CoreOS is a sort of frenemy of Docker—a competitor and partner at the same time—and continues to be a thorn in Docker’s side every once in a while. Now is one of those times as CoreOS recently unveiled version 1.0 of its rkt (A.K.A. “Rocket”) container runtime with a focus on making the container ecosystem more secure.
Containers have moved quickly from niche concept to mainstream technology—in large part thanks to Docker. As with most emerging technologies, though, security is an afterthought. Once mainstream acceptance begins, the focus shifts to security. It’s unfortunate that security doesn’t get more attention in the earlier development, but it’s a reality that occurs across all facets of technology.
As containers have gathered momentum and more organizations have considered containers as a part of the overall IT and app development strategy, security has taken center stage. Microsoft, IBM, Intel, VMware, and others have introduced container variants designed to embrace the benefits of the container concept while adding the security that enterprises need in order to adopt the technology with confidence.
An article in InfoWorld quotes CoreOS CTO Alex Polvi explaining how the daemon-less approach of rkt gives the platform a security edge over Docker. “Any action you take can be invoked as a separate operation, meaning it can be subject to privilege separation. Things talking to the Internet, for instance, don’t have to run as root. That’s just basic Unix system programming; you shouldn’t have to run everything as root in the server.”
CoreOS also includes things like signing and validating container images as a foundational principle of container security.
CoreOS previously frustrated Docker when it apparently abandoned its own Standard Container Manifesto and ventured down a path that was more proprietary. It was this conflict between CoreOS and Docker that provided the catalyst for the industry to band together with the Open Container Project.
That effort is a work in progress, so we haven’t quite reached the stage of a ubiquitous container standard. CoreOS primarily supports the App Container image format, but has designed its platform to convert Docker images transparently in real-time so that both container images are supported within rkt.
Now the two cooperate more, but also still remain competitors at the same time. To its credit, Docker has also recognized the lack of security in its container platform and has introduced new security features and controls for its own containers too. The competition between the two and with the industry at large drives innovation and