The latest project from Google, the maker of Kubernetes, could give enterprise IT shops strong container isolation, but it needs more development to qualify for widespread use.
Google gVisor wraps a stripped-down OS — basically a kernel — around individual container images to ensure security isolation between them. When a host runs only application containers, a compromised container can potentially reach every other container that shares the host operating system. This makes pure containerization a no-go for highly sensitive applications, especially in regulated industries, such as finance and healthcare.
Early adopters of Kubernetes said this risk is a sticking point for some enterprises as they evaluate container-based infrastructure and services.
“I’ve recently been talking to security and compliance officials at banks, and it’s an area they’re not necessarily comfortable with,” said Michael Bishop, CTO at Alpha Vertex, a New York-based fintech startup that uses machine learning deployed in a multi-cloud Kubernetes infrastructure to track market trends for financial services customers. “It’s not necessarily something a less security-sensitive environment would need, but for regulated enterprises, [gVisor] adds a layer of comfort.”
Google gVisor addresses a pressing problem for mainstream enterprises as they move past the beginner stage with containers and learn more about their security implications, Bishop said.
“It’s really difficult to get full isolation in the way an enterprise security person would describe it in a pure container environment,” Bishop said. “If a customer workload needs to go above and beyond to guarantee isolation, this is something we might use.”
GVisor a leg up over VM scalability ‘wall’
Google uses a version of gVisor internally under its Borg infrastructure orchestration tool, which was also the basis for Kubernetes. Google officials declined to say specifically which apps run internally with gVisor-like container security isolation, but said gVisor will be useful for MySQL, WordPress, Jenkins and other open source apps that are often shared between teams or tenants in container environments.
GVisor is similar in principle to other container isolation products such as Microsoft’s Hyper-V Containers, VMware’s vSphere Integrated Containers and OpenStack’s Kata Containers. Google claims gVisor is lighter-weight than these other approaches, as it doesn’t rely on a full hypervisor and uses a highly efficient Linux kernel.
“It’s a kernel that runs in user space, so it’s closer to unvirtualized containers [than other approaches],” said IDC analyst Gary Chen.
There’s also a growing appetite among enterprise IT shops to move beyond traditional VMs for container security isolation. A 451 Research survey of 201 enterprise container users in 2017 indicated that, while early container deployments commonly run inside traditional VMs for security isolation, there’s a desire to move away from that approach. No respondents said they ran containers on bare metal, and 36% said they ran containers within VMs. But slightly fewer respondents (32%) expected containers to run on VMs in the next 14 to 24 months, and 2% expected them to run on bare metal in that time frame.
“Organizations hit a wall with containers on top of VMs in terms of scalability — you can’t get the same consolidation or efficiency as when you run containers on bare metal,” said Jay Lyman, analyst at 451 Research. “There can also be licensing issues with VMs and internal resistance to traditional VM providers.”
So far, hypervisor-based container isolation products have occupied a small niche in the container management market, but Google can trade on its industry recognition as the originator of Kubernetes, analysts said.
“Anything coming out of Google for containers is significant, partly because of Kubernetes and partly because Google itself is one of the advanced container users in the industry,” Lyman said.
Early gVisor limits require further development
Google gVisor’s lightweight nature comes with tradeoffs as the project kicks off. It supports about 200 Linux system calls, while standard Linux kernels have more than 300 system calls. This means apps that rely on system calls gVisor doesn’t include, such as Elasticsearch, NGINX and PostgreSQL, must await further development.
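The practical question behind that syscall gap is whether a given application actually uses calls the runtime lacks. The script below is an added example, not code from this article or the gVisor project: it parses `strace -f` output (a constructed sample) and diffs the syscalls seen against a placeholder allowlist that stands in for a runtime's published compatibility table (assumed, not gVisor's real list).

```python
import re
from typing import Iterable, Set, Tuple

# Constructed sample of strace -f output (not a real trace), in the default
# "pid  syscall(args) = ret" shape. Unfinished/resumed lines are included
# because real traces of multi-threaded apps contain them.
SAMPLE_TRACE = """\
1234  openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "127.0.0.1 localhost\\n", 4096) = 20
1234  close(3)                          = 0
1234  epoll_create1(EPOLL_CLOEXEC)      = 4
1235  io_uring_setup(256, {flags=0, sq_thread_cpu=0, sq_thread_idle=0}) = 5
1235  futex(0x7f0a1c0009d0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
1234  <... epoll_wait resumed> [], 16, 0) = 0
1234  exit_group(0)                     = ?
1234  +++ exited with 0 +++
"""

# Placeholder allowlist standing in for a runtime's supported-syscall table.
# It is NOT gVisor's real list; substitute the runtime's published
# compatibility table before drawing conclusions about a specific app.
ASSUMED_SUPPORTED = {
    "openat", "read", "close", "epoll_create1", "epoll_wait", "futex", "exit_group",
}

# Syscall name at the start of a normal line ("pid  name(") ...
_CALL_RE = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")
# ... or inside a "<... name resumed>" continuation line.
_RESUMED_RE = re.compile(r"<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>")


def syscalls_in_trace(lines: Iterable[str]) -> Set[str]:
    """Return the distinct syscall names that appear in strace output."""
    names = set()
    for line in lines:
        m = _CALL_RE.match(line) or _RESUMED_RE.search(line)
        if m:
            names.add(m.group(1))
    return names


def unsupported_syscalls(trace: str, supported: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Split the trace's syscalls into (supported, unsupported) against an allowlist."""
    used = syscalls_in_trace(trace.splitlines())
    return used & supported, used - supported


if __name__ == "__main__":
    ok, missing = unsupported_syscalls(SAMPLE_TRACE, ASSUMED_SUPPORTED)
    print("used and supported:", sorted(ok))
    print("needs attention   :", sorted(missing))
```

Run it against a trace of the real workload (`strace -f -o app.trace <cmd>`) and feed the file contents in place of the constructed sample; any name in the second set is a syscall the target runtime would have to emulate or the application would have to avoid.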
GVisor also isn’t part of any cloud or on-premises container orchestration utility yet, including Google Kubernetes Engine, which for now limits the multi-cloud portability of containers that use gVisor.
“The Docker container doesn’t know about the outer hypervisor layer, so you don’t lose portability, in that it’s the same deployment artifact,” Bishop said. “But I’m not sure it would be seamlessly portable across clouds if they don’t each have that same hypervisor layer — history makes me skeptical of those kinds of magical things.”