Containers are more popular than ever. Here at Oracle, we use containers for many of our cloud services. While preparing to run containers in production, we developed tools to help with building and operating them. Today we are happy to announce that we are open-sourcing these tools so that others can benefit from our work. You can find smith, crashcart, and railcar on the Oracle GitHub page. Read on for more information about them.
We have run into a number of operational issues with conventional container build processes. Smith addresses them by making container builds more consistent and more secure: it produces microcontainers, images that contain only the files a single process needs, built from rpms, yum repositories, or even existing Docker containers. For more information on the operational challenges that led us to microcontainers, see The Microcontainer Manifesto.
When containers are minimized for production use, the tools that were left out of the image make it harder for operators to diagnose and fix problems. Most debugging can be done from the host, but sometimes you need to see the filesystem as the container sees it. Crashcart was built for this use case: it loads a set of binaries into a running container so that you can work out what is going wrong without shipping those binaries in every production image. Find out why side-loading binaries is hard, and how crashcart does it, in Hardcore Container Debugging.
Go is a poor choice of language for a container runtime. (NOTE: the runtime is the component that sets up isolation via namespaces and cgroups. Go is still an excellent choice for container daemons and CLIs.) The core problem is that the Go runtime starts several threads before your code runs, while the kernel refuses setns(2) into a user or mount namespace, and unshare(2) of a user namespace, from a multithreaded process; this blog post by Weaveworks walks through the details. To work around this and related issues, runc (the default implementation of the OCI runtime spec) has a piece of C code that runs before the Go runtime starts and does the namespace setup there. Go is a great language, but for small system utilities that need tight control over threads and make a high volume of syscalls, there are better options. Rust gives low-level control like C but is memory safe, which rules out whole classes of bugs and vulnerabilities. There is more information about the development of railcar in Building a Container Runtime in Rust.
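As an added example that is not crashcart's or railcar's code, here is a minimal nsenter-style tool in Rust that ties the two preceding paragraphs together: it joins a running container's namespaces from the host so a debugging binary can run inside the container's view of the filesystem, and it checks the single-threaded precondition the Go runtime cannot satisfy before calling setns(2). It talks to libc directly (no crates); the CLONE_NEW* values are the kernel's own constants from <linux/sched.h>, and the names enter_namespaces, threads_in_status, ns_flag and EnterError are mine. It must run as root (CAP_SYS_ADMIN in the target user namespace), and the command it runs must exist in the container's filesystem or be statically linked, since the host's libraries are no longer visible once the mount namespace has been joined.

```rust
use std::fs::{self, File};
use std::io;
use std::os::raw::c_int;
use std::os::unix::io::AsRawFd;
use std::process::{self, Command};

// Namespace flags from <linux/sched.h>; setns(2) uses them to verify that the
// descriptor really refers to the requested kind of namespace.
pub const CLONE_NEWNS: c_int = 0x0002_0000;
pub const CLONE_NEWUTS: c_int = 0x0400_0000;
pub const CLONE_NEWIPC: c_int = 0x0800_0000;
pub const CLONE_NEWUSER: c_int = 0x1000_0000;
pub const CLONE_NEWPID: c_int = 0x2000_0000;
pub const CLONE_NEWNET: c_int = 0x4000_0000;

extern "C" {
    // setns(2) from the C library. std already links libc, so no crate is needed.
    fn setns(fd: c_int, nstype: c_int) -> c_int;
}

/// Map a /proc/<pid>/ns/ entry name to its setns(2) flag.
pub fn ns_flag(name: &str) -> Option<c_int> {
    Some(match name {
        "user" => CLONE_NEWUSER,
        "ipc" => CLONE_NEWIPC,
        "uts" => CLONE_NEWUTS,
        "net" => CLONE_NEWNET,
        "pid" => CLONE_NEWPID,
        "mnt" => CLONE_NEWNS,
        _ => return None,
    })
}

/// Extract the thread count from the text of /proc/<pid>/status.
pub fn threads_in_status(status: &str) -> Option<u32> {
    status
        .lines()
        .find_map(|line| line.strip_prefix("Threads:"))
        .and_then(|value| value.trim().parse().ok())
}

#[derive(Debug)]
pub enum EnterError {
    /// The kernel rejects setns(CLONE_NEWUSER) and setns(CLONE_NEWNS) with
    /// EINVAL from a multithreaded caller; report that before trying.
    Multithreaded(u32),
    UnknownNamespace(String),
    Open(String, io::Error),
    SetNs(String, io::Error),
}

/// Join the listed namespaces of `pid`, in the order given.
pub fn enter_namespaces(pid: u32, names: &[&str]) -> Result<(), EnterError> {
    let status = fs::read_to_string("/proc/self/status")
        .map_err(|e| EnterError::Open("/proc/self/status".to_string(), e))?;
    let threads = threads_in_status(&status).unwrap_or(0);
    if threads != 1 {
        return Err(EnterError::Multithreaded(threads));
    }
    // Open every namespace file before joining any of them: once we are inside
    // the target mount namespace, the host's /proc/<pid>/ns may be gone.
    let mut handles = Vec::with_capacity(names.len());
    for name in names {
        let flag = ns_flag(name).ok_or_else(|| EnterError::UnknownNamespace(name.to_string()))?;
        let path = format!("/proc/{}/ns/{}", pid, name);
        let file = File::open(&path).map_err(|e| EnterError::Open(path, e))?;
        handles.push((name.to_string(), flag, file));
    }
    for (name, flag, file) in &handles {
        // SAFETY: `file` is an open namespace descriptor and `flag` is a valid
        // CLONE_NEW* constant; setns has no other memory-safety preconditions.
        if unsafe { setns(file.as_raw_fd(), *flag) } != 0 {
            return Err(EnterError::SetNs(name.clone(), io::Error::last_os_error()));
        }
    }
    Ok(())
}

fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() < 3 {
        eprintln!("usage: {} <container-pid> <command> [args...]", args[0]);
        process::exit(2);
    }
    let pid: u32 = args[1].parse().unwrap_or_else(|_| {
        eprintln!("invalid pid: {}", args[1]);
        process::exit(2)
    });
    // Same order as util-linux nsenter, mount namespace last. The user
    // namespace is deliberately not joined: setns(CLONE_NEWUSER) fails with
    // EINVAL when the target shares the host's user namespace, the common case.
    if let Err(e) = enter_namespaces(pid, &["ipc", "uts", "net", "pid", "mnt"]) {
        eprintln!("cannot enter namespaces of {}: {:?}", pid, e);
        process::exit(1);
    }
    // setns(CLONE_NEWPID) only takes effect for children, so fork+exec through
    // Command rather than exec in place; the child is then fully inside.
    let status = Command::new(&args[2]).args(&args[3..]).status().unwrap_or_else(|e| {
        eprintln!("exec failed: {}", e);
        process::exit(1)
    });
    process::exit(status.code().unwrap_or(1));
}
```

Build with `rustc`, then run as root with the PID of the container's init process (for Docker, `docker inspect -f '{{.State.Pid}}' <name>`) and a command such as `/bin/sh`. The thread check is what a Go program cannot pass: even runtime.LockOSThread leaves the runtime's other threads alive, which is why runc moves this step into C code that runs before the Go runtime starts.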