Archive

Category Archives for "Systems"

Some Thoughts on the Docker-Kubernetes Announcement

Today at DockerCon EU, Docker announced that the next version of Docker (and its upstream open source project, the Moby Project) will feature integration with Kubernetes (see my liveblog of the day 1 general session). Customers will be able to choose whether they leverage Swarm or Kubernetes for container orchestration. In this post, I’ll share a few thoughts on this move by Docker.

First off, you may find it useful to review some details of the announcement via Docker’s blog post.

Done reviewing the announcement? Here are some thoughts; some of them are mine, some of them are from others around the Internet.

  • It probably goes without saying that this announcement was largely anticipated (see this TechCrunch article, for example). So while the details of how Docker would go about adding Kubernetes support were not clear, many people expected some form of announcement around Kubernetes at the conference. I’m not sure that folks expected this level of integration, or that the integration would take this particular shape/form.
  • In looking back on the announcement and the demos from today’s general session and in thinking about the forces that drove Docker to provide Kubernetes integration, it occurs to me that Continue reading

Container-Relevant Kernel Developments

This is a liveblog of a Black Belt track session at DockerCon EU in Copenhagen. The session is named “Container-Relevant Kernel Developments,” and the presenter is Tycho Andersen.

Andersen first presents a disclaimer that the presentation is mostly a brain dump, and that he’s not personally responsible for a lot of the work presented here. In fact, all of the work Andersen will talk about is not yet merged upstream in the Linux kernel, and he doesn’t expect that they will be accepted upstream and see availability for average users.

The first technology Andersen talks about is IMA (Integrity Management Association, I think?), which prevents user space from even opening files if they have been tampered with or modified in some fashion that violates policy. IMA is also responsible for allowing the Linux kernel to take advantage of a system’s Trusted Platform Module (TPM).

Pertinent to containers, Andersen talks about work that’s happening within the kernel development community around namespacing IMA. There are a number of challenges here, not all of which have been addressed or resolved yet, and Andersen refers attendees to the Linux Kernel mailing list (LKML) for more information.

Next, Andersen talks about the Linux audit log. Continue reading

LinuxKit Deep Dive

This is a liveblog of the DockerCon EU session titled “LinuxKit Deep Dive”. The speakers are Justin Cormack and Rolf Neugebauer, both with Docker, and this session is part of the “Black Belt” track here at DockerCon.

So what is LinuxKit? It’s a toolkit, part of the Moby Project, that is used for building secure, portable, and lean operating systems for containers. It uses the moby tooling to build system images. LinuxKit uses YAML files to describe the complete system, and these files are consumed by moby to assemble the boot image and verify the signature. On top of that is containerd, which runs on-boot containers, service containers, and shutdown containers. Think of on-boot and shutdown containers as one-time containers that perform some task, either when the system is booting or shutting down (respectively).

LinuxKit was first announced and open sourced in April 2017 at DockerCon in Austin. Major additions since it was announced include:

  • arm64 support
  • Improved Kubernetes support
  • Linux containers on Windows (LCOW) preview support
  • Improved platform support (Azure, packet.net, IBM Bluemix, AWS, GCP, VMware, Hyper-V, etc.)
  • Multi-arch build system
  • Fully immutable system images
  • Namespace sharing
  • Support for the latest Linux kernels

After reviewing the changes Continue reading

Rock Stars, Builders, and Janitors: You’re Doing it Wrong

This is a liveblog of the session titled “Rock Stars, Builders, and Janitors: You’re Doing it Wrong”. The speaker is Alice Goldfuss (@alicegoldfuss) from GitHub. This session is part of the “Transform” track at DockerCon; I’m attending it because I think that cultural and operational transformation is key for companies to successfully embrace new technologies like containers and fully maximize the benefits of these technologies. (There’s probably a blog post in that sentence.)

Goldfuss starts out by asking the audience some questions about what they’ve been doing for the last 3 months, and then informs the attendees that they are, in fact, part of the problem.

