The Cloud Native Application Bundle (CNAB) is an open source specification that aims to facilitate the bundling, installing, and managing of containerized apps. With this bundle, users can define resources that can then be deployed to a number of runtime environments, such as Docker, Azure, Kubernetes, Helm, automation services (such as those used by GitOps), and more.
The CNAB specification was created by multiple companies, including Microsoft, HashiCorp, Bitnami, Intel, Pivotal, and DataDog. Although many of the companies involved offer their own cloud services, CNAB was created to be a cloud-agnostic specification, which means it doesn’t care what infrastructure or software you use for deployment. Because of this, there is no vendor lock-in.
Recently the CNAB spec reached version 1.0, which means it is ready for production deployment. Any IT pro, with their fingers deep in the cloud/container pie, should be up to speed with CNAB.
A Bit More Understanding
“As modern applications continue to grow in complexity, there’s an immediate need to simplify how these multiservice, distributed applications are built, shared and run,” said Robert Duffner, director of alliance marketing at Docker. To anyone who’s worked with Kubernetes, that’s an understatement, as Kubernetes can very quickly become quite complex. Duffner continued, “Modern applications are made up of a wide range of components and services — they can be comprised of multiple cloud resources, managed services, SaaS offerings, containers, configuration formats (Helm charts, Kubernetes YAML and Docker Compose files), functions, and more.”
But how does CNAB come into play? “CNAB pulls these disparate components together, providing a common packaging format for multiservice applications. These bundles can be developed, managed and shared (across a registry like Docker Hub) as one immutable composite unit without forcing any specific environment/clouds,” Duffner said.
To clarify this, I focused the conversation toward Kubernetes and Docker (as those are the two technologies at the forefront of container deployment). As to what CNAB does for both Kubernetes and Docker, Duffner said, “CNAB is helping to advance how we look at building, sharing and running containers because it elevates the conversation to the application level.” Adding to that, Duffner addressed Docker App by saying, “This has been the case with Docker App, our implementation of the CNAB specification, which is designed to bring the simplicity associated with Docker images to building, sharing and running multiservice applications across multiple configuration formats.”
In the end, what CNAB bolts together containers and services into a seamless whole, that places a strong focus on standardization. The CNAB spec is broken down into the following chapters:
- CNAB — explains the fundamentals of the CNAB core 1.0.
- CNAB Registry — will describe how CNAB bundles can be stored inside of OCI Registries (this section is not yet complete).
- CNAB Security — explains the mechanisms for signing, verifying, and attesting CNAB packages.
- CNAB Claims — describes the CNAB Claims system, which describes how records of CNAB installations may be formatted for storage.
- CNAB Dependencies — describes how bundles can define dependencies on other bundles.
What Is a Bundle?
Currently, there are numerous ways to deploy a containerized application. You can use Docker, Docker Compose, Kubernetes and other tools, each of which has its own specification for laying out configuration files. What CNAB does is create a single bundled metadata in a bundle.json file. This .json file is broken down into:
- The schema version.
- Top-level package information.
- Information on invocation images.
- Map of images.
- Specification for parameter override (with a reference to a validation schema).
- List of credentials.
- Optional description of custom actions.
- A list of outputs produced by the application.
- A set of schema definitions used to validate input.
Bundles come in two formats:
- Thin bundles contain only one object, the Bundle descriptor and is a JSON file (which MUST be represented as Canonical JSON).
- Thick bundles contain multiple objects: The bundle descriptor, one or more invocation image, and zero or more images. The thick bundle will include a bundle.json file, which must be at the root of the compressed archive.
A bundle.json is similar to a docker-compose.yml file, in that it describes a complex configuration for image deployment. The difference is, the CNAB bundle is very clearly defined as to how it should be laid out, encoded, and where all associated files must reside.
On the subject of bundles, Duffner said, “Building, sharing and running modern distributed applications which are composed of a variety of parts – from web components to machine learning, functions, APIs, and more – is a massively complicated process.” Anyone who has attempted to deploy complicated containers knows this. How does CNAB address such complexity? To that Duffner added, “One of the benefits of Docker App (implementation of CNAB) is to simplify apps using Docker Compose and then deploy natively to the cloud. So yes, a discrete immutable approach and having a standard way to deploy cloud native applications is important.”
Who Benefits the Most
It should come as no surprise that CNAB is focused primarily on enterprise-level deployments. After all, a simple container deployment doesn’t require nearly the complexity of a service used by a fortune 500 company. To that point, Duffner said, “We are already seeing enterprises be big proponents of CNAB since many are home to hundreds or thousands of distributed applications and are looking for ways to more easily build, manage and secure these applications across the software supply chain.” But CNAB won’t just benefit enterprise-level businesses. In fact, Duffner added that developers and DeOps teams who are struggling with the complexity of modern application deployment will greatly benefit from the CNAB spec. With the help of the CNAB spec, teams will enjoy “better collaboration and faster time to market.”
Make sure to read through the entire CNAB 1.0 spec here.
HashiCorp is a sponsor of The New Stack.