It's not mentioned on this page, but these runc containers will also run on Windows[1], which is pretty amazing.
Not having to run the Docker daemon will also be pretty nice. Currently when I upgrade Docker, all containers have to be restarted on the host due to the daemon dependency. So to maintain uptime with Docker containers currently you better be running your stuff clustered (e.g. via Mesos/Marathon).
Standalone containers was something I felt rkt (alternate container format from CoreOS people) got right, so nice to see it carrying over here through the collaboration.
This is by far the most important announcement of the Keynote, it really shows that Alex (CoreOS) and Solomon (Docker) managed to come together and create this as part of a new open standard.
If there is ever gonna be a page in some book that covers server software development, I believe it will tell about this standard.
What we're seeing emerge here is a new universal binary format.
I've thought of Docker containers for a long time as gigantic statically linked binaries. This isn't necessarily a bad thing (though it does present issues). In some ways the process of installing the different moving pieces of a service and configuring them is a bit like manually "linking" something -- sub-services like MySQL, Redis, etc. are analogous to libraries.
Now what we're seeing is a runtime for this binary being ported around to different platforms. This could get interesting.
> Now what we're seeing is a runtime for this binary being ported around to different platforms. This could get interesting.
With x86 being the primary server/workstation workhorse (lets exclude mobile platforms for the moment), is all of this abstraction necessary? Doing Infrastructure and DevOps, I definitely see the benefit of containerization for build reproducibility and decreasing the friction developers face for running applications locally as they run in production.
Not everyone needs Borg/Mesos/Mesosphere. Not everyone needs containerization. When you have a hammer though, everything starts looking like a nail.
Containers won't run across different OSes (Linux/Windows) without VM virtualization. The spec doesn't actually cover the executable binary format. In the end, a container process is just a native process of the host operating system that is isolated from other processes. There is no OS virtualization taking place.
Sometimes, posts like this appear on hacker news that are completely impenetrable. I read the page for RunC and the only thing I could find out about it from that page is that it is a "Container", and these are its specs. A "Container" is something that is used by "Docker". "Docker" is a program that "allows you to compose your application from microservices". A "microservice" is "a software architecture style, in which complex applications are composed of small, independent processes" (we're down to wikipedia at this point). So a "microservice" is an abstraction of unix design, and finally we're on solid ground. If you were interested you might be able to work backwards through this list of projects, researching what each one does, and then you could find out what RunC actually is.
The unstated assumption of this announcement is that if you haven't heard of Docker, you may have been living under a rock. It arguably has more hype after two years than Java did in 1996-97.
The other part of the problem is that this is a rapidly evolving space with a ton of money and attention being pored into engineering and competitive battles playing out, and not so much in the marketing and clear explanations. runC is in part a symbolic "bury the hatchet" moment for a public feud over standards with CoreOS and others that began in December 2014. If you haven't been following the inside baseball, it it's all kind of confusing.
You might be overstating the "safer language" aspect. As another commenter suggests, they are using Go as little more than glue to the C or C++ kernel and libraries that run the important bits. And these searches should instill a bit of fear in your heart when running Docker:
Docker has such prodigious and repeated use of "unsafe" that it makes one wonder what, if anything, using Go has bought them in terms of safety or reliability? It seems like virtually every interface used in the Docker source code relies on unsafe casts to pointers, and I hesitate to say I am not sure how well the Go garbage collector meshes with casting pointers and providing them to the kernel and other libraries.
Something like Rust's native ability to ensure a pointer provided to external code lives long enough would be very useful.
In this project -- as in Docker and rkt -- Go serves as little more than a glue language, replacing the role of Python (in fact, it could have possibly been written in bash) -- not C. The core functionality is part of the kernel and is written in C (or C++ in the case of Windows, I believe).
Terrible. This website also promotes proprietary software right on the home page. The Linux Foundation really doesn't seem to care about the "free" part of FOSS anymore.
