December 1, 2016

Containers and Virtual Machines: A Dynamic Duo

Brandon Philips, CTO of CoreOS, on stage at LinuxCon Europe talking about VM security and container workflows.

It's easy to think of containers and VMs as a binary choice -- deciding whether to use a VM or a container (not both) for your use case. In his keynote at LinuxCon Europe, Brandon Philips, CTO at CoreOS, talked about a case study for using VMs and containers together to take advantage of the strengths of both.

CoreOS runs a container registry called Quay (Quay.io is the hosted service), which uses a combination of VMs and containers. It is used by large organizations such as JPL, eBay, and Hotels.com, but you can also sign up with your GitHub account to try it out yourself. The goal for Quay is a system that people can trust: audit logs and security scanning provide confidence that only the people who should have access to each container image actually have it. There are also options to inspect the layers of a container image and send notifications if an image contains potential vulnerabilities.

Because Quay.io is a SaaS product, it has to handle code from many different people, with security controls in place so that each user can only reach their own code. At the same time, the container market is growing rapidly, so the system also had to scale as container adoption continues to take off, to avoid rebuilding everything again in 12 months.

Philips describes how Quay uses containers and VMs together by putting the VM inside a container, so that the container's resource isolation wraps the virtual machine. This lets you specify exactly how much CPU, memory, and network bandwidth is available to the VM, while the VM boundary provides the stronger isolation around the workload itself. "That's how we use containers and virtual machines together. We use the isolation mechanisms of VMs and the resource isolation of the container."

Quay has been around for a while, but it now uses a new approach to improve both security and performance. Instead of running each build on its own EC2 instance, Quay runs virtual machines inside containers managed by Kubernetes. The model is similar to the previous one, but a single KVM instance running inside a container replaces the single EC2 instance. This gives users faster builds, and CoreOS makes more efficient use of its capital, because it can buy bigger and faster machines for the builds. By moving off EC2 onto Packet, running a Kubernetes cluster, and making other optimizations, they have brought build startup times down to about 15 seconds, an 80% improvement.
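The arrangement described above, a cgroup-limited container wrapping a KVM guest, one such container per build, scheduled by Kubernetes, can be written down as a Pod manifest. The following is an added example, not CoreOS's or Quay's own configuration; the pod name, image name, disk path, and the particular CPU, memory, and bandwidth figures are assumptions chosen for illustration.

```yaml
# Added example: one KVM guest per Pod, with the container's cgroup limits
# bounding the VM's CPU, memory, and network use. Names and numbers are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: build-vm-0                      # hypothetical pod name
  labels:
    app: build-vm
  annotations:
    # Per-pod bandwidth caps. These annotations are honoured only when the
    # CNI "bandwidth" plugin is enabled on the nodes (assumption about the cluster).
    kubernetes.io/ingress-bandwidth: 100M
    kubernetes.io/egress-bandwidth: 100M
spec:
  restartPolicy: Never                  # a build VM runs once and is discarded
  containers:
  - name: kvm
    # hypothetical image that contains qemu-system-x86_64
    image: registry.example.com/build-vm-runner:latest
    command:
    - qemu-system-x86_64
    - -enable-kvm                       # hardware virtualisation via /dev/kvm
    - -nographic
    - -smp
    - "2"                               # guest vCPUs, matched to the cpu limit below
    - -m
    - "4096"                            # guest RAM in MiB, below the memory limit
    - -drive
    - file=/images/builder.qcow2,format=qcow2,if=virtio   # hypothetical disk image
    resources:
      # requests == limits puts the pod in the Guaranteed QoS class and makes
      # the cgroup limits exactly the VM's share of the node.
      requests:
        cpu: "2"
        memory: 4608Mi
      limits:
        cpu: "2"
        memory: 4608Mi                  # 512Mi headroom for QEMU itself
    securityContext:
      privileged: false                 # the container needs /dev/kvm, not root on the host
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: kvm
      mountPath: /dev/kvm
    - name: images
      mountPath: /images
  volumes:
  - name: kvm
    hostPath:
      path: /dev/kvm
      type: CharDevice
  - name: images
    emptyDir: {}                        # scratch space for the build's disk image
```

Two caveats a practitioner should check before relying on this. First, whether a hostPath character device is actually openable from inside a non-privileged container depends on the container runtime's handling of the devices cgroup; if the QEMU process fails to open /dev/kvm, the device has to be exposed through a device plugin or the runtime's device allowlist rather than by flipping `privileged` to true. Second, the memory limit applies to the QEMU process, so a guest that pushes the process past the limit is OOM-killed as a whole, which terminates the VM; the headroom above the guest's `-m` value is what keeps ordinary QEMU overhead from triggering that.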

Philips has a couple of takeaways:

  • For open source projects, Quay is a free hosted service.
  • You can pair it with Clair, another open source project, to scan those container images for known vulnerabilities.
  • Join them at their conference in New York City in December to learn more.

For more details about using containers and VMs together, and how they’ve done this with Quay, watch the keynote video below.
