Citing concerns around Docker's security model and its increasingly complex supporting platform, CoreOS is developing Rocket, an alternative to the open-source container technology.
"A little bit of competition is good for the user at the end of the day. It makes sure everyone is aligned on building really good products," said Alex Polvi, CoreOS CEO.
The Rocket container runtime, released Monday, addresses a number of concerns that the Linux distributor had around Docker.
CoreOS, which produces a popular Linux distribution configured for use in the cloud, has been an early and strong supporter of Docker. The company started working on its own alternative because of the increasing number of issues its customers were experiencing with the virtualization technology, Polvi said.
"We've tried for along time to get the [Docker] model fixed, and had meetings with the core Docker team," Polvi said. "At a certain point, we have users going into production with this stuff, so we have to fix it. We're fixing it."
One of the chief issues that CoreOS has had with Docker is that the scope of the technology seems to be sprawling. Originally, the idea behind Docker was to offer a simple virtualization container. Basically, a container is a module that can run on top of the operating system to provide a standardized environment for running an application, so it can be easily moved from one server to another.
The Docker project, which is overseen by the company of the same name that was founded in 2013, "has been evolving into something that is a lot more than just a simple container runtime," Polvi said. The Docker group is expanding the scope of software to include supporting technology, such as the ability to create, store, upload, run and orchestrate Docker images. At this point, Docker is more of a platform than a container, Polvi charged.
This growing complexity can be problematic for a number of reasons, he explained. It runs counter to the architectural philosophy behind Unix/Linux, which emphasizes simple building-block-like elements that can be easily strung together with the command line, and with scripts, to create full-fledged applications and workflows. The Docker application assumes that users will be using all of its components, rather than any existing ones they may already be running.
"Most of the people using CoreOS have existing environments of some sort that they are trying to integrate containers with. They are not ready to lob on a whole new platform," Polvi said.
The monolithic design can also be problematic from a security perspective, Polvi explained. The entire stack of Docker technology runs as a single process on Linux servers, one that requires root access to the machine. A general security truism has been that systems should run as few processes as possible under root, because root access offers total control over a machine. Any software that runs as root, if it has a security vulnerability, could be used to take control of the machine. Docker's increasingly large array of functionality, all of which must run as root, enlarges the terrain for possible system attacks, Polvi said.
In contrast, Rocket runs as a simple command line program, containing only the commands to run an App Container Image (ACI). The ACI can be encrypted and distributed across multiple channels, such as BitTorrent, a public object storage service, or mirror networks. Rocket itself can be used not only on CoreOS but with any Linux distribution. CoreOS itself will continue to support Docker as well.
CoreOS posted a development version of the software, version 0.11, on GitHub. Due to Rocket still being in an early stage of development, Polvi did not estimate when a full production-ready version of the software would be available.
CoreOS is not the only Linux distributor working on an alternative to Docker. Last month, Canonical started work on a secure container-based technology, LXD (Linux Container Daemon) which it claims will offer the speed of Docker, but the security of a fully isolated virtual machine.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.