The document provides an overview of Docker for developers. It summarizes Docker Toolbox, the previous solution for using Docker on Mac or Windows, and introduces Docker for Mac. Docker for Mac uses a new virtualization technique called HyperKit that embeds a lightweight Alpine Linux distribution. It also discusses networking and storage solutions in Docker for Mac that aim to provide a native Mac experience while integrating with existing developer workflows. The document concludes with brief discussions of Docker Cloud for security scanning and automation capabilities.
2. OVERVIEW
Current state of things (Docker Toolbox)
Docker for Mac
Virtualization
Networking
Storage
Docker Cloud
Docker Security Scanning
Automation (CI/CD)
Build, Test, Deploy
3. DOCKER TOOLBOX
All the Linux tools collected in one installer:
Bundle includes a full VirtualBox installation
Boot2Docker Virtual Machine
The Kitematic UI controlled these pieces
A relatively loose collection of components:
Installation and lack of integrated updates caused numerous user issues
Performance not ideal due to the layering, especially for file sharing
Yet most Docker users use a Mac or Windows host as their development environment
5. DOCKER FOR MAC
Easy drag and drop installation, and auto-updates to get the latest Docker.
Secure, sandboxed virtualisation architecture without elevated privileges.
Native networking support, with VPN and network sharing compatibility.
File sharing between container and host: uid mapping, inotify events, etc.
Aiming for a native OSX experience that works with existing developer workflows.
7. DOCKER FOR MAC > VIRTUALIZATION
Uses the new HyperKit framework, which is in turn based on xHyve and FreeBSD's bHyve.
Sandbox friendly: processes largely run as non-root, with privileges of the local user.
[Architecture diagram: OSX kernel (hardware virtualisation: VMX, nested paging) | OSX userspace: user process, Hypervisor.framework process | Linux kernel: VirtIO IPC, VirtIO Block, VirtIO Net | Alpine Linux userspace: latest Docker preconfigured, logs redirected to OSX host | also shown: QCow2, VPNKit]
8. DOCKER FOR MAC > VIRTUALIZATION
Embeds Linux: includes an embedded lightweight Alpine Linux distribution optimised for fast boot and stateless operation for containers.
$ docker info
Containers: 358
Running: 13
Paused: 0
Stopped: 345
Images: 485
Server Version: 1.11.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.4.9-moby
Operating System: Alpine Linux v3.3
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.858 GiB
9. DOCKER FOR MAC > VIRTUALIZATION
Sandbox friendly: processes largely run as non-root, with privileges of the local user.
Embeds Linux: includes an embedded lightweight Alpine Linux distribution optimized for fast boot and stateless operation for containers.
Drag 'n drop installation: Docker.app is self-contained, installs symlinks from the app bundle into /usr/local, and auto-updates.
Uses the new HyperKit framework, which is in turn based on xHyve and FreeBSD's bHyve.
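The "runs as non-root" claim is something a practitioner can verify on the host rather than take on trust. The following check is an added example, not code from the deck or from Docker: it parses `ps -axo user,pid,comm` output and reports which Docker for Mac components run as the local user, which run as root by design (the privileged port service the deck's networking diagram shows), and which run as root unexpectedly. The sample output, the install paths and the helper's executable name are constructed for the example; the component names com.docker.hyperkit, com.docker.osxfs and vpnkit follow the deck.

```python
"""Added check (not from the deck): confirm Docker for Mac host-side
components run as the local user rather than root.
Input is `ps -axo user,pid,comm` text; the sample below is constructed."""
import os
from typing import Dict, List, Tuple

# Constructed sample of `ps -axo user,pid,comm` output. Paths and the
# privileged helper's executable name are hypothetical.
SAMPLE_PS = """\
USER               PID COMM
alice              812 /Applications/Docker.app/Contents/MacOS/com.docker.hyperkit
alice              813 /Applications/Docker.app/Contents/MacOS/com.docker.osxfs
alice              814 /Applications/Docker.app/Contents/MacOS/vpnkit
root               790 /Library/PrivilegedHelperTools/com.docker.privileged-port-service
root                 1 /sbin/launchd
bob               1201 /Applications/Safari.app/Contents/MacOS/Safari
"""

# Components the deck says run with the local user's privileges.
USER_LEVEL = {"com.docker.hyperkit", "com.docker.osxfs", "vpnkit"}
# The one host helper the deck's port-forwarding diagram shows as privileged
# (hypothetical executable name).
EXPECTED_ROOT = {"com.docker.privileged-port-service"}


def parse_ps(output: str) -> List[Tuple[str, int, str]]:
    """Parse `ps -axo user,pid,comm` text into (user, pid, command) rows."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def is_docker_component(command: str) -> bool:
    """True for anything shipped in Docker.app or named com.docker.*"""
    return (os.path.basename(command) in USER_LEVEL
            or "com.docker." in command
            or "/Docker.app/" in command)


def privilege_report(output: str) -> Dict[str, List[str]]:
    """Bucket Docker components by the privilege they actually run with."""
    report: Dict[str, List[str]] = {"user_level": [], "expected_root": [],
                                    "unexpected_root": []}
    for user, _pid, command in parse_ps(output):
        if not is_docker_component(command):
            continue
        name = os.path.basename(command)
        if user != "root":
            report["user_level"].append(name)
        elif name in EXPECTED_ROOT:
            report["expected_root"].append(name)
        else:
            report["unexpected_root"].append(name)   # worth investigating
    return report


if __name__ == "__main__":
    # On a real Mac: privilege_report(subprocess.check_output(
    #     ["ps", "-axo", "user,pid,comm"], text=True))
    for bucket, names in privilege_report(SAMPLE_PS).items():
        print(f"{bucket}: {names}")
```

Anything landing in `unexpected_root` (for instance the hypervisor process itself) contradicts the sandboxing design the deck describes and should be explained before the install is trusted.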
12. DOCKER FOR MAC > NETWORKING
Want to hide the gory details of virtualisation from the user. The Linux VM should be "invisible".
Not solving this leads to many user complaints:
VPN software and corporate installations do not like bridged virtual machines or custom routing.
Result: container traffic cannot connect to the Internet.
Services cannot be exposed on localhost or the external interface and are instead on the Linux VM IP address.
Result: breaks common web OAuth workflows.
13. DOCKER FOR MAC > NETWORKING
Challenge #1: Deal with custom VPN software on the host that makes it difficult to bridge.
Solution: VPNKit efficiently reconstructs container traffic into separate TCP/IP flows and translates them into native OSX/Windows sockets.
[Diagram: OSX Host | Linux Host | Container. Container RUN <...> traffic crosses an Ethernet bridge to com.docker.hyperkit-net, which reconstructs the traffic into TCP flows and translates them to OSX socket calls; labels also shown: DHCPv4, NTP.]
14. DOCKER FOR MAC > NETWORKING
Challenge #1: Deal with custom VPN software on the host that makes it difficult to bridge.
Benefit: All network traffic is generated from normal socket calls (e.g. gethostbyaddr) on the Mac, so it interacts well with firewalls, VPNs, and any local security policies.
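The step that makes this possible is the one the slide glosses over: VPNKit does not forward raw packets, it reassembles the frames it receives from the VM's virtual NIC into distinct TCP/IP flows, and each flow is then served by one ordinary host socket. The code below is an added illustration of that first stage, not VPNKit's own code: it parses Ethernet II / IPv4 / TCP frames, keys them by 4-tuple, and keeps per-flow state (SYN seen, packet count, payload bytes) of the kind a host-side proxy would need before opening a native socket. The frames, MAC addresses and IPs are constructed in-line (documentation range 192.0.2.0/24, zeroed checksums); non-TCP frames such as ARP are skipped.

```python
"""Added illustration, not VPNKit's own code: reconstruct raw Ethernet
frames from a VM's virtual NIC into distinct TCP/IP flows (one per
4-tuple), the stage that precedes translating each flow to a host socket.
All frames below are constructed in-line; checksums are left at zero."""
import socket
import struct
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
VM_MAC = b"\x02\x50\x00\x00\x00\x01"   # constructed locally administered MACs
GW_MAC = b"\x02\x50\x00\x00\x00\x02"


def build_tcp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                    flags: int, payload: bytes = b"") -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame for the sample input."""
    eth = GW_MAC + VM_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset (5 words) << 4, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags,
                      65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Tuple[FlowKey, int, bytes]]:
    """Return (flow key, TCP flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34:                  # shorter than eth + minimal IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, ...: not a TCP flow
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len > len(ip) or ip[9] != IPPROTO_TCP:
        return None                      # malformed, truncated, or not TCP
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return None
    return (src_ip, src_port, dst_ip, dst_port), tcp[13], tcp[data_offset:]


def reconstruct_flows(frames: List[bytes]) -> "OrderedDict[FlowKey, Dict]":
    """Group frames by 4-tuple; each entry is the state a proxy would keep."""
    flows = OrderedDict()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, flags, payload = parsed
        entry = flows.setdefault(key, {"syn_seen": False, "packets": 0,
                                       "data": b""})
        if flags & TCP_SYN:
            entry["syn_seen"] = True     # a host socket would be opened here
        entry["packets"] += 1
        entry["data"] += payload         # bytes to write to that socket
    return flows


# Constructed sample: one HTTP flow (SYN then data), one HTTPS SYN, one ARP.
SAMPLE_FRAMES = [
    build_tcp_frame("172.17.0.2", "192.0.2.10", 40000, 80, TCP_SYN),
    build_tcp_frame("172.17.0.2", "192.0.2.10", 40000, 80, TCP_PSH | TCP_ACK,
                    b"GET / HTTP/1.1\r\n"),
    build_tcp_frame("172.17.0.2", "192.0.2.10", 40001, 443, TCP_SYN),
    b"\xff" * 6 + VM_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for key, entry in reconstruct_flows(SAMPLE_FRAMES).items():
        print(key, entry["packets"], "packets", len(entry["data"]), "bytes")
```

Because every flow ends up as a normal socket call on the host, host firewall rules and VPN split-tunnel policy see container traffic exactly as they see any local application's traffic, which is the benefit the slide claims.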
15. DOCKER FOR MAC > NETWORKING
Challenge #2: Services publishing ports should be exposed on localhost without needing VM info.
Solution: VPNKit forwards container port requests to an OSX service which binds them natively on its external interface.
[Diagram: OSX Host | Linux Host | Container. Components shown: Privileged Port Service, Port Service, VSock Binder, VSock Listener, Userland Proxy; container with EXPOSE and RUN <...>.]
16. DOCKER FOR MAC > NETWORKING
Challenge #2: Services publishing ports should be exposed on localhost without needing VM info.
Benefits: docker run -P on the Mac now works without requiring any knowledge of the VM innards. External OAuth workflows operate with web apps.
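The flip side of "binds them natively on its external interface" is that a port published with `docker run -P` is reachable from the network, not just from the Mac, unless the binding is restricted. The check below is an added example, not code from the deck or from Docker: it parses the output of `docker port <container>` (real format: `80/tcp -> 0.0.0.0:32768`) and flags bindings on the wildcard address, then builds the explicit `-p 127.0.0.1:HOST:CONTAINER` argument (real `docker run` syntax) that keeps a service on loopback. The sample output is constructed.

```python
"""Added check (not from the deck): find container ports published on all
host interfaces and show the loopback-only binding to use instead.
Parses `docker port <container>` output; the sample below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed `docker port` output: two ports published by `-P` (wildcard
# host address) and one published explicitly with `-p 127.0.0.1:5432:5432`.
SAMPLE_DOCKER_PORT = """\
80/tcp -> 0.0.0.0:32768
443/tcp -> 0.0.0.0:32769
5432/tcp -> 127.0.0.1:5432
"""

# "<container_port>/<proto> -> <host_ip>:<host_port>"; host_ip is greedy so
# that IPv6 wildcards such as ":::32768" parse with host_ip "::".
LINE_RE = re.compile(
    r"^(?P<cport>\d+)/(?P<proto>tcp|udp) -> (?P<host>.+):(?P<hport>\d+)$")
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]"}


def parse_docker_port(output: str) -> List[Dict]:
    """Turn `docker port` lines into binding records; unknown lines skipped."""
    bindings = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        bindings.append({
            "container_port": int(match["cport"]),
            "proto": match["proto"],
            "host_ip": match["host"],
            "host_port": int(match["hport"]),
        })
    return bindings


def wildcard_exposures(output: str) -> List[Tuple[int, str, int]]:
    """(container_port, proto, host_port) for every all-interfaces binding."""
    return [(b["container_port"], b["proto"], b["host_port"])
            for b in parse_docker_port(output)
            if b["host_ip"] in WILDCARD_ADDRS]


def loopback_flag(container_port: int, host_port: int = None,
                  proto: str = "tcp") -> str:
    """The -p argument that publishes the port on the Mac's loopback only."""
    host_port = container_port if host_port is None else host_port
    suffix = "" if proto == "tcp" else f"/{proto}"
    return f"-p 127.0.0.1:{host_port}:{container_port}{suffix}"


if __name__ == "__main__":
    # On a real host: subprocess.check_output(["docker", "port", name], text=True)
    for cport, proto, hport in wildcard_exposures(SAMPLE_DOCKER_PORT):
        print(f"{cport}/{proto} is reachable on every interface via host port "
              f"{hport}; to keep it local use: {loopback_flag(cport, hport, proto)}")
```

For a development laptop that moves between networks, running this after `docker run -P` and rebinding anything that is not meant to be shared is cheaper than discovering the exposure through a coffee-shop port scan.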
19. DOCKER FOR MAC > STORAGE
Challenge #1: Share an arbitrary OSX directory tree into a Linux container without requiring extensive modification of either side.
Solution: Use a FUSE forwarding layer and translate Linux filesystem calls to OSX equivalents.
[Diagram: OSX Host | Linux Host | Container. A container VOLUME is served by com.docker.osxfs over FUSE, which tracks extra metadata and translates the calls to OSX filesystem calls.]
20. DOCKER FOR MAC > STORAGE
Challenge #1: Need filesystem activation so events on the Mac wake up container servers and vice versa.
Solution: osxfs uses the FSEvents API and injects inotify activation events into the container.
[Diagram: OSX Host | Linux Host | Container. VOLUME served by com.docker.osxfs over FUSE; FSEvents watches open files; events from Linux cause OSX apps to wake up.]
22. DOCKER FOR MAC
MULTI-CPU ARCH
$ docker run resin/armv7hf-debian uname -a
Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux
$ docker run justincormack/ppc64le-debian uname -a
Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
25. DOCKER CLOUD: SECURITY SCANNING
Deep visibility into security profile
Continuous monitoring and notifications
Secure across the content lifecycle
28. DOCKER CLOUD: AUTOMATION
[Diagram: Dev -> Build (CI) -> Deploy (CD) -> Manage; code repo and image repo feed the pipeline; Manage covers monitoring, logging, scaling.]