DockerCon 2017: Moby, LinuxKit, Linux Containers on Windows, and More


Last week I attended DockerCon along with many of my colleagues at Aqua. It was a great event, with over 5,000 attendees, making it the biggest DockerCon ever. Also, this year 20% of attendees were women - still room for improvement, but we’re on the right track. As usual, it was packed with interesting announcements and events. Here are a few of my highlights.

Hello Moby!

Welcome Moby! The biggest announcement was that Docker are moving much of their code to this new open source project, which will be the upstream community source on which Docker products will be based.

The Moby project is designed to be used by system builders who want to build container systems. They can mix-and-match pluggable infrastructure components from the Moby project to create a deployable container system. It’s not intended for application developers and Docker users, who will continue using the Docker tools they’re familiar with today.


Source: Solomon Hykes on Twitter.

Docker will use the Moby project to develop new components and collaborate with the ecosystem on new container technologies. All of Docker’s open source collaboration will move to the Moby project.

This change clarifies the relationship between Docker the company and its products, and the open source code. It makes it easier for Docker to build value-add features into their products that might not necessarily be the right thing for the upstream codebase, something the community should welcome. At the Internals Summit on Day 3 of DockerCon, Solomon gave a great example of this: they can now build a feature into the Docker command line to allow people to raise support issues directly with Docker through their login ID, without requiring other versions of the CLI tool based on the open source code to provide the same level of support.

Here’s more information about the Moby project on Docker’s blog.


Introducing LinuxKit


LinuxKit is a new open source toolkit for building Linux distributions. You can pick and choose the components you need to build a minimal immutable image that suits your particular system needs - and by “minimal” we mean that the OS can be 35MB, with a boot time of just a few seconds. Because all system services are actually containers, you can replace them, or even remove them if they are not required.

Running system services in containers has additional benefits: each service is sandboxed, and each one runs in its own cgroup.

Creating a bootable OS with LinuxKit is super-easy - this post by Docker Captain Alex Ellis shows how to create a minimal LinuxKit OS distribution with OpenSSH in less than 10 minutes.


Source: Alex Ellis’s Blog 

LinuxKit has a lot of interesting applications - for example, building minimal images for IoT devices, or dedicated machine images for your application cluster with only the components you need, which reduces the attack surface.

Running Linux Containers Natively on Windows Server

Hold on! What is the world coming to? Linux on Windows?? That’s right - you’ll be able to run Linux containers natively on Windows Server.

Up until now you could only run Windows containers natively on Windows Server. You will soon be able to run both Windows and Linux containers, side by side, on the same Windows Server host. This is going to be awesome!

The new support is achieved by using Hyper-V isolation as described in this announcement from Microsoft.


Secure orchestration

At Aqua we’re always interested in container security! So it was good to see Diogo Monica’s demo of the security features in Docker Swarm, including cryptographic node identity and mutual TLS (mTLS) between all nodes by default, making it easy for Swarm users to ensure their container traffic is encrypted and not vulnerable to man-in-the-middle attacks.

Enterprise focus

The branding around the conference had a somewhat retro look-and-feel. It turned out that this related to the concept of moving traditional (sometimes decades-old) enterprise apps into containers.
There’s definitely a sense that more and more large companies are embracing the world of containers - for example Oracle, MetLife and Visa all took to the stage during the keynote sessions. This in turn means that the container community is not just about open source projects; there is no doubt that real business is being done at DockerCon these days. Our team was booked solid throughout with back-to-back meetings.

Moby Mingle Areas

The exhibition and sessions are awesome, but perhaps the greatest thing about DockerCon is the community! This year there was a new networking platform called “Moby Mingle” which was a great success. Attendees published offers of expertise, so that others could request 1-on-1 sessions in the “Moby Mingle” areas to discuss those topics.

Several of us from the Aqua team offered Mingles on the topic of container security, which turned out to be very hot at this year’s DockerCon. Between us we held more than 50 Moby Mingle sessions, which was a great way to meet other attendees and share knowledge and expertise.

The Expo

The expo area was buzzing all three days. At the Aqua Security booth we gave away more than 100 drones to smiling winners. We also gave out our now famous (or infamous?) “Keep Calm and :() { : | : }; :” T-shirts that became particularly popular after my conference talk where I demonstrated a fork bomb (that’s what that cryptic-looking string of punctuation is, by the way).


Liz Rice

Liz Rice was the VP of Open Source Engineering at Aqua Security.