maybe that's a niche within a niche though.


I think for our general use case we are looking at people with needs that are using vms or containers today (eg: not necessarily those that want plaid speed boot-times). That's not really something we are currently optimizing for. For something like a database there would be no desire to spin up/down so fast. Also, many frameworks with heavy language vms such as JVM or ruby take a long time to boot regardless so trying to run those in a 5-10ms boot-time doesn't make a ton of sense.

Having said that, there most definitely are very very interesting projects like LightVM, http://cnp.neclab.eu/projects/lightvm/ that do target low latency and NFV would be a great use-case for projects like that.

> packaging software alongside all its dependencies in a standalone package that is (to varying degrees) isolated from the underlying host

You mean like vmdk or qcow2 images did for nearly a decade before containers rose?

Check out Kata Containers if you're interested in QEMU with a container interface.

> packaging software alongside all its dependencies

That's why containers are a security disaster.

And they also make it impossible to do system administration with reasonable resources.

No more a disaster than managing multiple VMs that have their own set of installed packages that you need to securely update regularly.

Pardon the ad hominem, but this is mostly marketing FUD from someone with a vested interest in you not using Kubernetes. Kubernetes may not be perfect, but I guarantee you the licenses are a lot cheaper than whatever "NanoVMs" are.

The tone is also very arrogant and condescending. Not a great way to win mind share in this industry.

I had to stop reading after the insinuation that Hacker News comment sections are filled with trash. To the contrary, I find that half of the time the comments sections are more thoughtful and enlightening than the article posted. Very regularly I read the comments first to see if the post is worth diving into.

Yeah, that's where I knew something was wrong. There are some very genuine and useful conversations that happen in the comments at HN. They aren't universally awesome, but when I see something linked, I frequently jump straight to the comments to see the thoughts of the HN users.

I read it and was like: "Blunt words", let's see how long he and his start-up are going to survive in the jungle.

Free and open source. ;)

Fair enough, I shouldn't have made that assumption. It doesn't change the fact that this is marketing from someone trying to sell their own product.

Guilty as charged, although, I would love to see what percentage of HN traffic is someone selling their product. My guess is that it's well over 50%.

I think the three usages of containers often get conflated.

1) Packaging 2) Isolation 3) Secure isolation

Containers have dong a good job of packaging and isolating applications. This is has been a boon to development. Particularly with testing and deploying applications in a more or less consistent state and managing those applications. Note that these benefits have nothing to do with security.

Containers have done a poor job of being secure against malicious actors but that doesn't mean the isolation is useless. From a security point of view you just have to treat it the same as if it was running outside the container(s).

One day we'll hopefully get something better from a security POV but that doesn't mean packaging and isolation are worthless in themselves, even if they don't add any security. The problem comes when people assume containers add more security than they do.

Exactly, this is what has me so confused. The value I get from containers is the series of steps that create the container, not the underlying implementation. I don't really care what substrate the software sits in, be it a unimicronanofirecrackerkernelVM or LXC or a chroot jail, besides security implications of isolation escapes. I just like having a deterministic Dockerfile-like file. If I can keep that, sure, I'll buy into your Containers But Not But Really Cloud Native For Actual schtick and use it, especially if it actually is more secure (I'm sure it very likely is). It's the abstraction and model that makes containers easier to work with, not the implementation.

I find it very irritating and deceptive that the author wildly equivocates between containers and Kubernetes almost every sentence. And it's incredibly condescending that they suggest people buying the container Kool-Aid are simply too young to have done development and operations on regular servers/VMs, "duh!" Or that they're just trying to pad their resumes. No, I've had plenty of years of experience doing that, and I find containers far simpler to develop with, deploy, maintain, and update. And I've never used Kubernetes.

As most others have said, this comes across as extremely patronizing and demeaning marketing FUD from a company so certain that they're obviously right and almost everyone else is mind-numbingly wrong that even if that's actually the case, no one is ever going to believe them; and very justifiably. This is not how you do marketing, or write prose or communicate in general.

> wildly equivocates between containers and Kubernetes

The conflation of containers and K8s is pretty damning. I personally believe k8s is an early realization of orchestration and will be superseded by better ones. Building yet another orchestration system is a cottage industry at the moment and I've noticed that the existence of k8s hasn't impeded it.

And "spin up a linux box" is deeply naive. It is the habit of spinning up linux instances that leave companies and other institutions with huge collections of neglected, mis-configured, vulnerable linux VMs spread all over the planet with 0.1% average utilization.

Developers popularized containers, independent of the cloud or the troubles of operations. Containers solve tough development and packaging problems and have value whether the ultimate deployment abstraction is 'docker' or some microVM system. The most likely use case for whatever microVM product one might imagine is running containers.

* I don't see the conflation of k8s/containers. Many/most? production container users are using kubernetes. Not sure how that is debatable. Mesosphere changed their name to D2IQ and Docker sold off their enterprise arm.