Goldfuss now digs into the meat of the presentation by covering some terminology. First, what is a rock star? They’re the idea person, the innovator. They’re curious, open-minded, iterating faster, and always looking for the new things and the new ideas. They’re important to our companies, but they do have some weaknesses. They get bored easily, they have no patience for maintenance, and they’re not used to thinking about end user experience. Thus, according to Goldfuss, you can’t have a team of only rock stars.

Next, Goldfuss talks about builders. Builders Continue reading

DockerCon EU 2017 Day 1 Keynote

This is a liveblog of the day 1 keynote/general session at DockerCon EU 2017 in Copenhagen, Denmark. Prior to the start of the keynote, attendees are “entertained” by occasional clips of some Monty Python-esque production.

At 9:02, the lights go down and another clip appears, the first of several clips that depict life “without Docker” and then again “with Docker” (where everything is better, of course). It’s humorous and a good introduction to the general session.

Steve Singh, CEO of Docker, now takes the stage to kick off the general session. Singh thanks the attendees for their time, discusses the growth of the Docker community and the Docker ecosystem, welcomes new members of the community (including himself), and positions Docker less as a container company and more as a platform company. (Singh comes to Docker from SAP, following SAP’s acquisition of Concur.) Singh pontificates for a few moments about his background, the changes occurring in the industry, and the “center stage front-row” seat that Docker has to witness—and affect/shape—these changes.

Singh pivots after a few minutes to talk about Docker growth in terms of specific metrics (21 million Docker hosts, for example). This allows him to return to the Continue reading

Docker Platform and Moby Project add Kubernetes

Today we’re announcing that the Docker platform is integrating support for Kubernetes so that Docker customers and developers have the option to use both Kubernetes and Swarm to orchestrate container workloads. Register for beta access and check out the detailed blog posts to learn how we’re bringing Kubernetes to:

Docker is a platform that sits between apps and infrastructure. By building apps on Docker, developers and IT operations get freedom and flexibility. That’s because Docker runs everywhere that enterprises deploy apps: on-prem (including on IBM mainframes, enterprise Linux and Windows) and in the cloud. Once an application is containerized, it’s easy to re-build, re-deploy and move around, or even run in hybrid setups that straddle on-prem and cloud infrastructure.

The Docker platform is composed of many components, assembled in four layers:

  • The containerd industry-standard container runtime implementing the OCI standards
  • Swarm orchestration that transforms a group of nodes into a distributed system
  • Docker Community Edition providing developers a simple workflow to build and ship container applications, with features like application composition, image build and management
  • Docker Enterprise Edition, to manage an end Continue reading

Extending Docker Enterprise Edition to Support Kubernetes

At DockerCon Europe, we announced that Docker will be delivering seamless integration of Kubernetes into the Docker platform. Bringing Kubernetes to Docker Enterprise Edition (EE) will simplify and advance the management of Kubernetes for enterprise IT and deliver the advanced capabilities of Docker EE to a broader set of applications.

Swarm and Kubernetes Side-by-Side

Docker EE is an enterprise-grade container platform that includes a private image registry, advanced security features and centralized management for the entire container lifecycle. By including Kubernetes for container orchestration, customers will have the ability to run both Swarm and Kubernetes in the same Docker EE cluster while still leveraging the same secure software supply chain for building and deploying applications.

Figure 1. Docker EE Architecture with Multiple Orchestrators

This is possible because Docker EE has a modular architecture that is designed to support multiple orchestrators. The Linux nodes are both Swarm and Kubernetes-ready and application teams can decide which orchestrator to use at app deployment time.

When creating a new Stack in Docker EE, you are given the choice of deploying it as Swarm Services or as Kubernetes Workloads:

Figure 2. Selectable modes at app deployment time

Upon deployment, the Docker EE dashboard has a “Shared Resources” area Continue reading

Beta Docker for Mac and Windows with Kubernetes

Today, as part of our effort to bring Kubernetes support to the Docker platform, we’re excited to announce that we will also add optional Kubernetes to Docker Community Edition for Mac and Windows. We’re demoing previews at DockerCon (stop by the Docker booth!) and will have a beta program ready at the end of 2017. Sign up to be notified when the beta is ready.

