Slashdot Mirror

← Back to Stories (view on slashdot.org)

CoreOS Announces Competitor To Docker

Posted by Soulskill on from the if-you-want-something-done-right dept.

New submitter fourbadgers writes: CoreOS, the start-up making the CoreOS Linux distribution, has announced Rocket, a container management system that's an alternative to Docker. CoreOS is derived from Chrome OS and has a focus on lightweight virtualization based on Linux containers. The project has been a long-time supporter of Docker, but saw the need for a simpler container system after what was seen as scope-creep in what Docker provides.

19 of 71 comments (clear)

  1. It is not about scope... by houstonbofh · · Score: 4, Insightful

    It is not about scope, or features, or development. It is all about who has the most things to install. Unless it runs Docker apps, (Which will be hard if it does not keep up with the feature creep) it is already starting way behind.

    1. Re: It is not about scope... by Anonymous Coward · · Score: 5, Insightful

      As someone that has used Linux vserver for over 10 years and is currently running lxc containers for our business, I would say that Docker is a very confusing project to put into practice. We decided that we could do a better job and have more control over the deployment and operations of our applications.

      We evaluated coreos and decided against it because it used Docker.

      I think this is a good moved from coreos and makes complete sense if you had to use this stuff for anything in the real world.

  2. Apple already uses that name.. by jcr · · Score: 3, Interesting

    "CoreOS" is the kernel and UNIX services layer of iOS and Mac OS X.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Apple already uses that name.. by bill_mcgonigle · · Score: 4, Funny

      "CoreOS" is the kernel and UNIX services layer of iOS and Mac OS X.

      Actually, Core OS is.

      Yeah....

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Apple already uses that name.. by darkain · · Score: 3, Informative

      And IOS is the operating system powering Cisco routers.

      http://en.wikipedia.org/wiki/C...

    3. Re:Apple already uses that name.. by wonkey_monkey · · Score: 2

      Apple already uses that name..

      So does the Spanish post office! Kinda...

      --
      systemd is Roko's Basilisk.
    4. Re:Apple already uses that name.. by TheRaven64 · · Score: 2

      And Apple licenses that trademark from Cisco. They also license the trademark on iPhone from Cisco, who previously had a SIP phone with the same name.

      --
      I am TheRaven on Soylent News
  3. Fuck me. by Anonymous Coward · · Score: 5, Funny

    Oh, fuck. I'm going to in to work tomorrow, and our resident Ruby on Rails weeny will have a fat, stiff boner over this technology. He'll be ranting and raving about how amazing it is, even if he's never used it. The old FreeBSD and Solaris admins will scowl at this rube and how he's getting excited over technology they had available to them 15 to 20 years ago. The even older guys who worked on mainframes will chuckle, thinking back fondly to the days when they first encountered this type of technology, so many decades ago. Six months from now, after the Ruby on Rails dickweed has convinced our manager to use this technology in production, I'll get a call in the middle of the night because it's all fucked up and broken. I'll have to waste my night fixing it, while our resident Ruby on Rails pecker is reading all about the next fad he'll use to fuck over the rest of us with.

    1. Re:Fuck me. by pooh666 · · Score: 2

      He wasn't talking about FreeBSD 20 years ago, he was talking about App deployment on mainframes 20 years ago. Yes, junior it isn't a new idea. Sure some things are different, but many fundamentals were ideas way way before we had the super power, speed we do now.

  4. Pocket Rocket? by mveloso · · Score: 2

    So, Rocket for Android would be called Pocket Rocket?

  5. Where Docker failed by d3xt3r · · Score: 5, Interesting

    Containers are an interesting beast. Solaris has had Zones (aka containers) since 2005. In Solaris, these Zones are more akin to virtual machines, except much more efficient. All zones shared a single kernel, they just had virtual network interfaces, storage, and could be managed independently. Now, in 2014, Docker brings the same simplicity of Solaris Zones to Linux.

    Sure, we've had CGroups in Linux since 2004/2006 but Docker finally brought Linux up to speed with a simple to use capability for creating isolated containers on Linux. Only, the implementation brings with it the same flawed approach as Solaris Zones. Do we really need a full OS image running in a container? I don't think so. Docker images are based on a Linux distro (Ubuntu or CentOS, etc). So we look at this and say, "cool, virtualization without the overhead of interrupts for everything from writing to disk to sending packets over the wire." But is that really the best we can do?

    I think what Rocket really represents is a way to do containers right. Containers should run a single process. We shouldn't look at containers as a more efficient VM. We should see containers as a way to increase security and reduce overhead. Do you really want to have to run apt-get or yum inside every container? No. Containers should provide process isolation and application management capabilities. They shouldn't include the OS and the kitchen sink of user land utilities.

