When Docker emerged in 2013, there were no orchestrators designed for containers. Today, there are so many orchestrators, like Kubernetes and Mesos (and more obscure options like Cattle) that it can be hard to know which to use.
It’s kind of like trying to order food at a restaurant with a hundred items on the menu. You have so many options for container orchestrators today that making a final choice is a pretty difficult affair.
If you’re struggling to identify the differences between container orchestrators, and decide which one is the best fit for your needs, this article is for you. Below, I take a look at the container orchestrators worth knowing, highlight the features that distinguish each one, and identify their various use cases.
At the most basic level, all container orchestrators do the same thing: They automate the provisioning and management of containerized infrastructure. In this sense, all orchestrators are the same.
It’s also worth noting that orchestrators aren’t strictly limited to the container world. Orchestration tools like Canonical’s Juju cloud orchestrator existed for other types of infrastructure before containers became popular. Mesos also predates Docker. And Kubernetes has its roots in an orchestrator, Borg, that was originally developed to manage Google’s in-house infrastructure.
But orchestrators are especially important in a containerized environment. That’s because when you use containers and microservices, you have hundreds or thousands of components within your environment. In a traditional environment composed of bare-metal or virtual servers, you might have been able to get away with managing things by hand, or using lightweight orchestrators that automatically pushed out configurations that you updated manually. But attempting to configure a containerized environment manually just won’t work in a production setting.
This challenge is why so many different orchestrators designed with containers in mind have emerged since Docker’s debut in 2013. While the need for orchestration is not new, containers have made it particularly important.
Orchestration Options: The Big Three
Now that we understand what orchestrators do and why it matters, let’s take a look at the different orchestrators available today.
Swarm, which is developed by Docker, is the orchestrator that has been built into Docker Engine since version 1.12 in summer 2016 (the "swarm mode" that replaced the earlier standalone Swarm). Docker's official philosophy is that "batteries are included, but swappable", which means Swarm is bundled with Docker Engine but can be left disabled and replaced with a different orchestrator if desired.
Swarm's standout feature is its very tight integration with Docker. There is not really anything you can do with Swarm that you can't do with one of the other Big Three orchestrators. Swarm can be convenient, however, because it doesn't require you to learn a different terminology or new concepts: you describe services with the same Compose file format you already use with Docker Engine, and the same CLI drives the cluster. If you're familiar with Docker Engine, it's easy to extend that skillset to Swarm.
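To make the "same concepts as Docker Engine" point concrete, here is an added example of a Swarm stack file (Compose file format version 3). It is not taken from the original article or from Docker's documentation; the service name, image and port numbers are illustrative choices. It declares a replicated web service with a rolling-update policy, resource limits and a container health check, the things an orchestrator adds on top of plain docker run:

```yaml
# stack.yml: a constructed example Swarm stack, deployed with
#   docker swarm init          (one-node swarm is enough to try it)
#   docker stack deploy -c stack.yml web
version: "3.7"

services:
  web:
    image: nginx:1.25-alpine           # assumed image; any HTTP server works
    ports:
      - "8080:80"                      # published on every swarm node (ingress mesh)
    networks:
      - webnet
    # Swarm restarts a task whose health check keeps failing.
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1/"]
      interval: 30s
      timeout: 5s
      retries: 3
    # Everything under "deploy" is orchestration-only and ignored by docker-compose up.
    deploy:
      replicas: 3                      # desired state: three running tasks
      update_config:
        parallelism: 1                 # roll out one task at a time
        delay: 10s
        failure_action: rollback       # go back to the previous image if a task fails
      restart_policy:
        condition: on-failure
      resources:
        limits:                        # cap what one task can consume on a node
          cpus: "0.50"
          memory: 128M

networks:
  webnet:
    driver: overlay                    # encrypted node-to-node traffic needs "encrypted: 'true'" under driver_opts
```

The vocabulary is Docker's: services, networks, images, health checks. What Swarm adds is the deploy section, which is also exactly the part that docker-compose on a single host ignores, so the same file can be used for local development and for the cluster.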
As noted above, Kubernetes (which is sometimes called K8s) has its roots in an orchestrator created by Google for managing its internal infrastructure. The Kubernetes project itself launched in 2014, back when containers were growing in popularity and were in sore need of an effective orchestration solution.
Kubernetes is built around its own set of terms and concepts. The smallest unit it schedules is the "pod", a group of one or more containers that share a network namespace and storage. Controllers such as Deployments keep a declared number of pod replicas running, replacing pods that fail. Pods are exposed through "services", which give a group of pods a stable address and load-balance traffic across them. A Horizontal Pod Autoscaler can then raise or lower the replica count based on observed load. Everything is declarative: you submit the desired state, and Kubernetes continuously works to make the cluster match it.
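The same web application expressed in Kubernetes terms, as an added example that is not part of the original article or of the Kubernetes project's own documentation. It defines a Deployment (which creates the pods), a Service in front of them and a Horizontal Pod Autoscaler. The image is assumed to be one that listens on port 8080 as a non-root user; names, ports and thresholds are illustrative choices. The autoscaler only acts if the cluster has a metrics source such as metrics-server installed:

```yaml
# web.yaml: constructed example, applied with  kubectl apply -f web.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3                          # desired number of pods; the HPA below may raise it
  selector:
    matchLabels:
      app: web
  template:                            # the pod template: what each replica looks like
    metadata:
      labels:
        app: web                       # the Service selects pods by this label
    spec:
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.25-alpine   # assumed image, serves on 8080 as non-root
          ports:
            - containerPort: 8080
          readinessProbe:              # a pod only receives traffic once this succeeds
            httpGet:
              path: /
              port: 8080
            periodSeconds: 10
          resources:                   # requests are required for CPU-based autoscaling
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              cpu: 500m
              memory: 128Mi
          securityContext:             # least-privilege settings added here as a hardening choice
            runAsNonRoot: true
            allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web                           # load-balances across every ready pod with this label
  ports:
    - port: 80                         # stable in-cluster address web:80 ...
      targetPort: 8080                 # ... forwarded to the container port
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70   # add pods when average CPU use exceeds 70% of the request
```

Compared with the Swarm version, the moving parts are split into separate objects with their own names, which is the learning curve the article refers to. The upside is that each object can be managed, replaced and access-controlled independently.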
Mesos itself was not designed especially with container orchestration in mind. It's a general-purpose tool for managing clusters of servers: it pools their CPU, memory and storage and offers those resources to "frameworks" that decide what to run.
Container orchestration on Mesos comes from one such framework, Marathon, developed by Mesosphere, which has become particularly popular as a container orchestration solution. One notable feature Marathon has is a built-in Web interface, which is handy if you prefer a GUI for managing your clusters. Marathon also offers a form of built-in performance monitoring via application "health checks" (HTTP, TCP or command-based), restarting tasks that fail them. I also personally like that Marathon is relatively easy to install locally for testing or development purposes. Kubernetes and Swarm can also run on a single machine (a one-node swarm, or a local Kubernetes distribution such as Minikube), but those setups are deliberately cut-down and behave differently from a real multi-node cluster.
There are lesser-known orchestrator options available worth knowing about. Here’s a rundown:
- Cattle, an orchestrator built into Rancher’s container platform. You have to use Rancher if you want to use Cattle, but you don’t have to use Cattle if you want to use Rancher. Rancher also supports the Big Three orchestrators.
- The orchestration service built into ECS (Amazon EC2 Container Service), Amazon's Containers-as-a-Service platform. ECS uses its own scheduler rather than relying on an external orchestrator.
- Shipyard. This might more properly be called an orchestrator of orchestrators: it is a management interface that orchestrates Docker clusters through Swarm rather than scheduling containers itself.
- Nomad, an orchestrator from HashiCorp that schedules Docker containers alongside other workload types such as plain executables and Java applications. Nomad has so far remained under the radar. I don't hear much about it.
- Empire. Empire is a PaaS for containers, rather than just an orchestrator, but it has orchestration built in.
This list is not exhaustive; indeed, the definition of orchestrator is pretty flexible, and any type of tool that you use to help automate management of your infrastructure could be considered an orchestrator. I could write a Bash script to automate Docker and call it an orchestrator.
But if you want a serious orchestrator, I wouldn't recommend that you rely on something I scripted. Choose one of the Big Three orchestrators, which are tried, true and well-supported by vendors. That support matters for security as much as for features: the orchestrator's API and scheduling components sit at the center of your environment, and you want a project that ships fixes for them promptly. Or, if you want to be more adventurous, check out one of the lesser-known orchestration options mentioned above.
To see how Twistlock specifically works with orchestrators, see this earlier post, or subscribe to our newsletter for more regular updates on container security news and tips.