CoreOS has taken another step toward distinguishing itself in the container ecosystem with the release of Clair 1.0, the production-quality version of its security scanner. But will this truly be enough for CoreOS to stand out from the likes of Docker?
As container companies go, CoreOS is a distant number two. Its name is well known and its software respected, but the company has followed an awkward trajectory — first trying to distribute Docker containers, then producing its own container offering, Rocket (or rkt). The company has arguably done a poor job of moving outside Docker’s shadow.
But the one area where CoreOS has been doing important things that Docker has not is security. In November, the company announced development of a container scanner called Clair, which is designed to detect security vulnerabilities in containers and help developers patch them automatically.
On Friday, CoreOS announced that Clair is now ready for production use. Since November, Clair has evolved to offer better performance through recursive database queries, which CoreOS says improves response time by as much as three magnitudes. Clair 1.0 also features a more extensible RESTful JSON API.
Clair has certainly come far in a short time. Back when CoreOS announced the tool in the fall, it was easy to assume that this would be a simple security scanner, which might make some admins feel better about security, but not actually do much to improve cloud performance. It is now clear that that is not the case. By all indications, Clair 1.0 is a sophisticated, robust security tool that is easy to extend and to integrate into different types of environments.
Plus, CoreOS is making good on the biggest selling-point of Clair, which is that the scanner is able not only to detect security issues but also patch them. That’s important, CoreOS says, because the whole point of using containers is to build a flexible, scalable infrastructure. If you have to update software manually whenever security vulnerabilities appear, you lose a lot of nimbleness. But if you can handle security in an automated fashion, you’re getting the most out of your cloud.
Indeed, in a way, Clair is like a cloud orchestration platform, except instead of managing the cloud workload, it handles the security front.
This all said, it remains to be seen whether Clair will prove a compelling enough offering to convince cloud admins to consider CoreOS’s container solution instead of Docker. The latter is much more established in the marketplace. It also has gobs more funding. Plus, you can use Clair to scan Docker containers just as well as you can CoreOS container images — so Clair is not going to force companies to use the entire CoreOS platform just to get a better security and upgrade experience.
But Docker compatibility may be the factor that makes people actually use Clair and, in turn, assures that CoreOS gets its slice of the container space. Docker itself has yet to offer security tools like Clair, or even send a strong message that it takes container security seriously. By filling this gap through Clair, CoreOS is positioning itself to stay relevant — although not to advance adoption of its entire container platform.