Evaluating Docker for Secure and Scalable Private Cloud with Container Technologies

The ongoing collaboration with the Maritime Division of the Defence Science and Technology Group (DST) has resulted in another very useful piece of work that we are very glad to share through this blog. We have been conducting a series of Research and Development (R&D) projects with the same group in the Maritime Division of DST to evaluate technological solutions for building secure and scalable private clouds for mission-critical systems. Given the increasing adoption of containerised solutions, our collaborators were interested in evaluating Docker for a secure and scalable private cloud – that is, both security and scalability are the key quality attributes for their domain. Ben Ramsey from my team led this work, which has resulted in a detailed technical report. We believe that this technical report will be very useful for anyone interested in the security and scalability aspects of container technologies like Docker when used for building a private cloud infrastructure. The report is titled Evaluating Docker for Secure and Scalable Private Cloud with Container Technologies, and its abstract is reproduced from the report below:

“This is the third volume of a set of reports describing different aspects of a collaborative project with the Defence Science and Technology Group (DST Group), Maritime Division. The project investigated secure and scalable private clouds focussing on container virtualisation.

In the previous two volumes, we have reported the details and results of our study of security of container technologies, when deployed on a cloud and when used in isolation. Since security is considered one of the biggest barriers to adoption of container technologies in enterprise environments, it is important to experimentally study and thoroughly understand the security aspects of container technologies. Software developers are increasingly adopting containers because of their better usability and performance compared with the traditional virtual machines that are launched by a type-1/2 hypervisor.

Whilst security is a major deciding factor in the usage of container technologies, it is equally important to consider other architectural characteristics when evaluating container technologies. In this volume of the project report, we also report the performance and usability characteristics of each of the studied container technologies. In our performance evaluation, we have used several different measurements of performance for each of the container technologies compared with the processes running on the Host OS, and inside a full KVM virtual instance. For the usability study, we evaluated all of the container technologies using the two primary use cases: the systems administrator, and the containerised application developer. Each of these use cases was evaluated based on the experience of the research team with the container technologies used for this project.

During the performance review, we had to heavily customise the benchmarks from sources for making them work in our environment. For example, the start-up latency benchmark was based on an evaluation of Kubernetes, and Docker Swarm. The changes needed to be made to work with the container technologies themselves. Another challenge was that in some benchmarks the rkt-kvm image was unable to be used, and the KVM image needed to be changed significantly for this to work, e.g., network bandwidth tests.

Our primary finding from performance analysis is that each of the studied container technologies performed better than the KVM-based virtual machine; however, each of them also has strengths and weaknesses on different metrics. The usability is dependent on the role of the primary users of a system and the components to be used. In terms of performance evaluation of the container technologies, further work is needed for performing benchmarks that are based on practical use cases rather than performing a theoretical evaluation, which measures the performance of the technologies under an environment set up for benchmarking. A practical use-case-based evaluation is expected to provide a more complete picture of the strengths and weaknesses of each of the technologies in terms of performance. The usability evaluation of the studied container technologies can be extended by involving people, other than the researchers themselves, who may have experience of working in the roles described by our use cases. That type of usability evaluation is expected to provide much more accurate and unbiased results.

This part of the work is expected to provide practitioners with useful information required to make decisions about container technologies based on their use cases. This work provides more comprehensive information about container technologies by studying two architectural characteristics apart from security.”