Recently I had the opportunity to attend DockerCon 2017 in Austin, TX. Though Docker just celebrated its fourth birthday, its adoption has spread like wildfire throughout the software industry and to all kinds of applications. With 5000 attendees and over fifty talks, the sheer size of this year’s conference is a reflection of Docker’s popularity.
Over the past year and a half, Docker has evolved from merely a container runtime to an entire platform centered around containers. In 2016, the Docker platform added tools to provision infrastructure (InfraKit and Docker for AWS/GCP) as well as tools for container orchestration (SwarmKit). At this year’s conference, Docker announced two new projects to help round out the platform: LinuxKit and Moby.
LinuxKit is a toolkit that can be used to build lightweight Linux images dedicated to running containers. The project came out of Docker for Mac & Windows, where a Linux virtual machine is required to run Linux containers. LinuxKit is more of an advanced tool and won’t be all that useful for the average Docker user. But it will make it much easier for those who have specific requirements for their container host or who need to test applications against a particular version of the Linux kernel.
The Moby Project was the other big announcement at DockerCon this year. Moby sparked some confusion, as it is not really a new tool, but rather a restructuring, rebranding, and revised vision of what was previously known as the core Docker software. As Docker has evolved, the scope has grown beyond containers to things like networking and orchestration. At the same time, the new components have been factored out into separate projects like runC, containerd, libnetwork, and SwarmKit. Moby is the unifier of these components and others. It’s a framework for managing the infrastructure, containers, networking, orchestration, and whatever other components are needed to build a “container system”.
The Enterprise is big. Docker CEO Ben Golub touted Docker’s scalability and widespread use across applications such as healthcare, genomics, and “keeping planes in the air”. Golub said that Docker Inc. now has about 400 enterprise-level customers, including Visa, MetLife, and Intuit. Docker’s focus on the enterprise has pros and cons for non-enterprise users. Large corporate customers usually demand scalability, stability, and security, which are all positives. Widespread adoption also means a large community, often making it easier to find solutions to problems. On the other hand, it seems that Docker is single-handedly trying to build the container ecosystem. While many backend components are modular, Docker (or now, Moby) has grown large and somewhat monolithic from a user perspective. Though some components (networking and volumes) support plugins, vendor lock-in and dependence on Docker Inc. tools seem like a possible danger. Hopefully Docker Inc. will be more open to collaborating with other container projects like rkt and Kubernetes in the future.
Security is in focus. Many Docker components now offer good security by default, which is a very positive thing. SwarmKit automatically manages TLS certificates and application secrets. Containers can be secured in a fine-grained manner using cgroups, capabilities, and seccomp. Ecosystem tools like Cilium offer secure networking. As more applications move to containers, including payments and banking, security will only become more important, so it’s wonderful to see Docker continuing to move in this direction.
The evolution of Docker and the container ecosystem provides many exciting possibilities for us at Appsembler. Appsembler Virtual Labs relies heavily on Docker containers to provide students with hands-on learning experiences. Here, security is vital since users have the ability to run code in their containerized environment. We also plan to take advantage of recent improvements in orchestration and networking. In all, it’s a very exciting time to be involved in the movement towards containerization.
Talks to watch
These are my three favorite talks from the conference. Be warned, these are from the Deep Dive and Black Belt tracks, so they may require some advanced knowledge of Docker and Linux 🙂
- Cilium: Network and Application Security with BPF and XDP — Thomas Graf discusses Cilium, a tool based on BPF that provides fine-grained network security controls at the HTTP level.
- What Have Namespaces Done for You Lately? — Liz Rice implements a basic container runtime in ~50 lines of Go. A great talk if you’re interested in namespaces and container internals.
- Container Performance Analysis — Brendan Gregg talks about his favorite tools for profiling and diagnosing containerized applications.