With Kubernetes support in Docker CE for Mac and Windows, Docker Inc. can provide customers an end-to-end suite of container-management software and services that span from developer workstations, through test and CI/CD through to production on-prem or in the cloud.

Docker for Mac and Windows are the most popular way to configure a Docker dev environment and are used every day by hundreds of thousands of developers to build, test and debug containerized apps. Docker for Mac and Windows are popular because they’re simple to install, stay up-to-date automatically and are tightly integrated with macOS and Windows respectively.

The Kubernetes community has built solid solutions for installing limited Kubernetes development setups on developer workstations, including Minikube (itself based partly on the docker-machine project that predated Docker for Mac and Windows). Common to these solutions however, Continue reading

Technology Short Take 88

Welcome to Technology Short Take #88! Travel is keeping me pretty busy this fall (so much for things slowing down after VMworld EMEA), and this has made it a bit more difficult to stick to my self-imposed biweekly schedule for the Technology Short Takes (heck, I couldn’t even get this one published on Friday!). Sorry about that! Hopefully the irregular schedule is outweighed by the value found in the content I’ve collected for you.

Networking

Video series: Modernizing Java Apps for IT Pros

Today we start releasing a new video series in Docker’s Modernize Traditional Apps (MTA) program, aimed at IT Pros who manage, maintain and deploy Java apps. The video series shows you how to take a Java EE 7 application written to run on Wildfly 3, move it to a Windows Docker container and deploy it to a scalable, highly-available environment in the cloud – without any changes to the app.

These are the first 4 of a 5 part video series in Docker’s Modernize Traditional Apps (MTA) program, aimed at Java IT Pros. The video series shows you how to move a Java EE app on JBoss Wildfly to a Docker container and deploy it to a scalable, highly-available environment in the cloud – without any changes to the app.

Part 1 introduces the series, explaining what is meant by “traditional” apps and the problems they present. Traditional apps are built to run on a server, rather than on a modern application platform. They have common traits, like being complex to manage and difficult to deploy. A portfolio of traditional applications tends to under-utilize its infrastructure, and over-utilize the humans who manage it. Docker Enterprise Edition (EE) fixes that, giving Continue reading

Least Privilege Container Orchestration

The Docker platform and the container have become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.

Orchestrators are responsible for critical clustering and scheduling tasks, such as:

  • Managing container scheduling and resource allocation.
  • Supporting service discovery and hitless application deploys.
  • Distributing the necessary resources that applications need to run.

Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment make securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.

Motivation and threat model

One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.

In computer science, the principle of least privilege in a distributed system requires that each participant of the system must only have access to the information and resources that are necessary for its legitimate purpose. No Continue reading

Register for DockerCon Europe 2017 Livestream

For those of you who can’t make it to DockerCon Europe 2017 in Copenhagen, we are thrilled to announce that the General Sessions on both Day 1 and Day 2 of DockerCon will be livestreamed!

Find out about the latest Docker announcements live from Steve Singh (CEO) and Solomon Hykes (Founder and CTO) and enjoy the highly technical demos the Docker team has prepared for you!

Livestream schedule:

  • General Session Day 1 on 10/17 from 9am UTC+2
  • General Session Day 2 on 10/18 from 9am UTC+2

The livestream player will be embedded on the DockerCon site a few hours prior to the event. Be sure to sign up here to receive an email with the link to the livestream before the general session starts!

We invite you to follow the official Twitter account: @DockerCon and hashtag #DockerCon in order to get the latest updates.

The post Register for DockerCon Europe 2017 Livestream appeared first on Docker Blog.

8 Use Cases for Modernizing and Automating Workflows

Managing an organization’s many tools and business processes is becoming increasingly complicated as technology expands. Whether your teams are performing their weekly system reboot, or looking to configure instances to a desired state, it’s no secret that automation is critical to increase speed, efficiency, productivity, and accuracy. Listed below are several instances where automation can help across your enterprise.


