Container images that rock (rocks manifesto)

Welcome to the Rocks category! Are you wandering around, wondering what this “rocks” thing is about? Stop here. You are in the right place. On this Discourse topic, we’ll discuss rocks and its community: why & what.

A distribution of container images

Containers are great. They enable faster development, faster deployments, faster scaling.

Containers are available at (open source) developers’ fingertips to build and ship their software to the world without having to care about their destination environments. They also enable developers to care less about dependencies… however… is that really a good thing?

In fact, we think that the way we distribute container images is broken: random software is published to random places with random dependencies. There are no consistent expectations, no consistent developer experience, no consistent support, no consistent versioning…

What was supposed to be a blessing turned into a curse. Not caring much about dependencies has resulted in container images that are unmaintained and shipping known vulnerabilities. Often, there are no clear expectations, ownership, or accountability.

For some of you, this will be reminiscent of the first days of the Debian software community.
The OCI format is a fantastic approach to packaging and deploying cloud software. What we need now, to ensure the continued success of open source software in cloud applications, is a strong, passionate community committed to building an open distribution of Docker (OCI) images.

Ultra-small, traceable, consistent

This post is an open invitation to join the Ubuntu Rocks community, and start contributing to the world’s best portfolio and community for production-grade Docker images.

Historically, when Docker got hugely popular, revolutionising developer experience, we — developers — did what we used to know: we packed entire Linux distributions along with our newly containerised applications.

Beyond missing the point of containerised processes, this had quite unfortunate consequences: more data moving around, more attack surface leading to more exploitable vulnerabilities, and it created bad habits of using containers like virtual machines, thus leading to less efficient or scalable designs.

Fortunately, Google came up with “Distroless” and Docker introduced “Multi-stage builds”, in a big push to promote from-scratch container images: shipping only the strict minimum runtime requirements along with the containerised process.

Instead of containerising the entire Linux distribution, what we need is to build a distribution of small, appliance-type container images.

This is what “rocks” is about. Building the tooling, machinery, and community that are required to create a secure, stable, consistent distribution of container images: Ubuntu Rocks.

To make this happen, we are introducing a few concepts and initiatives:

  • Rocks (the images)

Rocks are OCI-compliant artefacts, designed for the secure software supply chain, in order to provide a solid foundation for cloud-native software.

We aim to ship these rocks in a consistent, cohesive distribution (the Ubuntu Rocks) with two different types of channels: LTS (long-term supported) channels, and rolling channels providing the latest and greatest software (should we have named them ‘stones’?).

Rocks follow the OCI specification but introduce and standardise new ideas and concepts in order to bring more consistency, security, stability, supportability, and performance.

This Discourse category offers you a venue to help shape and upgrade the OCI experience and to improve the security of open-source software and of the software supply chain.

  • Rockcraft (the tooling)

To build rocks, we are building Rockcraft: a tool designed to craft secure and stable containers.

Rockcraft provides a declarative framework designed for the secure software supply chain. It generates OCI-compliant images, built following the best industry practices and with a focus on tracked and well-maintained dependencies.

Rockcraft is also able to drive Chisel, a new “package manager” that manipulates slices of Ubuntu packages in order to build designed-for-purpose ultra-small container images.

Rockcraft reuses the language, concepts, plugins and the “Parts lifecycle” that are also used in Snapcraft and Charmcraft, enabling a common framework to aggregate and distribute software across the entire compute spectrum… from IoT devices to hyperscalers.
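To make the Rockcraft and Chisel ideas above concrete, here is an added illustrative rockcraft.yaml (not a file from the Rockcraft project or this post); it assumes the rockcraft.yaml schema as documented for Rockcraft and the `hello_bins` Chisel slice from the Ubuntu 22.04 slice definitions, and the rock name, version and service command are made up for the example.

```yaml
# Added example: a minimal rockcraft.yaml that builds an ultra-small rock from
# Chisel package slices instead of a full Ubuntu root filesystem.
# Assumption: keys follow the rockcraft.yaml schema as documented for Rockcraft;
# check them against the Rockcraft version you use. Names/versions are made up.
name: hello-rock
summary: Example rock built from Chisel slices
description: A from-scratch rock that ships only the hello binary and its libc.
version: "0.1"              # version of the rock itself, not of Ubuntu
base: bare                  # start from an empty root filesystem: no shell,
                            # no apt, no package database in the final image
build-base: ubuntu@22.04    # Ubuntu release whose package slices are chiselled
license: Apache-2.0
platforms:
  amd64:

parts:
  hello:
    plugin: nil             # nothing to compile; only stage package slices
    stage-packages:
      - hello_bins          # Chisel slice: just the /usr/bin/hello binary.
                            # Assumption: Chisel pulls in the slices this one
                            # declares as essential (e.g. libc6_libs), so the
                            # runtime dependency is tracked, not copied by hand.

# Pebble service definition: the single containerised process the rock runs.
services:
  hello:
    override: replace
    command: /usr/bin/hello
    startup: enabled
```

Because the image starts from `bare` and only the named slices are staged, a vulnerability scanner has far fewer packages to report on and an attacker who lands in the container finds no shell or package manager to pivot with, which is the attack-surface reduction the post describes.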

  • Rockstars (the community)

This is all you: Rockers and Rockstars. Here to build a better way to distribute open-source software as container images to be used by other cloud projects and communities.

We’d like you to focus on the stuff you like to do and the software you want to build. We also want you to feel a part of something bigger, together building a consistent portfolio of container images that is more than the sum of its parts: the Ubuntu Rocks distribution.

Like Ubuntu, Canonical will support our Ubuntu Rocks community and container images distribution with infrastructure and long-term support commitments, making sure that Ubuntu Rocks are production-ready and can scale up at the enterprise level.

Where to get started?

Convinced by our mission and want to join us on our journey to building a first-class distribution of production-grade Docker images? Even though we are just getting started here, there are already a few places for you to contribute:

Looking forward to meeting some of you in-person at the Ubuntu Summit!
