Introducing CNAB: a cloud-agnostic format for packaging and running distributed applications

“The day of the distributed app is near.” That is the mantra we’ve been repeating for years. But with robust cloud offerings, the microservice pattern, orchestration platforms like Kubernetes, and the REST-ification of everything, we’re already there. It is the day of the distributed application. Almost. We’ve gotten the “distributed” thing down, but in doing so, we may have neglected the “application” part. And that’s where CNAB – Cloud Native Application Bundles – comes in.

When we talk about distributed applications, we are referring to an architecture for building applications using the rich array of cloud services and/or on-premises resources at our disposal. But distributed applications introduce a layer of complexity, using numerous resources, tracking different versions, and managing multiple environments. If we want to treat a distributed application as a single app, there are three distinct pain points we need to address:

1. We need to be able to describe our application as a single artifact, even when it is composed of a variety of cloud technologies;
2. We must be able to provision our applications without having to master dozens of tools; and
3. We need to manage lifecycle (particularly installation, upgrade, and deletion) of our applications.

We partnered with Docker to solve these problems for ISVs and enterprises. And today we are excited to announce CNAB: Cloud Native Application Bundles, a new open source package format specification created in close partnership with Docker and broadly supported by HashiCorp, Bitnami and more. With CNAB, you can manage distributed applications using a single installable file, reliably provision application resources in different environments, and easily manage the application lifecycle without having to use multiple toolsets.

CNAB relies on a handful of technologies you are already familiar with – JSON, Docker containers, and OpenPGP – and describes a format for packaging, installing, and managing distributed applications. By design, it is cloud agnostic. It works with everything from Azure to on-prem OpenStack, from Kubernetes to Swarm, and from Ansible to Terraform. It can execute on a workstation, a public cloud, an air-gapped network, or a constrained IoT environment. And it is flexible enough to accommodate an array of platform needs, from customer-facing marketplaces to internal build pipelines.

Broadly, CNAB brings several features that aren’t currently in the ecosystem:

• Manage discrete resources as a single logical unit that comprises an app.
• Use and define operational verbs for lifecycle management of an app (install, upgrade, uninstall).
• Sign and digitally verify a bundle, even when the underlying technology doesn’t natively support it.
• Attest (or attach a signature to any moment in the lifecycle of that bundle) and digitally verify that the bundle has achieved that state to control how the bundle can be used.
• Enable the export of the bundle and all dependencies to reliably reproduce in another environment, including offline environments (IoT edge, air-gapped environments).
• Store bundles in repositories for remote installation.

While CNAB is a specification, we wanted to simultaneously demonstrate how it works by providing tools to get you started. We’re excited to announce Duffle – an open source reference implementation of a CNAB client. Duffle provides all the core capabilities for working with CNAB. It can install, upgrade, and uninstall CNAB bundles. It can create new bundles, cryptographically sign them, and verify their integrity. And as a reference implementation, it provides an example of how you can build CNAB-based solutions.

To ease the process of building and hosting CNAB bundles, we’re also releasing a VS Code extension. And to top it all off, we’ve written a graphical installer that can turn a bundle installation into a simple point-and-click experience!

With this combination of specification and tooling, we’re optimistic that you can get started with CNAB today. Whether you’re focused on running your own apps for your own cloud platform, writing applications for air-gapped networks, or planning to distribute your application to a wide variety of cloud environments, CNAB is a packaging format that can help.

To drive CNAB forward in the industry, our ecosystem of partners – Docker, HashiCorp, and Bitnami – are going to offer standardized content (CNAB bundles) that customers would be able to host or download from a CNAB compliant destination such as DockerHub, GitHub, etc.

We would love to have you be part of this journey! Take a look at the specification (https://cnab.io) to learn in depth, or get started quickly with Duffle (https://duffle.sh)

And if you are in the Seattle area on December 10, join us for a hands-on workshop with Docker. You can learn more and register here.

Matt Butcher

Principal Software Engineer

See more articles from this author