Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Oracle Releases Open Source Container Utilities, Including A New Container Runtime Written in Rust

Oracle Releases Open Source Container Utilities, Including A New Container Runtime Written in Rust

This item in japanese


Oracle has released three open source container utilities including Smith, an Open Container Initiative (OCI) image-compliant container builder that creates "microcontainers" with a single executable and its dependencies; Crashcart, a microcontainer debugging tool that allows operators to sideload an image with Linux binaries into an existing container; and Railcar, a Rust-based alternative container runtime that implements the OCI-runtime specification.

A post written by Vish Abrams on the Oracle Developer's Blog states that Oracle is using containers to run many components of their cloud services. Many lessons were learned during the development and operation of these containers within a production environment, and tools have been created accordingly, which are now being released as open source under dual-licensed Universal Permissive Licence 1.0 and Apache License 2.0, and the code is available via GitHub.

As a prelude to the release of the tools, Abrams has written an additional post on the Oracle Developer's Blog, titled "The Microcontainer Manifesto and the Right Tool for the Job", and discussed that the standard build process for containers is "ideal for developers, but the resulting container images make operator's jobs more difficult". When Oracle's investment in container technology began two years ago, they defined a key goal of improving the "stability and security" of running containers. Although this is the first official announcement of Oracle's container technology, the blog post does note that the properties of stability and security have dramatically improved in other container implementations since the work was begun.

Abrams discusses that problems resulting from a Docker container build arise from the practice of putting an entire Linux operating system (OS) into the container image. Specifically this leads to: large images, which resulted in large images that necessitated layers just to be manageable; privilege escalation - compromise of an application running within an entire Linux user space gives other potential avenues of attack; vulnerability management - the standard build process makes it difficult to determine if a container needs to be updated because it is unclear which dependency files in the container are actually being used. It is noted that many of these issues are already addressed in existing container systems, for example, the use of container-specific OSs and scratch containers; enabling User Namespaces and Linux kernel security modules like AppArmor; and security-scanning container images using static vulnerability scanners like CoreOS's Clair.

In order to address the issues the Oracle team saw when running containers in production, a new concept of a "microcontainer" was defined (not to be confused with existing usage of the term from and JBoss). Specifically, a microcontainer:

  • Contains only a single executable and its dependencies, with no shell and no init process
  • Runs with a read-only root filesystem with no layers and no Overlayfs (writes are isolated and handled via volume mounts)
    • All temporary files are placed into /run and all persistent writes (log files and data files) into /write
    • Config files that need to be modified per container are placed in /read where they can be modified via a volume mount or a Kubernetes configmap
  • Has no user and group filesystem ownership - everything is owned and readable by a single user
  • Has no filesystem timestamps or capabilities
  • Can be built reproducibly, and produces the same image each time
  • Is deployed to a node out of band, and has no specific concept of an image repository

To facilitate the building of microcontainers, Oracle has released Smith, a container build tool written in Golang. This tool can be used to build a microcontainer from yum repositories and (optionally) an RPM file. In addition, it can be used to "micro-ize" an existing Docker container, which allows developer friendly Docker tooling to be used to build a container during development, and Smith to be used to transform the container into a microcontainer for production deployment. Smith builds images in the standard OCI format, but it can also upload and download images from Docker repositories.

When microcontainers are minimized for production use it can be more challenging for operators to diagnose and remedy any issues that arise, mostly due to missing OS tooling. Most debugging can be done from the host, but sometimes access to the filesystem as the container sees it is required. Oracle have created Crashcart for this use case. Crashcart allows the side-loading of a set of Linux binaries into a running container, with the goals of inspection and debugging. Additional information on why the side-loading binaries is difficult, and how Crashcart accomplishes this, can be found in a the "Hardcore Container Debugging" blog post.

The third tool released by Oracle is Railcar, a Rust-based implementation of the OCI runtime specification. It is similar to the reference implementation runc, but it is implemented completely in Rust for "memory safety without needing the overhead of a garbage collector or multiple threads". Abrams notes that although very useful for building system utilities and CLIs "Go is a poor choice of language for a container runtime" due to, for example, problems interacting with namespaces (as noted in a recent Weaveworks blog post). Additional information on the development of railcar can be found in the Oracle Developer's Blog "Building a Container Runtime in Rust".

Additional information on the release of these tools can be found on the Oracle Developer Blog and within Oracle's GitHub account.

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p