A report from the first DockerCon

Docker Inc. and the Docker community celebrated a 1.0 release at the first DockerCon, which was held in San Francisco on June 9 and 10. The conference slogan was "Containers Are the New Virtualization", which was not only a vision for Docker, but also a challenge to virtualization software projects. DockerCon was packed with new product and project announcements as well as demos by Docker Inc., Google, Amazon, IBM, Red Hat, and other Docker-adopting companies. The conference certainly demonstrated the excitement around Docker that has built over the last year. While almost every presenter and keynote speaker had something new to show off, the most interesting announcements and demos came from Docker Inc. itself, and from Google.

First, however, a recap on the Docker project and technology for those unfamiliar is in order. If you already know about Docker and containers on Linux, you can skip to the next section.

Some background

According to its GitHub page: "Docker is an open source project to pack, ship and run any application as a lightweight container". More technically, Docker is a management tool that enables users to easily package and deploy single-service "containers" as an alternative to virtual machines or traditional installation scripts and packages. The project's goal is to deliver the advantages of virtual machines, including isolation, portability, and easy deployment, without the overhead.

The first thing to understand is: containers are not virtual machines. A virtual machine (VM) creates an isolated runtime environment for software based on "hardware virtualization", where the VM emulates a complete hardware environment for a full guest operating system and kernel. Containers operate at a different layer: they provide an isolated operating system (OS) and filesystem environment that supports an isolated guest user space that all runs on the same kernel as the host OS.

Containers have a long history, and Docker is just the latest implementation. Within open source, FreeBSD pioneered containers with jails in version 4.0. This was followed by Solaris Zones and Solaris Containers in OpenSolaris 10. Container support came to Linux in several competing libraries starting with OpenVZ in 2005 and LXC in 2006. Docker was originally based on LXC, but switched to using its own libcontainer in release 0.9.

Docker was created by the company DotCloud as part of its platform-as-a-service (PaaS) infrastructure. The company open-sourced Docker in March 2013 under the Apache License, and it quickly came to eclipse the company's cloud services in popularity. In October, the company was renamed to Docker Inc., and began planning for the first DockerCon.

The advantages of containers over VMs are that they require fewer system resources, start up much faster, and are smaller and easier to deploy. For example, on my laptop a VirtualBox VM running PostgreSQL on Ubuntu uses about 2GB of disk space and takes a couple minutes to start up, whereas a Docker container uses around 200MB of space and starts up in less than five seconds. This enables the Docker approach of "one application, one container", as it is reasonable to run dozens of containers on a single commodity server.

Compared to VMs, the main limitation of containers is that they run on the same kernel as the host operating system. This means that you cannot run a completely different operating system, such as Windows, on top of Linux using a container, and even the ability to run different Linux distributions is limited by kernel compatibility. Right now, this is especially restrictive since Docker recommends using Linux kernel 3.8 and higher for technical reasons. It will seem less restrictive as Red Hat Enterprise Linux 7.0, which is based on the 3.10 kernel, becomes more widely deployed.

What Docker adds to containers is a suite of integrated management tools. First there's the concept of "images", which are stripped-down sets of operating system files that supply the foundation of a container. There are a number of "base images" for various Linux distributions, including Ubuntu, CentOS, and Amazon Linux. Users then make their own changes to the OS environment and save new images. These sets of changes are known as "layers" and are implemented either via a union file system, such as aufs or, more commonly these days, using Btrfs snapshots.

The second major thing Docker does for you is allow you to customize these containers through the "Dockerfile", which is a configuration file that runs commands on the container and launches the service that will be the "main service" for the container. For example, if you have a container that is your Apache HTTPD container, that's the main service, and when HTTPD shuts down, so does the container. This makes it easier to use containers as part of automated testing and deployment, and is a great deal like the virtual machine management offered by Vagrant. Docker also helps create and manage virtual networking, file sharing, and system resource allocations for the containers.

Docker 1.0 and DockerHub

Docker CEO Ben Golub kicked off DockerCon with a keynote announcing two things: the release of Docker 1.0, and the launch of Docker Hub. Golub, who previously was CEO of Gluster, joined Docker in July 2013, after the first open-source release. He spent some time talking about the momentum and accomplishments of Docker Inc. and the Docker community, including the success of its open source community-building effort. Thanks to the Apache license and an open contribution policy, he said, it has received contributions from over 450 people, including nearly 400 outside contributors.

Then he unveiled Docker 1.0, which was released the day before DockerCon. For those who have been following Docker development, there were no big surprises; 1.0 was identical to the release candidate 0.12.0. For those who haven't touched Docker in a while, though, there are a bunch of changes, some of them fairly fundamental, which have come about in the last three months since Docker 0.8.

