What is a mainframe container?
Mainframe containers, specifically IBM z/OS Container Extensions (zCX), allow organizations to run modern containerized applications, such as those developed using Docker, directly on an IBM Z mainframe’s z/OS operating system. This hybrid approach uses the mainframe’s high performance and reliability for core business logic while enabling the agility, portability, and scalability of containers for new and updated applications, creating a powerful platform for modernizing enterprise workloads.
Technologies and approaches for running containers on mainframes include:
- z/OS Container Extensions (zCX): This is the technology that enables containers to run on a z/OS mainframe. It provides an environment where Docker images can be deployed and managed.
- z/OS Container Platform (zOSCP): A Kubernetes-based orchestration layer that enables scalable, standardized management of container workloads on z/OS systems, integrating containerized services with mainframe operational models.
- Secure Service Container (SSC): A secure runtime environment for Linux on IBM Z and LinuxONE systems that provides hardware-assisted isolation, end-to-end encryption, and protection for containerized workloads.
- Docker integration: Developers can build standard Docker images (specifically those compiled for the s390x or IBM Z architecture) and deploy them within the zCX environment on the mainframe.
- z/OS Management Facility (z/OSMF): This is used for provisioning and managing the zCX instances, automating key processes in the lifecycle of a zCX instance.
- Hybrid container-on-mainframe: The approach allows organizations to maintain existing mainframe applications while introducing new microservices or AI/ML workloads in containers on the same powerful platform.
Use cases include:
- Application modernization: Creating new, containerized microservices that can interact with existing mainframe applications.
- AI and analytics workloads: Deploying generative AI and large language models on the mainframe in containers.
- API-driven integration: Using containers on mainframes to host lightweight services or gateways that expose legacy business functions as RESTful APIs.
- DevOps and automation: Integrating containers into DevOps pipelines to increase automation and simplify application management.
- Regulated industry compliance workloads: Supporting compliance-driven workloads by combining containerization with built-in mainframe security, auditing, and encryption capabilities.
This is part of a series of articles about mainframe modernization.
Benefits of mainframe containers
Mainframe containers offer a set of advantages by combining containerization with the strengths of enterprise mainframe systems. These benefits support modernization efforts while preserving performance, stability, and security.
- Improved resource efficiency: Containers isolate workloads, enabling better resource sharing and use across mainframe systems. This reduces overhead and helps maximize the return on existing infrastructure.
- Scalable modernization: Organizations can modernize applications incrementally, containerizing components without rewriting the entire system. This lowers risk and cost compared to full system overhauls.
- Enhanced portability: Containers abstract applications from the underlying hardware, making it easier to move workloads between on-premises mainframes and cloud environments with minimal changes.
- Consistent deployment: Containerized applications behave consistently across environments, simplifying development, testing, and deployment pipelines using CI/CD practices.
- Improved isolation: Mainframes already offer strong security and compliance controls. Containers add another layer of isolation, helping to reduce attack surfaces and enforce access boundaries between workloads.
- Support for hybrid architectures: Mainframe containers make it easier to integrate traditional workloads with microservices or cloud-native services, supporting hybrid deployments without disrupting legacy systems.
- High availability and reliability: Running containers on mainframes uses their fault tolerance and uptime guarantees, ensuring that critical applications remain available and performant.
Examples of mainframe container technologies
Here are a few software extensions or packages that make it possible to run containers on mainframe systems.
1. zCX (z/OS Container Extensions)
z/OS Container Extensions (zCX) allow users to run Linux Docker containers natively within a z/OS environment. Using zCX, developers can deploy popular open-source solutions, middleware, or custom applications alongside traditional mainframe workloads without leaving the z/OS ecosystem. zCX integrates with z/OS system services, providing an operational experience that uses the security and orchestration frameworks already embedded in the mainframe.
By using zCX, organizations can simplify hybrid cloud integration and deploy services like Kafka, NGINX, or Redis directly on z/OS, reducing complexity in managing cross-platform workloads. This pattern is useful for modernizing mainframe environments, extending z/OS capabilities, and simplifying the coexistence of cloud-native and mainframe-native applications within the same operational framework.
2. z/OS Container Platform (zOSCP)
The z/OS Container Platform (zOSCP) provides a Kubernetes-based orchestration solution tailored for z/OS environments. zOSCP enables standardized container management, deployment, and scaling while providing APIs and operational frameworks familiar to cloud-native developers. The platform aligns with z/OS qualities-of-service, ensuring high availability, security, and compliance for critical workloads.
With zOSCP, enterprises can migrate, develop, or extend new workloads in containers while gaining the agility of the Kubernetes ecosystem. This pattern helps bridge DevOps practices and mainframe administration, fostering improved collaboration and accelerating modernization projects. Integrating containers into z/OS using zOSCP allows organizations to unify deployment practices and governance across hybrid IT environments.
3. Secure Service Container (SSC)
Secure Service Container (SSC) is a container runtime environment purpose-built for IBM Z and LinuxONE systems, focusing on isolating workloads and enhancing security. SSC encrypts all data in use, at rest, and in motion, offering strong protection for sensitive applications. This pattern is especially relevant for regulated industries or scenarios where data privacy and multitenancy risks must be minimized.
SSC also offers automated provisioning and lifecycle management, integrating with DevOps workflows to support secure, fast deployment pipelines. By emphasizing workload isolation and cryptographic controls, SSC addresses many traditional concerns regarding running cloud-native applications on mainframes, enabling compliance without sacrificing speed or operational simplicity.
4. z/OS Management Facility (z/OSMF)
z/OS Management Facility (z/OSMF) is a web-based interface that simplifies the management and administration of z/OS systems, including containerized environments like zCX. For mainframe containers, z/OSMF provides workflows and templates that enable provisioning, starting, stopping, and monitoring of zCX instances, reducing manual overhead and simplifying lifecycle operations.
Through integration with z/OS services, z/OSMF helps administrators automate complex setup tasks, apply consistent configuration policies, and enforce governance over container deployments. It serves as the central hub for operational visibility, allowing teams to track system usage, manage certificates, and monitor system health across both traditional and containerized workloads.
5. Kubernetes on Linux-on-Z with integration to z/OS (hybrid container-on-mainframe)
Running Kubernetes clusters on Linux-on-Z provides a hybrid pattern where Linux containers reside on the same IBM Z hardware as z/OS, but not within the z/OS operating environment itself. This setup enables organizations to orchestrate cloud-native workloads (for example, microservices, event-driven apps, and CI/CD pipelines) on high-performance, resilient mainframe infrastructure, while tightly integrating with traditional mainframe services and data through standard APIs or Inter-Process Communication mechanisms.
This hybrid approach allows mainframe shops to unify application development and deployment practices across mainframe and distributed environments. It helps bridge skill gaps, simplifies modernization, and enables mainframe-resident applications to participate in hybrid cloud architectures, unlocking new opportunities for innovation and operational efficiency.
Key use cases for mainframe containers
Application modernization
Mainframe containers serve as a foundation for application modernization, enabling enterprises to incrementally replatform, refactor, or re-architect legacy workloads without the risk and cost of wholesale system rewrites. By encapsulating legacy code within containers and integrating with APIs or microservices, organizations can separate front-end from back-end concerns, decouple monolithic applications, and gradually migrate business logic to more flexible, modular architectures.
API-driven integration
Deploying containers on mainframes enhances API-driven integration, allowing for seamless exposure of mainframe data and logic to distributed cloud-native ecosystems. Containers hosting lightweight API gateways, brokers, or adapters can mediate transactions between mainframe and off-platform workloads, bridging these disparate environments without deep code changes to critical systems. This pattern supports flexible digital transformation strategies, enabling centralized security, governance, and monitoring over API consumption.
AI and analytics workloads
Running AI and analytics workloads in mainframe containers unlocks opportunities to process sensitive or regulated data with minimal movement, using data-in-place analytics. By deploying machine learning inference, data visualization, or ETL components as containers on mainframe infrastructure, organizations can minimize data egress, simplify compliance, and take advantage of mainframe compute resources for near-real-time insights.
DevOps and automation with CI/CD pipelines
Mainframe containers enable the adoption of DevOps and CI/CD best practices by standardizing environments, automating deployments, and enabling reproducible builds on mainframe platforms. Containers can encapsulate testing, build, and deployment tools, reducing friction between traditional mainframe operations and cloud-native development workflows. This standardization accelerates software delivery, increases deployment reliability, and supports rapid rollback or blue/green deployments on mainframes.
Regulated industry compliance workloads
Many regulated industries, such as financial services, healthcare, or government, require stringent levels of data protection, auditability, and operational continuity. Mainframe containers, when combined with platform-native security controls and hardware cryptography, provide strong isolation and compliance features. Workloads can be deployed and managed under strict policy enforcement, with fine-grained audit trails and integrated encryption.
Challenges of running containers on mainframes
While mainframe containers have compelling advantages for modern DevOps teams managing legacy workloads, they raise several challenges.
Complexity of integrating with legacy subsystems
Integrating containers with legacy mainframe subsystems poses considerable challenges due to the diversity and rigidity of existing mainframe interfaces. Many business-critical workloads rely on proprietary protocols, batch processes, or internal data stores that are not directly accessible from containerized environments. Bridging these systems often requires custom adapters, API gateways, or middleware, which introduces latency, adds maintenance overhead, and increases the risk of integration failures.
Additionally, designing containerized applications to interact with legacy mainframe services can complicate DevOps workflows, as traditional batch or transactional models may conflict with the stateless, event-driven behaviors of containers. Organizations need to carefully evaluate the dependencies and communication patterns involved, ensuring consistency and performance while reducing the risk of introducing subtle integration errors that could compromise critical business logic or data flows.
Data coupling, shared state, and consistency
Managing data coupling and shared state in mainframe container environments is a major concern. Legacy mainframe applications often depend on shared datasets (such as VSAM, DB2, IMS data stores) and coordinated transaction processing that are synchronous and tightly coupled. Introducing containerized workloads—which typically favor stateless operations and local persistence—raises challenges around ensuring atomicity, consistency, and durability across these distinct paradigms.
Furthermore, distributed containers may exacerbate issues such as stale reads, partial updates, or synchronization delays. Proper data management strategies—using strong data consistency models or advanced messaging pipelines—are required to avoid introducing race conditions or creating data integrity issues. Organizations must carefully map out data access patterns and state management models to avoid duplicating or corrupting mission-critical information as they adopt containerization.
Security, isolation, and multi-tenant risk
While mainframes offer strong built-in security, running containers introduces new risks. Containers often rely on OS-level isolation, which may not provide the same level of assurance as traditional mainframe partitioning. Multi-tenant containerized workloads increase the risk of privilege escalation, lateral movement, and container escape attacks, especially if security best practices are not diligently enforced or when third-party containers are used.
Addressing these concerns requires additional controls, such as hardened container runtimes, robust identity and access management, and continuous scanning for vulnerabilities or misconfigurations. Comprehensive monitoring, enforced isolation policies, and integration with mainframe-native security tools are essential to maintain the integrity and confidentiality expected in regulated, mission-critical environments. Failing to address these risks can undermine the very qualities that make mainframes attractive for sensitive workloads in the first place.
Best practices for running containers on mainframes
1. Align with mainframe qualities of service and operational model
To ensure success when running containers on mainframes, it is crucial to align container management practices with the mainframe’s established qualities of service, such as high availability, reliability, and secure operation. Administrators should adopt resource management models that prioritize mission-critical workloads and use the mainframe’s isolation, protection, and workload balancing capabilities. These capabilities, once extended to containers, provide predictable SLAs and operational stability.
Consistent integration with existing mainframe operational frameworks is equally important. Monitoring, incident response, and change management processes should encompass both traditional and containerized environments. By adopting unified operational models, organizations can avoid the pitfalls of shadow IT, minimize skill gaps between teams, and maintain trust in mainframe-hosted containers as first-class production workloads.
2. Implement robust governance and compliance
Governance and compliance are essential when deploying containers to mainframes, especially in highly regulated sectors. Organizations should enforce compliance across the container lifecycle, from image creation to runtime, using policies that require code signing, vulnerability scanning, and audit trails. Integrating these policies with native mainframe security frameworks, such as RACF or Top Secret, improves trust and accountability.
Further, aligning policies with industry standards and regulatory requirements ensures that workloads remain compliant over time. Centralized governance over orchestration platforms and container registries helps control software provenance, access, and deployment. This enables auditors and risk managers to have a comprehensive view of container activities, supporting more efficient and effective compliance reporting.
3. Ensure performance monitoring and tuning
Mainframes are valued for predictable, high performance, and mainframe containers should not compromise this expectation. It is important to integrate granular performance monitoring tools—covering CPU, memory, network, storage, and application-level metrics—for both containerized and traditional workloads. Automated performance tuning can identify bottlenecks, deadlocks, or resource contention early, avoiding potentially costly disruptions.
Additionally, performance monitoring should be continuous and integrated into operational dashboards and incident management systems. This approach makes it easier to detect anomalies, enforce resource quotas, and achieve performance baselines across diverse workloads. Proactive monitoring and tuning foster a culture of accountability and responsiveness, ensuring mainframe containers operate within required service levels.
4. Secure containers with mainframe-native controls
Security for mainframe containers should extend and enhance the existing controls native to the mainframe platform. Role-based access controls, resource isolation, and hardware-based encryption mechanisms should be applied to containerized environments, ensuring no weakening of the security posture. Integrating container security tools with mainframe access policies gives a unified security management model.
Enforcing image integrity, runtime protection, and continuous vulnerability scanning closes attack vectors that may arise from third-party components or misconfigurations. Container communication should use encrypted channels, and sensitive workloads must be auditable to meet compliance requirements. Combining mainframe-grade security with container-specific protections results in a trusted environment for critical applications.
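The image-integrity and isolation checks described above can be enforced as a pre-deployment gate. The following is an added example, not code from the original article or from IBM tooling: it audits records in the JSON shape printed by `docker image inspect` and `docker inspect`, and the approved registry name, digests, and sample records are constructed placeholders.

```python
import json

# Assumptions for this sketch: the approved registry name is a placeholder, and
# input has the JSON shape printed by `docker image inspect` / `docker inspect`.
APPROVED_REGISTRIES = {"registry.example.internal"}
REQUIRED_ARCH = "s390x"  # IBM Z architecture that images for zCX must target

def registry_of(ref: str) -> str:
    """Registry host of an image reference, using Docker's default-to-Hub rule."""
    name = ref.split("@", 1)[0]
    first = name.split("/", 1)[0]
    if "/" in name and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit_image(image: dict) -> list:
    """Policy findings for one record from `docker image inspect`."""
    findings = []
    arch = image.get("Architecture")
    if arch != REQUIRED_ARCH:
        findings.append(f"architecture {arch!r} is not {REQUIRED_ARCH}")
    digests = [d for d in image.get("RepoDigests") or [] if "@sha256:" in d]
    if not digests:
        findings.append("no registry digest, so the image cannot be pinned")
    for ref in digests:
        if registry_of(ref) not in APPROVED_REGISTRIES:
            findings.append(f"unapproved registry {registry_of(ref)!r}")
    user = (image.get("Config") or {}).get("User") or ""
    if user.split(":", 1)[0] in ("", "0", "root"):
        findings.append("default user is root")
    return findings

def audit_container(container: dict) -> list:
    """Policy findings for one record from `docker inspect <container>`."""
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode")
    if host.get("NetworkMode") == "host":
        findings.append("host network namespace")
    if host.get("CapAdd"):
        findings.append("added capabilities: " + ",".join(host["CapAdd"]))
    return findings

# Constructed sample records (not captured from a real system; digests shortened).
GOOD_IMAGE = json.loads("""{"Architecture": "s390x",
  "RepoDigests": ["registry.example.internal/payments/api@sha256:1111"],
  "Config": {"User": "1001:1001"}}""")
BAD_IMAGE = json.loads("""{"Architecture": "amd64",
  "RepoDigests": ["nginx@sha256:2222"], "Config": {"User": ""}}""")
BAD_CONTAINER = json.loads("""{"HostConfig": {"Privileged": true,
  "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"]}}""")

if __name__ == "__main__":
    for name, result in [("good image", audit_image(GOOD_IMAGE)),
                         ("bad image", audit_image(BAD_IMAGE)),
                         ("bad container", audit_container(BAD_CONTAINER))]:
        print(name, "->", result or "compliant")
```

A gate like this complements signature verification and vulnerability scanning rather than replacing them; it only checks metadata the runtime already reports.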
5. Use automation for deployment and scaling
Automation is a key enabler of container adoption on mainframes. Using Infrastructure as Code (IaC), automated pipelines, and self-service deployment tools ensures that containers are deployed consistently, reproducibly, and securely. Automation simplifies environment provisioning, scaling, rollback, and decommissioning, thereby reducing operational errors and accelerating time-to-value.
Additionally, automated workflows can integrate with existing mainframe change, incident, and release management systems, providing end-to-end traceability and compliance across the deployment lifecycle. Using container orchestration, such as Kubernetes or native mainframe tools, optimizes scaling under fluctuating workloads, ensuring that resource use matches business demand while maintaining operational controls and compliance.
