An Insight into
Docker for Mac and
Docker for Windows
Ben Bonnefoy @FrenchBen
Member of Technical Staff
Transforming the Development Landscape
DOCKER TOOLBOX
All the Linux tools collected in one installer:
• Bundle includes a full VirtualBox installation
• Boot2Docker Virtual Machine
• The Kitematic UI controlled these pieces.
A relatively loose collection of components:
• Installation and lack of integrated updates caused numerous user
issues.
• Performance not ideal due to the layering, especially for file sharing.
• Yet most Docker users use a Mac or Windows host as their
development environment.
Docker for Mac
Aiming for a native OSX experience that works with existing developer workflows.
● Easy drag and drop installation, and auto-updates to get latest Docker.
● Secure, sandboxed virtualisation architecture without elevated privileges.
● Native networking support, with VPN and network sharing compatibility.
● File sharing between container and host: uid mapping, inotify events, etc.
What’s under the hood?
The core building blocks of Docker for Mac
● Virtualization
● Networking
● Filesystem
Virtualization
● Use the new HyperKit framework, which is in turn based on
xhyve and FreeBSD's bhyve (xhyve is bhyve ported to the
macOS Hypervisor.framework, which is what lets it run
without root)
● Sandbox friendly: processes largely run as non-root, with
the privileges of the local user
● Embeds Linux: an embedded lightweight Alpine Linux
distribution optimised for fast boot and stateless operation
for containers.
● Drag 'n drop installation: Docker.app is self-contained,
installs symlinks from the app bundle into /usr/local, and
autoupdates - Docker from the terminal just works!
Virtualization Benefits
● Performance: The CPU performance of a Linux container is largely
the same as when running the same compute on the Mac, since
we use the hardware CPU virtualisation extensions.
● Battery life: Some battery life hit from running containers in a VM
rather than as native Mac OS X processes, but not adverse for normal use.
● Disk usage: The app manages disk usage via a qcow2 file in its
data directory. This is a sparse file that is allocated on demand, up
to a (current) maximum of 64GB of disk space. Can be excluded
from Time Machine backups.
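The qcow2 image is sparse, so the size shown by ls -l (the apparent size, up to the 64GB ceiling) can be far above the blocks it really occupies. The script below is an added example, not code from the slides or from Docker: it reports apparent versus allocated bytes for any file you point it at and, on macOS, adds a Time Machine exclusion with tmutil addexclusion (a real macOS command). The image path is not given on the slide, so it is passed as an argument; the 64 MiB sparse file the offline run creates is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: compare the apparent size of a disk image
# with the space it really occupies, and optionally exclude it from Time Machine.
# Works with GNU stat (Linux) and BSD stat (macOS).

# Apparent size in bytes (what "ls -l" shows).
apparent_bytes() {
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

# Bytes actually allocated on disk: both stat flavours report 512-byte blocks.
allocated_bytes() {
    blocks=$(stat -c %b "$1" 2>/dev/null || stat -f %b "$1")
    echo $((blocks * 512))
}

# One-line report: path, apparent bytes, allocated bytes, percent allocated.
sparse_report() {
    a=$(apparent_bytes "$1")
    u=$(allocated_bytes "$1")
    if [ "$a" -gt 0 ]; then pct=$((u * 100 / a)); else pct=0; fi
    printf '%s apparent=%s allocated=%s (%s%% used)\n' "$1" "$a" "$u" "$pct"
}

# Exclude a file from Time Machine; no-op where tmutil is not available.
exclude_from_time_machine() {
    if command -v tmutil >/dev/null 2>&1; then
        tmutil addexclusion "$1"
    fi
}

# Create a sparse file of SIZE bytes at PATH: the file is one hole, so its
# apparent size is SIZE while (almost) no blocks are allocated.
make_sparse_file() {
    if command -v truncate >/dev/null 2>&1; then
        truncate -s "$2" "$1"
    else
        dd if=/dev/null of="$1" bs=1 seek="$2" 2>/dev/null
    fi
}

# Offline demo with a constructed 64 MiB sparse file.
demo_sparse_file() {
    f=$(mktemp)
    make_sparse_file "$f" 67108864
    sparse_report "$f"
    rm -f "$f"
}

# Usage: ./disk_image_report.sh /path/to/your/docker/disk.qcow2
if [ -n "${1:-}" ]; then
    sparse_report "$1"
    exclude_from_time_machine "$1"
else
    demo_sparse_file
fi
```

Run it against the qcow2 in the app's data directory to see how much of the 64GB budget is really in use; the "allocated" figure is what Time Machine would otherwise copy on every backup.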
Notworking Networking
● Want to hide the gory details of virtualisation from the user. The
Linux VM should be "invisible".
● Not solving this leads to many user complaints:
• VPN software and corporate installations do not like bridged
virtual machines or custom routing. Result: container traffic
cannot connect to Internet.
• Services cannot be exposed on localhost or the external
interface and are instead on the Linux VM IP address.
Result: breaks common web OAuth workflows, whose registered
redirect URIs point at localhost.
Notworking Networking
● Challenge: Deal with custom VPN software on the host that makes
it difficult to bridge.
● Solution: VPNKit, a user-space network stack that reconstructs
container traffic into separate TCP/IP flows and re-originates
them as native OSX/Windows sockets.
● Benefits:
• All network traffic is generated from normal socket calls (e.g.
gethostbyaddr) on the Mac, so it interacts well with firewalls,
VPNs, and any local security policies.
Notworking Networking
● Challenge: Services publishing ports should be exposed on
localhost without needing VM info.
● Solution: VPNKit forwards container port requests to an OSX
service which binds them natively on its external interface.
● Benefits:
• docker run -P on the Mac now works without requiring any
knowledge of the VM innards.
• External OAuth workflows operate with web apps.
● Caveat: a port published without a host address (-p 8080:80) is
bound on all host interfaces, so it is reachable from the local
network; use -p 127.0.0.1:8080:80 to keep it on loopback.
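Because the host-side service binds published ports on the external interface, it is worth auditing which containers are listening on a wildcard address. The shell script below is an added example, not code from the slides or from Docker: it reads docker ps output in the real {{.Names}}/{{.Ports}} format template and lists every published port bound to 0.0.0.0 or ::. The three container names and their port lines are a constructed sample so the script runs offline; --live runs it against the daemon.

```shell
#!/bin/sh
# Added example, not from the slides: list published ports that Docker for Mac
# has bound on every host interface (0.0.0.0 / ::) instead of loopback only.
# Input lines look like the output of:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# e.g. "web<TAB>0.0.0.0:8080->80/tcp, :::8080->80/tcp"

# Print "<container> <binding>" for each binding on a wildcard address.
# Container-only ports with no host binding (e.g. "6379/tcp") are ignored,
# as are ports bound to a specific address such as 127.0.0.1.
flag_exposed_bindings() {
    awk -F '\t' '
    NF >= 2 {
        n = split($2, binding, ", *")
        for (i = 1; i <= n; i++)
            if (binding[i] ~ /^(0\.0\.0\.0|::):/)
                print $1, binding[i]
    }'
}

# Constructed sample of "docker ps" output for an offline run (three
# hypothetical containers; only "web" publishes on a wildcard address).
SAMPLE_PS="$(printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\ndb\t127.0.0.1:5432->5432/tcp\ncache\t6379/tcp')"

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_exposed_bindings
}

# Run the audit against the live daemon (requires Docker to be running).
audit_live() {
    docker ps --format '{{.Names}}\t{{.Ports}}' | flag_exposed_bindings
}

# Default to the sample so the script runs anywhere; pass --live for real data.
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

Anything the script prints is reachable from whatever network the Mac is on, VPN included; re-run the container with an explicit 127.0.0.1 host address if that was not intended.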
Filesystem Sharing
● Challenge: Share arbitrary OSX directory tree into Linux container
without requiring extensive modification of either side.
● Solution: osxfs, built with DataKit: a FUSE (Filesystem in
Userspace) forwarding layer that translates Linux filesystem
calls into their OSX equivalents.
Filesystem Sharing
● Challenge: Need filesystem activation so events on the Mac
wake up container servers and vice-versa.
● Solution: osxfs uses FSEvents API and injects inotify
activation events into container.
Filesystem Sharing
● New osxfs engine that bind mounts OSX filesystem trees into Docker
containers.
● Daemon that listens bidirectionally on shared volumes and translates
between OSX and Linux. Includes notifications, via FSEvents on Mac and
inotify on Linux.
● Runs as the local user, so it cannot access system files on the OSX
host (it has no more access than the user does). Planning to further
restrict host access in future.
● Every requesting process is treated as owner and group member of
every bind-mounted file, whatever its uid/gid. User/group changes
(chown/chgrp) are persisted but permission checks do not
discriminate on them, so ownership inside the container is not an
access control boundary on shared volumes.
Bonus
Why yes, there is more
Multi-CPU architectures
$ docker run resin/armv7hf-debian uname -a
Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux
$ docker run justincormack/ppc64le-debian uname -a
Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
Summary of Open Source components
● HyperKit ™: A lightweight virtualization toolkit on OSX
https://github.com/docker/hyperkit
● VPNKit ™: A library toolkit for embedding virtual
networking
https://github.com/docker/vpnkit
● DataKit ™: A modern pipeline framework for distributed
components
https://github.com/docker/datakit
Docker for Mac / Windows are GA
and include Docker 1.12
https://www.docker.com/products/docker
Support:
https://github.com/docker/for-mac
https://github.com/docker/for-win
@FrenchBen
THANK YOU
