How Alibaba Achieved 100% Containerization with PouchContainer – A Deep Dive

Alibaba Group recently completed 100% internal containerization and image‑based deployment, and within a year of its open‑source release the PouchContainer 1.0 GA version reached production‑grade stability and was even included in the university textbook "Introduction to Cloud Computing".

PouchContainer now serves the majority of Alibaba and Ant Financial business units, covering transaction, middleware, B2B/CBU/ICBU, search advertising databases, and acquired companies such as Youku & Gaode. The largest workloads are the e‑commerce platforms, which during the 2017 Double 11 event supported record‑breaking peaks with millions of container instances.

Applications run in various languages (Java, C/C++, Node.js, Go) and span scenarios from standard online services to specialized workloads like shopping carts, advertising, and test environments, each requiring different container usage patterns.

The evolution followed Alibaba’s architectural shift from a single monolithic system to distributed micro‑services. Early monolithic services (e.g., Taobao) were gradually split into independent services linked via HSF, TDDL, and Notify, leading to a large cluster of lightweight services.

To replace VM‑based isolation while preserving existing operational assumptions, four requirements were identified: independent IP, SSH access, isolated file system, and resource isolation with visibility control. Initial hacks using virtual NICs, Cgroup, and Namespace evolved into integration of LXC, custom kernel patches for resource visibility, and directory‑based disk‑space isolation (later replaced by overlay2 on newer kernels).

In 2015 Docker gained popularity. Alibaba adopted Docker’s image model, merging it with the existing T4 container template to create a thin base image that retained internal operational habits (account push, security policies, system checks). By 2016 the first image‑based application was launched, and by Double 11 2016 all core applications were containerized.

Key innovations include a two‑tier image distribution system with regional mirrors and a P2P transfer tool (named "Qingting"), which alleviates pressure on central registries when pulling images to tens of thousands of machines. Ongoing work explores remote‑disk image mounting to further eliminate traditional distribution steps.

PouchContainer’s open‑source version is built from scratch, supporting multiple runtimes (including a custom RunLXC), full Docker API compatibility, and CRI for Kubernetes. It integrates with libnetwork, supports various storage back‑ends (local disks, memory disks, remote block devices), and can be orchestrated by Kubelet or Swarm.

Operationally, the platform enforces the four isolation principles, enabling seamless migration from VM to container without breaking existing deployment or monitoring pipelines. Developers now author Dockerfiles, shifting environment‑dependency responsibilities from operations to development, fostering full‑stack ownership.

Q&A highlights: the team emphasizes gradual cultural adoption, the importance of image‑based deployment for cost reduction, and the compatibility of PouchContainer’s image registry with Docker standards.