Basically if installed on disk (you can also boot it over the network or from a USB stick etc.) it updates by having two system partitions - one "known good" because you've successfully booted from it, and one used to download new updates to, and then will (by default) automatically reboot and switch to update.
The system you end up in is basically systemd + Etcd + Fleet (with Kubernetes on the way) + Docker and rkt, with very little else included.
If you want to spin up a large cluster where everything will run in Docker or rkt containers, that's something CoreOS is well suited for.
(I've seen this meme before, with people - not you - dismissing CoreOS because it's "based on Gentoo," due to the presence of emerge in the build. Pass this clarifying point on to your friends.)
Nobody who built containers before Docker came along shipped an operating system in the image. Now we have gigabytes of Ubuntu alongside nginx thanks to Docker. Cool.
> Nobody who built containers before Docker came along shipped an operating system in the image. Now we have gigabytes of Ubuntu alongside nginx thanks to Docker. Cool.
First: I believe shipping the entire distro in each container was in fact the most common use of containers before Docker, since openvz/vserver/lxc were focused on "mini-servers" (to this day you can still rent openvz-based vps). So I think your statement is incorrect.
I also think your (eternal?) anger might be misplaced. Yes, today most people who use Docker build containers with unnecessary distro bits in them. But before Docker, 99% of them didn't build containers at all, and struggled with non-repeatable deployments and dependency hell. Even better, now all these people use a standardized Dockerfile which can be changed and improved over time - for example to move away from a heavyweight distro like fedora or ubuntu, to something like alpine or even more minimalistic.
Incidentay, we have hired Natanael Copa, the awesome creator of Alpine Linux and are in the process of switching the Docker official image library from ubuntu to Alpine. You can help us with pull requests to https://github.com/docker-library if you want :)
Even one such pull request could go a long way to promoting smaller containers, since those images have been downloaded over half a billion times.
>... to move away from a heavyweight distro like fedora or ubuntu, to something like alpine or even more minimalistic.
The distro package management is one of the biggest reasons why people still stick with heavyweight distros like Ubuntu.
This is why DockerSlim  was created (at one of the Docker hack days, by the way :-)) It lets you use heavyweight distros as-is eliminating everything you don't need. You get the best of both worlds where you don't have to change your process and you still get small images (7, 10, 20 and even 30 times smaller than the original).
 - http://dockersl.im
It is safe for use in production :)
And if you are using 3rd party Docker images Alpine won't help :)
Docker has regressed the container term completely and irreversibly. I'm glad you're switching to Alpine (and kudos on spinning a negative comment like a top), but you skipped over that I said static builds, as in: the container doesn't carry hundreds of files to support a full Linux distribution with the weight of legacy support atop it. A container should be one binary. Dependencies are one thing, and yes, they often have to ship in the image. I don't find /sbin/init or /etc/nsswitch.conf when I open up JARs built by the average CI, though, so what the hell are they doing in Docker containers? Now the term is so blown out that my comment alone is probably causing crossed eyes and tilted heads among readers, because nobody really knows what a container is any more.
You know this opinion exists, too, because certain folks have reminded you numerous times in the political theater that containerization has become behind the scenes. Also largely thanks to Docker. (Not solely. Largely.)
`FROM scratch` should have been the default. Come on. You know it just as much as I do, Solomon. Imagine if you had shipped a build chain to automate the same dependency work that Google did to build containers, instead of just dumping ubuntu-minimal into a container so dynamic linking and such works and finally trapping us in a hell where Alpine is seen as better.
Disclaimer: I work at Docker on unikernels. You might like this approach to containers.
But we call [0.0, 1.0] the same thing now, so the tooling has to support all cases, and now just pulling a Docker image down might cost me gigabytes of network transfer that I don't need to spend. Combined with the HTTP-strong architecture, Docker encourages fat containers but then falls apart on them at higher sizes because of the HTTP mechanics.
Example: I need to ship about 1 TB of static data alongside my app in a separate container. Try that in Docker. The answer will invariably be Docker not being designed for that, but I thought Docker encouraged the jail-style fat container case? What happens when the jail you're renting out because that's a container too actually uses a bunch of space and you try to `docker commit` into whatever you're managing your containers?
You shouldn't be using containers for that, but features of Docker encourage it, and thinking fat like that has numerous pitfalls. (My example is borne from reality: I watched Docker wash out from a team in two days once they tried to commit a 100+ GB container. I assume the docs guided them there.)
