Skip to content
Open Source Blog

Last year at Microsoft Connect and DockerCon we announced the Cloud Native Application Bundle (CNAB) specification in partnership with Docker, HashiCorp, and Bitnami. Since then the CNAB community has grown to include Pivotal, Intel, Datadog, and others, and we are all extremely pleased to announce that the CNAB core 1.0 specification has reached Final Draft status.

But there’s more. In addition, now that the core specification has reached 1.0, we are even more pleased to announce the official formation of the Cloud Native Application Bundles project under the Joint Development Foundation (JDF). Microsoft is proud to work with its partners and friends in the open source community to improve software development and operations for everyone.

In honor of the milestone, at HashiConf we’re reintroducing Porter, our opinionated CNAB development and deployment tool, along with Terraform and Kubernetes mixins. With these new mixins and Porter, you can use Terraform with any number of other deployment tools, including scripts, to bundle up and use a complex distributed application.

CNAB Core specification reaches 1.0

Along with our partners Docker, Pivotal, Datadog, and Intel – and those who started the journey with us early, contributors from Bitnami, IBM, and HashiCorp – we couldn’t be more pleased to announce that the Cloud Native Application Bundle (CNAB) Core 1.0 specification has reached Final Draft status.

Last year, Microsoft, Docker, Bitnami, HashiCorp, and others announced the CNAB specification, a format for describing not only the artifacts that a cloud-native distributed application needs to install and run, but also how to install, upgrade, and delete the application as a whole. (For a quick overview of the CNAB Core spec, see The State of CNAB: Part 1 – CNAB Core.)

With the Final Draft of the Core spec, we expect to see broader adoption and a large number of CNAB tools. Questions about CNAB and how it can be used have increased as we have gotten closer to 1.0. CNAB is being seen as a strong solution for a series of scenarios for which there is not a broad-based, open source solution.

This milestone is made up of individual steps and lots of hard work, and I’d like to celebrate each contributor, each commit, and each meeting. It’s been a long road, and 28 individual contributors brought us to this milestone.

Infrastructure advances aren’t pretty; but they are critical. They make other, flashier things even faster, with yet more features that seem “easy.” We wanted to create the very same magic that Docker did when you created and ran a container for the first time. CNAB does this. CNAB describes how to take an entire distributed application and make it a Docker image – something you know how to create, push to a registry, pull, and run. That means that you can store, share, and operate entire distributed applications just like you can with individual binaries and services.

What comes next 

Now that the CNAB Core 1.0 specification is in Final Draft status, we are going to focus on the tooling ecosystem and finish off the remaining specifications. There is so much to do with all the tools, including ensuring that both Duffle – the reference implementation of the spec – and all other CNAB tools become Core 1.0 compliant. That’s a lot of great tools, each of which can either create or install and manage bundles – multiservice apps in a container – created by the others.

  • Duffle (https://duffle.sh) is the reference implementation of the specification, and its goal is to exercise all parts of the specification. You can use it to build, install, and manage bundles, as well as export bundles in thick format for distributing in air-gapped environments. Or steal the code for your stuff.
  • Porter (https://porter.sh) is Microsoft’s CNAB builder that gives you building blocks to create a cloud installer for your application, handling all the necessary infrastructure and configuration setup. It is a declarative authoring experience that lets you focus on what you know best: your application.
  • Docker App (https://blog.docker.com/2018/12/docker-app-and-cnab/) is an opinionated CNAB builder and installer that leverages the Docker Compose format to define your applications. To facilitate developer to operator handover, you can add metadata and runtime parameters. These applications can easily be shared using existing container registries. Docker App is available as part of the latest Docker release.
  • The Pivotal Build Service (alpha), a declarative way to build an OCI-compatible container image from source code that uses CNAB to deploy the service on Kubernetes clusters. In fact, Pivotal has a great description of how to think about CNAB and their use of it at Cloud Native Application Bundles: A Simple Way to Install Software on Kubernetes (or Any Other Runtime).
  • VS Code Porter extension and graphical installer for bundles – graphical user interfaces for interacting with CNAB bundles.

