Docker adds orchestration and more at DockerCon 2016
DockerCon 2016, held in Seattle in June, included many new feature and product announcements from Docker Inc. and the Docker project. The main keynote of DockerCon [YouTube] featured Docker Inc. staff announcing and demonstrating the features of Docker 1.12, currently in its release-candidate phase. As with the prior 1.11 release, the new version includes major changes in the Docker architecture and tooling. Among the new features are an integrated orchestration stack, new encryption support, integrated cluster networking, and better Mac support.
The conference hosted 4000 attendees, including vendors like Microsoft, CoreOS, HashiCorp, and Red Hat, as well as staff from Docker-using companies like Capital One, ADP, and Cisco. While there were many technical and marketing sessions at DockerCon, the main feature announcements were given in the keynotes.
As with other articles on Docker, the project and product are referred to as "Docker," while the company is "Docker Inc."
Catching up: Docker 1.11
In version 1.11, the project restructured how Docker works almost entirely in order to pave the way for later features. Prior to that release, the Docker daemon, container manager, and container runtime were a unified program with a single API.
Docker 1.11 separated these functions into three separate pieces: the Docker Engine takes commands from the user interface and passes the appropriate commands to the containerd daemon, which starts each container using the runC binary. Notably, runC is the first container runtime built according to the specification from the Open Container Initiative. This restructuring caused some problems, especially with the integration of external software, and meant that few new features were added in 1.11.
The architecture changes also delivered some strong benefits, not the least of which was an alpha release of "native" versions for Mac and Windows platforms in March. These versions use the built-in hypervisor support included in those operating systems to run Docker under a Linux kernel, instead of using VirtualBox as the prior Docker Toolbox and other solutions did.
Docker 1.12 and built-in orchestration
In contrast to the "big break-up" in the prior version, 1.12 will involve integrating what had been separate tools into the Docker Engine. Docker founder Solomon Hykes explained how and why Docker is integrating container-orchestration features that had previously been included only as external tools. According to him, the developers felt that existing orchestration tools had "solved the problem," but were "usable only by experts." Orchestration consists of scheduling and managing deployment of containerized microservices across a group of servers.
The goal in integrating more things into Docker was to make orchestration usable by non-experts. As such, in Docker 1.12, a full suite of orchestration tools based on Docker's previous generation of tools, primarily Swarm and Compose, will be integrated into the Docker Engine. These orchestration changes consist of four major features:
- Swarm mode
- Cryptographic node identity
- A new service API
- A built-in network routing mesh
Users can enable Swarm mode in Docker 1.12 to have each node join a named cluster of nodes. This causes the Docker Engine to start up a built-in distributed configuration store (DCS), which shares information among the nodes in the cluster using the RAFT consensus algorithm. Other orchestration tools use external DCSes such as etcd or Consul to store cluster metadata. Hykes said that setting up a separate DCS was a significant barrier to deployment for many users.
The second feature, cryptographic node identity, actually encompasses a bunch of encryption features added to Swarm mode. This includes cryptographic keys identifying each node, built-in TLS-encrypted communication, and fully automated key rotation. All of that depends on an integrated public key infrastructure (PKI) feature that is now also part of Docker Engine. Hykes said that this creates a completely secure system by default.
Docker 1.12 also includes a new service API that allows developers and administrators to define applications as services, so that they can be deployed to a Swarm cluster. The services facility includes support for application health checks and auto-restart of failing containers. This seems to work very similarly to Deployments in Kubernetes.
The last piece of the new orchestration stack is what Hykes called a "routing mesh." The project has added a built-in network overlay and DNS-based service discovery for containerized services, similar to CoreOS's Flannel. This new feature supports built-in load balancing and works with external load balancers. According to Hykes, this is implemented using Linux IP Virtual Server (IPVS) for performance and stability.
Simple orchestration demo
Andrea Luzzardi and Mike Goelzer of Docker Inc. demonstrated the new orchestration features by setting up a three-node Swarm and deploying services to it. Luzzardi started from a new machine running Docker 1.12, and initialized the first node:
# ssh node-1
node-1# docker swarm init
Swarm initialized: current node is now a manager
This creates a one-node "cluster." Adding more nodes to the cluster requires telling each of them to join the first node, by connecting to it by DNS name on port 2377:
# ssh node-2
node-2# docker swarm join node-1:2377
This node joined a Swarm as a worker.
Deploying a containerized microservice to this cluster uses the new service command. Luzzardi showed deploying the Instavote Python container from Docker Hub, and had it listen on port 8080 in the cluster:
node-1# docker service create --name vote -p 8080:80 instavote/vote
He then showed that you could connect to the web service on any node on port 8080. The service can be "scaled" using the same service command. For example, the command below scales up to six containers by adding five more:
node-1# docker service scale vote=6
Luzzardi and Goelzer finished by showing automated redeployment of containers after a node failure. They also demonstrated rolling updates of container versions.
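The demo above, scripted as a small POSIX shell file so that the steps can be repeated against a lab cluster. This is an added example, not code from the article or from Docker Inc.; the node names, the use of ssh to reach each node, and the column layout of "docker service ls" (one "running/desired" REPLICAS field per row) are assumptions. The script also computes how many managers the Raft-based configuration store can lose while keeping a majority, which is the check an operator wants before growing a one-manager demo cluster into something that has to survive node failure.

```shell
#!/bin/sh
# Added example (not from the article): scripted version of the three-node
# Swarm demo. Node names, ssh-based remote execution and the assumed
# "docker service ls" column layout are assumptions, not taken from the page.
set -eu

MANAGER=${MANAGER:-node-1}
WORKERS=${WORKERS:-"node-2 node-3"}
SWARM_PORT=2377                     # cluster management port used in the demo

# Command a worker runs to join the cluster managed by $1 (as in the demo).
swarm_join_cmd() {
    printf 'docker swarm join %s:%s\n' "$1" "$SWARM_PORT"
}

# Raft needs a majority of managers alive: with N managers, (N-1)/2 may fail.
# An even N tolerates no more failures than N-1, which is why odd counts are used.
raft_tolerated_failures() {
    echo $(( ($1 - 1) / 2 ))
}

# Parse one "docker service ls" row (assumed REPLICAS column "running/desired")
# and succeed only when the service has converged to $2 running replicas.
replicas_ready() {
    row=$1; want=$2
    for field in $row; do
        case $field in
            [0-9]*/[0-9]*)
                running=${field%/*}; desired=${field#*/}
                if [ "$running" = "$desired" ] && [ "$running" = "$want" ]; then
                    return 0
                fi
                return 1
                ;;
        esac
    done
    return 1                        # no REPLICAS field found: not ready
}

# Execute the demo's steps over ssh, then poll until all six replicas are up.
run_demo() {
    managers=1
    echo "$managers manager(s): Raft tolerates $(raft_tolerated_failures "$managers") failure(s)"
    ssh "$MANAGER" docker swarm init
    for w in $WORKERS; do
        ssh "$w" "$(swarm_join_cmd "$MANAGER")"
    done
    ssh "$MANAGER" docker service create --name vote -p 8080:80 instavote/vote
    ssh "$MANAGER" docker service scale vote=6
    while :; do
        row=$(ssh "$MANAGER" docker service ls | grep ' vote ' || true)
        replicas_ready "$row" 6 && break
        sleep 2
    done
    echo "service vote is serving on port 8080 of every node"
}

# Only touch real machines when explicitly asked; the functions above are
# safe to source and test without a cluster.
if [ "${SWARM_DEMO_RUN:-0}" = 1 ]; then
    run_demo
fi
```

Run it with SWARM_DEMO_RUN=1 (and MANAGER/WORKERS set to real hostnames) to replay the demo; without that variable the file only defines the helpers. The one-manager cluster in the demo tolerates zero manager failures, so the Raft check prints a reminder that the integrated DCS is no more resilient than an external etcd or Consul would be with a single member.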
Docker for Mac and Windows
"Native" Docker for Mac and Windows has been available since March in an invitation-only beta. Hykes introduced a new release of Docker for Mac that came about from the feedback, bugs, and test cases submitted by the beta testers. Tester reports were invaluable, especially for troubleshooting hardware compatibility.
According to Hykes, creating Docker for Mac and Windows required hiring new engineers with deep systems knowledge, which is why Docker Inc. acquired Unikernel Systems in January. The company also made use of hires out of the gaming industry for user-experience improvements. He promised a "seamless" developer experience.
Aanand Prasad, an engineer at Docker Inc., demonstrated the new Mac integration. He live-debugged the Instavote demo application, showing that the application could be reloaded after editing its code in a desktop editor on the Mac. This gives Mac users an experience similar to that of programmers on Linux desktops.
As of DockerCon, Docker for Mac and Windows are now public betas.
Comparisons with other tools
The orchestration features in Docker 1.12 are quite similar to orchestration features offered by existing tools, such as Kubernetes and Mesos Marathon. For example, Kubernetes offers service deployment and auto-failover, encryption support, rolling updates, pluggable network overlays, and service discovery. The older version of Docker Swarm also has some of those.
This is in line with Hykes's keynote. He emphasized that Docker engineers haven't invented anything new; instead, they've made complex infrastructure that was already available easy to use. "We're making powerful things simple," he said.
Further, version 1.12 will bring Docker Inc.'s own tools to near-parity on orchestration with tools offered by other companies or externally governed open-source projects. Since Docker Swarm and Compose had previously lagged considerably behind competing solutions in features, this puts a lot of pressure on projects like Mesos and Kubernetes to add features and address ease-of-use issues. Kubernetes seems to be focusing on adding features; version 1.3 was released in early July and includes many new configuration options for microservices as well as enhancements to scalability.
Hykes also assured attendees that the older Swarm and Docker Compose APIs would continue to work and be supported.
Docker 1.12 is currently in its third release candidate. The Docker for Mac and Windows betas include version 1.12. Linux users will need to get the 1.12 RC by downloading the "experimental" Docker packages.
Public clouds and the future of Docker
Hykes finished up by announcing integrated public cloud tools: "Docker for AWS" and "Docker for Azure." These two offerings automate deployment of the new Docker Swarm on Amazon Web Services or Microsoft Azure, respectively, including integration with accounts, permissions, and network security. People can apply to test these by requesting an invitation on the Docker web site.
The tools and features announced at DockerCon 2016 once again change the landscape of container tools. The near-native Mac and Windows versions remove what was perhaps the largest barrier to wider developer adoption of Docker as their main deployment technology. It's possible that they also remove a strong reason for developers to move to Linux on the desktop.
The container ecosystem is still fast-moving and changing substantially every few months. While it's hard to know what to expect in the next three or four months, we know that we can expect it to be different.
[ Josh Berkus works on container technology for Red Hat. ]
Index entries for this article: GuestArticles; Berkus, Josh
Posted Jul 14, 2016 12:29 UTC (Thu)
by smitty_one_each (subscriber, #28989)
Did Redmond improve Windows to support Docker, or does "Docker for Azure" imply a public confession from Mr. Softy that its own dog food ain't packin' the gear?
Posted Jul 14, 2016 17:28 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
Posted Jul 15, 2016 23:06 UTC (Fri)
by jberkus (guest, #55561)
Not that I'm giving up my Fedora desktop anytime soon. Native beats "native" any day.
Posted Jul 15, 2016 8:48 UTC (Fri)
by pabs (subscriber, #43278)
Posted Jul 15, 2016 9:02 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
Docker really depends on a lot of very Linux-specific functionality like namespaces and cgroups. Replicating them in Windows (or Mac OS) is a losing proposition - they are in constant flux right now.
Posted Jul 14, 2016 22:02 UTC (Thu)
by darwish (guest, #102479)
Posted Jul 19, 2016 16:12 UTC (Tue)
by paulj (subscriber, #341)
Granted, systemd doesn't have the whole "pull some random image built by $DEITY-knows-who" repository thing (yet) + some weird, ad-hoc DSL to specify building and modifying images. However, that's a feature for me.
Systemd instead encourages you to just use the normal system tools (dnf, yum, pacman, debootstrap, etc.) to install a distro to a directory or volume. Using the distro-provided mechanisms for validating what you installed is what was intended. It lets you use standard system tools for provisioning the storage, from the trivial (just don't bother with anything fancy) to the more complicated (overlays, LVM thin provisioning, etc.). Just much more natural to me. You can use standard scripting tools for running commands to manipulate images too (including easily running commands inside the container, even when not running / 'unbooted', via systemd-run) - a lot saner.
On "(yet)": They seem to be working on some kind of image management support. Unfortunately, it is heavily tied to specific OS features, e.g., btrfs, which is a shame. However, as long as it doesn't affect the existing "as you want" nature of the existing pieces, that's fine.
Posted Jul 21, 2016 14:19 UTC (Thu)
by mathstuf (subscriber, #69389)
systemd machinectl
Basically, for the benefit of anyone else like me: systemd-nspawn / machinectl ++, docker--.