by Paul Rubens

Why the Open Container Project is good news for CIOs

Jul 23, 2015

A Linux Foundation project to create a single standard for containers means CIOs can invest in container technology without fear of running into compatibility problems.

Application container giant Docker and upstart rival CoreOS have ceased hostilities following the announcement of the Open Container Project (OCP). The project will work to develop industry standards for a container format and runtime software.

As a starting point, the OCP standards will be based on Docker technology: Docker has donated about 5 percent of its codebase to the project to get it going.

The OCP will run under the auspices of the Linux Foundation, and its sponsors include AWS, Google, IBM, HP, Microsoft, VMware and Red Hat, as well as Docker and CoreOS. So this can be seen as an industry-wide initiative to ensure that containers meet the following criteria:

  • They are not bound to higher-level constructs such as a particular client or orchestration stack.
  • They are not tightly associated with any particular commercial vendor or project.
  • They are portable across a wide variety of operating systems, hardware, CPU architectures and public clouds.

Fragmentation sidestepped

The announcement is timely and good news for the increasing number of enterprises that want to make use of containers, because the technology had started to fragment as competing systems emerged.

With the threat of fragmentation neatly sidestepped, Docker and CoreOS (and other vendors) will be able to continue to compete by building platforms that manage and run containers. As long as their products are implementations of the OCP standard, enterprises will be able to use any vendor’s products without any compatibility worries.

Although Docker is the dominant player in the container space, CoreOS announced its App Container (appc) specification and rkt container runtime last year to rival Docker’s de facto standard. At the time CoreOS CEO Alex Polvi called Docker’s design “fundamentally flawed” and said its security model was “broken.”

Joining forces

But CoreOS is now enthusiastically embracing OCP as the way forward, even though the starting point is Docker technology. At the OCP announcement, Polvi said: “When we started the appc spec our goal was to have a well-designed software container specification that is modular, portable across platforms and is secure. Today we join forces with Docker and other industry giants in an effort to unify this goal.”

Kelsey Hightower, CoreOS’s product manager and chief advocate, points out that when there were competing systems some companies were reluctant to get involved with containers. “Now that things have settled down it makes it easier for people who had been sitting on the fence,” he says.

Hightower adds that companies that want to provide software that augments the container ecosystem will also find it much easier to do so now that a standard has been established – especially if they want their products to work with Docker.

“You’ll be able to talk about being OCP compatible rather than Docker compliant. That’s important because Docker has trademarks and there may be restrictions on using the name Docker. What if Docker said you couldn’t use their logo? Now you can target OCP and be Docker compatible.”

Security worries

One of CoreOS’s key objections to Docker was what it perceived as a lack of security – particularly when it came to signing container images so you could be sure who had built them. It was a feature that CoreOS offered but Docker didn’t.

“I think users want signing, the way Apple signs apps in the AppStore,” Hightower said earlier this year. “People have been asking for signing with Docker images and it has never happened. For us that is a security problem.”

But he says that the signing issue has been settled, with Docker announcing Docker Notary at DockerCon in June. The Notary technology will be used to perform container validation and ensure that when a container is pulled from a hub it is still from a trusted source. “The community has been waiting for something like Notary after we (CoreOS) pushed the envelope and showed it could be done,” says Hightower.

Multi-platform model

For its part, Docker is being magnanimous and is making a point of emphasizing the value of having CoreOS as a partner in the OCP project. “Clearly we played a critical role, but to make OCP happen it had to be done with the support from other great companies in the industry,” says David Messina, Docker’s vice president of marketing.

“The value of the OCP is that now there will be one container model for Linux, Windows, Solaris, IBM mainframes and so on,” he adds. “We wanted something that was universal and backwards compatible with what already existed.”

As chief advocate at CoreOS, Hightower always talked a great story about the benefits of rkt and appc, and as part of OCP he is just as vocal about the benefits that containers will bring in the future.

Specifically, he is convinced that – with cross-platform support – OCP will become more than just a container standard: it will help make containers the standard way that organizations deal with enterprise applications.

“At the moment there are too many options and choices to make before you can use software – you have to ask if it is compatible, do you have the right third party software and so on,” he says.

“If you look at a smartphone, you just go to an app store and click an app and it installs. Mobile applications are containers and I think it also makes sense to package server software this way. There’s no friction, no installation wizards, it’s just a breeze.”