Rocket ‘security-minded’ container engine is production-ready
Lightweight Linux provider CoreOS has released a production-ready version of Rocket, its alternative to Docker, which has until now been the default platform for handling containerized software.
Containerized software runs each app in its own minimal package with the resources it needs, which can be easily moved between development and delivery teams, and between different hardware platforms. Docker is the leading player in the space, but CoreOS announced a rival called rkt - pronounced Rocket - in December 2014.
Ready for launch
CoreOS, a hitherto strong supporter of Docker, announced Rocket as complaints emerged about the security of the Docker runtime. The Rocket runtime will support application containers built for Docker, but with improved performance and better security controls.
“rkt was born in 2014 at a time when interest in cloud-native computing and containers began to take off,” said CoreOS CEO Alex Polvi on the CoreOS blog. “Since then, the need for a secure, production-ready container runtime has continued to spread.”
Rocket is also designed to fit in with CoreOS’ larger vision, the Tectonic platform, delivered in November 2015, which is intended to handle a larger part of organizations’ DevOps needs, including container orchestration. The platform also works with other integration platforms, including Nomad and Google’s Kubernetes.
While rkt is a competitor to the Docker runtime, users will still be able to run application containers that use the Docker image and have been built with Docker tools. It also has its own format, App Container Image (ACI).
“rkt is built from the ground up to be ready for security-focused environments,” Polvi says. “Many of these principles weren’t invented at CoreOS — instead, we applied common, everyday best practices that have been largely overlooked in the container industry so far.”
To increase its security, Rocket includes an automatic signature validation feature for containers, and also supports Clear Containers, a technology from Intel based on the KVM hypervisor, which isolates containers. “A Clear Container is a container wrapped in its own individual virtual machine that also includes a specially optimized copy of the Clear Linux OS,” explains an Intel blog on the subject. “Clear Containers run on KVM, a mature hypervisor included with the Linux kernel.” Clear Containers are protected with the security of a virtual machine, but start nearly as fast as an ordinary container, in less than 200ms, Intel promises.
Although Docker has a clear lead in terms of adoption and developer mindshare, Polvi believes Rocket is a serious contender, and it certainly has had a large effort put into it, with more than 3,000 commits from more than 100 developers.
While the two projects are rivals, both CoreOS and Docker are members of an effort within the Open Container Initiative, which aims to promote a standard for containers, built around a common runtime, runC,