Containers have security problems and flexibility issues. VMs will make them viable

Never bet against a technology that has matured over decades

Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you – the reader – choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday.

During the week you can cast your vote on which side you support using the embedded poll, choosing whether you're in favor or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular. It's up to our writers to convince you to vote for their side.

This week's motion is: Containers will kill virtual machines

And now, today, arguing AGAINST the motion is DARREN YATES, a research scientist who just completed a PhD in machine learning and data science, and is a veteran technology journalist...

Remember when the PC was going to vanish if Microsoft didn't nail the next release of Windows? It turns out global PC sales actually rose 4.8% in 2020. Write this off as a pandemic-induced aberration if you want, but as the global workforce gets a taste of working from home and likes it, this sort of ‘aberration’ proves yet again that once a good technology matures, it takes something revolutionary to replace it.

Now, it’s the turn of Virtual Machines (VMs) to supposedly fall at the hands of containers. The only trouble is, VMs go back even further than the PC, to the early 1960s, which shows they have enduring value. Containers may well be here to stay, but that doesn’t mean you’ll be saying goodbye to VMs any time soon.

Why? Consider VMs’ versatility, for a start. By lifting the abstraction from the hardware layer up to the app layer, containers can be moved and distributed without worrying about the hardware they’re running on. That same abstraction also allows for higher server utilisation because you don’t have the setup overheads of a VM with its full-blown guest OS. That much is a given.


However, abstracting at the app layer reduces versatility, since all containers on the host server are limited to sharing the same host OS kernel. Need to cross-develop for a different hardware platform or require a custom kernel? Containers on their own won’t help.

Abstracting only the lower hardware layer allows VMs to run a mix of different OSes and kernels on the same server. Sure, you lose some versatility in terms of server utilisation by siloing resources, but you gain it back by having greater control over the applications, kernels and OSes your server can run. (Then again, if you use Kubernetes, you might tap KubeVirt to run your VM with your containers, provided your host supports nested virtualisation, but not all do).

In other words, it’s ‘swings and roundabouts’.

However, there’s another important benefit of VMs' lower-level abstraction: security.

Since containers share the resources of the host system, most importantly the host kernel, this makes them vulnerable to attack. One compromised container endangers all of the other containers sharing the host kernel, or those built from the same container image. In fact, several attack vectors have been identified by researchers: containers attacking each other, hosts attacked by malicious containers and vice versa, even containers attacked by their own apps. It sounds like an Aliens movie.

Yet, by incorporating the OS layer in the virtual silo, VMs inherently add an extra barrier that isolates one VM from another, as well as from the host. Should a VM be attacked, that attack ends at the VM border – the system host and other VMs remain unaffected (notwithstanding some nasty side-channel attacks).

Nevertheless, it’s not surprising that one of the more active areas of industry and university research right now is improving container security.

For example, researchers at Cornell University developed X-Containers to improve container isolation and performance by incorporating a Linux-based ‘library’ OS (LibOS) that bundles all of the OS services required by the container application into a library. This is then wrapped in an exokernel, a lean, low-attack-surface kernel that isolates the containers from each other. Published performance results show good scalability, but an X-Container currently has a larger memory footprint and is slower to boot than a Docker container (though still faster than a full VM).

In the context of this debate, one of the more interesting solutions lining up to solve the container isolation issue is hypervisor-controlled containers or ‘microVMs’, where each container runs inside a lightweight VM with its own kernel. What you end up with is the security of a VM, but with the fast boot-times and lower resource requirements of a container.


Kata Containers are an OCI- and CRI-compliant open-source example evolved from Intel’s Clear Containers platform using QEMU/KVM VMs. Launched in 2018, Kata Containers can also claim some big-name players in their corner, including Apple, Intel and Red Hat. Version 2.2.1 was released just two weeks ago. Based on that alone, there’s not a lot to be gained trying to prove containers will wipe the floor with VMs, because even if you think you’re using a container, there’s a good chance you’re actually using a container inside a VM.
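As an added illustration (not from the article or the Kata project), this is the shape of the Kubernetes configuration that puts a pod under a microVM runtime such as Kata rather than the default shared-kernel runtime: a RuntimeClass names the handler, and the pod opts in. The handler name `kata`, the pod name and the image are assumptions; the handler must match whatever runtime the node's containerd or CRI-O configuration actually registers.

```yaml
# RuntimeClass: maps a name that pod specs can reference onto a CRI runtime
# handler. "kata" is an assumed handler name; it must match the node's
# containerd/CRI-O configuration, which is outside this manifest.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Pod that opts into the microVM runtime. Leaving runtimeClassName out
# would schedule the same container on the host kernel via the default
# runtime, which is the shared-kernel case the article warns about.
apiVersion: v1
kind: Pod
metadata:
  name: isolated-web          # assumed name
spec:
  runtimeClassName: kata      # each container here gets its own guest kernel
  containers:
  - name: web
    image: nginx:1.25         # assumed image; any OCI image works
```

A quick way to confirm which case you are in is to compare `uname -r` inside the pod with `uname -r` on the node: under the default runtime the two match because the kernel is shared, whereas under a microVM runtime the pod reports the guest kernel instead.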

So this doesn’t need to be a fight to the death. Containers complement VMs and where containers fall short, VMs can save the day. So, far from ending up on the scrap heap, VMs are simply evolving to meet the needs of the current ‘as-a-service’ landscape. Just like the PC, VMs have proven themselves over decades – too long for them to disappear now. ®

Cast your vote below. We'll close the poll on Thursday night and publish the final result on Friday. You can track the debate's progress here.