* As for microvms running containers -- in this case Nanos doesn't run Linux so it can't run containers.

Can you point out something that reveals how security is failing in containers today?

The issue here with containers in general is that they break well known security boundaries. This is exacerbated by things like k8s cause it is inherently built to orchestrate many of them and assumes that there is a multi-tenant deployment by default.

Most recently Google themselves wrote about this just a few weeks ago:


but the issues have been present forever:




I've been saying for years that containers are nothing more than an ugly hack to get around the fact that OSes are broken. More specifically modern OSes still carry 1980s assumptions about multi-tenancy, system administration, application management, state management, etc.

In the 1980s a "server" was a big expensive special snowflake. Each server had a "system administrator." The system administrator would "install" software "on" the machine.

I quoted all those words to highlight no longer valid concepts.

Boxes are ephemeral now. Systems have more than one administrator, sometimes belonging to a different organization or department. Applications are not installed "on" the system in the sense that they root into it and modify its state. If they do this makes them a terrible hassle to manage. Applications should be ephemeral things that can float freely between machines and store their state in some kind of distributed or remote data store or database, or at least can be easily migrated between hosts. Everything is mobile. Everything is commodity. Everything is liquid.

OSes are just not designed this way, so we have an ugly hack called a container that basically amounts to "let's tar up images of operating systems and just treat them like giant static binaries." Onto this is bolted a whole array of other ugly hacks to make that easy to deal with, but the concept is fundamentally ugly as hell.

I agree, though I think containers are a very useful incremental approach towards solving the problem. Declare bankruptcy on fixing the current OS, stick it in a tar, and surround it in a new encapsulating system (Docker/k8s) that has isolation/deployment properties closer to what the ideal OS would have. Over time, we can shrink and eventually remove the "old-world OS" in the tar, and develop the new encapsulating system further. We can easily experiment with new features in the encapsulating system without needing to first reinvent everything in the old-world OS. Maybe we'll eventually just shrink the old-world OS out of the picture entirely, or we'll create a brand new purer system in the image of the encapsulating system without the old-world OS involved.

Something that really bugs me about a lot of criticisms of containers is that often you get two groups of people agreeing that containers are bad for opposite reasons: one group is fine with the old-world model, and one group that thinks containers don't go far enough in squeezing out the old-world model and replacing it with something better. It makes me worried that it's very easy for the audience to think the conclusion is "containers bad, old-world plain linux server good", which is detrimental to the second group's goal.

Well said. I see a lot of value in containers as a means of distributing software, but I agree that it's heavier and hackier than it feels like it ought to be.

I recently wrote about this here: https://jonathan.bergknoff.com/journal/run-more-stuff-in-doc...

Not sure why you are getting downvoted here - these all are extremely valid points on why we feel change is necessary.

Things have changed dramatically since the 1970s (Unix) and even since 1991 (Linux) yet we are still using the same constructs.

Those are valid points,

Have you seen or heard of any alternatives? I mean, software getting more and more complicated, maybe even more complicated than necessary, however running apps natively has its own pitfalls (we've all been there). It's like choosing necessary evil and if there is a better way of doing things we should evaluate it and talk louder about it

The only attempts I've seen are advanced package managers for Linux, like the stuff used by NixOS:


Unfortunately these tend to be overly complex and have too steep of a learning curve, and they don't address all the issues.

The closest is probably apps on mobile, but again that doesn't address all the issues and comes with a whole set of restrictions that are very problematic outside small single-user devices.

I'd say NixOS probably is not the right entry point if you are looking for a softer learning experience. NixOS is built on top of Nixpkgs package manager, which itself could be thought of as a side-effect of Nix - the DSL and a runtime for building software from source in a reproducible manner. If you start by learning how to employ Nix-the-build-tool in your daily software development practices, you will be amazed how little you need to learn in order to be productive with it, because there's essentially just one new concept - a derivation [1], the rest are just community-driven infrastructure and utility methods on top of it.

[1] https://nixos.org/nixos/nix-pills/our-first-derivation.html#...

Have you seen project atomic?


Seems like it would align pretty well with your vision

What is your proposed solution?

Everything needs to be namespaced and there needs to be a scalable and robust model for sharing resources.

Containers do the first part but not the second. Classical OSes do the second part but not the first.

Here's what I would do if I were working on this problem:

(1) Shared libraries can be linked by name and version constraints or by specific cryptographic hash of the library. The former uses some kind of name resolution system to get a cryptographic hash from that name and version constraint. This is not terribly unlike NPM or modern Go module versioning. It would allow sharing of resources without security or "DLL hell" type issues. The OS lazily grabs libraries by cryptographic hash off a configurable list of sources that could include URLs, IPFS, BitTorrent, peers on the same LAN, etc. (1) Could also perhaps be extended to include binaries, but this would require more thought.

