Citing concerns around Docker's security model and its increasingly complex supporting platform, CoreOS is developing Rocket, an alternative to the open-source container technology.
"A little bit of competition is good for the user at the end of the day. It makes sure everyone is aligned on building really good products," said Alex Polvi, CoreOS CEO.
The Rocket container runtime, released Monday, addresses a number of concerns that the Linux distributor had around Docker.
CoreOS, which produces a popular Linux distribution configured for use in the cloud, has been an early and strong supporter of Docker. The company started working on its own alternative because of the increasing number of issues its customers were experiencing with the virtualization technology, Polvi said.
"We've tried for along time to get the [Docker] model fixed, and had meetings with the core Docker team," Polvi said. "At a certain point, we have users going into production with this stuff, so we have to fix it. We're fixing it."
One of the chief issues that CoreOS has had with Docker is that the scope of the technology seems to be sprawling. Originally, the idea behind Docker was to offer a simple virtualization container. Basically, a container is a module that can run on top of the operating system to provide a standardized environment for running an application, so it can be easily moved from one server to another.
The Docker project, which is overseen by the company of the same name that was founded in 2013, "has been evolving into something that is a lot more than just a simple container runtime," Polvi said. The Docker group is expanding the scope of software to include supporting technology, such as the ability to create, store, upload, run and orchestrate Docker images. At this point, Docker is more of a platform than a container, Polvi charged.
This growing complexity can be problematic for a number of reasons, he explained. It runs counter to the architectural philosophy behind Unix/Linux, which emphasizes simple building-block-like elements that can be easily strung together with the command line, and with scripts, to create full-fledged applications and workflows. The Docker application assumes that users will be using all of its components, rather than any existing ones they may already be running.
"Most of the people using CoreOS have existing environments of some sort that they are trying to integrate containers with. They are not ready to lob on a whole new platform," Polvi said.
The monolithic design can also be problematic from a security perspective, Polvi explained. The entire stack of Docker technology runs as a single process on Linux servers, one that requires root access to the machine. A general security truism has been that systems should run as few processes as possible under root, because root access offers total control over a machine. Any software that runs as root, if it has a security vulnerability, could be used to take control of the machine. Docker's increasingly large array of functionality, all of which must run as root, enlarges the terrain for possible system attacks, Polvi said.
Sign up for CIO Asia eNewsletters.