Engine recent history
Activity since last DockerCon
2,162 pull requests
… from 438 contributors
… we closed 420 😕 (sorry!)
… we merged 1,615 😇 (80%)
(+) 311,780 lines of code added
(-) 163,350 lines of code removed
Releases since last DockerCon
2015-06-16 - Docker Engine 1.7
ZFS support
Experimental plugins
Experimental multihost networking
2015-06-22 - Open Container Initiative
Runtime (libcontainer) donated to the Linux Foundation
2015-08-11 - Docker Engine 1.8
Docker Content Trust
Docker daemon subcommand
Many, many, many bugfixes
Docker Engine 1.9.0
Builder improvements
Build time arguments
New ARG Dockerfile instruction
Builtin support for HTTP_PROXY at build
Custom stop signal
New STOPSIGNAL Dockerfile instruction
Configure which signal should terminate the entrypoint
Networking
Multihost networking is out of experimental
Out of the box overlay networking
New docker network command
Manage networks as a top-level object
Extensibility through plugins
Already 6 implementations done or under development
Volume management
New docker volume command
Manage volumes as a top-level object
Extensibility through plugins
Already several implementations (e.g., Flocker)
See github.com/calavera/dkvolume for Go bootstrapping
Experimental: user namespaces
GID/UID remap
Root in the container != root on the host
Key feature for multi-tenancy
Doesn’t come without drawbacks!
Storage dir is scoped by gid/uid
No more --net=container or --net=host
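What "GID/UID remap" means at the kernel level, as an added example that is not from the original slides: it parses the `/proc/<pid>/uid_map` format (ID inside the namespace, ID on the host, range length) and checks whether container root still translates to host root. Both sample maps are constructed, and the host range starting at 100000 is an assumed value.

```python
"""Added example: parse the kernel's uid_map / gid_map format and translate IDs.

Each line reads "<first ID inside ns> <first ID on host> <length>".
"""

# Constructed sample of /proc/<pid>/uid_map for a remapped container.
# The host range starting at 100000 is an assumed value.
REMAPPED = "         0     100000      65536\n"
# Constructed sample: the identity map seen when no remapping is in effect.
IDENTITY = "         0          0 4294967295\n"


def parse_id_map(text):
    """Return a list of (inside_start, host_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, host, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        ranges.append((inside, host, length))
    return ranges


def to_host_id(ranges, container_id):
    """Translate an ID inside the namespace to its host ID, or None if unmapped."""
    for inside, host, length in ranges:
        if inside <= container_id < inside + length:
            return host + (container_id - inside)
    return None


def root_is_remapped(ranges):
    """True when container root (ID 0) does not translate to host ID 0."""
    return to_host_id(ranges, 0) != 0


if __name__ == "__main__":
    for name, sample in (("remapped", REMAPPED), ("identity", IDENTITY)):
        ranges = parse_id_map(sample)
        print(name, "container uid 0 -> host uid", to_host_id(ranges, 0),
              "| root remapped:", root_is_remapped(ranges))
```
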
What’s next?
Distribution rework
Motivations
Ease maintenance
Fix long-running structural issues
New manifest format
Enable multi-architecture images (“fat manifests”)
Few user-visible changes
Layers != image
Images identified by sha256sum(manifest)
More platforms
Official ARM support
Currently being worked on (thanks Hypriot!)
Windows Server 2016
Tech preview 3 was released in August 2015
IBM Power Systems, IBM z Systems, Solaris, …
Security
Default Docker Content Trust
Released in 1.8.0, currently opt-in
Seccomp
Syscall filtering
Stable user namespaces
Help us by testing in experimental
API authorization / authentication
Currently working on a proposal from Twistlock
Split, split, split!
Ongoing effort to decouple pieces of the Engine
Motivations
Ease maintenance
Get more dedication to subsystems (e.g., builder)
Options! (e.g., remove/wrap pieces, drop privileges, …)
Split runtime
RunC, standalone containers supervision
Split builder
Allow building client-side
Converge, converge, converge!
Studying convergence of Swarm and Engine
Motivations
A lot of technical overlap
Engine as a degenerate single-node cluster
First hints in 1.9.0
Engine node discovery (--cluster-advertise)