Each of these tools can create or install bundles built by the other tools once they are all CNAB Core 1.0 compliant. But there’s more to do: finish the other specifications that are critical for more than merely application sharing and management.

CNAB Registry and Security specifications 

The CNAB specification has its own work to complete. The CNAB Core spec is just the first specification. Work continues apace on the CNAB Registry specification (The State of CNAB: Part 2 – CNAB Registries), which describes how bundles can be stored in remote locations and exported reliably to operate in other environments, including offline (or “air-gapped”) environments. The CNAB Security specification (https://github.com/deislabs/cnab-spec/blob/master/300-CNAB-security.md) describes how to use two open source standards, The Update Framework (TUF) and in toto, to build compromise-resilient OCI registries.

This means that even if the infrastructure is compromised anywhere between developers and end-users, attackers should not be able to cause end-users to install malicious versions of images or bundles that were not released by developers. Indeed, Datadog is already using both technologies to protect users of its Agent integrations.

Both specifications enable critical features of which all tools can take advantage. Bundles can be stored in public or private OCI registries, just like any other Docker container. And, whether in a connected or disconnected environment, bundles can be validated both for identity and for the proper steps in an entire supply chain.

To most developers, being able to pull a distributed application from a registry, verify its authenticity and integrity even if it had been pulled from an untrusted registry, and then install it without knowing about the internal stack at all, is tremendously powerful and useful stuff. To most users who work with risk glaring over their shoulders, the ability to verify signatures and even entire software supply chains is like a warm wind in early summer. Just what the doctor ordered.

CNAB project created in the Joint Development Foundation 

Community collaboration is liberating in many ways, but it remains so only when individualare assured that their voices are heard and their contributions respected – and large organizations are certain that they have precisely the same stake in the projects as anyone else. To cement these objectives for the CNAB community, today founding members Docker, Pivotal, Datadog, Intel, and Microsoft are announcing that they have created the Cloud Native Application Bundles project of the Joint Development Foundation (JDF), the standards wing of the Linux Foundation. This is our collective commitment to all contributors that they can have legal and personal confidence that the governance serves the community interest and the code of conduct supports the engaged contributions of everyone.

The Joint Development Foundation enabled us all to do precisely this. The JDF provides the corporate and legal infrastructure to enable groups to quickly establish and operate lightweight collaborations to develop technical specifications, standards, and source code. Matt Butcher of Microsoft and Chris Crone of Docker have accepted the responsibility of being the two initial Executive Directors of the CNAB Project, and each working group has founding members as well. We thank them all for their time, energy, and talent.

There are two initial working groups:

  • The CNAB specification working group, responsible for creating and approving the specifications.
  • The Reference Implementation working group, which continues the work on Duffle to exercise all aspects of the specifications.

To follow along, see pull requests to the CNAB Security specification and join in with the community.

Terraform, Porter, and CNAB 

Porter is the opinionated, open source bundle builder and deployment tool from Microsoft. Porter not only installs, upgrades, and uninstalls CNAB bundles, but also makes it possible to create bundles from resources and tools you may already have in a declarative format. Using the much beloved YAML (with help from Visual Studio Code and IntelliSense), you can describe what steps, and from which types of components, the installation, upgrade, or uninstallation must take.

HashiCorp’s Terraform is a deployment tool that we both use and help customers with; it’s a great, solid open source tool from a great company. With HashiConf here, we thought it would be a great opportunity to demonstrate not only how you can use Porter’s Terraform mixin to make a CNAB bundle, but also combine Terraform with other out-of-band processes to create a seamless installation of a complex application that anyone can install – even if they don’t know Terraform – and anyone can share, because it can be pushed and pulled to and from OCI registries.

If you want to explore the experience at HashiConf, be sure to see Lachie Evenson and Rita Zhang’s talk, Tooling for the Modern Cloud Native Application Stack. If you’re really interested, you can build it and run for yourself at https://github.com/jeremyrickard/do-porter. Have a Digital Ocean account and follow along with the README. Because CNAB works with whatever you do.

From there, you’re on your way!

Questions or feedback? Let us know in the comments below.