  • Weekly system reboot: There’s nothing worse than doing the same thing for 8 hours a day! Eliminate repetitive, manual processes with automation.
  • Enforce security guidelines: Rules are rules. It’s best to automate in an effort to achieve strict security standards.
  • Monitor configuration drift: Use check mode with Ansible tasks to enforce desired settings and see if your configuration has drifted.
  • Disaster recovery: Disaster recovery can involve a wide range of components. Act across different variables of the technology stack to identify problems and eliminate cross team dependencies.
  • Command blaster: Remarkably easy to write, you can run commands across your environment for any number of servers.
  • Database binary patching: Several databases use outdated binary sets. Patch the binaries in accordance with the release of the latest patch.
  • Instance provisioning: Use modules for several cloud providers to create new instances and tailor Continue reading

Fumbling Through Networking

This blog post is written by a systems person who has always dodged networking ... until now. I gave Ansible networking modules a try with a vyos Vagrant image. This blog describes how I fumbled through the process of writing my first Ansible playbook to successfully gather facts from a running vyos virtual machine.

First things first, I need a network thingy to run commands on. I don’t have a physical networking thingy so let’s go searching for a virtual one. After some googling for a Cisco IOS virtual machine I found and started to download an ISO. While that was going on I pinged my co-worker Ben on Slack. Ben’s a networking guy within Ansible. I asked him what virtual device he uses. He pointed me at a vyos Vagrant image. So I canceled the Cisco IOS ISO download and ran the needed vagrant commands.

vagrant init higebu/vyos
vagrant up

Ok, that did something but what did it do? Let me try the old vagrant ssh. Nope, that didn’t work. Oh, I got another message from Ben on Slack. He mentions I’m going to need a plugin to make this work smoothly with Vagrant and to run:

vagrant plugin install  Continue reading

Brace yourselves, DockerCon Europe 2017 is coming!

DockerCon Europe 2017 is just around the corner and the whole European Docker community is getting ready for four days of incredible learning, networking and collaboration!

If you’re a registered attendee, log in to the DockerCon Europe Agenda Builder using the information you set up during the registration process. You can use the keyword search bar or filter by topics, days, tracks, experience level or target audience to get recommended sessions and build your schedule.

Every DockerCon Europe Attendee should have received an invitation to join the Docker Community Slack (dockercommunity.slack.com). If that’s not the case, please reach out to [email protected] and we’ll make sure to resend the invitation.

Monday 16 October

Attendees who have signed up for Paid-Workshops or want to check in and pick up their badge and backpacks early should plan to be in Copenhagen by Monday morning.

Registration

Registration will be open from 12:00 – 19:30.

Workshops

Interested in attending a DockerCon EU Workshop on Monday? Here is the list of the workshops that are still available:

  • Introduction to Docker for Enterprise Developers
  • Docker on Windows: From 101 to Production
  • Docker for Java Developers
  • Learn Docker

If you’ve already registered for a workshop, Continue reading

Introducing Hallway Track: Learn from People Around You at DockerCon

Photo by: Youssef Shoufan at DockerCon Austin 2017

The DockerCon Hallway Track is coming to DockerCon Europe in Copenhagen. We’ve partnered with e180.co once again to deliver the next level of conference attendee networking. Together, we believe that education is a relationship, not an institution, and that a conversation can change someone’s life. After the success of our collaboration in Austin with Moby Mingle, we’re happy to be growing this idea further for Copenhagen.

DockerCon is all about learning new things and connecting with the right people. The Hallway Track will help you meet and share knowledge with community members and practitioners at the conference.  

So, what’s a Hallway Track?

DockerCon Hallway Track consists of one-on-one or group conversations based on topics of interest that you schedule with other attendees during DockerCon. Hallway Track’s recommendation algorithm curates an individualized selection of Hallway Track topics for each participant, based on their behavior and interests.

It’s simple:

  1. Explore the knowledge Offers and Requests – where all participants post the knowledge they are willing to share.
  2. Pick something you want to learn or create your own Offer or Request.
  3. Book your Hallway Tracks and meet in person at Continue reading

Ansible Tower 3.2: Available Now

We're happy to announce that Red Hat Ansible Tower 3.2 is now generally available.

With Red Hat® Ansible® Tower 3.2, we're working to make sure you can automate more flexibly, and manage more globally across your enterprise. For more information:

Go get it now via local install, Vagrant, or Amazon AMI. Ansible Tower 3.2 is available for Red Hat Enterprise Linux 7, CentOS 7, Ubuntu 14.04, and Ubuntu 16.04. If you have any questions, or run into any issues, don't hesitate to contact us via the Red Hat Customer Portal.

Your Docker Agenda for JavaOne

If you are one of the thousands that will be in San Francisco for JavaOne Oct 1-5th, don’t miss the opportunity to level-up your knowledge around container technology and Docker Community and Enterprise Edition. We’ve listed our must-attend sessions below:

Monday, October 2nd

Monday, Oct 02, 11:00 a.m. – 11:45 a.m. | Java in a World of Containers [CON4429]

Speakers: Paul Sandoz and Mikael Vidstedt, Oracle

This session explains how OpenJDK 9 fits into the world of containers, specifically how it fits with Docker images and containers. The first part of the session focuses on the production of Docker images containing a JDK. It introduces technologies, such as J-Link, that can be used to reduce the size of the JDK and discusses the inclusion of class-data-sharing (CDS) archives and ahead-of-time (AOT) shared object libraries. The second part describes how the Java process can be a good citizen when running within a Java container and obeying resource limits. The presentation also covers the role of CDS archives and AOT shared object libraries that can be shared across running containers to reduce startup time or memory usage.

 

Tuesday, October 3rd

8:30 a.m. – 10:30 a.m. |   Continue reading

Kubernetes 1.8 release integrates with containerd 1.0 Beta

Intent of containerd effort

When containerd was first developed it had two goals. The first was to solve the upgrade problem with running containers and provide a codebase where OCI runtimes, like runc, could be integrated into Docker. However, as needs change in the container space and after speaking with various members of the community at the beginning of this year, we decided to expand the scope of containerd and make it a fully functional container daemon with storage, image distribution and runtime.

containerd fully supports the OCI Runtime and Image specifications that are part of the recently released 1.0 specifications. Additionally, it was important to build a stable runtime for users and platform builders. We wanted containerd to be fully functional; but also, it needed to retain a small core codebase so that it is easy to maintain and support in the long run with an LTS release receiving backported patches on a stable API.

To demonstrate the progress made on the project, Stephen Day presented the current status of containerd 1.0 alpha at the Moby Summit in LA two weeks ago:

Check out the getting started with containerd guide to get your feet wet with containerd if you want to integrate Continue reading

Introducing the Docker Global Professional Certification Program

Docker is excited to announce the first and only official professional certification program for the Docker Enterprise Edition (EE) platform.

The new Docker Certified Associate (DCA) certification, launching at DockerCon Europe on October 16, 2017, serves as a foundational benchmark for real-world container technology expertise with Docker Enterprise Edition. In today’s job market, container technology skills are highly sought after and this certification sets the bar for well-qualified professionals. The professionals that earn the certification will set themselves apart as uniquely qualified to run enterprise workloads at scale with Docker Enterprise Edition and be able to display the certification logo on resumes and social media profiles.

The DCA is the first in a comprehensive multi-tiered certification program and the exam was created by top practitioners using a rigorous development process. It consists of 55 questions to be completed over 80 minutes covering essential skills on Docker Enterprise Edition. The exam can be taken anywhere in the world at any time and is delivered using remote proctoring technology to ensure exam security while creating a simple and streamlined test taking experience for candidates.

Be among the first to earn the DCA designation and gain recognition for your enterprise container skills.

 


Be Continue reading
