Create your cloud code installer with CNAB and Duffle

When you build code, you need to deliver it in a way it installs and runs with as little friction as possible. That’s easy in the traditional application world, where you can target an installer at the end of a build, delivering your code to repositories, stores, and system and service management platforms. But things are harder in the cloud, especially when you’re building distributed systems that rely on cloud-hosted orchestration platforms, running on Kubernetes, or deploying in a service mesh.

Tools like Terraform and Helm help with deployments that deliver to Kubernetes, Azure’s ARM templates handle building resource groups, and Dockerfiles are used to construct containers from libraries of images. What’s needed is a single tool that can bring all these elements together, describing an entire distributed application and then using that description to handle deployment to any cloud.

Introducing CNAB

Microsoft and Docker have been collaborating on a specification that handles both service description and deployment for container-based applications. The Cloud Native Application Bundle (CNAB) is a way of bundling the components needed to deliver an application, along with details of how the application should be installed.

One key aspect of CNAB is that it’s cloud-agnostic; there’s no requirement for it to work with a specific cloud platform. There’s also no requirement for it to target any specific orchestration layer. All that matters is that it uses containers, so your code can be delivered to on-premises systems running on IaaS or to cloud platforms. CNAB bundles can be thick, containing all the files needed to deploy and run your application, or they can be thin, with only a definition of the files and images that need to be deployed, along with locations for image repositories.

Both types of bundle have their place. If you’re treating CNAB like a traditional desktop installer for systems running on the edge of a network where connectivity may be an issue, you’re likely to want to use a thick bundle. If, however, you’re deploying onto Azure or Amazon Web Services, with high-bandwidth connections to your image repositories, a thin bundle will work well. Either way, bundles can be signed, ensuring that only trusted images are used to deploy an application.

At the heart of a CNAB bundle is the invocation image, a container that hosts the commands used to run the install, setting up of orchestrators, deploying images, and connecting to cloud resources. You can also use it to host applications needed to deploy your code; for example, a copy of Helm to handle any charts in your bundle. CNAB defines the directory structure of the invocation image, with sections for charts and for service-mesh definitions.

Duffle: a CNAB reference implementation

With a new deployment specification, it helps to have a reference implementation. For CNAB, that’s Duffle, a command-line installer for CNAB bundles. Written in Go, Duffle gives you a tool to both build CNAB bundles and install applications from a bundle. A CNAB bundle needs to contain what’s called an invocation image, which hosts a run file of instructions for installing an application. This file can be written in your choice of language, though most of the examples in the CNAB documentation are written in standard Unix shell scripting languages. You take the run file and copy it into a Dockerfile for the invocation image, ready for use by Duffle.

Duffle’s build command takes the files in its directories and constructs a signed JSON file, using PGP to add a cryptographic signature to the CNAB content. This contains a pointer to the invocation image used to install your application.

Once a bundle has been built, it can be delivered to a target system and Duffle run again to handle installation. CNAB doesn’t only define installation details, it can also describe updates and uninstalls, so you can use Duffle to handle these as well. One useful aspect of CNAB is the option to run a status check on an install, letting you check if it installed correctly.

The Duffle team has put together a library of different CNAB bundles, so you can see how to go about constructing your own, more complex installations. These include a bundle that uses Terraform to set up an IaaS install with a VM on Azure, configuring not only the VM but also its networking and an Azure storage account. Similarly, there’s a bundle that uses Ansible to handle the same process. Another sample bundle uses Azure ARM templates to create a container running in an Azure Container Instance, and another sample builds a Kubernetes cluster on the Azure Kubernetes Service, deploying code via Helm and setting up role-based access controls for the Kubernetes cluster it’s deployed.

Building CNAB bundles with Duffle

Building CNAB bundles requires some scripting knowledge, like most modern devops tools—it’s automating installations in code. A Visual Studio Code extension helps construct bundles, using Duffle with support for shared code snippets and predefined templates. It’s designed to use Duffle definitions to build CNAB bundles, and it can work with local repositories to modify existing bundles. One of its more useful features is a set of tools to add appropriate credentials to Duffle installers, so you can use them to deploy apps to your public cloud instances.

Microsoft has also put together a proof-of-concept GUI for Duffle-based installers. Duffle-bag extends the CNAB model by adding text files to a bundle, using HTML for formatting. These can contain descriptions of the code that’s being installed, as well as success or failure messages in addition to those that are generated by the underlying Duffle process. It’s a simple Electron-based wrapper for Duffle, and because it’s available through GitHub, it should be easy for package vendors to customize.

By delivering a standard installer for cloud-hosted distributed applications, Microsoft and Docker are doing more than making it easy for developers to deploy their own code: They’re providing a mechanism that vendors can use to deliver their own apps, giving cloud and containers a new economic model. Using CNAB and Duffle, signed installers can be sold through cloud marketplaces that assemble complex cloud architectures in much the same way as preconfigured VMs have delivered software to virtual infrastructures.

James Governor, one of the founders of analyst firm RedMonk, describes 2018 as the year Kubernetes won. While his comment may well have been an off-the-cuff tweet, there’s a certain truth at its core. If Kubernetes is the winner of the cloud infrastructure wars, then CNAB may well be how the open distributed cloud seals its victory by co-opting the commercial software industry.