Oracle is expanding its container efforts with the official public debut of three new open-source utilities designed to help improve application container security and performance. The tools include the Smith secure container builder, Crashcart container debugging tool and the Railcar container runtime.
The new Oracle container tools were publicly revealed by Oracle cloud development architect Vish (Ishaya) Abrams, who is a well-known figure in the OpenStack cloud community. Prior to joining Oracle in April 2015, Abrams had served as the project technical leader of the OpenStack Nova compute project which supports multiple virtualization technologies.
The new Railcar container runtime is an alternative to existing container runtimes, including the runc runtime used in docker, that are written in the open-source Go programming language.
"Go is a poor choice of language for a container runtime," Abrams wrote in a blog post." Go is a great language, but for small system utilities that need tight control over threads and make a high volume of syscalls, there are better options."
Rather than using Go, Railcar uses the open-source Rust programming language which was initially developed by browser vendor Mozilla. Abrams noted that Rust is a memory-safe programming language that provides performance and security benefits. The Railcar container runtime also aims to be compliant with the Open Container Initiative (OCI) runtime specification, which is an effort to define a container runtime standard.
In addition to aiming to provide a more secure runtime for containers, Oracle wants to enable developers to build more secure application containers with the open-source Smith project. On the Smith Github project page, Oracle's developers detail several key principles they have embraced as part of the process for building containers. Among those principles is the notion that a container should only contain the required process that needs to run and its direct dependencies. Another key principle advocated by Oracle is that containers files do not include user ownership or special permissions beyond what is required for the executable components.
"In order to be comfortable with using containers in production we had to make some changes to our container build process," Abrams wrote. "After analyzing some of the problems with our process, we developed a method for building and running containers that dramatically improved their stability and security for our environment. "
The third tool being open-sourced by Oracle is the Crashcart debugging tool that aims to help developers fix problems and improve container application performance. Abrams commented that it can often be challenging to identify operational issues with application containers.
"Most debugging can be done from the host, but sometimes you need access to the filesystem as the container sees it," Abrams wrote. "Crashcart was built for this use case."
Oracle has been actively working with docker containers over the course of the past two years including using containers to build and deploy Oracle's OpenStack platform. Oracle also has its own Container Cloud Service that provides enterprises with container deployment and management capabilities.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.