(2) Kill the concept of installing software "on" a machine, but in a finer grained way than containers. Segment applications and services the way users are segmented: each app or service has a home directory and a UID/GID. Get rid of /bin, /usr/bin, etc. in favor of some system infrastructure for finding binaries where they live. MacOS has some of these things but isn't consistent about them.

(3) Lock down the system a lot harder in terms of different users being able to see anything outside things they own. For example a user should not be able to "find /" at all. This would be similar to containers but a little simpler.

(4) Extend namespacing and user/group ownership to network identifiers like IP addresses and other things. I think you could do this with existing cgroups plus some user land support.

(5) Get rid of system level service management (except for truly system level services) in favor of per-user services. Each user can run their own services/daemons that bind to IPs/ports in their own namespace.

(6) Kill 'root' in favor of a hierarchical administrative permission system. This may require some new stuff in the kernel or maybe cgroups could be leveraged to implement it.

(7) Kill privileged ports. This stupid restriction is utterly antequated and serves no purpose on modern systems or networks, and it makes a ton of stuff needlessly insecure and complex by mandating 'root' to e.g. bind port 80. I wrote a rant on this years ago: http://adamierymenko.com/ports.html

(8) Implement process hibernate/restore and migration as a standard feature in the kernel (if it's not somewhere in there already... not sure). That way the 'box' can be rendered absolutely ephemeral and entire runtimes can be hot migrated between boxes.

(9) Replace numeric UID/GIDs with GUIDs or even better hashes of public keys to allow some transparent tie-in to some kind of IAM infrastructure. It's possible that this could be done by having a local mapping to numeric UIDs/GIDs to avoid having to recompile the universe and refactor code that expects UID/GID to fit in 'int' or 'long'. This way a user can log into any machine anywhere and still be the same user and all that UID/GID synchronization or LDAP or whatever trash can die.

I think that would be a start.

Some of these concepts have shown up in various places: MacOS, iOS, Android, Mosix/OpenMosix, Beowulf, various container virtualization stacks, etc. I have never seen them in one place or integrated nicely.

> Shared libraries can be linked by name and version constraints

"Grab random libraries and never update them again" leads to the same security disaster of containers.

It's crucial to have large communities AKA Linux distributions that ensure that a set of libraries at given versions work well together and receive security backports!

3, 4, 5, 6, 8: you just described seccomp, symlinks, and tools the already exists.

The problem here is not about technology. Doing better packaging and modularization was possible for decades but goes against some commercial interests.

The problem there is that we've never figured out how to make it scale. Right now everyone builds everything static or as a container because if you depend on anything upstream it will break and then you will be held responsible for fixing it. Communities don't scale, and the Apple/Google alternative of closed app stores are... closed... and also tend to suck.

Making shared libraries and other upstream dependencies actually scale is an open problem in practical computer science / systems engineering.

The fact that commercial interests often have a vested interest in things sucking is a problem all over the place.

5) Systemd support this, though common services may not be configured for this by default.

K8 specifically might not be the future, but containers are the past (chroot) present (docker) and future. Sure, containers are a hacky shell script... but a hacky shell script that always runs the same way. I put in my time chasing down RPM dependencies, and debugging weird behavior because of a different version of some shared library I previously didn't know existed. I think the arguments presented here are focusing on implementation details, while the higher level picture is that containers-the-concept save a TON of developer (and devops) time and pain.

> debugging weird behavior because of a different version of some shared library I previously didn't know existed.

Containers don't solve that issue, they simply allow you to ignore it. Not having to struggle to keep up with dependencies is the other side of the "containers are a security nightmare" coin.

I once returned to a company after several years of being away. Of course nobody had bothered to update the dependencies in the old build. When I was working to fix and update the old build somebody informed me that the problem had already been "solved" by another team, and directed to me speak with that team's lead.

They managed to get a new build with slightly updated dependencies working inside a container. They showed me the new build inside the Docker container. I asked some questions, they fumbled around to do a demonstration. It was clear that they hadn't solved anything. Instead of one problem, we now had two problems, as the new build environment couldn't be updated any easier than the old one.

But it simply can't be denied that productivity will usually win over X, where X is security, technical debt minimization, etc. And the improved productivity comes from unlinking dependencies, particularly process dependencies more than actual software dependencies.

I still prefer to package and bundle my projects, open source or internally, using RPM and Deb, or just the classic `make install prefix=/usr/local/foo` (support for the latter, with traditional GNU Make targets[1] and variables[2], makes building RPM and Deb infinitely easier). I know people will end up installing my projects into containers, but it's necessary all the same to ensure it's easier to keep those containers up-to-date.

[1] https://www.gnu.org/software/make/manual/html_node/Standard-...

[2] https://www.gnu.org/software/make/manual/html_node/Directory...

I haven't delved that deep into containerland but to me, it seems the main downside of using k8s is the complexity of set up and maintenance.

