Part of my work on the Technical Alliances team at Docker involves exploring innovative projects our ecosystem partners are working on. One area that has seen radical change in recent years is the operating system (OS). You may have noticed some new OS releases: CoreOS (August 2013), Project Atomic (April 2014), and more recently Snappy Ubuntu Core (December 2014). These are all minimalist OSs designed to host Docker applications and simplify your infrastructure. If you are interested in the distinguishing features of each and how they differ from traditional Linux distributions, read on.
While there are some unique technologies and design trade-offs in these new systems, there is also a common set of ideas worth pointing out up front:
- Stability is enhanced through transactional upgrade/rollback semantics.
- Traditional package managers are absent and may be replaced by new packaging systems (Snappy), or custom image builds (Atomic).
- Security is enhanced through various isolation mechanisms.
- systemd provides system/service management. In general, systemd has been adopted almost universally among Linux distributions, so this shouldn’t be a surprise.
SIDENOTE: If you are a Windows or Mac OS X user, you may already be familiar with the smallest (23MB) Docker-focused OS: http://boot2docker.io/. Boot2Docker is designed to get new users up and running with a local instance of Docker on unsupported platforms through the use of virtualization; consequently, it does not support any of the power features discussed below.
Snappy Ubuntu Core
In their own words,
“Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates – a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism. The Snappy approach is faster, more reliable, and lets us provide stronger security guarantees for apps and users…” – https://developer.ubuntu.com/en/snappy/
Ubuntu has been in the minimalist operating system game for many years with Ubuntu Core (originally JeOS, “Just Enough OS”). Snappy Ubuntu Core (henceforth, “Snappy”) is a mashup of Ubuntu Core and knowledge gained from Canonical’s Ubuntu Phone efforts. The end result is a small system image sporting a new packaging tool that leverages AppArmor to enforce strong isolation of applications.
The Snappy packaging system is designed to be easy for developers to use, as they need only supply a metadata file along with their build artifacts to create a new Snappy “app”. There are actually two types of Snappy packages: “frameworks” and “apps” which can declare dependencies on “frameworks”. The key difference between a “framework” and an “app” is that only a “framework” specifies additional required system privileges. In this model, the Docker engine is a “framework”, and Dockerized applications can be redistributed as “apps” that simply call the Docker CLI to manage the container lifecycle. It is also possible to manage containers directly with the Docker CLI, though due to the current alpha status of Snappy, there are some open issues that make this a less than ideal path.
If you are looking for a new packaging system that behaves more like an app store with increased isolation by default, then Snappy Ubuntu Core may fit the bill. For more information, see http://developer.ubuntu.com/en/snappy/.
Project Atomic
In their own words,
“Project Atomic integrates the tools and patterns of container-based application and service deployment with trusted operating system platforms to deliver an end-to-end hosting architecture that’s modern, reliable, and secure.” – http://www.projectatomic.io/
Each of the Red Hat Enterprise Linux (RHEL) family members (Fedora, RHEL, and CentOS) has its own independent Atomic Host release, so if you are already familiar with the parent projects, you’ll know which one is right for you. The Atomic Host is a flavor of the parent OS that replaces the traditional package manager with rpm-ostree, which is used to manage the base OS rpm content in a git-like fashion. There is also an emerging recommended path for creating your own custom Atomic images/media with rpm-ostree-toolbox. This represents a more conservative, hybrid approach to package management that retains the benefits of traditional rpm underneath the rpm-ostree layer. On the security front, SELinux is enabled by default and you are encouraged to use it for increased isolation.
If you would like to simplify your deployments using a stripped down RHEL-family OS designed to run Dockerized applications, then Project Atomic is worth investigation. For more information, see http://www.projectatomic.io/.
CoreOS
In their own words,
“CoreOS is designed for security, consistency, and reliability. Instead of installing packages via yum or apt, CoreOS uses Linux containers to manage your services at a higher level of abstraction. A single service’s code and all dependencies are packaged within a container that can be run on one or many CoreOS machines.” – https://coreos.com/using-coreos/
CoreOS is a derivative of Chromium OS (and by extension Gentoo) designed to simplify deployment in clustered environments. It is available in three release channels: alpha, beta, and stable. A system subscribed to the alpha channel will receive frequent updates based on the latest development code, whereas the stable channel will only receive updates after they’ve been vetted in the alpha and beta channels.
CoreOS also comes with mature Cloud-Init support. Cloud-Init provides mechanisms for customizing an operating system image at boot time by passing in structured configuration data. The CoreOS implementation of Cloud-Init supports custom options that simplify the generation of systemd unit files. This complements bundled tools such as fleet, and is the recommended way to set up and configure services on the CoreOS host. While CoreOS does not support arbitrary software installation on the host directly, it does provide a helper script (toolbox) which can start a privileged Fedora container for debugging purposes.
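As an added example (not from the original post), here is a CoreOS cloud-config that pins the machine to the stable release channel and uses the CoreOS-specific coreos.units option to declare a systemd unit that runs a Dockerized service; the service name and image are constructed placeholders.

```yaml
#cloud-config
# The first line must be "#cloud-config" or CoreOS ignores the file.
coreos:
  update:
    # Subscribe this host to the vetted channel (alpha/beta/stable).
    group: stable
    # Apply updates automatically, rebooting when it is safe to do so.
    reboot-strategy: best-effort
  units:
    # "name" becomes the unit file under /etc/systemd/system/.
    - name: example-web.service   # constructed placeholder name
      command: start              # start the unit once it is written
      enable: true                # also enable it for subsequent boots
      content: |
        [Unit]
        Description=Example web service in a Docker container
        After=docker.service
        Requires=docker.service

        [Service]
        # Keep the service alive; systemd supervises the container.
        Restart=always
        # Clean up any stale container from a previous run (ignore errors).
        ExecStartPre=-/usr/bin/docker kill example-web
        ExecStartPre=-/usr/bin/docker rm example-web
        # Pull the image so the unit fails early if it is unavailable.
        ExecStartPre=/usr/bin/docker pull nginx   # constructed placeholder image
        # Run in the foreground so systemd tracks the container's lifetime.
        ExecStart=/usr/bin/docker run --name example-web -p 80:80 nginx
        ExecStop=/usr/bin/docker stop example-web

        [Install]
        WantedBy=multi-user.target
```

Pass the file as user-data (for example, via the cloud provider's user-data field or coreos-cloudinit) and the host writes, enables and starts the unit on first boot without any package installation on the host itself.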
If you value the convenience of Cloud-Init integration or prefer managing your system services with systemd, check out CoreOS. For more information, see https://coreos.com/.
If you are looking for the right foundation for your Docker-based infrastructure, there are a lot of great choices. Virtually all modern Linux distributions have officially supported Docker install paths and come with thousands of pre-packaged software components that can run alongside your containers with minimal friction. The new minimalist operating systems discussed above represent a major departure from the past and are also worth further investigation. The increased focus on stability and security in these systems is appealing, and the trade-off of losing traditional packaging systems will become less relevant as software is increasingly distributed via immutable Docker images.