Speaking of containers I've always wondered if running a GUI app (something like a kiosk) would work in these sorts of containers? I know you can do it hackily in docker by playing with X and xfvb. But does any of them natively (easily) support it?
Not yet; though doing it in HTML5 would be relatively trivial (start container on a port, then point a browser to it). Most kiosks these days are just browsers anyway.
I would expect native graphics (including 3d graphics) are a feature we'll see down the road.
> CoreOS remains committed to the rkt project and will continue to invest in its development. Today rkt is a leading implementation of appc, and we plan on it becoming a leading implementation of OCP. Open standards only work if there are multiple implementations of the specification, and we will develop rkt into a leading container runtime around the new shared container format. Our goals for rkt are unchanged: a focus on security and composability for the most demanding production environments.
"To be clear though, the point of the OCP is not to standardize Docker, but rather to standardize the baseline for containers. Polvi explained that with an open standard, there can be multiple implementations of the standard. So for CoreOS, it means the company will continue to work on its Rocket container technology, while Docker will continue to work on the Docker container technology."
It's a little difficult to keep track of all the activity happening in the container area. The runC repo's history begins in June 2014? I believe rkt was announced in Dec 2014, right?
Runc is the neutral implementation of the new open container standard that was created with the Appc guys at the table. Although not stated explicitely, the open standard will most probably supersede the appc spec
The sample manifest at https://github.com/opencontainers/runc makes it look like you just specify a big list of mounts, rather than it supporting the higher level concept of overlayed layers that both Docker and appc support.
Are layers not part of the opencontainers spec, or is the sample just missing that bit?
That's correct, layers are not part of the spec. It's the caller's responsibility to setup the container bundle (manifest + one or more rootfs directories) so that runC can load it. How that is done is not the concern of runC.
This is by design: it turns out layers, as implemented by Docker, are not the only way to download or assemble a container. The appc specification uses a different, incompatible layer system. Many people like to "docker import" tarballs which bypasses layers entirely. The next version of Docker is gravitating towards pure content-addressable storage and transfer (a-la git), possibly eschewing layers entirely.
runC is not concerned by how you got a particular runnable object. It's only concerned with its final, runnable form. The result is a nicely layered design where different tools can worry about different levels of abstraction.
No expert here, but I would guess the important bit is the "root": value, which in the example points to rootfs. rootfs, I suppose, would be the directory on the host system containing the entire root filesystem that is to be mounted at /. This could be created using overlayfs, or a COW filesystem like btrfs, which would be how you'd achieve layers.
In this way, the notion of layers is external to the container spec.
[+] [-] waffle_ss|10 years ago|reply
Not having to run the Docker daemon will also be pretty nice. Currently when I upgrade Docker, all containers have to be restarted on the host due to the daemon dependency. So to maintain uptime with Docker containers currently you better be running your stuff clustered (e.g. via Mesos/Marathon).
Standalone containers was something I felt rkt (alternate container format from CoreOS people) got right, so nice to see it carrying over here through the collaboration.
[1]: https://twitter.com/docker/status/613039532422864896
[+] [-] mmastrac|10 years ago|reply
[+] [-] advanderveer|10 years ago|reply
If there is ever gonna be a page in some book that covers server software development, I believe it will tell about this standard.
[+] [-] api|10 years ago|reply
I've thought of Docker containers for a long time as gigantic statically linked binaries. This isn't necessarily a bad thing (though it does present issues). In some ways the process of installing the different moving pieces of a service and configuring them is a bit like manually "linking" something -- sub-services like MySQL, Redis, etc. are analogous to libraries.
Now what we're seeing is a runtime for this binary being ported around to different platforms. This could get interesting.
[+] [-] toomuchtodo|10 years ago|reply
With x86 being the primary server/workstation workhorse (lets exclude mobile platforms for the moment), is all of this abstraction necessary? Doing Infrastructure and DevOps, I definitely see the benefit of containerization for build reproducibility and decreasing the friction developers face for running applications locally as they run in production.