I'm not sure what's stopping people from developing tools to make the whole containerization process invisible to developers who don't need that much control. I'm sure stuff like that already exists/is being worked on, and I don't know why it shouldn't work.

The thing is that k8s != containers. I’ve been using containers for years, but I don’t use k8s in any of my current projects (although that might change at some point)

That’s why I had to stop reading this article. They repeatedly conflate k8s with containers. From the users perspective, one is an extraordinarily complex orchestration framework, and the other is an incredibly simple packaging system.

It’s a classic leaky abstraction, you will need that control at some point. And I say that as a heavy user of Docker and lighter user of Kubernetes.

The article is arguing for super lightweight VMs that (I assume) would have the same build-once, run-the-same abilities as containers. Considering at my work we have hardware run VMs which contain clusters, I can certainly see the use case for removing one of these abstraction layers. I agree that containers were a step forward, and that the idea of run-the-same is a huge advancement, but I think we can get that feature from VMs just the same as containers, as soon as the infrastructure around developing unikernels / "nanoVMs" is as simple as Docker.

The company I work at started with the idea that we would build an orchestration system for Unikernels. Very much in the same space as the NanoVMs folks. I totally applaud their work. We took a different path once our small team worked with unikernels for a bit (mostly OSv). During the early days we noticed that the unikernel landscape had technical shortcomings that would take an incredible amount of engineering effort to overcome and we found convincing users to trade Linux for a (mostly but not totally) compatible unikernel based system was an insurmountable hurdle. It was a fun experiment but, after timeboxing our work and taking stock of the landscape, we fell back to one of our original sentiments: A stripped down Linux is actually a pretty good substitute for a Unikernel for most applications (emphisis on "most).

We ended up pivoting to running a lightweight linux, based on Alpine and orchestrating everything using Kubernetes and Virtual Kubelet [1]. Shameless Plug! Pods are isolated on their own virtual machines that are booted for the pod, the underlying OS is rock solid and gives users all the great tools, bells and whistles you'd expect from a linux based system. Fewer surprises, easier development. We actually open sourced the system today.

[1] https://github.com/elotl/kip

Great intel from on the ground. The story arc makes total sense. I also have starry eyes for orchestrated unikernels, but otoh linux is so configurable scaling down the kernel also seems very reasonable. How do the boot times compare? To me, the unikernel's chief appeal is that it could potentially start up in about the same amount of time it takes to load a native binary. Thanks for sharing.

On bare-metal boot times are drastically different. OSv was sub-second while our Alpine images were 3-5 seconds depending on what services we needed. However, we were focused on running our system on cloud VMs, not bare-metal. In the cloud you can't get a VM to start booting in less than 20-30s so that order of magnitude difference turned into, at most a 10% difference in boot times.

In 2017 we measured the restart time in of our unikernel images in AWS to be 22 seconds, all that time was waiting for Zen (2017... no KVM yet) to get around to getting to the place where we could run our image. So for our use case, the boot time didn't actually matter, it was far overshadowed by everything else happening under the hood.

I should say: Unikernels do have their advantages and should be used in areas that can exploit those advantages: Fast boot, low attack surface, way better performance for some workloads. We had trouble finding the specialized customers in the cloud that needed any of a unikernel's positives so badly that they would take on a unikernel's shortcomings.

The tone of this article is very condescending, it contains a lot of absolute statements and most of its reasoning is done by linking somewhere else.

This reads like a marketing piece ("CEO at NanoVMs") by someone who is betting on the frustration of Developers and Operators with the pace at which "DevOps tech" is moving.

Maybe MicroVMs are the future (whatever that means) but this is not the way to push it.

I wrote a satirical blog post on Docker/k8s in 2015 [1]. At the time, I actually felt docker was the future, but it became clear over the next few years that it was too much. The complexity of docker /infra/devops is overwhelming, and something much much simpler is clearly needed.

I don't know if Dark (my startup trying to solve this) is going to take over, but it's pretty clear that the current complexity is unsustainable.

This goes double if recession/layoffs/etc is happening due to COVID. People are going to need to spend a lot less on engineering, and the amount being spent on engineers that maintain infra is an obvious starting point. I would expect people to switch to much simpler infrastructures, and reduce the complexities of their stacks by necessity.

[1] https://circleci.com/blog/its-the-future/

>The complexity of docker /infra/devops is overwhelming, and something much much simpler is clearly needed.

I'm very disappointed with the fact that now one cares about simplicity nowadays. Everyone gets excited by k8s, then gets excited about tools around it (k3s, kops, helm, etc, etc) but no one understands that those are incredible complex tools with high cognitive overload.

This is 2020. Why do I have to think about 'containers' and 'nodes', why do I have to wait 30 mins while my pipeline will build image and trigger k8s to redeploy the things, why do I have bother with tons of YAML?

