
CoreOS brings different approach to container security

Container security is central to CoreOS' first production release of container runtime rkt, which it sees as better suited than Docker for large-scale deployments.

The container market continues to heat up, as the security-centric rkt reached its first production-ready release last week.

A little over a year after the open source project was first made available, version 1.0 of the rkt container application runtime focuses on security and a stripped-down role in application deployments, marking yet another option for users to deploy Linux containers.

CoreOS is positioning rkt as a much more modular component within the overall application framework than Docker, which has expanded its push beyond formatting and packaging containers to constructing an entire platform for building and running containerized applications.

Rkt will still work with the Docker image format, and other ecosystem partners have released add-on features for the 1.0 release covering monitoring, networking, and a container registry for rkt runtime images and for converting Docker images to rkt images. Through a partnership with Intel, users can also launch rkt containers inside a virtual machine for an additional layer of isolation.

CoreOS plans to integrate rkt into Tectonic, its commercial Kubernetes platform. Kubernetes and other orchestration tools also compete with services such as Docker Swarm.

Deis, a division of Engine Yard and an open source platform as a service provider, has Docker containers in production for large enterprises, but it runs into problems after prolonged usage at scale. The Docker team has been supportive in fixing the problems, but as Docker keeps adding surface areas to the Docker client, it gets further away from the simple rock-solid container engine Deis wants, said Gabriel Monroy, CTO at Engine Yard, based in San Francisco.

"We just want something that [does] one thing and does it well," he said.

Deis has done scale testing and prototyping with rkt, and plans to eventually swap out Docker for rkt for runtime, while maintaining the Docker image format, Monroy added.

Project Calico, an open source networking stack sponsored by Metaswitch, supports Docker and rkt, although it sees the latter as better suited to production at scale, said Christopher Liljenstolpe, director of solutions architecture at Metaswitch Networks, based in London. Docker, he explained, has more mechanisms wrapped around it, while rkt requires fewer running components.


"Docker very much wants to provide a fully integrated vertical stack, and that's the way they've built things," he said. "CoreOS [is] much more about modular. You can take what you want and leave the rest."

Containers have been one of the most talked-about technologies in IT since Docker burst onto the scene in 2013 and released its first commercial version a little over a year later. CoreOS garnered attention in late 2015 when it released rkt, while criticizing the security of Docker as a container engine.

CoreOS CEO Alex Polvi has raised concerns about the Docker model that requires a majority of operations to run through the Docker daemon -- a view he maintains with the 1.0 release.

"Without a rewrite of Docker, that will forever be a major area of security issues," he said. "We built rkt to address an architectural issue that can't be addressed with a light patch to Docker."

Rkt follows the Unix philosophy of privilege separation, according to Polvi. Users have the option of eliminating the need to run an API server as root, or to talk to the Internet to upload and download images.
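The architectural concern Polvi raises above is that, in a daemon-centric design, every operation flows through one long-running process that runs as root, so whoever can talk to that process effectively holds root on the host. The following shell function is an added example (not from the article, CoreOS or Docker) that a defender can run to audit who can reach such a daemon over its control socket. The socket path, the `AUDIT_SOCKET` variable and the use of GNU `stat` on a Linux host are assumptions; adjust them for your environment.

```shell
#!/bin/sh
# Added example, not from the article, CoreOS or Docker: audit who can talk to a
# daemon-style container engine over its control socket. Any process that can
# write to the socket can ask the root-running daemon to start containers, so
# socket access is root-equivalent. Socket path and variable name are assumptions.

# audit_daemon_socket <socket-path>
# Returns 0 when only the owner can write to the socket, 1 when a group or
# everyone can write to it. Uses GNU stat (-c), as found on Linux hosts.
audit_daemon_socket() {
    sock="$1"
    if [ ! -e "$sock" ]; then
        echo "$sock: not present, nothing to audit"
        return 0
    fi
    mode=$(stat -c '%A' "$sock")        # e.g. srw-rw----
    owner=$(stat -c '%U' "$sock")
    group=$(stat -c '%G' "$sock")
    group_w=$(printf '%s\n' "$mode" | cut -c6)   # group write bit
    other_w=$(printf '%s\n' "$mode" | cut -c9)   # world write bit
    echo "$sock: mode=$mode owner=$owner group=$group"

    rc=0
    if [ "$other_w" = "w" ]; then
        echo "  WARNING: world-writable; any local user can drive the daemon"
        rc=1
    fi
    if [ "$group_w" = "w" ]; then
        echo "  NOTE: group '$group' can write; every member is effectively root"
        # List the group's members when getent is available (Linux).
        if command -v getent >/dev/null 2>&1; then
            members=$(getent group "$group" | cut -d: -f4)
            echo "  members of '$group': ${members:-(none listed)}"
        fi
        rc=1
    fi
    return "$rc"
}

# Stand-alone run: check the conventional Docker socket path (an assumption).
if audit_daemon_socket "${AUDIT_SOCKET:-/var/run/docker.sock}"; then
    echo "verdict: socket writable by its owner only"
else
    echo "verdict: socket access is broader than owner-only; review membership"
fi
```

The check deliberately looks only at the file mode and group membership rather than at daemon configuration, because that is the boundary the article's argument is about: a daemon that must run as root turns every principal with socket access into a root-equivalent one, and the membership of the socket's group is therefore the access-control list worth reviewing.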

On the same day rkt 1.0 was released, Docker 1.1 was made available, with a heavy focus on container security and more fine-grained access control.

Docker declined to comment specifically on the CoreOS claims. Both companies take security very seriously, despite coming at it from different perspectives, explained Fintan Ryan, an analyst with RedMonk, based in Portland, Maine. Customers will pick the option that best fits their needs, but a fairer comparison -- and more intense competition -- will come with the software that sits on top of containers.

"The market is going to be absolutely huge for all this stuff, so there'll definitely be a couple different ways to do it," Ryan said.

Docker and CoreOS are fighting for the same IT dollars, but they're also working together alongside some of the biggest tech vendors in the world to establish a standard around container formats and runtimes through the Open Container Initiative.

Analyst firm 451 Research asked 198 senior IT pros who their primary container supplier is, with 64% saying Docker, compared with only 10% for rkt, according to the New York-based company's third quarter of 2015 edition of its Voice of the Enterprise survey on cloud computing.

When new technology as popular as Docker comes along, the door opens for alternatives in the marketplace, said Jay Lyman, research manager at 451. Rkt has helped keep Docker honest in its progression and promoted a greater focus on container security.

"This is the classic open source software competitor disciplining the other projects," Lyman said. "It helps Docker and helps rkt when there is more than one viable alternative."

Trevor Jones is a news writer with TechTarget's Data Center and Virtualization media group. Contact him at [email protected].