Not everyone needs Borg/Mesos/Mesosphere. Not everyone needs containerization. When you have a hammer though, everything starts looking like a nail.
[+] [-] vezzy-fnord|10 years ago|reply
Insofar as libcontainer can ram as many ways to implement OS-level virtualization across platforms, that is.
[+] [-] pron|10 years ago|reply
[+] [-] kraig|10 years ago|reply
[+] [-] JackdawX|10 years ago|reply
[+] [-] parasubvert|10 years ago|reply
The other part of the problem is that this is a rapidly evolving space with a ton of money and attention being pored into engineering and competitive battles playing out, and not so much in the marketing and clear explanations. runC is in part a symbolic "bury the hatchet" moment for a public feud over standards with CoreOS and others that began in December 2014. If you haven't been following the inside baseball, it it's all kind of confusing.
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] Animats|10 years ago|reply
Another key bit of infrastructure moves to a safer language.
"This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning."
[+] [-] AaronFriel|10 years ago|reply
https://github.com/docker/docker/search?utf8=%E2%9C%93&q=uns...
https://github.com/docker/docker/search?type=Code&utf8=%E2%9...
Docker has such prodigious and repeated use of "unsafe" that it makes one wonder what, if anything, using Go has bought them in terms of safety or reliability? It seems like virtually every interface used in the Docker source code relies on unsafe casts to pointers, and I hesitate to say I am not sure how well the Go garbage collector meshes with casting pointers and providing them to the kernel and other libraries.
Something like Rust's native ability to ensure a pointer provided to external code lives long enough would be very useful.
[+] [-] pron|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] zeckalpha|10 years ago|reply
[+] [-] praveenster|10 years ago|reply
Interesting times …
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] GrandTheftR|10 years ago|reply
[+] [-] davexunit|10 years ago|reply
[+] [-] dubcanada|10 years ago|reply
[+] [-] tlrobinson|10 years ago|reply
[+] [-] wmf|10 years ago|reply
[+] [-] exelius|10 years ago|reply
I would expect native graphics (including 3d graphics) are a feature we'll see down the road.
[+] [-] craneca0|10 years ago|reply
[+] [-] riquito|10 years ago|reply
https://coreos.com/blog/app-container-and-the-open-container...
> CoreOS remains committed to the rkt project and will continue to invest in its development. Today rkt is a leading implementation of appc, and we plan on it becoming a leading implementation of OCP. Open standards only work if there are multiple implementations of the specification, and we will develop rkt into a leading container runtime around the new shared container format. Our goals for rkt are unchanged: a focus on security and composability for the most demanding production environments.
[+] [-] craneca0|10 years ago|reply
http://www.eweek.com/enterprise-apps/docker-rivals-join-toge...
[+] [-] gtirloni|10 years ago|reply
[+] [-] Alupis|10 years ago|reply
Yes but even ACI and Rkt were being worked on months before the announcement.
[+] [-] evidencepi|10 years ago|reply
[+] [-] wereHamster|10 years ago|reply
[+] [-] advanderveer|10 years ago|reply
[+] [-] bjt|10 years ago|reply
Are layers not part of the opencontainers spec, or is the sample just missing that bit?
[+] [-] shykes|10 years ago|reply
This is by design: it turns out layers, as implemented by Docker, are not the only way to download or assemble a container. The appc specification uses a different, incompatible layer system. Many people like to "docker import" tarballs which bypasses layers entirely. The next version of Docker is gravitating towards pure content-addressable storage and transfer (a-la git), possibly eschewing layers entirely.
runC is not concerned by how you got a particular runnable object. It's only concerned with its final, runnable form. The result is a nicely layered design where different tools can worry about different levels of abstraction.
[+] [-] MyDogHasFleas|10 years ago|reply
In this way, the notion of layers is external to the container spec.
Again I'm no expert, so corrections welcome.
[+] [-] atonse|10 years ago|reply
[+] [-] haosdent|10 years ago|reply
[+] [-] andrewguenther|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] unknown|10 years ago|reply
[deleted]