10 years back we've got Heroku and surprizingly no one tries to disrupt the space of infrastructure simplifying then. Everyone just tries to get things more and more complex.

The Dark ecosystem is perfect example of what backend should be. I don't agree that we need new language though, but at least Dark tries to solve complexity. While others just bring more and more leaky abstractions to the table.

Even your comment doesn't received any response. Why? People don't like to get they code just to work without all the infrastructure burden? I really really don't get it.

Be careful. The whole point of Docker/k8s was to simplify operational complexity - and to that end it's done a great job. Yes k8s has complexity, but it's a known and knowable complexity vs. the unknown complexities of the processes of yore.

Does that mean there can't be improvements? Of course not. If you're working on simplifying things even further then great. But I'm concerned with your ability to execute if you believe Docker/k8s have made things more complicated because that signals to me you may not realize where the complexities lie.

Meanwhile I'd love to hear about your ideas to make things less complex.

> Yes k8s has complexity, but it's a known and knowable complexity vs. the unknown complexities of the processes of yore.

TL;DR -> I see what you are saying, but there are methods to make your infrastructure consistent and keep the manual drift away that do not require k8s-level complexity. Both for monoliths and microservices.

Because we talk of the processes of yore, I will use a simple application architecture in the form of a web site that clients access that CNAMEs to a load balancer.

The load balancer distributes traffic to web servers, which each make back-end connections to a database.

This could also be load balancer to hosts that just run single-host instances of docker CE/EE as well - microservices can be done through this setup as well. If they are designed correctly, they shouldn't "need" to all be in one cluster, after all, these are durable microservices, not sharded bits of a monolith, right? :)

You have 4 basic tools, which with not a lot of thought can be used as a foundational platform for many, many workloads.

Aside from your codebase, you have the following (and/or their competitors)

Hashicorp Terraform

JetBrains TeamCity

Octopus Deploy

With a build server, a deployment platform, and a configuration management platform, you can get 98% of 'web scale' (all the scale you are really gonna get + plenty of runway for all but the FAANGs among us) for WAY less daily cognitive load. This applies to the DevOps team, the developers, the support cannon fodder (note if this is too true, and you are in leadership - please help this by empowering your cannon fodder), the DBAs, all of 'em.

1. Programmers check in their code to source

2. TeamCity runs unit/integration/regression tests. Pass? Publish to nuget feed for Octopus

3. Terraform sets up automated DB, web server, load balancer infrastructure for the servers, configured for whatever your company's definition of 'production server' is

4. Octopus deploy takes the newest build artifact from TC nuget package and deploys it to those servers.

In the above process, if you need to scale up:

1. modify the count of web servers in terraform

2. Terraform apply

3. wait for TF to complete its provisioning of new servers

4. wait for Octopus to recognize the new servers as deployment targets for your code (in this scenario, you write TF such that it will install the Octopus agent and set deployment target)

5. Deploy your code to the new servers

6. Have Terraform reconfigure the load balancer to expect these web servers to work but start in a disabled state

7. the load balancer will detect they are now passing health checks, enable them, and poof, they are serving traffic.

You have infrastructure as code, you have CICD, you have scalability for miles, and not a docker registry, helm chart, istio policy, or rancher needed. Best of all, your helpdesk, intern developers, even non-tech managers can cognitively follow the process.

Need to patch? Cattle, not pets says:

1. Terraform: reconfigure load balancer to drain connections on the boxes to patch

2. Terraform: reconfigure lb to remove from LB when done

3. Terraform: destroy the boxes

4. Terraform: spin me up same number of new boxes. Using packer or a fresh AMI, the new box will be patched, then have TF set configs, install etc. as done with the original boxes

5. Octopus: deploy code to all known web servers

6. TF: add boxes to load balancer

PS: sorry this grew into a wannabe blog post with handwave set to maximum.

There's a good reason I start reading articles and papers from the end to the beginning.

"Conclusion Containers are clearly not the future. You will eventually need to migrate completely off of containers and kubernetes and we are here to help."

While this does not negate the core idea, it summarizes the motivation and bias behind the arguments.

Operating systems abstract resources.*

Unixes got the abstraction boundary not-quite-right, by excluding networking and filesystems from the concept of process.

Containers are a correction to this.

i.e. not quite as catchy, but:

"Containers: the present is what the past should have been."

* Windows abstract screens, Files abstract storage Sockets abstract connections, Threads abstract CPUs, etc.

Maybe so, but somehow containers aren't really there yet. As a trivial example, when I 'lsof' a container process (as root), it often cannot "see" all of the information about the process' open files, apparently because they're mapped into a different chroot, or because of other cgroups/namespace issues.

This is one of a number of issues that make containers hard to deal with.

(We also see an issue where containers interact badly with the OOM killer, leading the entire system to hang because /proc/*/cmdline cannot be read at all.)

