CoreOS's Rocket aims for greater container isolation

Next generation of CoreOS's container runtime uses Intel hardware-based isolation for added security. Will other container systems follow that example?

Now that the Open Container Initiative (OCI) has promised to make all containers one, has work on container technologies other than Docker come to a halt? Short answer: no. And in CoreOS's case, development has only accelerated.

CoreOS, which makes an alternative container system that borrows many of Docker's ideas, has been hard at work on its Rocket container runtime. Pitched as a runtime for deployments where security and simplicity are the leading concerns, Rocket (or "rkt"), now at version 0.8, brings with it some Intel-engineered features that CoreOS claims are not found in other container runtimes.

Rocket 0.8 draws on Intel's Clear Containers project, which uses the VT-x virtualization extensions in Intel silicon to put each container inside a hardware-isolated virtual machine. Intel in fact used Rocket to build the proof of concept for Clear Containers, so the current work is better described as a collaboration between CoreOS and Intel. A container executed under Rocket 0.8 with this stage1 has its entire process hierarchy encapsulated inside a KVM virtual machine running its own guest kernel, so the container's contents are separated from the host by the hypervisor boundary rather than only by the host kernel's namespace and cgroup checks.

This much isolation might sound like overkill, but container isolation is an ongoing concern. VM-based cloud platforms such as OpenStack provide a kind of isolation that the container primitives, cgroups and namespaces, do not: every tenant runs on its own kernel, so a kernel bug reachable from one workload is not a bug reachable from every workload on the host. In a multitenant environment that degree of isolation is vital.
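As an added example of what the difference between namespace isolation and the KVM-backed isolation described in the two paragraphs above looks like from inside a container, here is a small Python check that can be run inside a container to decide whether it has its own kernel or shares the host's. This is not rkt or Clear Containers code: the two signals it uses, the CPUID `hypervisor` flag reported in /proc/cpuinfo and how soon after kernel boot PID 1 started according to field 22 of /proc/1/stat, are this example's own heuristics, and the /proc samples embedded in it are constructed rather than captured from a real system.

```python
"""Heuristic check, run from inside a container: does this container have
its own kernel (VM-backed, as with an rkt KVM stage1) or does it share the
host kernel behind namespaces and cgroups?  Added example, not code from
rkt or Clear Containers; the signals below are this example's assumptions
about what a process can observe, not anything the runtime exposes."""
import os


def has_hypervisor_flag(cpuinfo: str) -> bool:
    """True if /proc/cpuinfo reports the CPUID 'hypervisor' bit, which a
    guest kernel sees when it runs under KVM or another hypervisor."""
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and "hypervisor" in value.split():
            return True
    return False


def pid1_start_seconds(pid1_stat: str, clk_tck: int) -> float:
    """Seconds between kernel boot and the start of PID 1 as seen in this
    PID namespace, from field 22 (starttime, in clock ticks since boot) of
    /proc/1/stat.  The comm field is parenthesised and may contain spaces,
    so split on the last ')' rather than on whitespace."""
    _, _, rest = pid1_stat.rpartition(")")
    fields = rest.split()             # fields[0] is field 3 (state)
    return int(fields[19]) / clk_tck  # fields[19] is field 22 (starttime)


def classify_isolation(cpuinfo: str, pid1_stat: str, clk_tck: int = 100,
                       fresh_boot_seconds: float = 60.0) -> tuple:
    """Return (verdict, reason).  A namespace-only container's init is
    started long after the shared host kernel booted; a VM-backed pod boots
    a fresh guest kernel whose PID 1 starts within seconds of boot."""
    age = pid1_start_seconds(pid1_stat, clk_tck)
    if not has_hypervisor_flag(cpuinfo):
        # No hypervisor beneath this kernel at all: it is the host's kernel.
        return "shared-kernel", "no hypervisor flag; this is the host kernel"
    if age > fresh_boot_seconds:
        # Under a hypervisor, but init started long after boot: a namespaced
        # container on a host that is itself a VM (e.g. a cloud instance).
        return "shared-kernel", f"PID 1 started {age:.0f}s after kernel boot"
    return "own-kernel", f"hypervisor flag and PID 1 started {age:.2f}s after boot"


# Constructed samples (not captured from a real system).
CPUINFO_UNDER_KVM = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc "
    "rep_good nopl xtopology pni pclmulqdq ssse3 cx16 hypervisor lahf_lm\n"
)
CPUINFO_BARE_METAL = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc "
    "rep_good nopl xtopology pni pclmulqdq vmx ssse3 cx16 lahf_lm\n"
)
# PID 1 started 2 ticks after boot: a freshly booted guest kernel.
PID1_STAT_FRESH_KERNEL = (
    "1 (systemd) S 0 1 1 0 -1 4194560 5000 120 0 0 12 8 0 0 "
    "20 0 1 0 2 45056000 1200 18446744073709551615"
)
# PID 1 started 8640000 ticks (one day at CLK_TCK=100) after boot: a
# namespaced container's init on a host kernel that has been up for a day.
PID1_STAT_LATE_INIT = (
    "1 (systemd) S 0 1 1 0 -1 4194560 5000 120 0 0 12 8 0 0 "
    "20 0 1 0 8640000 45056000 1200 18446744073709551615"
)


if __name__ == "__main__":
    # Live check on the system this runs on (Linux only).
    with open("/proc/cpuinfo") as cpu, open("/proc/1/stat") as stat:
        verdict, reason = classify_isolation(cpu.read(), stat.read(),
                                             os.sysconf("SC_CLK_TCK"))
    print(f"{verdict}: {reason}")
```

Two caveats matter in practice. If the host is itself a cloud VM, every container on it sees the `hypervisor` flag, so only the PID 1 timing discriminates; and a container started within the first minute of host uptime, or one that was not given its own PID namespace and therefore sees the host's real init, cannot be told apart from a fresh guest by this check. The script is a quick sanity test that the KVM stage1 is actually in use, not a substitute for inspecting the pod's process tree on the host.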

The bigger question is whether Rocket's new features will be adopted in the world of the OCI. According to Brandon Philips, CTO of CoreOS, the original "appc" container spec proposed by CoreOS covers four different elements of container management: packaging, signing, naming (sharing the container with others), and runtime.

"The current focus of OCI has only been on the runtime," said Philips, although as work continues to "harmonize appc with OCI," he expressed hope that "the OCI specs can have a complete container image story for users to work from."

CoreOS wants to lead by example, but Docker is also providing some of the pieces Philips outlined. Most recently Docker released Docker Content Trust, a signing and verification mechanism for Docker images. By offering Content Trust as an opt-in way to verify content pulled from the official Docker registry, Docker Hub, and publishing the underlying signing tooling as open source, Docker hopes to encourage adoption of image signing across the ecosystem.
