New Docker Engine |
Written by Kay Ewbank | |||
Tuesday, 28 October 2014 | |||
Docker has released a new version, Docker Engine 1.3, and has signed a partnership with Microsoft to add the open container technology to the next Windows Server and Azure. Docker is an open platform that you can use to build, ship, and run distributed applications. It provides a way of using containers, essentially lightweight virtual environments that sit on top of an operating system instance, and let you run an isolated app. The advantage Docker offers is that you can run the same app on different hardware and operating systems. It consists of the runtime and packaging tool, Docker Engine, and Docker Hub, a cloud service for sharing applications and automating workflows. Until now it has been only available for Linux-based applications. The Microsoft agreement means Docker Engine will work with the next release of Windows Server, and Docker Hub will integrate directly into Microsoft Azure. Microsoft will now support Docker’s open orchestration APIs, and the companies will collaborate on the multi-Docker container model.
Ben Golub, Docker's CEO says the team has been making significant progress towards enabling multi-container, distributed applications in the past few months, and have also been making progress on other critical capabilities for orchestration including provisioning and managing Docker hosts, creating clusters of Docker hosts, and inter-Docker container networking. The two companies plan to work with infrastructure tools for multi-container applications like Kubernetes, Mesos, and Helios to provide a uniform Docker interface that provides developers with multi-platform orchestration capabilities making use of Dockerized content from both Linux and Windows. One thing that’s not clear is the effect this will have on Microsoft Drawbridge, a research project that Microsoft has been working on to provide virtualization for application sandboxing. Meanwhile, Docker Engine 1.3 has digital signature verification of repos, the ability to spawn a new process inside your Docker container, tuning of container lifecyles, and new security options. The Digital Signature Verification means the Docker Engine will automatically verify all official repos using digital signatures. Official repos are Docker images that are curated and optimized by the Docker community, and provide the best building blocks for assembling distributed applications. The addition of a digital signature makes it safer to use an image as you’ll have proof it hasn’t been tampered with. The blog post about the new Docker version says this is: “the first of several features we’ll be shipping in the coming months for both publishers and consumers of repos, features that will support publisher authentication, image integrity and authorization, PKI management, and more.” The initial version of the digital signature verification only warns you if an official image is corrupted or tampered with, but you can still run it. Non-official images will not be verified, but the plan is that this will change in future versions. In the meantime, the advice is not to rely on the verification for serious security. The second improvement to the new version of the engine is the ability to inject new processes. If you need to look at an app while it’s running, there’s a new tool called docker exec that lets you spawn a process inside your Docker container via the Docker API and CLI. This is designed to offer a simpler, more integrated alternative to tools such as nsinit and nsenter. The security improvements to the new release let you set custom SELinux and AppArmor labels and profiles so you can specify the access and rights for a container process. By limiting the host access and rights, you can reduce the surface area of potential threats. A final improvement is to using boot2docker on Mac OS X. The problems when sharing directories between the operating system and containers have been addressed, and if you’re using Docker 1.3 with the corresponding version of boot2docker, host-mounted volumes should now work the way you expect them to.
More InformationRelated Articles
Comments
or email your comment to: comments@i-programmer.info |
|||
Last Updated ( Tuesday, 28 October 2014 ) |