CNAB: Docker and Microsoft's Cloud Native Application Bundle

Wouldn't it be nice if there was a packaging system for cloud native applications? Docker and Microsoft thought so, as they've created one: Cloud Native Application Bundle.

Installing cloud-native applications can be tricky. The technology is still new enough that finding a cloud-native savvy developer or system administrator can be harder than finding hen's teeth. So Docker and Microsoft decided to make it easier for everyone with the Cloud Native Application Bundle (CNAB).

What does that mean for you? Brendan Burns, Microsoft software engineer and Kubernetes co-founder, tweeted: "Imagine installing a complete distributed application from a USB stick." Ultimately, that's exactly what CNAB will mean to you.

In partnership with Bitnami, HashiCorp, and others, CNAB is an open-source package format specification. The CNAB format is meant to deal with cloud-native packaging, installing, and managing distributed applications. It's built on top of JSON, Docker containers, and OpenPGP.

As Matt Butcher, Microsoft's principal engineer on the open-source Kubernetes Helm project, pointed out, "With CNAB, you can manage distributed applications using a single installable file, reliably provision application resources in different environments, and easily manage the application lifecycle without having to use multiple toolsets."

Or, as Gareth Rushgrove of Docker put it, "Today's cloud-native applications typically use different technologies, each with their own toolchain. Maybe you're using ARM templates and Helm charts, or CloudFormation and Compose, or Terraform and Ansible. There is no single solution in the market for defining and packaging these multi-service, multi-format distributed applications." Until now.

CNAB isn't just tool-chain agnostic. CNAB will work with any cloud. Butcher added, "By design, it is cloud agnostic. It works with everything from Azure to on-prem OpenStack, from Kubernetes to Swarm, and from Ansible to Terraform. It can execute on a workstation, a public cloud, an air-gapped network, or a constrained IoT environment."

Specifically, Microsoft stated it brings the following new features to cloud-native computing:

  • Manage discrete resources as a single logical unit that comprises an app.
  • Use and define operational verbs for lifecycle management of an app (install, upgrade, uninstall).
  • Sign and digitally verify a bundle, even when the underlying technology doesn't natively support it.
  • Attest (or attach a signature to any moment in the life cycle of that bundle) and digitally verify that the bundle has achieved that state to control how the bundle can be used.
  • Enable the export of the bundle and all dependencies to reliably reproduce in another environment, including offline environments (IoT edge, air-gapped environments).
  • Store bundles in repositories for remote installation.

That all sounds great, but CNAB is still a work in progress. Both Microsoft and Docker are strongly encouraging others to join them in making it a working, production-level specification.


In the meantime, Microsoft has released Duffle. This is an open-source CNAB client reference implementation. With it you can install, upgrade, and uninstall CNAB bundles. You can also use it to create new bundles, cryptographically sign them with PGP, and verify their integrity.

Docker has also released a new tool, Docker app, and with it, you can get your feet wet using Docker technology with CNAB.

If you have any plans on working with cloud-native computing -- and you should -- you should work with both. The future of cloud-native computing may well lie with CNAB.
