Framework Installs with Docker to Add Unikernel Techniques Based on Solo5 & runnc
IBM recently launched a new container standard that functions as a plugin-style alternative to Docker's native format, intended to create more isolated sandbox environments for cloud architectures. Similar to the gVisor framework released by Google this year, Nabla Containers seeks to reduce the number of attack vectors that exploits can target in apps operating in production at scale. Rather than competing with Docker outright, Nabla works as an alternative format that can be installed on the same hardware and software platforms (i.e. public/private cloud hosts) to provide more robust security. Nabla uses library OS/unikernel techniques via the Solo5 project middleware, which reduces the number of Linux system calls a running container requires to 9.

The main difference is the runtime: Nabla uses runnc as "the OCI-interfacing container runtime," whereas gVisor (another new hardened container sandbox alternative) is built around runsc, and Docker containers use runC as the universal container runtime. Docker donated the runC code to the Open Container Project in 2015 "as a standalone tool, to be used as plumbing by infrastructure plumbers everywhere."

The Solo5 project was originally started by Dan Williams at IBM Research while porting MirageOS to run on the Linux KVM hypervisor. The main components of Solo5 are the kernel, ukvm, a testing suite, and a set of tools that support various virtualization requirements across different operating systems and hardware devices.

Nabla Containers will mostly appeal to programmers and developers with a pressing need to reduce the number of system calls permitted to a VM in production in order to achieve higher levels of security, although this requires custom-formatted disk images that are not cross-compatible with Docker's runC code.
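Because Nabla plugs into Docker as an alternative OCI runtime rather than replacing it, the practical step is registering runnc next to the default runc and opting individual containers into it. The following script is an added example, not code from the article or the Nabla project; it assumes the runnc binary is installed at /usr/local/bin/runnc, that dockerd reads /etc/docker/daemon.json, and that "nabla-demo:latest" is a placeholder for an image built in Nabla's own format.

```shell
#!/bin/sh
# Added example (not from the article or the Nabla project): register runnc as an
# additional OCI runtime in Docker's daemon.json and select it per container.
# Assumptions: runnc lives at /usr/local/bin/runnc (override with RUNNC_PATH),
# dockerd reads /etc/docker/daemon.json, and "nabla-demo:latest" is a placeholder
# for an image built in Nabla's format; a plain Docker image will not start under runnc.
set -eu

RUNNC_PATH="${RUNNC_PATH:-/usr/local/bin/runnc}"

# Emit the daemon.json fragment. runc stays the default runtime; runnc is opt-in,
# so existing containers are unaffected until they are explicitly moved over.
nabla_daemon_json() {
  printf '{\n  "runtimes": {\n    "runnc": { "path": "%s" }\n  }\n}\n' "$1"
}

# Write the config, restart dockerd (root required), and confirm the daemon now
# advertises runnc alongside runc. Not invoked at top level, so the generator
# can be inspected without touching a live host.
install_nabla_runtime() {
  nabla_daemon_json "$RUNNC_PATH" > /etc/docker/daemon.json
  systemctl restart docker
  docker info | grep -E '^ *Runtimes:' | grep -qw runnc
}

# Start a Nabla-format image under runnc; every other container keeps using runc.
run_under_runnc() {
  docker run --rm --runtime=runnc "$1"
}

# Show the fragment that install_nabla_runtime would write.
nabla_daemon_json "$RUNNC_PATH"
# Example invocation on a prepared host: run_under_runnc nabla-demo:latest
```

Once registered, `docker info` lists both runtimes, and only containers started with `--runtime=runnc` go through the Solo5-based path with its reduced system call surface.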