First, Docker is no longer based on LXC, and as of version 1.0 works with multiple container libraries. This means it's possible to run Docker instances using libcontainer, LXC, OpenVZ, and various virtualization tools. It is also theoretically compatible with Solaris Zones and FreeBSD jails, although there were no demonstrations of that. Not all Docker features will work with all container types, and it seems likely that only libcontainer will support everything. The developers have also made the filesystems pluggable, supporting Btrfs, aufs, and device-mapper for storage, with plans to support other filesystems, such as XFS, in the near future.

Docker 1.0 adds the ability to pause and resume containers to save CPU cycles. It has improved security and made Docker compatible with SELinux and AppArmor for high-security environments. There were also a bunch of minor improvements to Dockerfiles and Docker commands to fix longstanding issues. Boot2docker, a lightweight VM that allows Mac and Windows users to use Docker, has also been brought up to 1.0 status. Finally, libcontainer has become its own, standalone project.

More importantly, with the 1.0 release, the Docker project is declaring this a stable version of the software, and Docker Inc. will be offering long-term support for it. The project is promising a stable API with a commitment to backward compatibility for the future. Accordingly, Docker has requested and received its official port numbers from the Internet Assigned Numbers Authority (IANA) for HTTP and HTTPS API traffic: 2375 and 2376, respectively.

The other big new thing is Docker Hub, which is a centralized repository for container images. Users can upload and download images of OS and application containers from it, and downloading from Docker Hub is the default option for new container deployments in the Docker API. The images stored at Docker Hub include users' personal application images and "Official Repositories", which are vetted and curated images managed by Docker staff and trusted outsiders. These include both base-level OS images, like "Ubuntu", and application images, such as "WordPress".

Docker Hub and the namespace for images are organized like GitHub, except for the official images. For example, the official PostgreSQL image is at "postgres", and if I create and release my own version, it will be at "jberkus/postgres". Also like GitHub, public image repositories will be free, but private ones will require a paid account.

Google's Docker tools

During DockerCon, multiple companies, including Amazon, Red Hat, Rackspace, and IBM, announced and demonstrated various products and tools designed to work with Docker. To me, the most interesting of these talks was the keynote given by Google's Eric Brewer on the second morning of DockerCon. It was engaging because not only is Google using Docker, it is releasing a whole bunch of internal tools for Docker as open source.

According to Brewer, Google has been using containers for a while, which are based on an internal management tool set that was never open sourced. Containers are "application-centric", which is how Google does things, and are suitable for large-scale application framework load-balancing. "Google deploys over two billion containers per week," said Brewer. "We run containers inside VMs on top of containers."

So when Docker came along, Google decided to embrace it and portions of the company's infrastructure have been converted to using Docker. And, starting recently, Google has been contributing to it.

In October 2013, Google released its own container system that was originally in competition with Docker. It bears the cute name of "LMCTFY", which stands for "Let Me Contain That For You", after a well-known web site. LMCTFY offers resource-managed containers, which use control groups to limit CPU, memory, and I/O usage by each container so that more containers can share a single machine. LMCTFY also supports nested containers, which enables grouping containers.

Google plans to take this resource management code and move it into Docker to give it the same capabilities. Its first effort, released for the hackathon on the day before DockerCon, is cadvisor, which is a tool that reports container resource usage on the host system.

Like the Docker project, Google also endorses the mantra of "one service, one container". However, this means that you have a lot of closely related containers which need to be deployed, then start and stop together. For example, you might have a container which has a web application server, a second container which has mapped file storage, and a third which has a logger service. Google uses nested containers to group these containers into "pods", which are deployed as a unit and are intended to share a single IP address.

To support this architecture, Google has released the Kubernetes project, which is an "orchestration" system for groups of containers organized into pods. These pod configurations are controlled through a configuration file in JSON that also supports the idea of load-balanced groups of pods. Pods communicate through ports assigned to each service at declaration time. All of this is designed to enable the rapid provisioning of large groups of servers based on a declarative configuration.

Brewer said that Google plans to open source more internal container-management tools in the future to make Docker the "open standard" for containerization on the web. All of these projects will be under the Google Cloud Platform group of tools.

More DockerCon

Of course, there were many other presentations and demos during the conference. Amazon announced that it was changing its application deployment service, Elastic Beanstalk, to be based on Docker in the future. Speakers from Chef, SaltStack, and Puppet each showed off using their management tools to deploy containers. Red Hat talked about its new Project Atomic, a lightweight version of RHEL designed to both run, and be run on, containers.

One of the major areas of technical competition among the various companies at DockerCon was "orchestration", which means tools to manage large numbers of containers on many physical hosts. In addition to Google's Kubernetes project, there were talks and demos of Red Hat's GearD and Apache Mesos. Docker Inc. is also working on a new orchestration tool called libswarm.

Overall, DockerCon was impressive in the amount of enthusiasm, adoption, and technology arrayed around a project which is only fifteen months old. In a little over a year, it has acquired a full ecosystem of dependent projects and competing corporate contributors of which any open source project would be proud. I could not help but come away from the conference convinced that I'll see a lot more of Docker in the future. In fact, I'm already working on improvements to the official PostgreSQL image.