CoreOS and the App Container Spec
The open-source Docker application virtualization container project has become a de facto standard for application containers over the course of the last year. But it is a de facto standard without a real specification, and it is being challenged by Linux distribution vendor CoreOS.
CoreOS is developing its own Docker replacement, both as technology, with Rocket, and as an actual specification that defines what an application container is. The App Container Specification (appc) is currently in development and differs from Docker in some important ways.
Brandon Philips, CoreOS CTO, explained to ServerWatch that the appc spec has three parts:
1) the App Container Image or "ACI"
2) the App Container execution environment, which specifies how to build something that can run an ACI
3) the Discovery process for how to take an image name like coreos.com/etcd:v2.0.0 and find that on the internet, download it and cryptographically verify it
Philips noted that with appc a process has access to a cryptographic identity.
"Today our servers have identity from a 'Trusted Platform Module' or TPM so we can know a given piece of hardware is actually who it says it is, and our Linux servers have identity through their SSH public key, but our processes do not have identity," Philips explained.
"With the appc spec we want to give every container an identity so that container A can take some message, sign it with its identity, and hand it to container B who can verify it actually comes from container A," Philips continued.
Philips additionally explained that the naming of images implies a DNS namespace in appc. It's also his belief that containers will become an important piece of infrastructure for the internet and new protocols should start from a decentralized namespace like DNS.
"Today, the docker namespace starts at index.docker.io and is implied when you type something like 'docker push mycompany/secrets'," Philips said.
Another component of the appc spec is that an application can have multiple processes. Philips explained that an application is often made up of multiple processes working together.
"We are trying to tackle a number of other central issues with the appc spec," Philips said. "Over time, I really do hope that we can come together with Docker and share this spec, as these are important technical things that should be standardized outside of any single runtime."