    This is where Docker has failed. Instead of simplifying administration and deployment, it's introduced its own nuanced approach to system management. The reason we need a Docker competitor (replacement?) is because Docker has failed to live up to its hype.

    1. Re:Where Docker failed by steveha · · Score: 5, Interesting

      Disclaimer: I'm not super experienced in this stuff. I am open to correction if I have any of these points wrong.

      Do we really need a full OS image running in a container?

      I think we probably do.

      One of the key selling points of Docker is that the container is load-and-go. Do you have some wacky old software that has a hard dependency on particular versions of some libraries? You can build a container with just the right libraries and get your software to work... and, after you do that work, the container is just another container. It may have been a pain for you to get it working, but then anyone can run it on any Docker host as easily as any other container. This seems kind of powerful to me.

      Do you need to see how your software runs on CentOS and Debian? You can set up a container for each, and run the tests on a single host system.

      And if you want maximum security, it's kind of neat that each docker container can use just its own private file system and containers can't affect each others' running state.

      So, if you are content with running an up-to-date system, and always running the latest versions of everything, and upgrading everything together, you could make a security isolation system lighter weight than Docker, but trading off some of the simplicity and flexibility of Docker. You might think it's a good choice, but I don't think you can reasonably claim that it's better in all ways.

      Containers should run a single process. We shouldn't look at containers as a more efficient VM.

      As I understand it, it is considered best practice in Docker to run a single process per container. Some people do use Docker as a sort of lightweight VM but not everyone likes it.

      Are you arguing that Docker is flawed because it doesn't enforce one process per container? Because I'm not seeing it. I would rather have the flexibility; if I want to use Docker as a lightweight VM, the option is there, and I don't see that as a bad thing.

      Do you really want to have to run apt-get or yum inside every container?

      Please correct me if I'm wrong, but my understanding is that you don't have to run a package manager inside every container. You would have a "base system" image, and you would update that image from time to time; then you build your specific containers as layers on top of the base image.

      I believe a container could simply be a script that starts up a service, and config files that configure the service, with the actual packages for the service in the "base system" image. I'm not sure if that is standard practice or what.

      I'm hoping that with Docker I could make micro-servers, like a Docker container with just a web server in it, not even a Bash shell. If someone cracks my server I want him in a desert, with no tools to help him escalate his privileges. I'm not sure how feasible that is now, but I think Docker is at least headed in that direction.

      I'm not opposed to this new Rocket thing, but I'm still not clear on its actual advantages over Docker.

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
    2. Re:Where Docker failed by vux984 · · Score: 3, Interesting

      Do you have some wacky old software that has a hard dependency on particular versions of some libraries? You can build a container with just the right libraries and get your software to work... and, after you do that work, the container is just another container.

      On the flipside, the security of that container has to be managed separately. The operating system and libraries have to be managed separately. Yes, you get the advantages you state... but if the software isn't "wacky old software with wierd dependencies" then its a lot of overhead to setup and maintain.

      A more lightweight approach to the common case makes sense, and you can always fall back to a full VM for the wacky ones.

  6. You are not Dockers business case by brunes69 · · Score: 2

    If you have been using LXC for over 10 years and have a custom application already tuned to it, you are not Docker's case, and that is fine. What Docker is about is being able to rapidly download and deploy entire enterprise stacks, with each piece of the stack being totally isolated and thus easily maintainable and upgradeable, making the whole thing easily automated. Want to swap from Postgresql 8 to Postgresql 9? Swap out the container that someone else has already made and tested... done. It is a very useful project.

    1. Re:You are not Dockers business case by DUdsen · · Score: 5, Interesting

      Dockers problem along with most of the web2.0 stuff is that it might look easy now but how are you going to ensure that everything is kept patched. When the installation/development team have fled the building and handed the task of running it over to some "outsourced operations center".

      This is the question that never gets asked and why a lot of this new fancy smart stuff isn't that widely deployed by largish shops whose core business is something other then it and where a 5 year life cycle is considered short and agile.

      Forking a filesystem is smart but remember your also forking and freezing yourself into all of the undiscovered bugs so you need a way to resync and retest every docker container ever deployed for every update in the platform you based it on. and this is something i haven't really seen anyone cover in dept yet.

    2. Re:You are not Dockers business case by jbolden · · Score: 2

      but how are you going to ensure that everything is kept patched. When the installation/development team have fled the building and handed the task of running it over to some "outsourced operations center".

      The outsourced operations center is responsible for most of the core containers and your development team responsible for others. The operations center knows what containers need to be replaced everyday. Because automated test environments need to be in place, they just roll out the new container and test. If it passes regression (i.e. identical output) it goes into production (or at least staging). Then you find out if your regression tests are up to snuff. If they aren't you build better regression tests.