The failure of userland tools (such as lsof) to correctly show work with containers is unfortunate, but this is partly an artifact of the Linux kernel's somewhat ramshackle approach to containerization.

The kernel doesn't have a concept of containers, but rather of kernel namespaces. For example, it's possible for a process to create a new namespace that is the same as that of a default process, except with a new file system namespace — i.e., a chroot.

Hopefully we'll see these tools updated to better understand kernel namespaces. In the meantime, if you need to interact with containers, use the nsenter [1] tool. For example, it allows you to enter the same PID namespace as the container, but still use the host file system.

For example, run to lsof against a container's PID 1 (corresponding to the host PID 1234):

$ nsenter -p 1234 lsof -p 1

[1] http://man7.org/linux/man-pages/man1/nsenter.1.html

They work for google, however there just arent many companies with the resources of google.

If you had a small army of SRE and seriously senior devs / devops you could easily manage containers.

If you are just stuck on running containers and k8s I suggest you leverage their resources and get to GKE

But then releasing k8s might just have been the plan to get people into GKE instead of AWS

Who am I to speculate on googles marketing acumen ?

Which OS did? From memory this sounds like Plan9.

I think this is largely correct, but I think we have to add that POSIX is not the future either. The model of process isolation and shared resources that is built in to the POSIX model is just too hard to get right.

I think the post-POSIX world will have to look somewhat like the IOS model of isolation, something like the NIX level of packaging, and something like the Docker model of running. A shared filesystem where certain information is held in certain locations in the filesystem is just a nightmare to manage, but it is currently not possible to replace it.

> The model of process isolation and shared resources that is built in to the POSIX model is just too hard to get right.

isn't that the basis of like, every modern operating system? Haven't we been working on getting it right since the '70s?

Would love to see the world evolve past POSIX.

Unfortunately, that's where we drew the line on "startup innovation tokens" - maybe round 2. :)

This phrase from the article "Resume Driven Development" is 100% true where I work.

It's true at a lot of places.

I know one developer who is obviously planning to go to Amazon because every single application he works on immediately starts with looking at which AWS services he can glue together. I'm to the point where I want to create and AWS bingo card and when hes on a conference call, pass it around to see if anyone wins by the time he describes some solution set.

"Well I'm starting with [AWS service here] but it doesn't support [major, normally functional breaking requirement], so I'll use [this crazy set of JS NPM packages] to do the work in between"

Wish people would develop solutions, not resumes.

Containers have uses, but yes if you expect them to be secure, you're in for a big surprise.

And last time I checked Kubernetes basically washes its hands of the problem, and maybe makes it worse by adding layers that obscure the security properties.

I worked on a Kube-like project from 2010-2015 and I was definitely horrified by the state of containers in the Linux kernel. Security is basically what made me give up on the project.

You can run containers in userspace, use app armor, etc and you get better security. Aside from maybe one or two major security exploits, what issues have you want into?

I'm not so sure that unikernels are the way forward. And in general, angry rants about technologies from the CEO of a company entirely devoted to some competing technology is generally best taken with a large grain of salt.

Undoubtedly there are risks to having the flexibility that a full OS provides, but the benefits to troubleshooting, incident-response, resource-sharing, and just plain operational flexibility are huge. Until there's a good story for managing unikernel-based microVMs at scale, they aren't going to make a dent in container-world.

I suspect the path we'll actually see pursued is more along the lines of Bottlerocket (https://github.com/bottlerocket-os/bottlerocket), which is basically the Linux kernel plus a containerd API that works with Kubernetes but doesn't expose nearly as much surface area.

Nothing in software is ever "the future." How many things change as fast as software technology? For many of us not concerned with "building our brands" through "resume driven development", but instead focused on enabling rapid and reliable production deployments containers and orchestration have improved our results. Obviously this will not remain the dominant paradigm forever. The next thing may be an evolution of it, or it may be a take in a different direction that leaves kubernetes a dusty and unused side-branch in history. Wouldn't be the first time. Regardless of how likely that is, or what the drivers of the eventual result are, I am not sure what the author wishes people to have done instead of employing containers? Should we have just kept on installing dependencies and services onto VMs while awaiting the one true new thing that would last forever?

Containers are like front-end frameworks: they are great tools to have, and solve certain problems better than the previous options, but there is a tendency among advocates to assume they are the only tool in the toolbox.

> If their own developer evangelists are going to conferences and calling the software a "clusterfuck" why on earth would you bring this clusterfuck into your organization?

Most software sold to large organizations are tire fires/clusterfucks, Kris is just saying up front that complex software is hard.

Everyone knows reasonably complex software tends to be a clusterfuck -- if you're making purchasing decisions based on a vendor telling you their software does all these things and it's a perfectly engineered masterpiece then ...

thanks jcastro - if anything here is a clusterfuck it was this bro's article - If you actually watch my talks you will see that I love Kubernetes and just want to get people ready and excited about new technologies. The word clusterfuck is just funny to say...

