One of the reasons that containers have become so popular is the ease of deployment, but today’s distributed applications aren’t restricted to a single runtime or a single cloud provider. If you’re using a cloud database service and serverless functions in your app, you lose the simplicity of the Docker experience for packaging an application up as a bundle and pushing it into repos for people to pull out, because you need tools like Terraform and Azure Resource Manager templates and Ansible to handle provisioning all the different components.
“Today if you’re using just container-based applications maybe you’re building Helm artifacts or for Azure you’re targeting an [Azure Resource Manager] artifact or something like Terraform,” Gabe Monroy, head of Microsoft’s cloud native compute team told the New Stack. “The problem comes when the app you’re building is a mix of these things, so it’s got, say, Terraform and containers and functions, because we’re starting to see that diversity in different runtimes and cloud APIs emerge today. How do you wrap your hands around that and turn it into something you can manage like a simple application? Can we offer that familiar experience around repeatability, immutability and cryptographic assurances that the workload hasn’t been modified in a world that’s containers plus… or that doesn’t even include containers at all?”
The open source Cloud Native Application Bundle that Microsoft and Docker released at Microsoft’s Connect() developer conference Tuesday is a specification for package management that builds on the Open Container Initiative to create a manifest for distributed applications and will be supported in Docker’s public hub.
“The idea is to try and define the model for how folks can build these different bundles that have a management lifecycle associated with them, so you can install them, update them and uninstall them and have all the cryptography associated with ensuring that these are secure bundles, with the ability to push and pull them and so on,” Monroy explained.
CNAB could also help developers working in an increasingly multicloud environment. “We wanted to keep the specification very flexible so that you could model solutions across different cloud providers. Even customers who are primarily on Azure, they may have some containers in AKS, they may have some Cosmos DB and then they want to use third-party DNS services like Dyn DNS to stitch together the DNS records. CNAB allows them to model all of that and construct an application they can manage with a great amount of repeatability.”
CNAB’s parameterization is based on the Azure Resource Manager (ARM) template language. “This means that when you install a bundle using CNAB you can prompt for things and use strong validation on those entries right away.” — Gabe Monroy.
CNAB enables developers to define resources that can be deployed to any combination of runtime environments, in the cloud, on a local environment like on-premise OpenStack or Kubernetes (or the developer’s laptop), to a constrained IoT environment — or to disconnected edge and air-gapped environments where you can’t call to the cloud to pull down containers. “In a disconnected environment you can’t presume you’ll have access to cloud-based container registries so one of the key design goals was making sure we could have a version of this bundle that could be serialized into a ‘thick’ bundle,” Monroy explained. “That thick bundle includes all the container images and everything you need to pop this on a USB stick, walk it over to an air-gapped environment, hydrate the container registries and so on, and get a full fidelity version of the application running in the offline environment.”
Even applications built only with containers will benefit that offline option, as well as from the way CNAB uses parameters for configuration, so changing the network configuration for an existing application doesn’t mean copying the Docker compose file and editing the YAML — a manual process that can easily lead to errors. It also improves on Helm, which uses parameters so you can put in blocks to mark out, say, the firewall configuration, but doesn’t have structured schemas or strong typing to validate the field contents so again it’s easy to make a mistake and get an error after installation. CNAB’s parameterization is based on the Azure Resource Manager (ARM) template language, Monroy said. “This means that when you install a bundle using CNAB you can prompt for things and use strong validation on those entries right away.”
Distributed Resource Management
CNAB could also simplify audit and cost control for cloud resources and address container sprawl, by making it clearer which resources are associated with which applications, making it easier for developers to adopt different services and platforms without being overwhelmed by managing them.
“Right now, if you pull up your Azure subscription and take a look at all the things that are running that could be hundreds or thousands of resources and being able to tell which of those resources is part of which logical application is something too difficult to do today. Public cloud and the explosion of different resources has really moved the bar on flexibility, but the pendulum hasn’t swung back to good management constructs around what are all those resources you’re spinning up,” Monroy admitted. Modern tooling like CNAB will make it easier to track and audit the resources you have deployed. “You can’t manage cloud resources by hand, point and click through a GUI otherwise you wind up with this kind management of sprawl. You need to be more thoughtful around tooling and infrastructure as code to avoid falling into these traps.”
As well as the CNAB specification, Microsoft is announcing an initial set of tools, including a Visual Studio Code extension for building CNAB bundles and Duffle, a cross-platform open source reference implementation of a CNAB client. That’s a Docker-style CLI tool to create bundles, cryptographically sign and verify bundles, and push and pull the bundles to install, upgrade and uninstall them. There’s also a cross-platform Electron installer that puts a graphical front end onto CNAB bundles for installing, upgrading or installing applications.
“Once you’ve built one of these bundles, the Electron installer allows you to put it on a USB stick, double-click it on a laptop and it walks you through an installer,” he explained. “That will allow you to perform lifecycle management of one of these cloud-based distributed applications from your desktop using a standard [desktop installer] wizard.”
That interface relies on the parameter validation done in CNAB, the specification is flexible enough to allow install and manage desktop resources as well, opening up interesting possibilities for local app installation.
Microsoft also worked with Docker to create an example implementation for a bundle repository server. “For this to work we needed a new set of APIs around the Docker registry APIs and the OCI distribution API,” he said. “The plan is to roll this out in the standard Docker compatible registries as an add-on or an alternate set of APIs.” Over time by working with the community through the Open Container Initiative, Monroy expects CNAB support will become more integrated. “Docker has pledged to support CNAB in the public Docker hub, which is very exciting.”
Writing distributed applications and creating CNAB bundles will still require expertise but Monroy believes it will dramatically simplify installing and managing them through software marketplaces and in edge scenarios. “I think what we’ve done here is we’ve made it absolutely trivial for people to consume this stuff. If you want to install a complex Kubernetes-plus-containers-plus-Cosmos DB-plus-functions application right now, you’d be fumbling around with different ARM templates or Terraform and Ansible and a mix of tooling. Now you can literally duffle install a bundle that someone has prebuilt and have that whole environment stood up for you in a matter of minutes.”