      This is the question that never gets asked and why a lot of this new fancy smart stuff isn't that widely deployed by largish shops whose core business is something other then it and where a 5 year life cycle is considered short and agile.

      The idea is that there are microservices. Nothing will ever have a 5 year lifecycle unchanged. That's the philosophy.

    3. Re:You are not Dockers business case by Anonymous Coward · · Score: 2, Interesting

      He said vserver for over 10 yrs, NOT lxc.

      Believe it or not, linux has had OOT container technology for ages, in the form of vserver and openVZ. We also have used vserver for at least the last decade at my work.

      I was most surprised about the "using lxc in production" bit. We keep looking at it, but lxc still does not offer the isolation or stability to use in production (we had unpriv lxc containers working, then they were not). Semi-priv haven't been broken in quite a while though. Still not convinced lxc is really safe yet, even with uidmaps, since the main backers of lxc, Cannonical, always run app armor on top of it.

      We also haven't found a use-case here where the Docker layer provides benefit. And anything with an ugly xml config file needs to be _very useful_ to be bothered with.

  7. Needless confusion by Anonymous Coward · · Score: 3, Informative

    There is significant confusion about Linux containers. The Linux container project (LXC) has been baking since 2009, is perfectly usable and the extensive Linux toolset to support servers and clustered environments work with LXC perfectly.

    There is little need to reinvent unless some value is being added but in many cases its just adding complexity to extract value by funded companies who muddy the waters relentlessly.

    LXC is supported by Ubuntu since 2012 and mainly developed by Stephane Graber and Serge Hallyn of Ubuntu. LXC gives you Linux containers with a complete Linux environment, a wide choice of container OS templaes and advanced features like unprivilged containers that let's non root users run containers. Tools like Docker took this base LXC container, introduced a restrictive container OS environment to give you an app delivery platform with added complexity suitable for PAAS type scenarios, but promote themsevles as 'easier to use'. And in their marketing are vague on their genesis and their value add on top of LXC which would need them to be open about the extact nature of LXC, referring instead to the project as 'low level kernel capabilities' and allowing the misconception to spread that Docker is linux containers.

    Because of the LXC project's low profile and marketing resources of funded companies a lot of folks first introduction to Linux containers is via tools like Docker, who do not know much about LXC beyond the misconceptions. And even stranger a lot of other funded projects spring up around tools like Docker that try to break though the self imposed restrictions of Docker containers to make them more like LXC!

    The end result is unbecoming confusion even on better informed discussion forums like Slashdot, Soylent news, Hackner news and phoronix. So imagine the level of confusion with normal users? All Docker has to do now is lose the needless restrictions on their containers and LXC is basically dead. This looks like embrace, extend and extinguish.

    Here is a timeline of LXC

    2007 - Cgroups patches to the Linux kernel by a couple of Google coders

    2009 - The LXC project by Daniel lezcano, Serge Hallyn supported by IBM with a kernel patch and userland tools to create and manage containers. The LXC code was merged into the kernel in 2.6.32 with userland tools available.

    2012 - The project is now supported by Ubuntu with Stephane Graber and Serge Hallyn on Ubuntu working on it. It was a pretty low profile project.

    2013 - LXC 1.0 stable is released with a lot of new and exciting features.

    2013 - Dotcloud was using LXC containers for their internal PAAS platfrom, and experimented with LXC's support for overlay filesystems like aufs and overlayfs.

    2013 - Based on this they released a tool called Docker. They manage to get a lot of funding and market themsevles aggressively to the devops community.

    2014 - Docker sees huge adotpion and with the 0.9 release drop their dependence on the LXC project and annnounce a new tool called libcontainer that will use cgroup and namaspaces in the kernel directly.

    2014 - Ubuntu finally wakes to the potential of their own supported LXC project and announces LXD which will use uinprivilreged containers by default and manage containers across LXC hosts

    2014 - CoreOS, a linux distribution based around systemd and deploying apps in Docker containers with multi host orchestration tools like etcd and fleet decides to make a competing container format to Docker. Apprently because Docker was going to step in to the multi host orchestration business itself. Of course containers being like VMs don't need any specific container oriented orchestration, and tools that work with bare-metal and VMs work with LXC containers, but if you intentionally make restricted container formats then you will need to create an ecosystem of tools that support your restricted format. So you can't use normal orchestration tools as you would with LXC but need to find a Docker way or CoreOS way of doing things. That sounds fun.

  8. "Docker Platform" by Ritz_Just_Ritz · · Score: 2

    I don't understand the need to inject all the platform bloat into Docker. Why not just fold docker functionality into an existing platform such as OpenStack to handle all those "extras" that are being contemplated? The work to integrate the two is already in progress:

    https://wiki.openstack.org/wik...

    Best,