Security-as-a-second-thought also doomed Java Applets and Flash. If Cloudville doesn't focus heavily on security, it's doomed. History has given you at least 3 lessons.

I feel this was a bit scattershot, more about Kubernetes than containers per se.

Kubernetes isn't directly responsible for the sins of container runtimes and vice versa. Lightweight VMs solve some of these and I don't think it's controversial at this point to say so.

I may have reservations about the design of Kubernetes but I don't need self-serving conspiracy amongst the designers to hold those reservations.

Disclosure: I work for VMware, we do a fair amount of Kubernetes stuff, including lightweight VMs.

Are we not able to have polite discourse anymore? Sheesh..

Container orchestration is not the first silver bullet that has grown a large following that makes money off of it, whether reasonable or not. I do have a question though. Say you have a bunch of microvms processing your workload or serving dynamic pages. How are you going to manage your fleet of MicroVMs? Would you perhaps write a microvm orchestrator of some sort?

Got a huge kick out of the first comment on the linked page:

> You know what you call a "micro-VM that's purpose-built to run one application" if you're a Unix person?

> A process.

> And now we've come full circle. Everything old is new again!

> Are we not able to have polite discourse anymore?

It's not impolite to point out impoliteness.

For everyone asking about a "microvm orchestrator" - the implication here is that the public cloud (where the vast majority of people reading this will be deploying too) is the orchestrator.

Public cloud like AWS and GCP does all the networking, volume management and everything else for you - for free. That's arguably one of the reasons for using it in the first place. There is no need to put something on top. That's kinda the whole point here.

People abandoned Packer+Terraform style workflows in favor of containers. Why? Why change back?

I think there are few thoughts here.

a) I don't necessarily agree with that statement - witness HashiCorp's recent raise:

https://www.sdxcentral.com/articles/news/hashicorp-scores- 175m-funding-round-5b-valuation/2020/03/

b) The vast majority of container users run their workloads on public clouds like AWS and GCP which run on top of virtual machines to begin with.

I'm not stating you need to use terraform (I definitely don't) - what I'm saying is that you can use the underlying orchestration provided by the cloud of choice - be it the networking or the volumes. There's no need to replicate that on top as container workloads do. When people who speak of kubernetes/container complexity - this is what they are complaining about.

If you look at a lot of the configuration mgmt software out there - chef/puppet/ansible/salt/terraform/etc. it all involves configuring a linux system whereas with unikernels it's literally just one application and instead of having to plumb your network together or ensure that your workloads or 'stateless' vs 'stateful' you just use the underlying cloud facilities. That's the magic. It actively removes complexity from the provisioning.

Doesn't that just make it an Operating System?

I think this thought is extremely on point.

A lot of older unix abstractions have been heavily broken when we all started running tens, hundreds, or thousands of vms on the public cloud. Users are relegated to IAM. Most databases can't even fit on a single server. Many webapps are load balanced to begin with.

The classic monolithic 'server' named Mars or Jupiter outgrew itself cause we all were consuming so much software. So part of what we are asking here is why do we have 2 layers of linux? We have the underlying one for the hypervisor but all these legacy abstractions are still present in the guest.

Because hardware is easier to safely and completely virtualise. It's a relatively small surface compared to the entire OS API.

I'm confused why the author keeps associating containers with total insecurity. Docker's approach to whitelisting access to the filesystem has been great in my experience. I've managed classic multi-tenant Linux servers before, and I've pretty much always found lots of examples of services having read or even write access to each other's files unnecessarily. Docker's strong whitelisting-based approach to filesystem access seems so much more ideal.

In the video of someone breaking into a Kubernetes cluster, they start off with restricted kubectl access. Okay, so restricted kubectl access isn't a strong security boundary. I don't think it's a big deal to a lot of people's use-cases. I didn't know it was a feature; the lack of a strong feature like that is only a dealbreaker to certain kinds of setups. It doesn't seem necessary for sandboxing different services apart from each other; it's for giving different sysadmins/developers access to deploying to different parts of the cluster. I'm going to make a wild guess that the issue isn't core to and unfixable in Kubernetes, because the person in the video shows a way to plug the issue. Summarizing this as calling Kubernetes security a clusterfuck is way over the top.

I could believe that the author's NanoVM project is even better at security out of the box, but I find the way they present the argument as overblown, and they don't introduce NanoVM for comparison until the end, so I think the arguments are doubly misleading because most people are going to be comparing containers to the classic plain multi-tenant Linux server model, and Docker and Kubernetes seem like at least an improvement to that in security.

"CEO at NanoVMs"


CEO of Redmeat corp says that Soja isn't the future.

Eh, hard to care when Docker works well for what I need it to. I'll stick with containers until something significantly better comes along.

Ehh if microvms are the future, we are going to need software to schedule and orchestrate them across large clusters. Software with this capability happens to already exist and it’s called Kubernetes.

