Docker Inc Release 'Docker Datacenter' to Support On-Premise 'Containers as a Service' (CaaS)
Docker Inc. have released Docker Datacenter (DDC), a subscription-based platform and support service that enables organisations to run a Docker-based Containers as a Service (CaaS) for building, deploying and managing containerised applications and infrastructure. The DDC is comprised of Docker Universal Control Plane (UCP) and Docker Trusted Registry (DTR), and contains embedded support for the open source Docker projects, such as Engine, Swarm and Compose.
The Docker DDC press release states that the new platform will enable organisations of all sizes to deploy a Containers as a Service (CaaS) on-premise or within a virtual public/private cloud. The term ‘CaaS’ is not a new creation, and has previously been applied to container orchestration platforms such as Kubernetes, Apache Mesos / Mesosphere Marathon, and Amazon Web Services’ ECS. Typically within a cloud-based model of computing, CaaS sits below Platform as a Service (PaaS), with less opinionated design primitives and functionality provided ‘out-of-the-box’, but above Infrastructure as a Service (IaaS), which offers infrastructure components that must be aggregated and configured for a typical application deployment use case.
The Docker blog states CaaS enables developers and operations to work more effectively together, with the separation of concerns associated with the creation and deployment of applications being more clearly defined. A typical CaaS workflow is shown in the diagram below, with developers (“build”) on the left pulling and pushing application content from a library of trusted base images, and operations teams (“run”) on the right monitoring and managing deployed applications and infrastructure. Control of the registry (“ship”) can be centralised for stricter governance, or decentralised to individual departments or application teams for greater flexibility.
The image registry (DTR) and control plane (UCP) components of the DDC are packaged and run as containers, and can be deployed rapidly within a host environment that supports the execution of Docker containers (most modern Linux kernels). Puppet Labs have also released a corresponding docker_ucp (v 0.1.0) module as an alternative deployment mechanism. The DDC provides a web-based administration user interface (UI), which allows the configuration of storage, networking and security certificates. A general-purpose UI is also provided, which enables the management of applications, repositories, networks and volumes. Role-based security controls can be applied to user accounts, and the DDC integrates with existing LDAP/AD servers.
DDC supports the Docker API and embeds open source projects such as Docker Engine and Docker Swarm directly into the platform. The Docker blog states that developers utilising Docker Compose to define application composition and configuration can work directly with the UCP by using the same tooling, such as Docker Toolbox or the command line applications. The diagram below shows the DDC components, marked in blue, in the context of the wider application development and deployment toolchain.
The Docker blog states that the DDC has ‘built-in high availability’ and the UCP can be deployed across multiple hosts for increased fault tolerance. In the case of a host outage or failure, the system will preserve the state of the Swarm cluster along with UCP settings, accounts, and permissions. Transport Layer Security (TLS) is also automatically configured on Docker hosts that join a cluster, ensuring secure communication within the Docker environment.
DDC provides ‘integrated content security’ across the software development lifecycle through the integration of Docker Content Trust and DTR. Content Trust provides the ability to sign images with digital keys and then verify the signature of those images. For example, a central IT team can create base images, sign them and upload them to their instance of a DTR. With Content Trust activated, the Docker Engines in the secured environment cannot gain access to or run images that are unsigned.
In relation to security, the recent release of Docker Engine 1.10 also includes several low-level security improvements, such as the support of Seccomp profiles, User Namespaces and authorisation plugins. It is worth noting that the Docker daemon still requires root privileges to run successfully. In comparison, the CoreOS rkt container runtime that was recently released as generally available (rkt v1.0) can run unprivileged, and does not require execution with root.
InfoQ discussed the release of DDC with David Messina, VP enterprise marketing at Docker Inc, and asked whether Docker will be focusing on supporting only the management of the container infrastructure, or also assisting with the creation of containerised applications.
With [the DDC], IT operations teams are able to secure, provision and manage both infrastructure resources and base application content while developers are able to build and deploy their applications in a self-service manner.
As an example, IT is building a centralized IT model where they manage the infrastructure and microservices content that they share with developers who, in turn, use the templates to build and deploy microservices.
InfoQ also asked how the Docker vision of ‘CaaS in the datacenter’ differs from other modern hybrid IT approaches, such as the Microsoft Azure Stack that was recently announced.
Docker and its CaaS solution align well with these types of hybrid approaches. Whether that means you have multiple private data centers, a hybrid cloud or multiple cloud providers, the critical component is the ability to move workloads from one environment to another, without causing application issues.
With Docker Datacenter and CaaS, you can abstract the infrastructure away from the application, allowing the application containers to be run anywhere and portable across any infrastructure, from on-premises datacenters to public clouds, across a vast array of network and storage providers.