As Docker the company continues to push its eponymous platform for building, deploying, and running applications in Linux containers into more enterprise data centers, more and more improvements are focused on the traditional enterprise IT musts, such as high availability and security.
The latest release of Docker, Docker 1.10, which came out earlier this month, adds a lot of features that are important to IT managers that deploy containerized applications in their data centers. Scott Johnston, Docker’s senior VP of product, ran us through some of the key additions in the latest release that will matter to them the most:
1. Automatic Rescheduling when Servers Fail
Swarm, Docker’s tool for managing the server clusters that containerized applications run on, can now automatically reschedule containers when a node in the cluster fails. Because it is aware of which containers run on which node, if one of the nodes fails, it will schedule those containers to run on a healthy node in the cluster.
The feature is experimental, meaning Docker isn’t ready to commit to productizing it just yet or guarantee that it will work as expected. Rescheduling workloads upon failure is fundamental to high-availability IT systems, and Docker wants to bring that to infrastructure that hosts Docker containers.
2. Better Clustering Capabilities for Servers
Until this release, if a node failed to attach itself to its intended cluster, the cluster would just launch without it. Now the node keeps trying to join the cluster until it reaches a pre-determined number of failed attempts.
3. Separate Privileges for Container and Host
Addressing a security issue, Docker has separated access privileges inside a container from access privileges outside it. In other words, if a user has a certain set of privileges inside a container, those privileges do not necessarily apply at the host level. If a user with root access inside a container can install malicious code, it doesn’t mean they’ll be able to do the same on the host, which contains the scale of damage they can do.
4. Simpler Way to Lock down Docker Engine
In the past, Docker has exposed application syscalls to system administrators to help them secure the Docker environment, but using that capability required deep kernel knowledge. The latest release introduces seccomp profiles, an industry-standard way to limit the types of syscalls an application can make. seccomp stands for “secure computing mode.”
The feature abstracts a highly technical level of kernel calls up to the level of security policy. In many cases sysadmins will already have seccomp profiles for their Linux hosts, and they can now apply those to the Docker Engine and the containers running on it.
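As an added illustration of what such a profile looks like and how it is evaluated (example code written for this article, not Docker’s own profile or tooling): the script below builds a deny-by-default seccomp profile for a constructed, illustrative syscall list, checks which syscalls a workload would be blocked from making before the profile is applied, and writes the JSON that Docker 1.10 loads with `--security-opt seccomp:<path>`. The `names` key is the later rule form; 1.10-era profiles use a singular `name` per entry, which the evaluator also accepts.

```python
import json

# Constructed example: syscalls a small network service needs. Anything not listed
# is rejected with EPERM by the default action below. (Illustrative list, not
# Docker's own default profile.)
ALLOWED_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "lseek", "mmap", "mprotect",
    "munmap", "brk", "rt_sigaction", "rt_sigprocmask", "socket", "bind", "listen",
    "accept4", "connect", "sendto", "recvfrom", "epoll_create1", "epoll_ctl",
    "epoll_wait", "exit_group", "futex", "getpid", "clock_gettime", "nanosleep",
]

def build_profile(allowed, default_action="SCMP_ACT_ERRNO"):
    """Build a Docker seccomp profile: deny by default, allow the listed syscalls."""
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW", "args": []}
        ],
    }

def is_allowed(profile, syscall):
    """Evaluate one syscall the way the filter does: the first matching rule wins,
    otherwise defaultAction applies. Accepts both the 'name' (Docker 1.10) and
    'names' (later) rule forms."""
    for rule in profile["syscalls"]:
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall in names:
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"

def denied_from(profile, wanted):
    """Report which of a workload's required syscalls the profile would block,
    so a profile can be checked before it is applied to a container."""
    return [s for s in wanted if not is_allowed(profile, s)]

def write_profile(path, profile):
    """Write the profile as JSON for: docker run --security-opt seccomp:<path> ..."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path

if __name__ == "__main__":
    profile = build_profile(ALLOWED_SYSCALLS)
    print(json.dumps(profile, indent=2))
    # Kernel-facing calls such as ptrace and mount are not listed, so they are denied.
    print(denied_from(profile, ["read", "ptrace", "mount", "keyctl", "reboot"]))
```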
5. Content-Addressable Image IDs
This new feature ties the ID of a Docker image to the content inside it. This adds an extra level of security: if a container image gets tampered with, it no longer matches the address derived from its content, and the tampering is easy to detect.
6. Authorization Plugins
New plugins give the administrator an easy way to set policies for access to the Docker daemon.
7. DNS Server Comes to Docker
DNS, the well-known and loved system for managing IP addresses within a system, is now embedded in Docker Engine. Hostname lookups can now be done with a DNS server, which makes the system overall more reliable and scalable.
8. Network Becomes an Object for Compose
Compose, Docker’s system for defining a containerized application and all of its infrastructure requirements so that it can be deployed in any environment, now treats networks as objects, the same way it treats containers and storage.
When developers build containerized apps, they usually don’t know what network stack their apps will run on in the data center. To them, the network is an abstraction. When IT managers deploy the app, they want to reference a specific network stack, and this new feature allows easy mapping between the application’s abstraction of the network as defined by the developer and the implementation of that network interface in the data center.