CoreOS’s real motivation is not to upend Docker, but to firm up the security of containers and their infrastructures, CEO Alex Polvi says. Its main product is Tectonic, a spin on the open source Kubernetes platform for deploying and managing containers.
“It boils down to the architecture of Docker itself,” Polvi says. Docker, for instance, doesn’t offer different levels of privilege, meaning anybody downloading a container image becomes the most privileged user possible. Polvi described this as an effect of the centralized daemon that Docker runs — everything is built into one engine.
Validation is another concern. Anyone who can talk to a Docker container can tell it to download and execute code.
“These things make it easy to use, but if someone is transitioning to a production environment, you can’t cut those corners any more,” Polvi says.
So in December 2014, CoreOS introduced rkt, which at the time was spelled Rocket. Some users share CoreOS’s concerns, which is partly how rkt got its momentum.
It’s symptomatic of the maturing process that Docker is going through. Still just three years old, the Docker Inc. version of Linux containers became popular for use in development and test environments because it eased the process of moving an application from one environment to another.
As Docker has rocketed — so to speak — into popularity, there’s been a natural pull to use it in production environments. But production is a more serious world than test, with fussier requirements and bigger concerns in areas such as security. Getting containers, Docker in particular, to work in production is becoming something of a cottage industry. It’s why Oracle recently acquired StackEngine, for instance.
CoreOS might claim it doesn’t want to rival Docker Inc., but in creating rkt, CoreOS also created a new container format, the Application Container Image. The Open Container Initiative, launched last summer, could eventually reconcile the two. Docker Inc. has characterized OCI as more a way of creating open source governance for the Docker format, now that the format has become a de facto standard.