CoreOS: Dump Docker for our more secure replacement

CoreOS has devised App Container and Rocket, its own standard that goes back to Docker's roots


Every great movement goes through a schism. In the span of a little more than a year, Docker has allowed dev and ops alike to rethink how applications are hosted, deployed, and maintained. But not everyone has been happy with the fruits of the project.

CoreOS, the company that used Docker containers to create a different type of Linux distribution, is among the disgruntled. The company's next project is to create a new container -- much to Docker's chagrin, it seems.

CoreOS outlined its new App Container and Rocket runtime projects in a blog post that went live Monday afternoon. Rocket is "an alternative to the Docker runtime, designed for server environments with the most rigorous security and production requirements." App Container, a spec to describe containers used by Rocket, is "a new set of simple and open specifications for a portable container format."

CoreOS's main rationale for creating an alternative container technology was Docker's evolution from a simple building block into a platform unto itself.

"A simple re-usable component is not how things are playing out," wrote CoreOS CEO Alex Polvi. "Docker now is building tools for launching cloud servers, systems for clustering, and a wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server."

This complexity, he claimed, has created issues for CoreOS and its customers. "At CoreOS, we have large, serious users running in enterprise environments," Polvi wrote. "We cannot in good faith continue to support Docker's broken security model without addressing these issues."

CoreOS's proposed solution is not a fork of Docker or a set of proposed commits, but rather a new container system, designed from the inside out to support four key attributes: composability, security, ease of distribution for images, and openness. The spec created from these ideas now has an early-model implementation, Rocket, although CoreOS believes other implementations are possible.

Docker has been trying to address security issues for some time now, most recently adding the ability to sign and apply SELinux and AppArmor protections to containers. But complaints about Docker security, many revolving around the Docker daemon (which requires root privileges), still ride high.

Docker has spoken up about the announcement, with Docker CEO Ben Golub noting that many of the issues CoreOS outlined are under consideration. "We hope to address some of the technical arguments posed by the Rocket project in a subsequent post," he wrote. "While we disagree with some of the arguments and questionable rhetoric and timing of the Rocket announcement, we hope that we can all continue to be guided by what is best for users and developers."


Copyright © 2014 IDG Communications, Inc.