DCEU 18: State of the Docker Engine
1 like1,199 views
The document outlines the state of the Docker engine, highlighting its architecture, features in Docker Engine 18.09, and differences between community and enterprise versions. It details new functionalities, such as build improvements, Kubernetes support, and Docker on Windows. The document also specifies support timelines and compliance standards, particularly for enterprise users.
DCEU 18: State of the Docker Engine
- 1. Manik Taneja Sr Product Manager, Docker @manikt State of the Docker Engine
- 2. Docker Engine: Fueling the container revolution 8M+ Monthly Active Docker Engines 74B+ Docker Image Downloads from Docker Hub
- 3. Agenda ● Docker Engine Architecture ○ Containerd overview ● Features in Docker Engine 18.09 ● Differences between Docker Engine - Community and Enterprise ● Docker Enterprise only features ○ Docker on Windows ● Future
- 5. Docker Engine Architecture Docker Engine - Enterprise Docker Engine - Community containerd runc Certified Plugins, ISVs Signature Verification FIPS 140-2 Support SLA Plugins Storage Networking Docker Compose dockerd Docker CLI/API Storage mgmt libnetwork BuildKitSwarmKit Docker Content Trust Image mgmt Logs Mgmt
- 6. Docker Engine Architecture Docker Engine - Enterprise Docker Engine - Community containerd runc Certified Plugins, ISVs Signature Verification FIPS 140-2 Support SLA Plugins Storage Networking Docker Compose dockerd Docker CLI/API Storage mgmt libnetwork BuildKitSwarmKit Docker Content Trust Image mgmt Logs Mgmt
- 7. Docker Engine Architecture Docker Engine - Enterprise Docker Engine - Community containerd runc Certified Plugins, ISVs Signature Verification FIPS 140-2 Support SLA Plugins Storage Networking Docker Compose dockerd Docker CLI/API Storage mgmt libnetwork BuildKitSwarmKit Docker Content Trust Image mgmt Logs Mgmt
- 8. Docker Engine Architecture Docker Engine - Enterprise Docker Engine - Community containerd runc Certified Plugins, ISVs Signature Verification FIPS 140-2 Support SLA Plugins Storage Networking Docker Compose dockerd Docker CLI/API Storage mgmt libnetwork BuildKitSwarmKit Docker Content Trust Image mgmt Logs Mgmt
- 9. Docker Engine Architecture Docker Engine - Enterprise Docker Engine - Community containerd runc Certified Plugins, ISVs Signature Verification FIPS 140-2 Support SLA Plugins Storage Networking Docker Compose dockerd Docker CLI/API Storage mgmt libnetwork BuildKitSwarmKit Docker Content Trust Image mgmt Logs Mgmt
- 10. Image Push, Pull containerd overview Create, Start, Stop, Delete Union mount filesystem Container Execution Container Filesystem Image Management
- 11. New Features in Docker Engine 18.09
- 12. containerd 1.2 merged ● Feature parity with open source ○ in upstream containerd 1.2 ● Building block changes to support: ○ buildkit ○ CE→EE activation ● New runtime shim added for better support of runtimes
- 13. Build improvements ● Performance improvements: Re-designed concurrency and caching model: ○ Parallel build stages ○ Skip unused stages and unused context files ○ Incremental context transfer between builds ● Build-time secrets ● SSH forwarding ● Feature parity with the old builder except UX ● Extensibility: Create extensions for Dockerfile parsing by using the new #syntax directive
- 14. Enabling BuildKit support export DOCKER_BUILDKIT=1 … or enable on daemon level in /etc/docker/daemon.json
- 15. ● Dockerfile Best Practices ○ Tue, Dec 4, 5:25PM ○ Using Docker for Developers: Room 115 ● Supercharged Docker Build with BuildKit ○ Wed, Dec 5, 12:00 PM ○ Black Belt: Room 114 Docker build sessions
- 16. Connections to remote Docker daemon via SSH, TLS and plain HTTP are now supported: Support for SSH connections to remote Host $ docker -H ssh://me@example.com
- 17. Support for Compose on Kubernetes $ docker stack deploy --orchestrator=kubernetes ● Use Compose files to deploy apps to Kubernetes on EE Move applications between Kubernetes and Swarm, and simplify application configuration ● Create native Kubernetes Stack object Able to interact with Stacks via the Kubernetes API ● Improve UX and move out of experimental Functionality now available in the main, supported Docker CLI
- 18. Docker Engine - Community vs Enterprise
- 19. Release Cadence EE 18.09 EE 19.03 EE 19.09 EE 20.03 CE 18.09 CE 19.03 CE 19.09 CE 20.03 7 MONTHS 24 MONTHS Support extends one month after the next release Support extends 18 months after the next release
- 20. Extended Docker - Enterprise Support Timeline Description of Support Interaction Provided Severity and Criticality of Patches provided GA to 12 months Support for all issue types: Break-fix, troubleshooting, RCA, etc. Patches provided for defects related to Urgent and High priority issues and security issues 13-18 months Support for all issue types: Break-fix, troubleshooting, RCA, etc. Patches for Urgent (S0) issues and critical security issues 19-24 months Limited support for existing installations* Patches for critical security issues only * Excludes Feature Enablement, Bugfix, Patch Backport (exclusive of security issues, which are covered), and post-outage Root Cause Analysis
- 21. ● Enterprise-class support with defined SLAs ● Community Support ● 24 months of extended software maintenance ● 7 months of software maintenance ● Engage with Docker products teams on roadmap priorities ● Community driven roadmap ● FIPS 140-2 compliant Engine ● Certified ecosystem plugins and ISV containers ● Docker logs support for all logging drivers ● Enterprise readiness testing: Scalability, Stress, Longevity ● Support for Compose on Kubernetes ● Windows Server Support
- 22. Docker Engine - Enterprise only
- 23. ● New file based `local` cache logging driver ● Automatically enabled for log drivers that do not support reads ● Logs available at: ● Supports compression and rotation Logs support for all logging drivers $ /var/lib/docker/container/<id>/container-cached.log
- 24. FEATURE BENEFITS • Linux support included in 18.03 Engine, 18.09 now adds FIPS compliance for Windows • Automatically enable FIPS mode for Docker engine based upon host OS FIPS status • Use env variable to override O/S FIPS state • Meet regulatory requirements by deploying Docker Engines in a FIPS compliant mode • Prevent non-FIPS nodes from joining a FIPS compliant cluster DOCKER ENGINE containerd Docker API Networking Docker Build (BuildKit) Orchestration VolumesDistribution Docker CLI Plugins FIPS 140-2 Validated Encryption Module FIPS 140-2 Validated Engine
- 25. Easy setup for Docker Content Trust ● Simplified image signing through ● Validated for DTR 2.5 & Docker Hub $ docker trust Commands Description docker trust key Manage keys for signing Docker images docker trust signer Manage signing entities docker trust inspect Retrieve signing information of images docker trust revoke Remove trust for an image docker trust sign Sign an image
- 26. Run trusted images with Engine Signature Verification Developer signs an image and checks it into a registry Engine verifies that image is signed before pulling to local environment FEATURE BENEFITS • Verify that images are signed before pulling from registry • Enable or disable on a per-shell or per-invocation basis • Prevent the deployment of containers that use unsigned images • Enforce policies around image signing
- 27. Infrastructure Integrates with your Existing Tooling
- 29. Pain Point Details Image Compatibility ● Windows version: Major.Minor.Build.Revision ● WS2016: host OS image and container base images must have same Revision (patch) number ● WS1709 / WS1803: host and container images must have same Build (release) number (easier) Image sizes ● WS2016 server core 6GB, nanoserver 420MB ● WS1709 server core 3GB, nanoserver 136MB ● WS1803 server core 2GB, nanoserver 141MB (smaller = better) Networking ● WS2016: host mode and DNSRR networking ● WS1709 / 1803: add ingress networking & VIP load balancing (equivalent to Linux) Kubernetes Support ● Beta support in Kubernetes 1.9 and WS1709 ● Kubernetes community GA expected in 1.14 (~ Mar 2019) Windows Server Support Lifecycle ● Microsoft has a multiple release channels with different support lengths: ● Long term service channel (LTSC, e.g. WS2016, WS2019) -- 5 years support ● Semi-annual channel (SAC, e.g. WS1709, WS1803) -- 18 months support Windows Server support with Swarm
- 30. Windows improvements Access daemon from within container Mounted via standard volume mount syntax • Enable Windows developers to create apps that require access to the host docker daemon or other host pipe • Use Docker for Desktop to build and test apps the same way they will run in production Named pipe mounting FEATURE • Equivalent to Unix domain sockets on Linux • Process and Hyper-v isolated containers BENEFITSdocker run -it -v '.pipedocker_engine:.pipedocker_engine' microsoft/windowsservercore:1803 powershell
- 31. Future
- 32. containerd evolution containerd process-shim containerd-shim kata-shim runc runhcs kata-runtime gvisor-shim runsc v2 shim interface Community Supported Future direction for dockerd
- 33. Docker evolution containerd dockerd v1 dockerd v2 process-shim process-shim
- 34. Ready to see for yourself?
- 35. Let’s activate the Enterprise features from Docker Engine - Community
- 36. Get Started Today! 1 2 3 Download and Develop with free Docker Engine - Community Access self-paced training @ https://training.play-with-docker.com/ Upgrade to Docker Engine - Enterprise with a free trial license from Docker Store
- 37. Take A Breakout Survey Access your session and/or workshop surveys for the conference at any time by tapping the Sessions link on the navigation menu or block on the home screen. Find the session/workshop you attended and tap on it to view the session details. On this page, you will find a link to the survey.
- 38. Come Join Us In San Francisco April 29-May 2 2019
- 39. Thank you Questions? or find me in the Hallway Track: “Learn about containerd and Docker Engine - Community/Enterprise”