ARN

CoreOS's Rocket aims for greater container isolation

Next generation of CoreOS's container runtime uses Intel hardware-based isolation for added security. Will other container systems follow that example?

Now that the Open Container Initiative (OCI) has promised to make all containers one, has work on container technologies other than Docker come to a halt? Short answer: no. And in CoreOS's case, development has only accelerated.

CoreOS, which makes an alternative container system that borrows many of Docker's ideas, has been hard at work on its Rocket container runtime. Pitched as a way to run containers where security and simplicity are the leading concerns, Rocket (or "rkt"), now at version 0.8, brings with it some Intel-engineered features that CoreOS claims are not found in other container runtimes.

Rocket 0.8 leverages work from Intel's Clear Containers project, which uses the VT-x instruction sets in Intel silicon to add hardware isolation to containers. In fact, Intel used Rocket to build a proof-of-concept for its project, so the current work with Rocket is better described as a collaboration between CoreOS and Intel. A container executed under Rocket 0.8 has its entire process hierarchy encapsulated inside a KVM process, meaning the container's contents are firewalled off from the host.
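The KVM-backed isolation described above only works on hosts whose CPU exposes hardware virtualization and whose kernel exposes a usable KVM device. The following is an added example (not CoreOS, Intel or rkt code) of the preflight check a practitioner would run before relying on that mode. It assumes a Linux host where /proc/cpuinfo lists CPU flags (Intel VT-x appears as "vmx", AMD-V as "svm", and a "hypervisor" flag means the host is itself a guest and would need nested virtualization) and where /dev/kvm exists when KVM is available; the sample cpuinfo text is constructed for the demonstration.

```python
"""Preflight check: can this host back containers with KVM hardware isolation?

Added example, not part of rkt or Clear Containers. Assumes a Linux host
with /proc/cpuinfo in the usual "flags : ..." format and a /dev/kvm node.
"""
import os
import re

# CPU flags that advertise hardware virtualization extensions.
VIRT_FLAGS = {"vmx": "Intel VT-x", "svm": "AMD-V"}


def parse_cpu_flags(cpuinfo_text):
    """Return the union of flags from every 'flags :' line in cpuinfo text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        # Match only the plain "flags" line, not e.g. "vmx flags" on newer kernels.
        if re.match(r"^flags\s*:", line):
            flags.update(line.split(":", 1)[1].split())
    return flags


def hardware_virt_support(cpuinfo_text):
    """Summarise which virtualization extensions the CPU reports."""
    flags = parse_cpu_flags(cpuinfo_text)
    found = sorted(name for flag, name in VIRT_FLAGS.items() if flag in flags)
    return {
        "supported": bool(found),
        "extensions": found,
        # Running inside a VM already: KVM-backed containers would need nested virt.
        "nested_virt_required": "hypervisor" in flags,
    }


def kvm_device_usable(path="/dev/kvm"):
    """True when the KVM device node exists and the caller can open it read/write."""
    return os.path.exists(path) and os.access(path, os.R_OK | os.W_OK)


def host_report(cpuinfo_text=None, kvm_path="/dev/kvm"):
    """Combine the CPU and device checks into one verdict for the host."""
    if cpuinfo_text is None:
        with open("/proc/cpuinfo") as f:
            cpuinfo_text = f.read()
    virt = hardware_virt_support(cpuinfo_text)
    virt["kvm_device"] = kvm_device_usable(kvm_path)
    virt["hardware_isolation_ready"] = virt["supported"] and virt["kvm_device"]
    return virt


# Constructed sample cpuinfo fragments (not captured from a real machine).
SAMPLE_VTX = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3 sse4_2
"""
SAMPLE_VTX_IN_GUEST = """processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae vmx hypervisor
"""
SAMPLE_NO_VIRT = """processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep ssse3
"""

if __name__ == "__main__":
    for label, text in [("vt-x", SAMPLE_VTX), ("guest", SAMPLE_VTX_IN_GUEST),
                        ("no-virt", SAMPLE_NO_VIRT)]:
        print(label, hardware_virt_support(text))
    print("live host:", host_report())
```

`host_report()` with no arguments reads the real /proc/cpuinfo; a host that reports `supported` but no usable `/dev/kvm` usually needs the kvm_intel or kvm_amd module loaded or group membership on the device, and a host flagged `nested_virt_required` cannot provide VT-x to a guest unless its own hypervisor exposes it.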

This much isolation might sound like overkill, but container isolation is an ongoing concern. Most environments that host containers (e.g., OpenStack) claim to provide the kind of isolation that the underlying container technologies, generally cgroups and namespaces, don't provide on their own. In a multitenant environment, for instance, that degree of isolation is vital.

The bigger question is whether Rocket's new features will be adopted in the world of the OCI. According to Brandon Philips, CTO of CoreOS, the original "appc" container spec proposed by CoreOS covers four different elements of container management: packaging, signing, naming (sharing the container with others), and runtime.

"The current focus of OCI has only been on the runtime," said Philips, although as work continues to "harmonize appc with OCI," he expressed hope that "the OCI specs can have a complete container image story for users to work from."

CoreOS wants to lead by example, but Docker is also providing some of the pieces Philips outlined. Most recently, Docker released Docker Content Trust, a signing and verification mechanism for Docker containers. By using Content Trust as an opt-in mechanism for verifying content added to the official Docker Registry and offering it as an open source standard, Docker hopes to lead by example and encourage adoption.