Oracle only recently declared its support for Kubernetes and partnered with CoreOS to bring Container Linux to Oracle Cloud Infrastructure. It looks like Oracle technologists Mark Cavage and T.J. Fontaine meant business when they said they didn’t expect a free pass: in July, Oracle announced the release of three new open source tools to improve both the performance and security of containers. It also looks like Oracle has realized the advantages of open sourcing and accepted that license renewals are soon going to be a thing of the past.
Although Oracle was late to acknowledge the cloud and is also late to containers, one of the advantages of going last is that you get to see everyone else’s mistakes. When you’re a pioneer like Docker and Kubernetes, or even Prometheus, there really isn’t much to go by except an image in your head. By waiting, Oracle has a complete map of the mistakes made by everyone else. There is also a host of firsthand experience being shared by different companies about production environments, and Oracle itself has been working with Docker containers for over two years, including in production with OpenStack.
Taking a ride on Oracle Railcar
The first offering from Oracle, named Railcar, aims right at the heart of the stack: the “container runtime,” as we are used to calling it, which in most cases is runC. Oracle cloud development architect Vish (Ishaya) Abrams argues that Go is a poor choice of language for a container runtime, and Railcar is written in the open source language Rust instead. The benefit of using Rust over Go, according to Abrams, is that Rust is a memory-safe programming language that offers both performance and security advantages.
What he means by “memory safe” is that, unlike Go, which relies on garbage collection (GC), Rust allows manual memory management while still guaranteeing safety, which removes the need for reference-counted pointers or a garbage collector. Rust’s zero-cost abstractions are also a better match for lean, container-like systems than Go’s large runtime and binaries.
Security is another area where Rust and Go take different approaches: Go leans on its garbage collector, Rust on its built-in memory management. Some view Rust as superior in this regard because invariants exposed in the code are better than relying on a runtime that you cannot practically keep track of.
Oracle has also coined the term “microcontainers,” which isn’t a new unit of production, as the name suggests, but rather a different method for constructing a container with security and stability in mind. The standout features: a microcontainer contains only a single executable and its dependencies, runs with a read-only root filesystem, and has no user and group filesystem ownership; in other words, everything is owned and readable by a single user. Additionally, microcontainers have no filesystem timestamps or special capabilities. They’re generic, and the same image can be replicated countless times.
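The microcontainer properties just listed are concrete enough to check mechanically. The following Python script is an added example, not code from Oracle or from the Smith project: it builds two small image layers in memory (constructed sample data, where short byte strings stand in for real ELF files), then audits each layer for single ownership, absent timestamps, no setuid/setgid bits and exactly one executable, and audits a matching OCI runtime config.json for a read-only root and an empty capability set. The rule that “an executable is a regular file with an exec bit that is not a shared object” is an assumption made for the example, not a rule taken from Smith.

```python
import io
import stat
import tarfile


def build_layer(entries):
    """Pack (path, content, uid, gid, mode, mtime) tuples into an in-memory
    tar archive, the shape of a single OCI image layer. Constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data, uid, gid, mode, mtime in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.uid, info.gid = uid, gid
            info.uname = info.gname = ""  # numeric ownership only
            info.mode = mode
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_executable(member):
    """Heuristic (an assumption for this example, not Smith's rule): a regular
    file with an exec bit that is not a shared object is an executable."""
    return member.isfile() and bool(member.mode & stat.S_IXUSR) and ".so" not in member.name


def audit_layer(tar_bytes):
    """Return (path, reason) findings. An empty list means the layer has the
    microcontainer properties the article lists: one owner, no timestamps,
    no setuid/setgid bits, exactly one executable."""
    findings = []
    executables = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if (m.uid, m.gid) != (0, 0) or m.uname or m.gname:
                findings.append((m.name, "owner %d:%d, expected the single owner 0:0" % (m.uid, m.gid)))
            if m.mtime != 0:
                findings.append((m.name, "carries a filesystem timestamp"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if is_executable(m):
                executables.append(m.name)
    if len(executables) != 1:
        findings.append(("<layer>", "expected one executable, found %d: %s" % (len(executables), executables)))
    return findings


def audit_runtime_config(config):
    """Check the OCI runtime config.json side: read-only root filesystem and
    no capabilities granted to the process."""
    findings = []
    if not config.get("root", {}).get("readonly", False):
        findings.append("root filesystem is not read-only")
    caps = config.get("process", {}).get("capabilities", {})
    cap_sets = ("bounding", "effective", "permitted", "inheritable", "ambient")
    granted = sorted({c for key in cap_sets for c in caps.get(key, [])})
    if granted:
        findings.append("capabilities granted: %s" % ", ".join(granted))
    return findings


# Constructed sample layers. GOOD_LAYER follows the microcontainer rules;
# BAD_LAYER breaks several of them on purpose so the audit has work to do.
GOOD_LAYER = build_layer([
    ("usr/bin/app", b"\x7fELF app", 0, 0, 0o555, 0),
    ("usr/lib/libc.so.6", b"\x7fELF lib", 0, 0, 0o555, 0),
    ("etc/app.conf", b"listen=8080\n", 0, 0, 0o444, 0),
])

BAD_LAYER = build_layer([
    ("usr/bin/app", b"\x7fELF app", 0, 0, 0o555, 0),
    ("usr/bin/sh", b"\x7fELF shell", 0, 0, 0o555, 1500000000),      # second executable, timestamped
    ("usr/bin/helper", b"\x7fELF helper", 1000, 1000, 0o4755, 0),  # non-root owner, setuid
])

# Constructed OCI runtime config fragments (only the keys the audit reads).
GOOD_CONFIG = {"ociVersion": "1.0.0",
               "process": {"user": {"uid": 0, "gid": 0}, "args": ["/usr/bin/app"],
                           "capabilities": {"bounding": [], "effective": [], "permitted": [], "inheritable": []}},
               "root": {"path": "rootfs", "readonly": True}}

BAD_CONFIG = {"ociVersion": "1.0.0",
              "process": {"user": {"uid": 0, "gid": 0}, "args": ["/usr/bin/app"],
                          "capabilities": {"bounding": ["CAP_NET_ADMIN", "CAP_SYS_ADMIN"]}},
              "root": {"path": "rootfs", "readonly": False}}

if __name__ == "__main__":
    for label, layer, cfg in (("good", GOOD_LAYER, GOOD_CONFIG), ("bad", BAD_LAYER, BAD_CONFIG)):
        print(label, audit_layer(layer) + [("<config>", f) for f in audit_runtime_config(cfg)])
```

Run as-is, the script reports nothing for the good layer and config, and four layer findings plus two config findings for the bad ones. Against a real image you would feed each layer tarball from the OCI image directory to audit_layer and the bundle’s config.json to audit_runtime_config; the executable heuristic is the part most likely to need tuning for a given base image.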
Oracle Smith sounds like something out of a “Matrix” movie, but it’s the next open source tool on Oracle’s goody train. Apart from coming up with a new runtime that aims to be OCI compliant, Oracle has also launched a tool called Smith that lets developers build more secure application containers. Smith is built on the microcontainer principles described above and is being branded as a “secure” microcontainer builder designed to help Ops teams deal with container images.
Additionally, Smith can build a microcontainer from yum repositories and (optionally) an rpm file, and it can also take existing Docker containers and convert them to microcontainers. This way, containerization is done within the Ops tooling, and developers can continue using whatever tools they’re used to. Smith builds images in the standard OCI format, but it can also upload images to, and download images from, Docker repositories.
The advantage of starting late is that you get a fresh, outside-the-box perspective on a subject. Abrams recently highlighted an extensive list of problems with Docker build, one of which is that the build process suits Dev teams but does nothing to make the Ops team’s life easier. Of the problems Abrams listed, Smith is said to solve privilege escalation, vulnerability management, the lack of user namespaces, layers, and overlays.
With a new runtime and a swanky new tool for the Ops team in hand, the third open source tool, which completes Oracle’s response to the “real-world” issues faced with containers in production, is called Crashcart. You have to prepare for the worst if you want to be a high-performance organization, and Crashcart is for when it all goes wrong. Rather than manually logging in during such an event and trying to figure out what went wrong amid hundreds of microservices, you can let Crashcart automate the process for you. Crashcart is also being branded as a microcontainer debugging tool that helps developers fix problems, containerize applications, and connect to the database. It also improves performance, according to Abrams, who said Crashcart was built to access the filesystem as the container sees it, since it can often be challenging to identify operational issues within application containers.
Crashcart also promises to make debugging easier with hacks and tricks such as mounting tools into containers, for example to load the binaries needed to diagnose an issue. Oracle also plans to add more functionality to the tool, such as the ability to set uids and gids in containers.
Miles to go before they sleep
While Oracle is definitely making a statement about its intent in the world of microservice architecture, coming up with a new container engine and claiming it’s superior because of the language it’s written in might not be music to everyone’s ears, especially not to the thousands of people who have contributed to the runC container runtime in Go. Agent Smith, on the other hand, seems to be a good idea on the surface: microservice architecture starts with Ops, according to Bob Wise, CTO of Samsung’s Cloud Native Computing team, and the fact that Oracle is releasing an Ops-side container tool means it’s definitely paying attention.
Frankly, it is a bit cheeky of Oracle to start off by saying everyone else has been doing it wrong all along and it has a better way, especially since it was so dismissive of the cloud initially and so late to acknowledge containers. Nobody was waiting around to see whether Oracle would jump on the container train, but it has definitely jumped in with both feet and already wants to drive. Will Railcar actually solve all the issues it says it does, and will it effectively become a replacement for runC? Only time will tell, but with a brand new engine, a Crashcart, and Agent Smith, it looks like Oracle is thinking about hijacking the whole train.
Photo credit: Oracle