I feel as though the author is only thinking about Kubernetes as an application platform. However, you can build platforms on top of Kubernetes (knative, Istio, etc) which solve many of the issues the author has brought up.

Some truths in there...but unfortunately drowned out by the FUD marketing spiel

I agree with the article entirely. Just the other day/week I was down voted for lamenting K8s and pointing out how dumb it is.

When I saw and read about unikernels a few years ago I knew they'd be the future. I've explained several times in the past: why did we create containers instead of working hard to make VMs better, lighter, faster? Now the time has come.

K8s will be dead in 3-4 years.

I used to be a die-hard advocate of containers, back when they were Solaris Zones. They could destroy the performance of Xen VMs (and I wrote posts explaining the technical reasons why.) But a lot of things changed with HW hypervisors, with the leaders nowadays being Amazon Nitro and Firecracker.

It's something the article doesn't address. Containers used to be a slam dunk, so I'm not sure I'd say that we were wrong _at the time_. But HW hypervisors evolved, so now I can see HW hypervisors like Nitro and Firecracker being compelling for some* workloads (e.g., to give the end user a dedicated kernel where they can do anything, including run any BPF program, run PGO kernels, etc.)

* I'm not sure yet whether it's "some" or "most".

It’s almost as if there’s multiple solutions for multiple problems.

Containers are just a solution to a problem. I’ve been around long enough to know that containers aren’t novel either.

Novelty is the future. It always is.

The biggest reason I have to concern myself with deployments nowadays is to quickly spin up local projects. So far, nothing has offered me the speed of docker-compose to achieve that.

Sure, I can take a look at these microvms, but if they're not as convenient to run multiple projects simultaneously—I'm a freelancer and have my own hobby projects—then I see no reason to switch.

After all, I used to use vagrant, but spinning out containers is so much faster.

Unrelated to the content of this post, but look at how terrible Linked in is:


Scrolling pushes state to your history, and it's so poorly done that hitting back doesn't even restore previous scroll positions (I'm assuming that was the intent).

And yet, you could probably with a bit of work swap out the container runtime for a VM manager in Kubernetes and most users wouldn't even notice.

This article is enthusiastically declaring that the CEO of NanoVMs doesn't understand the audience he is addressing.

Containers were never meant to be "secure" and Kubernetes has nothing to do with security in general. Application level containerization solves 3 problems: 1- repeatable builds 2- software distribution 3- infrastructure mutability

Docker solves brilliantly all these problems: we can build software in controlled environments that we call images and the product is an image itself, that we can share by means of software catalogs called registries and that we can deploy the same way we can play CDs in a computer, without modifying the host system. Security was never meant to be a concern, it was never part of the plan, at least no more than running a process in an operating system. And containment systems are just a smart way to launch a process, that's it. They can't replace security functionalities beyond what is already provided by host OS.

Is this a fault? Would you blame a hammer for not being able to unscrew a cork?

NanoVMs CEO spends some time also making fun of "stripped down systems", accusing them of recklessly "ripping out components of a system that simply don't belong in the virtualized world of 2020", namely users, SSH logins and desktops. Again, there is a big misunderstanding here. Linux processes expect some facilities to be present at runtime, namely system calls to retrieve Process IDs and user IDs. But these facilities were merely retrofitted in containment systems to avoid processes crash upon syscall invocations. As all retrofitted functionalities, their implementation is barely beyond the dummy level. Therefore, we have PID 1 everywhere, no SSH logins and dummy users.

Now, Kubernetes. K8s is just a scheduler, an orchestrator. It has nothing to do with security, it is mainly concerned with resource optimal usage and container placement. And it is a fundamental component in microservice world, otherwise we would be paralized by operations at each deployment. "You spin up a linux box and call it a day - done". Seriously? Is this really the whole understanding of the world of operations? I've been in ops for 12 years and I'd never want to go back to the old bad days of 2008, where most of us managed an handful of servers and services and, yet, datacenter ops were at one with deployment ops. That was the very world of manual and error prone ops. Orchestration has been a bliss but requires a unit of scheduling. A container, in this case. But it may be a VM as well.

So, the saddest thing here is that NanoVMs could be a perfect replacement for containers while retaining the benefits of orchestration (as in Kubevirt, for example), but the CEO prefers to throw away the dirty water along with the baby for marketing hype.

The CEO from a VM oriented Start-up says that Container are not the future..

There is no way to go back to VM deployment and management. I used to be openstack wizard, proxmox ninja and kvm/vagrant contributor and I cannot really think about giving up my whole container orchestration (ci, deploy, update, introspection , monitoring, you name it) to use back VMs.. I'm 40, doing sysadmin since 2002 and computer scientist since 2006.

Why should I click the LinkedIn URL to read a tech article?

There is no way to secure k8s. Really now. REALLY NOW.

Care to expand ?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact