DockerCon 2014 Highlights
The first big news of DockerCon was the launch of Docker 1.0, but there was more to come. The back of the DockerCon t-shirts said ‘Containers everywhere!’, and there was plenty of evidence of that from the large Bay Area service providers. There were also some additional launches: libswarm, ‘a minimalist toolkit to compose network services’; libchan, ‘an ultra-lightweight networking library’; and more partners getting involved with libcontainer.
Google, Facebook and Twitter were all talking about how they use containers at huge scale. Right now they’re mostly not using Docker containers, though some have plans to migrate from home grown environments built before Docker came along. A common theme was that each firm had built its own orchestration system. Drone.io founder Brad Rydzewski commented ‘what I learned at #dockercon: everyone is building their own orchestration platform. seriously. everyone’. Docker Inc CTO Solomon Hykes addressed that issue in his day 2 keynote with the announcement of libswarm, a library that can be used to drive multiple orchestration systems. A video demo by Orchard was then played to show multiple docker services being controlled from the same command line environment. For more detail on libswarm Activestate’s Phil Whelan has an article that includes an interview with Solomon Hykes.
There was a significant presence from Google at the event, with a keynote from Eric Brewer and presentations by Craig McLuckie, Brendan Burns and Ekaterina Volkova. The most significant news from Google was the release of Kubernetes, an open source container management system (and a cut-down version of the Omega platform that’s used within Google to launch ). Google also launched cAdvisor, a tool that analyzes resource usage and performance characteristics of running containers. Internally Google has committed to moving to the Docker image format for its own containers. There were also announcements of improved Docker features in the Google Cloud Platform, in both Google Compute Engine (GCE) and Google App Engine (GAE).
IBM’s Boden Russell presented his benchmarking of Docker versus KVM, looking particularly at memory and CPU consumption. Boden had previously blogged his findings, which show that a container-based approach can lead to substantial savings in memory utilisation (which is a key driver of cost in the data center) and startup time. IBM also demoed their integration with Netflix OSS tools, running a sample application under attack from Chaos Monkey on a laptop, then migrating the application to their SoftLayer cloud.
Docker is written in Go, so the developers have taken a cue from Go channels in the creation of libchan, which is described as ‘like Go channels over the network’. In addition to working in memory, the channels can run across Unix sockets, raw TCP, TLS, HTTP2/SPDY and websockets. Channels are intended for message passing and synchronization in concurrent programming, and can be nested, so channels can send channels. The library aims to support microservices messaging needs such as:
- Request/response with arbitrary structured data.
- Asynchronous events flowing in real-time in both directions.
- Requests and responses can flow in any direction, and can be arbitrarily nested, for example to implement a self-registering worker model.
- Any message serialization format can be plugged in: json, msgpack, xml, protobuf.
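The nesting described above (a request carrying its own reply channel, and workers registering themselves by sending their inbox channel to a pool) is shown here with plain in-memory Go channels, as an added example that is not libchan's code and uses none of its network transports; the `Request`, `Worker`, `Send` and `RunDemo` names are the example's own.

```go
package main

import "fmt"

// Request carries structured data plus the channel its answer comes back on.
type Request struct {
	Payload string
	Reply   chan string
}

// Worker self-registers whenever it is idle by sending its own inbox (a channel)
// over the pool channel, then serves the one request that arrives on that inbox.
func Worker(name string, pool chan<- chan Request) {
	inbox := make(chan Request)
	for {
		pool <- inbox // a channel sent over a channel: "I am available"
		req, ok := <-inbox
		if !ok {
			return // inbox closed by RunDemo: retire
		}
		req.Reply <- name + " handled " + req.Payload
	}
}

// Send claims the next idle worker's inbox from the pool and does one
// request/response over it, blocking until some worker has registered.
func Send(pool <-chan chan Request, payload string) string {
	inbox := <-pool
	reply := make(chan string)
	inbox <- Request{Payload: payload, Reply: reply}
	return <-reply
}

// RunDemo starts nWorkers workers, serves the payloads in order, then retires the workers.
func RunDemo(nWorkers int, payloads []string) []string {
	pool := make(chan chan Request)
	for i := 0; i < nWorkers; i++ {
		go Worker(fmt.Sprintf("worker-%d", i), pool)
	}
	replies := make([]string, 0, len(payloads))
	for _, p := range payloads {
		replies = append(replies, Send(pool, p))
	}
	for i := 0; i < nWorkers; i++ {
		close(<-pool) // each idle worker offers its inbox once more; closing it ends that worker
	}
	return replies
}

func main() { fmt.Println(RunDemo(2, []string{"ping", "build", "deploy"})) }
```

Because `Send` blocks on the pool until a worker has offered an inbox, a request is never dropped for lack of a registered worker; which worker answers depends on goroutine scheduling.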
Libcontainer is a standard interface to Linux OS sandboxing. It was initially launched with Docker 0.9, but it has now been broken off to become a standalone project. A number of significant contributions have come from outside Docker Inc: SELinux and systemd integration from Red Hat, a unified cgroup interface from Ubuntu and LXC, OpenVZ and a C implementation of libcontainer from Parallels, and two Google engineers joining the project as core maintainers.
Red Hat showed off Project Atomic, their cut-down Linux distribution for Docker that incorporates GearD, a Docker orchestration system that can integrate with OpenShift. Red Hat’s Dan Walsh also presented his work on incorporating SELinux into Docker, which was accompanied by his amusing SELinux coloring book. Dan explained exactly what containment means from a security perspective, and how additional controls can be put in place using a variety of kernel-supported tools, including SELinux.
Anatole Tresch Mar 03, 2015