As momentum continues to build for the Docker containerization platform, some of the open source project’s biggest contributors argue that it has lost its way. Priorities have shifted at Docker from the ideal of building a standard container to instead supporting an entire containerization ecosystem. According to the developers at Linux distro company CoreOS, this move has left the entire Docker process “fundamentally flawed.” It’s why they announced this week a competing container runtime called Rocket that they hope will become the “simple composable building block” they’d originally envisioned Docker would be.
“Unfortunately, a simple re-usable component is not how things are playing out,” wrote Alex Polvi of CoreOS in a blog about the launch. “Docker now is building tools for launching cloud servers, systems for clustering, and a wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server.”
That’s an inherently risky prospect for security-conscious organizations, Polvi argues. What’s more, as Docker starts moving toward expanding the capabilities of its platform it will only increase its complexity and diminish its ability to integrate containers elsewhere. Which is why CoreOS is leading the charge for Rocket. Introduced as a prototype on GitHub this week, Rocket is a command line tool designed to run what it calls ‘App Containers.’ These can be a specification of an image format, container runtime or discovery mechanism.
“Rocket is the first implementation of an App Container, but we do not expect it to be the only one,” Polvi says. “An open specification allows other systems to do their own implementation of App Container without using Rocket at all. CoreOS fully supports and embraces alternative implementations.”
It’s a big move considering that the company’s co-founder and CTO, Brandon Philips, is a huge Docker contributor and on the Docker governance board. However, CoreOS argues that the clients that run Docker on CoreOS are clamoring for something with the kind of flexibility that Docker seemed to promise early on. So while CoreOS will continue to support Docker long into the future it hopes Rocket can help solve some problems that many of its clients have with the platform.
“Our primary users have existing platforms that they want to integrate containers with,” Polvi says. “We need to fill the gap for companies that just want a way to securely and portably run a container.”
Polvi says that CoreOS designed Rocket around four major factors that its team believes are key to good design of a standard container. First, it should be independent and composable. Second, container images should be designed for easy, distributed retrieval. Third, it should be open so that independent implementations of tools can run in the same container consistently every time. That’s why CoreOS says that it’s developing an open specification so that other systems can implement an App Container without even using Rocket.
And, fourth, security should be paramount.
“Isolation should be pluggable, and the crypto primitives for strong trust, image auditing and application identity should exist from day one,” Polvi explains. “Security primitives are very important to us, so we added an identity feature to the meta-data service. This means every instance of a running container is given a unique identity, coupled with a lightweight HSM-like service for signing.”
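To make the idea in that quote concrete, here is an added illustration (not CoreOS code, and not how Rocket’s metadata service is actually built) of the two primitives Polvi names: image auditing by content digest, and a per-instance container identity backed by a signing service that never hands out its key. The `SigningService` class, the `image_digest` helper and the sample image bytes are all constructed for this example; the service uses HMAC-SHA256 from the Python standard library as a stand-in for whatever an HSM would use.

```python
import hashlib
import hmac
import os
import uuid
from typing import Dict, Optional


def image_digest(image_bytes: bytes) -> str:
    """Content-address an image so it can be audited: any byte change changes the digest."""
    return "sha256-" + hashlib.sha256(image_bytes).hexdigest()


class SigningService:
    """Toy stand-in for the 'lightweight HSM-like service' in the quote above.

    The secret key lives only inside this object. A container instance is
    registered with the digest of the image it was started from and receives
    a unique identity; it can then ask the service to sign data on its behalf
    but never sees the key itself.
    """

    def __init__(self, key: Optional[bytes] = None):
        # In a real deployment this key would sit in an HSM; here it is in memory.
        self._key = key if key is not None else os.urandom(32)
        self._identities: Dict[str, str] = {}  # instance id -> image digest

    def register_instance(self, digest: str) -> str:
        """Give a newly launched container a unique identity bound to its image."""
        instance_id = str(uuid.uuid4())
        self._identities[instance_id] = digest
        return instance_id

    def _message(self, instance_id: str, payload: bytes) -> bytes:
        # Bind the signature to both the identity and the image it came from,
        # with a separator so the fields cannot run into each other.
        digest = self._identities[instance_id]
        return instance_id.encode() + b"\x00" + digest.encode() + b"\x00" + payload

    def sign(self, instance_id: str, payload: bytes) -> str:
        """Sign payload for a registered instance; unknown instances are refused."""
        if instance_id not in self._identities:
            raise KeyError("unknown container instance")
        return hmac.new(self._key, self._message(instance_id, payload), hashlib.sha256).hexdigest()

    def verify(self, instance_id: str, digest: str, payload: bytes, signature: str) -> bool:
        """Check that signature was produced for this instance, this image and this payload."""
        if self._identities.get(instance_id) != digest:
            return False
        expected = self.sign(instance_id, payload)
        return hmac.compare_digest(expected, signature)


def launch_if_trusted(service: SigningService, image_bytes: bytes, expected_digest: str) -> Optional[str]:
    """Audit the image against the digest an operator approved; only then mint an identity."""
    if image_digest(image_bytes) != expected_digest:
        return None  # tampered or wrong image: refuse to run it
    return service.register_instance(expected_digest)


if __name__ == "__main__":
    # Constructed sample image; a real one would be a filesystem bundle.
    image = b"constructed-app-container-image-v1"
    approved = image_digest(image)
    service = SigningService()

    instance = launch_if_trusted(service, image, approved)
    print("launched instance:", instance)
    sig = service.sign(instance, b"hello from the container")
    print("signature verifies:", service.verify(instance, approved, b"hello from the container", sig))
    print("tampered image launches:", launch_if_trusted(service, image + b"x", approved))
```

The verifier binds each signature to the instance identity and the image digest, so a signature from one container cannot be replayed as another container’s, and a container started from an unaudited image never gets an identity at all.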
This is a new approach for container environments, so CoreOS is especially seeking community feedback for this design. However, the entire project is essentially ready and waiting for community support. Those interested should check out the details on GitHub.