Windows 'Drawbridge' Container Tech Sets Stage for Docker Battle
As virtual machines reach the outer limits of what they can do in the quest to build cloud-based software-defined datacenters, containers are quickly emerging as their potential successor. Though containers have long existed, notably in Linux, the rise of the open source Docker container has created a standard for building portable applications in the form of micro-services. As they mature, containers promise portability, automation, orchestration and scalability of applications across clouds and virtual machines.
Since Docker was released as an open source container for Linux, just about every major company has announced support for it in its operating systems, virtual machines or cloud platforms, including IBM, Google, Red Hat, VMware and even Microsoft, which in May said it would support Linux-based Docker containers in the infrastructure-as-a-service (IaaS) component of its Azure cloud service. Docker is not available in Microsoft's platform as a service (PaaS) because the Azure PaaS doesn't yet support Linux, though it appears only a matter of time before that happens.
"We're thinking about it," said Mark Russinovich, who Microsoft last month officially named CTO of its Azure cloud. "We hear customers want Linux on PaaS on Azure."
Russinovich confirmed that Microsoft is looking to commercialize its own container technology, code-named "Drawbridge," a library OS effort kicked off in 2008 by Microsoft Research Partner Manager Galen Hunt, who in 2011 detailed a working prototype of a Windows 7 library operating system that ran then-current releases of Excel, PowerPoint and Internet Explorer. In the desktop prototype, Microsoft said, the securely isolated library operating system instances worked via the reuse of networking protocols. In a keynote address at the August TechMentor conference (which, like Redmond magazine, is produced by 1105 Media) on the Microsoft campus, Redmond magazine columnist Don Jones told attendees about the effort and questioned its future.
During a panel discussion at the Interop conference in New York yesterday, Russinovich acknowledged that Drawbridge is alive and well. While he couldn't speak for plans on the Windows client, he also stopped short of saying Microsoft plans to include it in Windows Server and Hyper-V. But he left little doubt that it's in the pipeline for Windows Server and Azure. Russinovich said Microsoft has already used the Drawbridge container technology in its new Azure-based machine learning service.
"Obviously spinning up a VM for them is not acceptable in terms of the experience," Russinovich said. "So we built with the help of Microsoft Research our own secure container technology, called Drawbridge. That's what we used internally. We are figuring out how to make that kind of technology available publicly on Windows." Russinovich wouldn't say whether it will be discussed at the TechEd conference in Barcelona later this month.
Sam Ramji, who left his role as leader of Microsoft's emerging open source and Linux strategy five years ago, heard about Drawbridge for the first time in yesterday's session. In an interview he argued that if Windows Server is going to remain competitive with Linux, it needs to have its own containers. "It's a must-have," said Ramji, who is now VP of strategy at Apigee, a provider of cloud-based APIs. "If they don't have a container in the next 12 months, I think they will probably lose market share."
Despite Microsoft's caginess on its commercial plans for Drawbridge and containers, reading between the lines it appears they're a priority for the Azure team. While talking up Microsoft's support for Docker containers for Linux, Russinovich seemed to position Drawbridge as a superior container technology, arguing its containers are more secure for deploying micro-services.
"In a multi-tenant environment you're letting untrusted code from who knows where run on a platform and you need a security boundary around that," Russinovich said. "Most cloud platforms use the virtual machines as a security boundary. With a smaller, letter-grade secure container, we can make the deployment of that much more efficient. That's where Drawbridge comes into play."
Ramji agreed that the ability to provide secure micro-services is a key differentiator between the open source Docker and Drawbridge. "It's going to make bigger promises for security, especially for third-party untrusted code," Ramji said.
Asked if cloud platforms like the open source OpenShift PaaS, led by Red Hat, can make containers more secure, Krishnan Subramanian argued that's not their role. "They are not there to make containers more secure. Their role is for the orchestration side of things," Subramanian said. "Security comes with the underlying operating system that the container uses. If they're going to use one of those operating systems in the industry that are not enterprise ready, probably they're not secure."
Russinovich said customers do want to see Windows-based containers. Is that the case for you? How do you see them playing in your infrastructure, and how imperative is it that they come sooner rather than later?
Posted by Jeffrey Schwartz on 10/01/2014 at 2:25 PM