
The Security-Minded Container Engine by CoreOS: rkt Hits 1.0 - polvi
https://coreos.com/blog/rkt-hits-1.0.html
======
mkobit
> "Despite the importance of a shared standard, after six months of effort the
> Open Container Initiative (OCI) body has yet to decide whether it should or
> should not develop and standardize an image format. Today, the primary focus
> of the OCI community is creating standards for the container runtime
> environment, rather than the container image. Specs for container runtime
> features are also a worthy discussion, but we think there is a more urgent
> need – and a more open, industry-wide upside – for a standard container
> image specification."

I haven't been following the OCI at all, but could somebody shed some light as
to why the runtime is the most important part to standardize? Also, any
insight as to whether or not the container image format should be
standardized?

~~~
wmf
I want to assume good faith, but OCI is starting to look like
standard-washing. What good is runC if you have to use docker pull to download
images first?

~~~
justincormack
runc doesn't use docker format containers, you just provide a filesystem. You
can store your containers for runc by curling a tarfile if you like.

~~~
wmf
That isn't adequate. The reason LXC languished and Docker took off is because
of immutable images, layers, Dockerfiles, and push/pull. If OCI has none of
those then it is pointless.

------
23david
Systemd-approved, nonetheless?

“I believe in the rkt model,” said Lennart Poettering, systemd lead developer.
“Integrating container and service management, so that there’s a 1:1 mapping
between containers and host services is an excellent idea. Resource
management, introspection, life-cycle management of containers and services –
all that tightly integrated with the OS; that’s how a container manager should
be designed.”

------
u320
I think we're seeing a shift in focus in the container world from container
runtimes such as Docker, to container orchestration systems such as
Kubernetes. At some point the container runtime becomes just an implementation
detail.

Unless Docker finds a way of moving up the stack they are going to have a hard
time defending their current valuation. Their current efforts provide close
to zero monetizable value.

~~~
wmf
If only Docker was working on orchestration... oh hey Swarm/Compose, I didn't
see you over there.

~~~
jjm
I'm pretty sure that comparing Swarm/Compose's feature set to Kubernetes would
yield a large gap.

------
Perceptes
Congratulations to CoreOS and the rkt team. I've been waiting for this to
really dig into rkt, as I am a big fan of how CoreOS has been approaching this
project, and eager for a container system that is _not_ Docker.

------
mixmastamyk
Security is good, but it isn't a big problem for my current local container
apps. However, I've found Docker clumsy in various areas. Does this improve on
the design any?

Also, is there a PPA planned for Ubuntu, or plans to get it into Debian soon,
now that it has reached 1.0?

~~~
xaduha
I can only speak for myself, but for me it does, by forcing you to do stuff
differently.

Eventually you realise that Dockerfiles are fine and dandy, but this mechanism
isn't really needed and it can be an obstacle. You realise that a good package
manager is your real friend. So now I use wonderful xbps-install from Void
Linux to create a complete rootfs + actool to make an ACI file and that's it.
A basic webserver can work as a repo for your xbps packages and your ACI
images. No need to use Docker Hub or Quay, etc.
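The workflow described in the comment above (a rootfs built with a package manager, turned into an ACI with actool and served from a plain web server) as an added shell example; it is not code from the comment or from the rkt project. The image name example.com/hello, the tiny constructed rootfs and the acVersion value are assumptions, and actool and gpg are only invoked when they are installed.

```shell
#!/bin/sh
# Assemble an appc image layout (manifest + rootfs/) the way actool expects,
# sanity-check it, then build and detach-sign the ACI so rkt can verify the
# signature when it fetches the image from a plain HTTP server.
set -eu

make_layout() {
  layout="$1"
  mkdir -p "$layout/rootfs/bin"
  # Constructed payload standing in for a rootfs populated by a package manager.
  printf '#!/bin/sh\necho hello\n' > "$layout/rootfs/bin/hello"
  chmod 0755 "$layout/rootfs/bin/hello"
  # Hypothetical image name; acVersion is the appc spec version we assume.
  cat > "$layout/manifest" <<'EOF'
{
  "acKind": "ImageManifest",
  "acVersion": "0.8.10",
  "name": "example.com/hello",
  "labels": [
    {"name": "version", "value": "1.0.0"},
    {"name": "arch", "value": "amd64"},
    {"name": "os", "value": "linux"}
  ],
  "app": {
    "exec": ["/bin/hello"],
    "user": "65534",
    "group": "65534"
  }
}
EOF
}

# Minimal structural checks on the layout before handing it to actool:
# manifest and rootfs present, expected kind and name, and the app does not
# run as root inside the container.
check_layout() {
  layout="$1"
  [ -f "$layout/manifest" ] || return 1
  [ -d "$layout/rootfs" ] || return 1
  [ -x "$layout/rootfs/bin/hello" ] || return 1
  grep -q '"acKind": "ImageManifest"' "$layout/manifest" || return 1
  grep -q '"name": "example.com/hello"' "$layout/manifest" || return 1
  ! grep -q '"user": "0"' "$layout/manifest"
}

# Build the ACI and produce the detached signature rkt looks for next to it.
build_and_sign() {
  layout="$1"; aci="$2"
  if command -v actool >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    actool validate "$layout"
    actool build --overwrite "$layout" "$aci"
    # rkt fetches <image>.aci.asc alongside the image and checks it against
    # keys added with `rkt trust`; serving both files over HTTP is enough.
    gpg --armor --detach-sign --output "$aci.asc" "$aci"
  else
    echo "actool/gpg not installed; layout left in $layout" >&2
  fi
}

# Usage: build a layout in a scratch directory and check it.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_layout "$work/hello-layout"
  check_layout "$work/hello-layout" && echo "layout ok"
  build_and_sign "$work/hello-layout" "$work/hello.aci"
fi
```

Running the app as an unprivileged user in the manifest and publishing the .asc signature beside the image are the two points that matter when the "repo" is just a static web server: rkt refuses unsigned images unless signature checking is explicitly disabled.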

------
jamra
If I'm developing on OS X, would it still be possible to use rkt?

How are the tools for managing your rkt deployments? Since Hashicorp supports
it, I'm starting to think that I would be better off using their tooling to
abstract myself from the specific container implementation.

~~~
u320
You can use kubernetes to deploy rkt containers.

~~~
compsciphd
More like "you will be able to"; it's not released yet, but there's lots of
active work.

~~~
mjibson
rkt support in k8s has been in for a while. See:
[http://kubernetes.io/v1.1/docs/admin/kubelet.html](http://kubernetes.io/v1.1/docs/admin/kubelet.html)
(search for "rkt") and
[https://github.com/kubernetes/kubernetes/tree/master/docs/ge...](https://github.com/kubernetes/kubernetes/tree/master/docs/getting-started-guides/rkt).

~~~
compsciphd
Yes, support exists today, it's just not complete, i.e. it's close to but not
at complete feature parity with docker as the runtime. When it does get there
we will all be happy.

So I should have been more clear: you can specify rkt today, but many things
won't work. A lot of things have improved for the upcoming 1.2 k8s release but
it's still not perfect. Hence what I meant by "released": something that can
be viewed as a complete replacement for the docker runtime.

~~~
ownagefool
Care to elaborate what's missing?

~~~
tssuser
A lot of the remaining work is being tracked at
[https://github.com/kubernetes/kubernetes/issues/8262](https://github.com/kubernetes/kubernetes/issues/8262)
and
[https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+...](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Adependency%2Frkt)

------
kentt
OT: Is rkt pronounced 'are kay tee'?

~~~
squiguy7
It says 'rock it' in the README [1].

[1]: [https://github.com/coreos/rkt](https://github.com/coreos/rkt)

------
DoubleMalt
Any plans on supporting rkt for ARM? That would be a killer feature for me :)

~~~
jzelinskie
> Huawei has contributed to rkt in multiple ways, both with a container
> registry and by providing ARM support.

It looks like it already supports a bunch of different ARM targets[0].

[0]: [https://github.com/appc/spec/blob/3972f6a1b657f38e30100d2a7e...](https://github.com/appc/spec/blob/3972f6a1b657f38e30100d2a7ef377cc8690c8db/schema/types/labels.go#L23-L27)

------
inquisitiveio
Good to see they are confident enough to cut a 1.0 release. We have been
happily mixing the cgroup and kvm/Clear Containers runtimes for a couple of
months now.

------
jvoorhis
TPM support caught my eye. Brushing off the controversy surrounding EFI secure
boot, the TPM is the under-appreciated "Secure Element" in business laptops
and high end servers.

------
tychuz
Open source project hitting 1.0 - truly breaking news, especially when looking
at all these JavaScript libraries.

