has some historical basis, it does not take into account the drastically altered environment that enterprise IT works in today. While enterprise IT projects have traditionally spanned months and years, the capabilities of cloud technologies combined with DevOps approaches have irrevocably changed that model. Key leaders in many IT organizations are grasping containers’ potential for accelerating development cycles and lowering operational costs, especially when combined with cloud and DevOps. These capabilities can translate to tremendous competitive advantage, and if anything can light a fire under enterprise IT, existential factors like direct competition can.
I saw this reality playing out during the recent container engagements I participated in with Docker architects Aaron Huslage and Matt Bentley. Both engagements were with enterprise IT organizations in longstanding Fortune 50 corporations, both with tons of legacy infrastructure and processes. Nevertheless, both were pushing extremely hard to incorporate containers into their application delivery processes and architectures, leveraging Docker’s expertise.
Myth 3 Status: BUSTED!
Myth 4: Docker Containers Aren’t as Secure as Traditional Infrastructure
This myth is often phrased more directly (and less accurately) as “containers aren’t secure.” Useful security assessments entirely depend on measurement against accepted standards – after all, total security can only be achieved by total inaccessibility. If the standard is a virtual machine like VMware’s, there is no arguing the fact that containers do not offer the same level of isolation, and that Docker containers have security gaps that must be addressed.
However, a fact that is often overlooked is that container deployment often leads to a corresponding reduction in deployed operating system instances. Modern virtual machines offer a constrained attack surface. However, each virtual machine runs an operating system instance, so each instance’s total attack surface is the combination of the VM and the OS. If a virtualized operating system is compromised, there is no real utility to continuing the attack to the hypervisor layer. If a Docker container is compromised, unless standard hardening protocols are ignored, the attacker only has access to that single application process, not an entire operating system.
42 | THE DOPPLER | WINTER 2016
The takeaway here is that even at this stage of container evolution, where security is not yet a mature feature, the aggregate attack surface of a containerized application stack may not differ appreciably from that of a virtualized stack.
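The argument above only holds if the “standard hardening protocols” are actually applied: a container started with `--privileged`, as root, with the host PID or network namespace, or with a writable root filesystem gives a successful attacker far more than a single application process. The script below is an added example (not from the article or from Docker) that reads the JSON emitted by `docker inspect` and reports which of those settings are missing. It audits a constructed two-container sample when run without arguments; the field names (`HostConfig.Privileged`, `HostConfig.CapDrop`, `HostConfig.ReadonlyRootfs`, `HostConfig.PidMode`, `HostConfig.NetworkMode`, `HostConfig.SecurityOpt`, `Config.User`) are the ones `docker inspect` uses, while the container names and values are invented for the example.

```python
import json
import sys

# Constructed sample: the subset of `docker inspect` output that matters here.
# One container run with the usual hardening flags, one run with defaults plus
# --privileged, --pid=host and --net=host. Names and values are invented.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-hardened",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "ReadonlyRootfs": True,
            "PidMode": "",
            "NetworkMode": "bridge",
            "SecurityOpt": ["no-new-privileges:true"],
        },
    },
    {
        "Name": "/web-default",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "ReadonlyRootfs": False,
            "PidMode": "host",
            "NetworkMode": "host",
            "SecurityOpt": None,
        },
    },
])


def audit_container(entry):
    """Return the list of hardening gaps found in one `docker inspect` record."""
    cfg = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access")
    user = (cfg.get("User") or "").strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root inside the container")
    if "SYS_ADMIN" in (host.get("CapAdd") or []):
        findings.append("CAP_SYS_ADMIN added")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("default capability set kept (no --cap-drop=ALL)")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (no --read-only)")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    # Either spelling is accepted by `docker run --security-opt`.
    opts = host.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set (setuid binaries can regain privileges)")
    return findings


def audit_inspect_json(raw):
    """Parse `docker inspect` JSON and map container name -> list of gaps."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(raw)}


if __name__ == "__main__":
    # With a file argument, audit real output saved via
    #   docker inspect $(docker ps -q) > containers.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, gaps in audit_inspect_json(raw).items():
        print(f"{name}: {'OK' if not gaps else str(len(gaps)) + ' gap(s)'}")
        for gap in gaps:
            print(f"  - {gap}")
```

On the sample, `web-hardened` reports no gaps and `web-default` reports all eight, which is the difference between an attacker holding one unprivileged process and an attacker holding something close to the host. The checks are deliberately conservative (for example, an empty `User` is flagged even if the image’s `USER` directive would have applied), so treat a finding as a prompt to verify the run configuration rather than as proof of exposure.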
Myth 4 Status: Seems Plausible, but BUSTED!
Myth 5: Containers Cannot Be Deployed and Orchestrated At Scale
This container myth is perhaps the easiest to bust. This statement used to be true when amended to read “Containers cannot be orchestrated at scale… out of the box with prepackaged solutions.” But now even this amended statement is out of date, since Docker has made Machine, Swarm, and Compose generally available.
Notwithstanding the Docker contributions, there are several production-tested container orchestration examples currently available, led by Google’s own engineering experience and the resulting Kubernetes. Following the acquisition of Orchard & Fig, the Docker API now provides a clear path for development of container orchestration tools, a path followed not just by Fig/Compose but also by Spotify’s Helios and New Relic’s Centurion.
Myth 5 Status: BUSTED!
Myth 6: Rocket and Competitors Will Slow Docker Adoption
The fact and timing of CoreOS’s introduction of Rocket as a competing container standard led many casual observers to question Docker’s viability. “If Docker was so great,” the reasoning went, “why would a competing standard emerge so soon? After all, it took several years for a serious challenge to VMware and its hypervisor to emerge.” The answer is quite simple – Docker the technology is an open-source project with an open API, a project being driven for-