Docker Shows Maturity in Latest Release with IPv6 Support, Read-Only Containers
Docker version 1.5 was released this week, bringing new features and bug fixes that focus on security, IPv6 support and improved stats reporting. The new features were announced on the Docker blog after four rounds of iteration with regular input from the Docker community via GitHub and the Google Users Group.
In all, the feature upgrades are getting a general thumbs up from the community. If nothing else, they show how broadly Docker has been accepted and why it is becoming clear that Docker will be the standard for packaging apps for the next several years.
Key new features include IPv6 support, read-only containers, improved stats reporting from inside containers, the ability to specify which Dockerfile a build uses, and the option to run a container in the host PID namespace.
IPv6 Support
Enterprise customers are either evolving towards IPv6 or are already running purely on it, said Product Manager Ben Firshman, who founded Orchard and sold it to Docker. At Orchard he and his team created Fig, the multi-container orchestration tool that Docker adopted (it became Docker Compose). According to the Docker blog post, starting the daemon with the new --ipv6 flag allocates an IPv6 address to each container, drawn from the subnet given by the companion --fixed-cidr-v6 flag. IPv6 addresses can be resolved from within a container, and because the addresses are routable rather than NATed, containers on different hosts can address each other directly. Want more on this? As noted on Hacker News, the documentation and the GitHub discussion have the details.
Read-Only Containers
One of the chief security criticisms of Docker to date has been that a process compromised inside a container can write anywhere in the container's filesystem: tampering with the application's binaries and scripts, dropping attack tooling, or persisting across restarts. With the release of Docker 1.5, users can start a container with docker run --read-only, which mounts its root filesystem read-only so that only explicitly mounted volumes remain writable, adding another way to contain this risk. The flag does not by itself stop a container from reaching outside its boundary, but it removes the writable surface an intruder would normally rely on.
“The Docker community continues to focus on adding new capabilities around security and we make incremental progress in every release,” said Firshman. “Read-only allows you to specify exactly which parts of the running container can be modified, substantially reducing your attack surface.”
There’s a decent conversation on Hacker News with Solomon Hykes addressing issues brought up in the thread.
Improved Stats Logging from Inside Containers
Docker has introduced a new stats API endpoint, along with a docker stats command, that streams the resource usage of each running container (CPU, memory, network and block I/O) for more in-depth monitoring. While users can access the API to build their own dashboards, application logging service Logentries has already built a Docker Logentries Container product based on the Docker Stats API which includes standard templates for creating common dashboards. Cofounder and Chief Scientist Trevor Parsons says Logentries will “make logging easier in a production environment and will listen and directly communicate with all your containers and send that information in real time.”
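The stats endpoint returns cumulative counters, not percentages, so a consumer has to keep the previous sample and compute rates itself; that is also where a sudden change (a CPU spike from a cryptominer, or an egress burst that looks like exfiltration) becomes visible. The following is an added example, not code from the article or from Docker or Logentries: two constructed samples in the shape of the Docker 1.5 stats response, the CPU and memory calculation that docker stats performs, and a simple threshold check. The thresholds and the sample numbers are assumptions chosen for the example.

```python
import json
from datetime import datetime

# Two consecutive samples in the shape returned by GET /containers/<id>/stats
# (Docker 1.5, API 1.17). The numbers are constructed for this example; the field
# names are Docker's. The CPU counters are cumulative nanoseconds, so a rate needs
# the previous sample as well as the current one.
SAMPLE_T0 = json.loads("""{
  "read": "2015-02-11T10:00:00.000000000Z",
  "network": {"rx_bytes": 1024, "tx_bytes": 2048},
  "memory_stats": {"usage": 52428800, "limit": 1073741824},
  "cpu_stats": {
    "cpu_usage": {"total_usage": 1000000000, "percpu_usage": [600000000, 400000000]},
    "system_cpu_usage": 100000000000
  }
}""")
SAMPLE_T1 = json.loads("""{
  "read": "2015-02-11T10:00:01.000000000Z",
  "network": {"rx_bytes": 4096, "tx_bytes": 1050624},
  "memory_stats": {"usage": 314572800, "limit": 1073741824},
  "cpu_stats": {
    "cpu_usage": {"total_usage": 1600000000, "percpu_usage": [1000000000, 600000000]},
    "system_cpu_usage": 102000000000
  }
}""")


def _read_time(sample):
    # "read" carries nanoseconds and a trailing Z; keep microseconds for fromisoformat.
    return datetime.fromisoformat(sample["read"][:26])


def cpu_percent(prev, cur):
    """Host CPU share, computed the way `docker stats` does it: the container's
    share of the host's CPU time over the interval, scaled by the CPU count."""
    cpu_delta = (cur["cpu_stats"]["cpu_usage"]["total_usage"]
                 - prev["cpu_stats"]["cpu_usage"]["total_usage"])
    sys_delta = cur["cpu_stats"]["system_cpu_usage"] - prev["cpu_stats"]["system_cpu_usage"]
    ncpu = len(cur["cpu_stats"]["cpu_usage"]["percpu_usage"])
    if sys_delta <= 0 or cpu_delta < 0:  # counter reset or identical samples
        return 0.0
    return cpu_delta * ncpu * 100.0 / sys_delta


def memory_percent(cur):
    """Memory usage relative to the cgroup limit."""
    limit = cur["memory_stats"]["limit"]
    return cur["memory_stats"]["usage"] * 100.0 / limit if limit else 0.0


def tx_bytes_per_second(prev, cur):
    """Outbound byte rate between the two samples."""
    seconds = (_read_time(cur) - _read_time(prev)).total_seconds()
    if seconds <= 0:
        return 0.0
    return (cur["network"]["tx_bytes"] - prev["network"]["tx_bytes"]) / seconds


def anomalies(prev, cur, cpu_limit=80.0, mem_limit=90.0, tx_limit=512 * 1024):
    """Threshold check over one interval. The limits are assumptions for the
    example; tune them per workload. Returns a list of findings, empty when
    the container looks normal."""
    findings = []
    cpu = cpu_percent(prev, cur)
    if cpu > cpu_limit:
        findings.append(f"cpu {cpu:.1f}% exceeds {cpu_limit}%")
    mem = memory_percent(cur)
    if mem > mem_limit:
        findings.append(f"memory {mem:.1f}% exceeds {mem_limit}%")
    tx = tx_bytes_per_second(prev, cur)
    if tx > tx_limit:
        findings.append(f"egress {tx:.0f} B/s exceeds {tx_limit} B/s")
    return findings


if __name__ == "__main__":
    print(f"cpu {cpu_percent(SAMPLE_T0, SAMPLE_T1):.1f}%  "
          f"mem {memory_percent(SAMPLE_T1):.1f}%")
    for finding in anomalies(SAMPLE_T0, SAMPLE_T1):
        print("ALERT:", finding)
```

On the constructed samples the container sits at 60% of two CPUs and under 30% of its memory limit, but it pushed 1 MiB in one second, so only the egress threshold fires. Docker 1.5's response has no precpu_stats field (later API versions added one), which is why the previous sample is kept on the client side here.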
Ability to Specify the Dockerfile to Use in Builds
Firshman explains that the new -f option to docker build, which selects the Dockerfile to use, “provides more flexibility when building images by allowing you to use the same code to produce several different images. For example, you might want to have an image that compiles your code, then a different image to run your compiled code. This makes that process much easier.”
Adrian Mouat, who is Chief Scientist at Container Solutions, agrees. “If you wanted to build more than one image, you had to use shell scripts, so this automates those multiple images from a single build context,” said Mouat.
Using the Host PID Namespace
One of the lesser-discussed new features is the new --pid=host flag for docker run, which lets a container share the host's PID namespace instead of getting its own. A container started this way can see and signal every process on the host, and with CAP_SYS_PTRACE it can attach a debugger to them, so it should be treated as host-level access and reserved for short-lived diagnostic work rather than everyday services. Mouat is excited by the potential this opens up, having written about wrapping desktop apps in Docker last year.
“I see the PID feature as enabling more tools/apps to be wrapped in containers. Docker specifically mentions this feature is intended to allow containers with debuggers to inspect processes on the host. I think the idea is that you can download and run a container that has been specifically set up to debug the class of program you’re running, solve your problem and throw away the container again. This could potentially save a lot of time installing and configuring specialist debug tools.”
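Both the read-only root filesystem and the host PID namespace show up in docker inspect output, which makes them easy to audit across a host. The following is an added example, not code from the article, from Docker or from any of the people quoted: it takes the JSON that docker inspect prints (constructed here for two containers, one hardened with --read-only and one debugging container started with --pid=host and --cap-add=SYS_PTRACE) and reports the settings a reviewer would flag. The container names and the bind mount path are assumptions for the example; the HostConfig field names are the ones Docker writes.

```python
import json

# `docker inspect <container> ...` prints a JSON list with one object per container.
# This input is constructed for the example, but the HostConfig fields are the ones
# Docker 1.5 records for --read-only (ReadonlyRootfs), --pid=host (PidMode),
# --privileged (Privileged), --cap-add (CapAdd) and -v bind mounts (Binds).
INSPECT_OUTPUT = json.loads("""[
  {
    "Name": "/web",
    "HostConfig": {
      "ReadonlyRootfs": true,
      "PidMode": "",
      "Privileged": false,
      "CapAdd": null,
      "Binds": ["/srv/web/data:/data"]
    }
  },
  {
    "Name": "/debugger",
    "HostConfig": {
      "ReadonlyRootfs": false,
      "PidMode": "host",
      "Privileged": false,
      "CapAdd": ["SYS_PTRACE"],
      "Binds": null
    }
  }
]""")


def audit_container(entry):
    """Return the security findings for one `docker inspect` entry."""
    hc = entry.get("HostConfig") or {}
    caps = set(hc.get("CapAdd") or [])
    findings = []
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: a compromised process can "
                        "alter binaries and persist; consider --read-only with -v "
                        "volumes for the paths that must be written")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace: every host process is "
                        "visible and can be signalled from inside the container")
        if "SYS_PTRACE" in caps:
            findings.append("CAP_SYS_PTRACE in the host PID namespace allows "
                            "attaching to host processes; treat as host-level access")
    if hc.get("Privileged"):
        findings.append("runs --privileged: all capabilities and host devices")
    return findings


def audit(inspect_output):
    """Map container name -> findings for a whole `docker inspect` listing."""
    return {entry["Name"]: audit_container(entry) for entry in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(INSPECT_OUTPUT).items():
        status = "ok" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run against the real output of docker inspect $(docker ps -q), this reports /web as clean and lists three findings for /debugger. The point is not that a debugging container is wrong, but that one left running after the investigation Mouat describes is worth noticing.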
The update looks impressive to James Turnbull, former Docker VP and author of The Docker Book.
“For me the most important aspect of Docker 1.5.0 is the huge advance in stability and performance. I’m really happy to see so many bugs fixed and performance problems addressed. The groundwork has also been set for more open development around networking and images.”
Image via Flickr Creative Commons.