Docker, Microsoft serve container turducken: CNAB spec is a container of containers

DevOps can look forward to packaging their distributed apps

Write once, run anywhere. You've perhaps heard that before in the context of Java, Flash, or Xamarin, among other cross-platform technologies. It's been more or less possible for a while, though seldom to everyone's satisfaction. But with the widespread adoption of cloud services and containers, operating across platforms has become more complicated.

Container debutante Docker and anything-but-phones biz Microsoft have a fresh take on the dream, an open source spec for packaging and running distributed applications called a Cloud Native Application Bundle (CNAB).

It sounds a bit like what the Docker software – an open source project for wrapping applications in containers and automating their deployment – is supposed to do.

But, as the rapid rise of Kubernetes demonstrated, those running applications at scale have a more expansive set of concerns – managing clusters of containers, and the distributed applications therein, across diverse infrastructure.

CNAB aims to meet that broader operations goal. It's an attempt to unify the packaging, deployment, and lifecycle management of distributed applications, multiple services, and varied tool chains through the use of a single package format specification. It's one spec to describe them all, based on JSON, Docker containers and OpenPGP.

In a phone interview with The Register, Scott Johnston, chief operating officer of Docker, said, "When Docker came on the scene in 2013, we were solving a problem for a single component application. ...That's what we're solving for in distributed applications. ...A container of containers is how we've referenced it internally."

CNAB combines a bundle definition (bundle.json) to define the app and an invocation image to install the app. The bundle definition looks something like this:

    {
        "schemaVersion": "v1.0.0-WD",
        "name": "helloworld",
        "version": "0.1.2",
        "description": "An example 'thin' helloworld Cloud-Native Application Bundle",
        "maintainers": [
            {
                "name": "Matt Butcher",
                "email": "",
                "url": ""
            }
        ],
        "invocationImages": [
            {
                "imageType": "docker",
                "image": "technosophos/helloworld:0.1.0",
                "digest": "sha256:aaaaaaa..."
            }
        ],
        "images": [
            {
                "image": "technosophos/microservice:1.2.3",
                "description": "my microservice",
                "digest": "sha256:aaaaaaaaaaaa...",
                "uri": "urn:image1uri",
                "refs": [
                    {
                        "path": "image1path",
                        "field": "image.1.field"
                    }
                ]
            }
        ],
        "parameters": {
            "backend_port": {
                "type": "int",
                "defaultValue": 80,
                "minValue": 10,
                "maxValue": 10240,
                "metadata": {
                    "description": "The port that the back-end will listen on"
                }
            }
        },
        "credentials": {
            "kubeconfig": {
                "path": "/home/.kube/config"
            },
            "image_token": {
                "env": "AZ_IMAGE_TOKEN"
            },
            "hostkey": {
                "path": "/etc/hostkey.txt",
                "env": "HOST_KEY"
            }
        }
    }
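One thing a pre-install check over such a bundle can do, shown here as an added Go example that is not the article's, the CNAB spec's or Duffle's code: parse the subset of fields used above, refuse any image that is referenced by a mutable tag rather than a full sha256 digest, and confirm that the default shipped for an int parameter sits inside the minValue/maxValue the bundle itself declares. The struct names, the policy and the two sample bundles (with example.invalid image names and a made-up digest) are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Subset of the bundle.json fields from the article's example; the struct
// names are this example's own, not the spec's or Duffle's.
type Image struct {
	Image  string `json:"image"`
	Digest string `json:"digest"`
}

type Parameter struct {
	Type         string   `json:"type"`
	DefaultValue *float64 `json:"defaultValue,omitempty"`
	MinValue     *float64 `json:"minValue,omitempty"`
	MaxValue     *float64 `json:"maxValue,omitempty"`
}

type Bundle struct {
	Name             string               `json:"name"`
	Version          string               `json:"version"`
	InvocationImages []Image              `json:"invocationImages"`
	Images           []Image              `json:"images"`
	Parameters       map[string]Parameter `json:"parameters"`
}

// ParseBundle decodes a bundle.json document.
func ParseBundle(data []byte) (*Bundle, error) {
	var b Bundle
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("bundle.json: %w", err)
	}
	return &b, nil
}

// A full sha256 digest; a bare tag or a truncated digest does not pin anything.
var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// CheckBundle applies a pre-install policy and returns one finding per
// violation, in deterministic order; an empty slice means the bundle passes.
func CheckBundle(b *Bundle) []string {
	var findings []string
	// Every image must be pinned by digest: a mutable tag can be repointed
	// at the registry after the bundle was signed.
	all := append(append([]Image{}, b.InvocationImages...), b.Images...)
	for _, img := range all {
		if !sha256Digest.MatchString(img.Digest) {
			findings = append(findings, fmt.Sprintf("image %q is not pinned by a full sha256 digest", img.Image))
		}
	}
	// The shipped default must satisfy the bounds the bundle itself declares.
	names := make([]string, 0, len(b.Parameters))
	for n := range b.Parameters {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, name := range names {
		p := b.Parameters[name]
		if p.Type != "int" || p.DefaultValue == nil {
			continue
		}
		if (p.MinValue != nil && *p.DefaultValue < *p.MinValue) ||
			(p.MaxValue != nil && *p.DefaultValue > *p.MaxValue) {
			findings = append(findings, fmt.Sprintf("parameter %q: default %v is outside its declared min/max", name, *p.DefaultValue))
		}
	}
	return findings
}

// Constructed samples, not from the CNAB project: a fully pinned bundle and
// one that trips the checks (tag instead of digest, default below minValue).
const goodBundle = `{"name": "helloworld", "version": "0.1.2",
  "invocationImages": [{"image": "example.invalid/helloworld:0.1.0",
    "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}],
  "images": [],
  "parameters": {"backend_port": {"type": "int", "defaultValue": 80, "minValue": 10, "maxValue": 10240}}}`

const badBundle = `{"name": "helloworld", "version": "0.1.3",
  "invocationImages": [{"image": "example.invalid/helloworld:latest"}],
  "images": [],
  "parameters": {"backend_port": {"type": "int", "defaultValue": 8, "minValue": 10, "maxValue": 10240}}}`

func main() {
	for _, src := range []string{goodBundle, badBundle} {
		b, err := ParseBundle([]byte(src))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %s: %v\n", b.Name, b.Version, CheckBundle(b))
	}
}
```

The digest rule is deliberately strict: the article's own listing abbreviates digests with "...", which is fine for illustration, but a tool that installs from a bundle should only accept a reference it can resolve to exactly one image content.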

"By design, it is cloud agnostic," explains Matt Butcher, a principal engineer at Microsoft, in a blog post.

"It works with everything from Azure to on-prem OpenStack, from Kubernetes to Swarm, and from Ansible to Terraform. It can execute on a workstation, a public cloud, an air-gapped network, or a constrained IoT environment. And it is flexible enough to accommodate an array of platform needs, from customer-facing marketplaces to internal build pipelines."

As Kubernetes co-founder and Microsoft engineer Brendan Burns put it, "Imagine installing a complete distributed application from a USB stick." PC users know that joy, but only in the context of desktop applications. CNAB promises something similar for applications that sprawl across clusters and cloud platforms, with assorted monitoring and deployment tools.

Supported by vendors Bitnami and HashiCorp, plus others Johnston said weren't ready to be named, CNAB provides the ability to manage varied app resources as a single unit; to define and use specific actions for lifecycle management, such as "install" or "uninstall"; and to sign, verify, export and store bundles.

Docker intends to bring CNAB support to its docker-app tool. Its software will let people package CNAB bundles as Docker images, which will allow distribution through Docker Hub and Docker Trusted Registry. The company is also planning to implement CNAB support in its enterprise offering in a few months.

Microsoft meanwhile has built an open source reference implementation of a CNAB client called Duffle, to help developers get started with the spec. It can create bundles, sign them and verify them.

Johnston suggests the industry growth that followed Docker's popularization of containers could repeat itself with CNAB. "If you think what Docker did in 2013 with dependencies and libraries, we think this has the potential to do the same for distributed apps." ®
