Oracle is helping development teams build and operate containers with three new tools it is releasing as open source. The tools — Smith, Crashcart and Railcar — are designed to tackle common containerization challenges.
“Containers are more popular than ever. Here at Oracle, we use containers for many of our cloud services. While preparing for containers in production, we developed tools to help with building and operating containers,” Vish Abrams, architect for cloud development at Oracle, wrote in a post.
Smith is a secure microcontainer builder. This solution is designed to help operators deal with container images. “Unfortunately, while the standard build process for containers is ideal for developers, the resulting container images make operators’ jobs more difficult,” Abrams wrote.
The problems it addresses include large images, privilege escalation, vulnerability management, lack of user namespaces, layers, and overlays. According to Abrams, microcontainers help by providing better security and stability. Smith lets users build microcontainers that contain only the process to be run and its direct dependencies, hold files with no user ownership, and can run read-only.
Crashcart is a microcontainer debugging tool that helps users containerize their applications and connect to the database. “Containers can be a challenge to debug, especially when you are a little fuzzy on exactly what a container is and how it works. Some people treat containers like miniature vms, and go so far as to run an ssh daemon inside their container so that they can login when things go crazy. Others stick a bunch of useful tools inside their container and use `docker exec` to get a shell inside their container. But for those of us with slightly-more-sane operational practices, what do we do when things go wrong?” Abrams wrote.
Crashcart also aims to make debugging easier by using some tricky hacks to mount tools into a running container on demand. It lets users load binaries into a container to diagnose problems without baking those tools into the image. Currently, Crashcart doesn’t work with user namespaces on kernels prior to 4.8, according to the project’s GitHub page. Oracle plans to add more functionality and capabilities to the tool, such as the ability to set the uid and gid inside the container.
Railcar is an alternative container runtime implementation built with Rust. “These days, almost all container utilities are in c or go. c is great for interacting with the linux kernel, but has security drawbacks. Go is great for speed of development and memory safety, but it has some limitations that create problems interacting with namespaces. Rust sits at a perfect intersection of these two languages: it has memory safety and higher-level primitives, but doesn’t sacrifice low level control over threading and therefore can handle namespaces properly. It is a great choice for container utilities and we hope to see the rust community and the container community collaborate more in the future,” Abrams wrote.
According to Abrams, Railcar is similar to runc, but with Rust it is able to provide memory safety without any overhead.
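The threading point Abrams makes is concrete: the kernel refuses to create a new user namespace for a process that already has more than one thread, and a Go program is always multithreaded because of its scheduler. The following is an added example, not Railcar’s own code, that shows the refusal from Rust with a raw `unshare(2)` declaration (Linux only; the `unshare_user_ns` and `unshare_user_ns_while_threaded` names are this example’s own):

```rust
// Added example (not part of Railcar): why control over threading matters for
// namespace setup. unshare(CLONE_NEWUSER) fails with EINVAL when the calling
// process has more than one thread, which is the situation a Go runtime is
// always in. A Rust program chooses when threads exist, so it can order the
// namespace calls correctly. Linux only; raw FFI to libc's unshare(2).
use std::io;
use std::os::raw::c_int;
use std::sync::mpsc;
use std::thread;

const CLONE_NEWUSER: c_int = 0x1000_0000; // value from <sched.h>
const EINVAL: i32 = 22;

extern "C" {
    fn unshare(flags: c_int) -> c_int;
}

/// Try to move the calling process into a fresh user namespace.
/// Err carries the OS error: EINVAL when multithreaded, EPERM when
/// unprivileged user namespaces are disabled or a seccomp filter blocks it.
pub fn unshare_user_ns() -> io::Result<()> {
    // SAFETY: unshare(2) takes a plain flags word and touches no caller memory.
    let rc = unsafe { unshare(CLONE_NEWUSER) };
    if rc == 0 { Ok(()) } else { Err(io::Error::last_os_error()) }
}

/// Make the same call while a second thread is alive, mirroring a
/// multithreaded language runtime. The helper thread is parked on a channel
/// so it is guaranteed to exist during the unshare call.
pub fn unshare_user_ns_while_threaded() -> io::Result<()> {
    let (stop_tx, stop_rx) = mpsc::channel::<()>();
    let helper = thread::spawn(move || { let _ = stop_rx.recv(); });
    let result = unshare_user_ns();
    let _ = stop_tx.send(());
    let _ = helper.join();
    result
}

/// True when the error is the multithreaded-process refusal (EINVAL).
pub fn is_threading_refusal(err: &io::Error) -> bool {
    err.raw_os_error() == Some(EINVAL)
}

fn main() {
    match unshare_user_ns_while_threaded() {
        Ok(()) => println!("unexpected: unshare succeeded with two threads alive"),
        Err(e) => println!("threaded unshare failed: {} (EINVAL: {})", e, is_threading_refusal(&e)),
    }
}
```

Run as root or with unprivileged user namespaces enabled, the single-threaded `unshare_user_ns()` call succeeds while the threaded variant is refused; in a locked-down sandbox both may return EPERM instead, which the code reports rather than hides.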
All three projects are available on Oracle’s GitHub page.