Apcera Open Sources New Kurma Project Built on App Container Specification

While much of the press and action in the container space has centered around Docker to date, it’s important to consider containerization alternatives currently under development. One in particular is the App Container Specification (AppC), initially proposed by CoreOS, which is being built as an open specification with input from across the industry, much like the conventional standard-development process.

The goal of AppC is to build an industry specification for how you define a container, rather than defining the implementation details. The efforts behind AppC focus on things like the format of the file and the metadata for the processes it'll run. This approach was attractive to Apcera for a number of reasons. We liked that we could contribute to defining AppC, and that we could alter our solutions to conform to it. Also, it offered a different distribution model from Docker. App Container Images result in immutable images that can easily be shared and distributed, rather than a file with a script or calling out to an image repository to retrieve the content.

In late 2014, we started to take a harder look at the deployment topology of Apcera’s Hybrid Cloud Operating System (HCOS). Apcera’s HCOS ran all of its workloads as containers; however, our HCOS itself wasn't run as containers. We had a chicken vs. egg conundrum to resolve. Because policy and governance were at the core of Apcera’s HCOS, much of the solution's control plane already had to be running to be able to launch a container. Additionally, in the course of looking at how we could containerize our HCOS, we had a number of operational complexities we wanted to reduce. We had tooling for creating and managing virtual machines, Chef for configuration management, multiple packaging formats, and still a rather heavy OS image that was always too much of an attack surface.

So we began to explore whether we could take the basics of our HCOS and start a separate project aimed at containerizing the HCOS itself. We wanted to build a system that didn’t have security and governance IN it, but rather would allow it to be layered ON TOP. The containers running Apcera’s HCOS would then still have the ubiquitous security and governance, which is our core focus. The benefits of this approach would include isolating the workloads from each other, so there are no outside dependencies on the host set-up, and enabling easy distribution of the workloads. And the overall system would be slimmed down to a point where it was easy to distribute, easy to run, and had a minimized attack surface.

These efforts were the genesis of Kurma. Kurma is a new architecture and topology for our system, in which every system service – from clock syncing to log forwarding to console logins – can be run as a container. While Apcera’s HCOS continues to be about security and policy, Kurma is the base container environment that can improve operational efficiencies as the cornerstone for an HCOS deployment. AppC became attractive to us as we saw how the specification was evolving since its introduction. A lot of the aspects it was tackling were of high importance to us, and in line with the problems we wanted to continue tackling. Things like network ontologies, image discovery, image validation/encryption, and application identity are all topics we’re keen on.

Today, while on the 9:45 a.m. App Container Spec Technical Panel at CoreOS Fest, I’ll be announcing that we’re ready to open source all of Kurma – including repositories and images – so that others can try it locally, adopt the architecture and even contribute to its further development. At CoreOS Fest, I also look forward to engaging with other panelists – including Twitter’s Charles Aylward, Vincent Batts from Red Hat, Google’s Tim Hockin, and Jonathan Boulle and Brandon Philips, both from CoreOS – and talking about how we at Apcera have invested in secure container technology to power our core platform, and how the future development of the AppC specification is important to the evolution of our solution.

Images are currently available. Feel free to check out the Kurma repository where the code lives, and the KurmaOS repository where our build scripts live. Links to our current images are available from both.