
LIA Project Proposal: Docker vs. CoreOS rkt

Joseph Hill & Dana Geist

February 22, 2016

1 Introduction

The modern software development life cycle has become more complicated. In addition, the variety of software stacks and hardware infrastructures that applications run on has drastically increased.

Virtual machines tried to address the hardware resource issue by abstracting the hardware from the operating system, and providing the ability to allocate computing resources as needed. The big benefit was server consolidation and better utilization of hardware resources. However, virtual machines did not solve issues related to the shipment of code.

In containerization, also referred to as OS-level virtualization, the host and the guests share the same kernel. This approach reduces resource wastage since each container only holds the application and its related libraries and binaries. The role of the hypervisor is handled by a containerization engine, which is installed on top of the host operating system.

The main advantage of containers is that they reduce the operating system overhead, which makes them considerably smaller, easier to download and, more importantly, faster to provision. This advantage also allows a server to potentially host far more containers than virtual machines. Scalability, portability and ease of deployment are some derived advantages [SAN16].

As containers are being used more and more in the industry, it becomes important to study and understand container engines. In this context, we find it relevant to compare Docker (as one of the leading container engines in the market [Vau16]) to its direct competitor CoreOS rkt. CoreOS rkt claims to be "the" container engine designed for security, efficiency and composability [Pol16].

The objective of this research is to evaluate whether CoreOS rkt can be considered a better alternative to Docker for deployments in large-scale systems.

2 Research Questions

Our main research question is: Could CoreOS rkt be considered a better alternative to Docker for deployments in large-scale systems?

In order to guide our study we decided to divide this research question into several sub-questions:

• What security and composability features are offered by CoreOS rkt? How do these compare to the features provided by Docker?

• Does CoreOS rkt comply with its advertised compatibility capabilities with Docker?

• Are there any relevant performance differences between the platforms?


3 Related work

In his study, Tuomas Vase [Vas15] compares Docker with different container engines, including CoreOS rkt. He mentions in his research that by December 2015, CoreOS rkt was not a stable solution, as it was still in alpha phase. However, CoreOS has recently released a production-ready stable version of rkt [Ker16], which is yet to be studied.

In addition, CoreOS provides a brief (but not comprehensive) comparison between Docker and rkt, which basically shows differences regarding the process model and the privilege separation between the two container engines [OS16].

The main purpose of this project is to fill this knowledge gap by comparing in depth the latest versions of the container engines, available at the moment of the study.

4 Scope

In order to perform this research within the imposed time constraints, certain limitations to the scope of the research must be made. The examination of security features will be limited to those that one container engine claims to provide while the other does not. This research will consider whether security features are truly exclusive to one container engine or whether they are simply named differently or implemented in another way by the competing one. Testing the implementation of those security features that both have in common will be considered outside the scope of this research.

When examining CoreOS rkt's compatibility with Docker containers, the research will focus on the differences in features that could affect this compatibility. We will also study whether there are restrictions on the additional features that CoreOS rkt provides when using Docker containers. Compatibility testing will be limited to whether CoreOS rkt can run a Docker container in a practical way.

The purpose of this research is not to measure the relative performance of each container engine. However, if performance is impacted to such a degree as to make a certain scenario impractical in production use, it will be taken into consideration and measured.

5 Methodology

Our methodology consists of two parts. First, we will study both container engines and perform a theoretical comparison of their features. The result of this phase will be used to identify the most relevant aspects for the second phase of the research, which is the comparison through implementation. To accomplish this second phase, we will create a test environment and deploy several container instances of both container engines. The idea is to create different use cases that can guide the testing of the most relevant security, composability and compatibility features. Based on the empirical results, we will draw conclusions.

6 Requirements

For this project we have the following requirements:

Software: We are going to work with the latest version of Docker engine (1.10 [Eng16]) and the latest version of CoreOS rkt (1.0 [Cor16]). In addition, we might use virtualization tools such as VirtualBox [Ora16]. As they are all open source software, we do not foresee any license issues.

Hardware: In order to deploy the container engines we are going to use our assigned SNE desktops and servers.

7 Planning

Week  Work
1     Study general characteristics of the container engines.
2     Set up testing environment.
3     Study security and composability features of both platforms and compare them.
4     Study CoreOS compatibility with Docker.
5     Prepare presentation and report.

8 Ethical Considerations

The purpose of this project is to evaluate and compare Docker and CoreOS rkt. We will set up our own testing environment with new accounts and data. As this is not offensive research, we do not expect any ethical issues to arise. However, if we come across any weaknesses or vulnerabilities in any of the container engines analyzed, we will inform the Ethical Committee of OS3. In addition, we will follow Responsible Disclosure procedures if needed.

References

[Cor16] CoreOS. rkt 1.0.0 Documentation. Feb. 21, 2016. url: https://coreos.com/rkt/docs/latest/.

[Eng16] Docker Core Engineering. Docker 1.10: New Compose file, improved security, networking and much more! Feb. 21, 2016. url: https://blog.docker.com/category/engineering/docker-releases/.

[Ker16] Sean Michael Kerner. CoreOS Launches Docker Rival Rkt 1.0. Feb. 21, 2016. url: http://www.serverwatch.com/server-news/coreos-launches-docker-rival-rkt-1.0.html.

[Ora16] Oracle. Welcome to VirtualBox.org! Feb. 21, 2016. url: https://www.virtualbox.org/.

[OS16] Core OS. rkt vs other projects. Feb. 21, 2016. url: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html#rkt-vs-docker.

[Pol16] Alex Polvi. The Security-minded Container Engine by CoreOS: rkt Hits 1.0. Feb. 21, 2016. url: https://coreos.com/blog/rkt-hits-1.0.html.


[SAN16] Anand Mani Sankar. Containers (Docker): A disruptive force in cloud computing. Feb. 21, 2016. url: http://anandmanisankar.com/posts/container-docker-PaaS-microservices/.

[Vas15] Tuomas Vase. “ADVANTAGES OF DOCKER”. University of Jyvaskyla, 2015.

[Vau16] Steven J. Vaughan-Nichols. Docker 1.0 brings container technology to the enterprise. Feb. 22, 2016. url: http://www.zdnet.com/article/docker-1-0-brings-container-technology-to-the-enterprise/.
