Container Management Infrastructure (ADR RFC)

Title
Container Management Infrastructure

Status
Proposed

Context

https://project.ostc-eu.org/projects/open-source-technology-center-eu/work_packages/159/activity

With market demand for running applications in containers, we need to add support for running containers. Maybe even a full-blown container management solution.
An existing partner has put forward a concrete wish for Docker support.

Later on, we might want to add support for a more IoT-compatible solution for application container delivery, with support for things like transactional update OTA.

With the Jasmine release being close, if we are to include this requirement in it, we need something that is low-effort to add and integrate.

Options are:

  • Docker
  • Podman
  • runc
  • crun
In order to provide the most value to developers, it is desirable to go with a full container management solution (such as Docker or Podman), and not only a lower-level container runtime (such as runc or crun).

Both Docker and Podman are already available in the meta-virtualization OpenEmbedded layer.

Docker is by far the most well-known container management solution, whereas Podman might be technically more attractive.

Decision
Add Docker and runc or crun to OS.

Consequences

ASOS will be attractive for developers wanting to run apps in a container, even more so if they have a preference for using Docker to manage them.

Adopting Podman later on will be harder, as existing Docker users might be negatively affected if we replace Docker with Podman.


Did we consider LXC?

We’ll also need to evaluate whether it’s relevant or possible on weaker devices (MCUs); if not, is there any common denominator between both contexts?

LXC is aimed at running a complete OS, so I guess it’s a bit overkill for running applications on resource-constrained embedded devices.

Running containers requires setting up its security correctly too. It means at least:

  • container daemon running as non-root, which means configuring the infrastructure for non-root users for services

  • Mandatory Access Control configured with the right policies

IMO, before starting with containers we should finish the above.
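As an added example (not part of the thread, nor of the project's own tooling): a POSIX shell check for the two points raised in the post above, a rootless daemon and a MAC policy in place, evaluated against the SecurityOptions list that `docker info` reports. The function name is mine, and the sample daemon outputs below are constructed; on a real target you would feed it the live `docker info` output as shown in the comment at the end.

```shell
#!/bin/sh
# Added example, not from the thread or the project.
# Assumption: `docker info --format '{{json .SecurityOptions}}'` prints a JSON
# array of strings such as ["name=apparmor","name=seccomp,profile=builtin","name=rootless"].
# The plain (non-JSON) form `{{.SecurityOptions}}` prints the same tokens
# space-separated in brackets; the patterns below match either form.

# check_security_options SECURITY_OPTIONS
#   exit status 0: rootless daemon with AppArmor or SELinux enabled
#   bit 1 (value 1): daemon is not rootless
#   bit 2 (value 2): no MAC (neither AppArmor nor SELinux) reported
check_security_options() {
    opts="$1"
    rc=0
    case "$opts" in
        *name=rootless*) ;;
        *) echo "FAIL: daemon is not rootless (no name=rootless in SecurityOptions)"; rc=1 ;;
    esac
    case "$opts" in
        *name=apparmor*|*name=selinux*) ;;
        *) echo "FAIL: no MAC enabled (neither name=apparmor nor name=selinux)"; rc=$((rc + 2)) ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: rootless daemon with a MAC policy loaded"
    fi
    return "$rc"
}

# Constructed sample outputs, shaped like what rootful and rootless daemons report.
SAMPLE_ROOTFUL_APPARMOR='["name=apparmor","name=seccomp,profile=builtin","name=cgroupns"]'
SAMPLE_ROOTLESS_APPARMOR='["name=apparmor","name=seccomp,profile=builtin","name=rootless","name=cgroupns"]'
SAMPLE_ROOTLESS_NO_MAC='["name=seccomp,profile=builtin","name=rootless"]'
SAMPLE_NEITHER='[name=seccomp,profile=builtin name=cgroupns]'

# On a real target, check the running daemon instead of a sample:
#   check_security_options "$(docker info --format '{{json .SecurityOptions}}')"
```

The check deliberately looks only at what the daemon itself advertises, so it catches a daemon that was started as root or on a kernel without an LSM even when the rest of the image looks correct. It says nothing about whether the loaded AppArmor or SELinux policy is the right one; that is a separate review of the profile itself.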