That CoreOS CEO Alex Polvi’s blog post Monday about a new application container standard the company had in the works caused a stir would be an understatement.
Co-founder of one of the current San Francisco IT startup darlings said Docker, the app container technology it had so devotedly supported all along, was fundamentally flawed. Docker is also a San Francisco IT startup darling that has enjoyed a lot of support throughout the industry.
In an interview, Polvi played down the assault-on-Docker aspect of his post, saying his team was simply addressing a technological problem. But that’s not how Docker devotees (and there are now a lot of them) took it.
“I’m not saying [CoreOS] is wrong, but that blog post is aggressively worded and seems to be intended to create uncertainty about Docker,” Mark Imbriaco, vice president of technical operations at DigitalOcean, wrote in a Tweet.
“Worse: it’s a copy-paste of our own explicit design roadmap,” Solomon Hykes, Docker founder and CTO, Tweeted back. Hykes was commenting on the design principles behind App Container and Rocket – the container standard and container runtime CoreOS is proposing.
In an interview, Joyent CTO Bryan Cantrill was direct, calling Polvi’s post “chancy,” “foolish,” “needlessly caustic,” and not “technically accurate.” Joyent is a San Francisco-based cloud service provider that has been integrating Docker into its own portfolio of services.
How “Broken” is Docker’s Security?
Docker, according to Polvi, has a “broken security model” because the entire platform is a daemon that runs as root. “Everything is in that one Docker daemon,” he said.
His other problem with Docker is the company’s platform approach, its aim to build all kinds of tools into its Docker runtime – things like tools for launching cloud servers and clustering systems – instead of focusing on a simple and composable Docker container.
Docker’s management has consistently been upfront about its plans to build tools for the entire application lifecycle in the past, but Polvi said his team was not aware of those plans until recently.
Cantrill dismissed the daemon issue as a fairly trivial problem to solve. The bigger security issue was not a Docker issue but a Linux issue, he said. That issue is that Linux containers (different from Docker containers) were not designed for multi-tenancy, which makes them unsecure, he explained.
“The OS-level problem, the kernel-level problem, is much more acute (than the daemon problem),” Cantrill said. Writing daemons that execute securely “is a solvable problem.”
It’s worth noting that Cantrill and Joyent have a horse in the race. The company’s cloud runs on its own operating system, and it has used a Docker API to build a tool that enables users to run Docker containers on its own OS rather than on a Linux substrate, which Cantrill says is unsecure in a multi-tenant situation.
Pivotal, Mesosphere Voice Support for Docker Alternative
CoreOS isn’t alone. Pivotal, the EMC-controlled software startup led by former VMware CEO Paul Maritz, has expressed support of App Container and Rocket. Pivotal engineers reviewed the App Container spec before CoreOS published it and responded positively, Polvi said.
Mesosphere, another well-known startup whose software pools disparate compute resources and presents them to applications as uniform clusters, has also expressed support for the App Container initiative. Mesosphere has been a big Docker supporter.
DigitalOcean’s Imbriaco didn’t necessarily argue the points Polvi made, taking more of an issue with the tone of Polvi’s post.
We reached out to Docker for comment, but the company’s representatives could not respond in time for publication. Docker CEO Ben Golub posted his initial comments on Polvi’s post Monday.
Steep Climb Ahead of CoreOS
The attempt by CoreOS to introduce an alternative standard to Docker is doubtless a long shot, considering how widespread support for Docker already is, and how quickly the company and the open source technology gained that support (it has been around for less than two years). People like Cantrill don’t think Rocket or App Container stand a chance.
Yet, CoreOS has also enjoyed a lot of support, often from the same people that support Docker. In fact, a lot of its success can be attributed to the success of Docker, and it has billed its Linux-based operating system as the best OS to run Docker on. But support for Polvi and his team’s proposition by top engineers at companies like Mesosphere and Pivotal is not something to ignore.