i2kit: A Deployment Tool with the Simplicity of Containers and the Security of Virtual Machines

Abstract

Container virtualization technologies, like Docker, are becoming increasingly popular. Containers provide exceptional developer experience because containers offer lightweight isolation and ease of software distribution. Containers also solve a fundamental code portability problem. In contrast, container virtualization is basically insecure when compared to virtualization based on hypervisors. Virtual machines are also better integrated with the rest of the cloud ecosystem. Sum it all, virtual machines are more suitable for production environments. However, virtual machines impose a non-negligible memory footprint and suffer longer boot times, which is impractical for local development. So far, there is no deployment infrastructure that allows both the developer experience of containers and the maturity and isolation capabilities of virtual machines. We solve this problem in this paper by introducing i2kit, an orchestration tool that enjoys the best of both worlds: (1) the development workflow is untouched, containers can be used as usual; (2) at time of deployment, containers are transformed into virtual machines, keeping code portability, but providing better security and better integration with other cloud services. The tool i2kit creates virtual machines using Linuxkit. Linuxkit alleviates the drawback in size that using virtual machines would otherwise entail because the footprint of our Linuxkit distributions is only about 60 MB. The attack surface of the application is reduced since Linuxkit only installs the minimum set of OS dependencies to run containers. Finally, we report an empirical study using i2kit that allows us to conclude that i2kit is a promising technology for VM deployment of applications developed using containers.