And many folks don't, because the amount of unreadability from having to concat 20 statements in a && fashion to cut down layer size gets out of hand. This leads to folks then having to use scripts to clean the layers, which leads to reuse in things like Packer, which leads to even more problems when the base image changes culturally.
I'd also argue the that it's a matter of familiarity. Every time we change the base image culturally, we have to retool for a different method of making the things in it (apt/dnf/yum -> apk), so while large distro images are bad, they're familiar and predictable (with a mature package set and releases) to what we're used to doing on servers.
Or folks use another tool to abstract that (like Ansible or Chef), which brings us right back to not using Dockerfile.
This couldnt be more false - other systems had containers capabilities for years now (FreeBSD Jails, Solaris Zones, IBM LPAR's, Linux OpenVZ and so on) and since forever it was done in a way of running another full OS inside a container. Stripping that down to single processes was possible and done by some people but rarely, because it was relatively hard (since it often required hand-crafting the 'packages', hunting down single libs and their requirements using ldd and the like).
I myself was running both full OS jail containers on FreeBSD and stripped down single process/service jails more than 10 years ago.
Docker is not for the jail case. If it were, it would look like OpenVZ and come with completely different architecture and management tooling. It's for deploying artifacts to prod, and my entire point is that starting from `FROM ubuntu` for even a Go binary has muddled this picture irreversibly. Now I have to have this argument, which makes no sense, because we now take it as fact that containers and jails are the same thing, and anyone who says otherwise deserves to have very basic things explained to them carefully and rather condescendingly.
This reply applies to everyone who is calling me wrong. I spent last summer employed by CoreOS, have worked on Google Borg, and spent the first half of my career on the production artifact toolchain. I'm not just farting into the breeze here with my two personal servers and opinions.
Containers power the Heroku platform and it supports millions of apps by containerizing OS images.
When both the bamboo stack and cedar stack were available, we would:
Run a base AMI and update it frequently for kernel, security and performance updates.
Download a bamboo (Debian) OS layer
Dowbload a cedar (Ubuntu 12.04) OS layer.
Layer app slugs on top of which ever stack the customer wanted.
This was amazing for long term support of apps and backwards compatibility.
There are infinitely more rails apps out there that deeply depend on the OS layer than there are static binary apps.
Docker deserves and gets all its credit for making this technique available and easy for everyone.
What Docker integrates is a layered filesystem, in which the application can mutate the filesystem, but only it will see those changes (and they'll go away when the container is destroyed).
Inside the Docker (or rkt) containers you can run whichever distribution or static binary you like.
The combination of CoreOS+Kubernetes+Docker+Alpine Linux (inside the containers) works pretty well in my experience.
PS: the above is a very summarized, focused answer to your question. CoreOS is also much more than what I have mentioned.
I personally found this blog post a bit of a a-ha moment in terms of understanding what docker is vs. CoreOS (and, at the time I was also researching what kubernetes is and how to run it)
The feeling I get from them is their trying to have their own branded container stack.
In Docker's early days they made a big deal about how a standard container spec could revolutionize software the way the shipping container spec revolutionized the transport of goods.
An independent spec never emerged though. The Docker monolith got bigger and bigger. They threw out standalone mode, so instead of being able to just be a container runtime, Docker basically owned the whole host, and your logging, networking, process monitoring, etc. all had to be done Docker's way.
CoreOS created the App Container spec (https://github.com/appc) to deliver on the promise that Docker started with. They eventually shamed Docker into becoming part of the Open Container Initiative (https://www.opencontainers.org/). Hopefully that means we'll get to a point where application images can truly be shipped anywhere and run anywhere, without having to give any one company control of your whole stack.
But, today there just isn't anything to implement in rkt. The primary focus of OCI has been a rootfs on-disk and a json file that contains details of cgroups, namespaces, etc. This is fine work to be doing but it doesn't tackle the more difficult and useful work of creating inter-op for developers up the stack who don't care about the internals of containers.
Here is a high-level post on the state of the world: https://coreos.com/blog/making-sense-of-standards/
Here is a video that I gave that summarizes some of my thoughts: http://containersummit.io/events/sf-2015/videos/container-ec...
A more detailed discussion on the OCI mailing list from earlier this year: https://groups.google.com/a/opencontainers.org/d/msg/dev/uo1...
tl;dr Container formats are important to get right. But, today the OCI effort is largely irrelevant for people packaging and shipping their code in a application containers.
Also when OCI finally makes it to a stable release we will likely add tooling to help import into rkt: https://github.com/coreos/rkt/pull/1509