- May 19, 2020
- Dr. Christian Seeling
“Software in a Box”: The Best Way to Manage Software Assets in Containers
Software containers, relatively new and very popular technologies, may not be on most Software Asset Managers’ radar. But because the additional virtualization level of containers can hide software from software discovery tools, organizations without an overview of their software container architecture face significant software license compliance risks.
This short article will provide an overview of software container technology and explain:
- How do vendors license their software for containers?
- What container data is relevant for Software Asset Management, and how do you get it?
- What software license compliance risks are associated with container technology?
- How can you save software costs using container technology?
Overview of container technology
Containers are popular because they are compact, self-contained, resource-efficient, extendible, and portable. Container technology has matured so much that even users with little technical know-how can operate containers on their local devices.
Furthermore, containers bring production and development closer together, significantly reducing bugs and outages in production. Information Officers rely on containers because they are scalable and easy to maintain. And both freeware and commercial software are provided as official container images (e.g. Microsoft SQL Server and Oracle Database), increasing the likelihood that an organization has containers in its environment.
Unlike virtual machines, containers run on top of the existing host operating system, so there's no need to deploy and maintain a guest operating system for each container. This means that containers start and stop much faster, making them well suited for scalable architectures: If a container crashes, just launch another one. If the demand increases (e.g. seasonal shopping in a buying portal), just launch additional containers to handle the higher load.
Containers are flexible because they do not store any persistent data. Instead, the data is typically stored in mounted volumes that are attached to the container.
Of course, as with running software on a virtual machine, running software in a container requires additional, sometimes expensive licenses, whose metrics are sometimes hard to understand and whose required data is sometimes hard to find.
The additional virtualization level of containers can hide software from software discovery tools, so organizations without an overview of their software container infrastructure face significant software license compliance and security risks.
How do vendors license their software for containers?
Vendors that offer their software as official container images in public registries such as "Docker Hub" ideally state in their licensing terms how the software is licensed in containerized environments. Those licensing terms work similarly to traditional licensing metrics for virtualization:
- Container-based licensing: Each container needs its own license. The number of running containers determines the license demand. A well-known example is Microsoft SQL Server Standard Edition. Depending on the number of containers and how those containers are set up, you might pay for more than you would for the total host resources. For example, if you run SQL Server on a two-core machine with two containers, you could end up paying for four cores! Some vendors offer host-based licenses to avoid such overcharges. They are costlier, but they cover all running containers.
- Host-based licensing: The host resources themselves are licensed, so the number and configuration of containers do not impact the license demand. Some examples of host-based container licensing are IBM's WebSphere MQ and Microsoft's SQL Server Enterprise Edition.
What container data is relevant for Software Asset Management, and how do you get it?
There are two types of container hosting, local and clustered, and each type requires a different approach to software discovery:
- For local container hosting (e.g. Docker running on desktop devices), the scanners must deliver the running container images and system environment variables.
- For clustered container hosting, the scanners need tools to connect to the interfaces of container orchestration services such as Kubernetes, Apache Mesos, or Docker Swarm. If you’re using the container services of a cloud provider, you typically need to connect to the cloud provider's API first (e.g. apps running in Google's GKE service).
Like a Russian nesting doll, a container image is based on another image, which in turn is based on another, so an image could include commercial software that needs to be licensed and paid for. Ideally, scanners and APIs can also return the container image layers, so that licensable software used by a custom container image can be identified.
Because containers are virtual items, their life span is typically short. So, for some licensing metrics, you would have to track and process information about containers being run and removed over time (orchestration log). Although this is desirable in the long run, it requires managing a huge volume of complex data.
What software license compliance risks are associated with container technology?
As with most everything, convenience comes with costs. Many of these costs are hidden by the complexity of your environment, so it’s important to know what effect a new technology might have on your software budget before running it.
For example, setting up the commercial version of Microsoft SQL Server takes less than a minute. If Docker is installed, just enter the following command to run SQL Server Enterprise on your local machine:
docker run -e "ACCEPT_EULA=Y" -e "MSSQL_PID=Enterprise" -d mcr.microsoft.com/mssql/server:2017-latest-ubuntu
It’s that easy. But did you notice the "accept EULA" and the "PID" parameters? This is a nightmare for software compliance management. Entering this command with a Docker installation that has access to 2 CPU cores could make you liable for licensing fees to the tune of $12,000 or more.
How can you save costs using container technology?
If you want to save money on containers, you need a license management solution that can measure your organization’s use of software operated in containers as well as simulate the best licensing options. Finding the right licenses (e.g. container-based vs. host-based licensing) for your usage scenario and needs requires knowing the number of containers, the host resources, and the container resource configuration.
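The following Python example is added here for illustration and is not code from the article or from any vendor tool. It parses `docker inspect` output from a local Docker host, flags running containers whose environment variables indicate accepted license terms (as in the SQL Server command above), and compares container-based with host-based core demand. The sample data is constructed, the `LICENSE_ENV_KEYS` watch list is hypothetical, and the core counting is a simplified model of the article's two-core example, not any vendor's actual terms.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three running
# containers on a host with 2 CPU cores (values invented for illustration).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/sql-dev", "State": {"Running": True},
     "Config": {"Image": "mcr.microsoft.com/mssql/server:2017-latest-ubuntu",
                "Env": ["ACCEPT_EULA=Y", "MSSQL_PID=Enterprise", "PATH=/usr/bin"]},
     "HostConfig": {"NanoCpus": 0}},              # 0 = no CPU limit set
    {"Name": "/sql-test", "State": {"Running": True},
     "Config": {"Image": "mcr.microsoft.com/mssql/server:2017-latest-ubuntu",
                "Env": ["ACCEPT_EULA=Y", "MSSQL_PID=Standard"]},
     "HostConfig": {"NanoCpus": 1_000_000_000}},  # limited to 1 CPU
    {"Name": "/web", "State": {"Running": True},
     "Config": {"Image": "nginx:latest", "Env": ["PATH=/usr/bin"]},
     "HostConfig": {"NanoCpus": 0}},
])

# Hypothetical watch list: environment variables that signal licensable software.
LICENSE_ENV_KEYS = {"ACCEPT_EULA", "MSSQL_PID"}

def license_relevant(inspect_json, host_cores):
    """Return one record per running container that sets a watched variable."""
    findings = []
    for c in json.loads(inspect_json):
        if not c.get("State", {}).get("Running"):
            continue
        env = dict(e.split("=", 1) for e in c["Config"].get("Env") or [] if "=" in e)
        hits = {k: v for k, v in env.items() if k in LICENSE_ENV_KEYS}
        if not hits:
            continue
        nano = c.get("HostConfig", {}).get("NanoCpus") or 0
        # Without a CPU limit the container can use every host core.
        cores = min(host_cores, -(-nano // 10**9)) if nano else host_cores
        findings.append({"name": c["Name"].lstrip("/"), "image": c["Config"]["Image"],
                         "env": hits, "cores": cores})
    return findings

def core_demand(findings, host_cores):
    """Simplified model: container-based sums per-container cores; host-based counts the host once."""
    return {"container_based": sum(f["cores"] for f in findings),
            "host_based": host_cores if findings else 0}

if __name__ == "__main__":
    found = license_relevant(SAMPLE_INSPECT, host_cores=2)
    for f in found:
        print(f)
    print(core_demand(found, host_cores=2))
```

On a real host, the input would come from `docker inspect $(docker ps -q)`; clustered environments need the orchestrator's API instead.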
Even as technologies continue to evolve and disrupt how most of us do business, the fundamentals of Software Asset Management remain the same:
- know what you have
- know what you need
- simulate the best licensing scenarios
This is as true with software containers as it is with cloud computing. Software Asset Management experts should keep track of container adoption in their organizations and work to keep these useful technologies cost-effective and business-focused.