New Docker Network Promises Protocol for Linking Containers
As part of what promises to be a large wave of announcements from Monday’s DockerCon 2015 in San Francisco, Docker Inc. CTO Solomon Hykes introduced to a packed conference hall a new component of Docker containerization called “Docker Network,” to be previewed to developers through a new non-production distribution channel.
Hykes characterized Docker Network as the sixth increment in an evolutionary path of problem solving, which he portrayed as nothing less than the move toward a completely programmable Internet through a common language.
The idea is to endow Docker containers with a standardized networking protocol for the purpose of linking containers with one another. In interviews with The New Stack, VMware told us it has contributed expertise and guidance to this project as well, including a concept it described to us as “micro-segmentation.” (Over time, we’ll probably get rid of the hyphen there.)
Although this concept has yet to be described on stage this morning, micro-segmentation is the clustering of related containers into a localized subnet, the entirety of which is maintained by a stateful service (that is not a typo, we do mean “stateful,” not “stateless”) that acts both as a firewall and a layer of abstraction.
Hykes said that Docker Network adheres, to a degree, to existing standards and recognizes existing protocols. As VMware CTSO Guido Appenzeller told The New Stack, VMware has helped lay the foundation for those standards, with the goal of enabling a management service that provides security, availability, and visibility.
Put another way, in the not-too-distant future, imagine a world where a container management system on the order of vSphere enables administrators to visualize the relationships between active containers and provide the necessary security functions. Appenzeller said that VMware customers are wary of containerization because they do not see where, or whether, security has been baked into the system. (You’ll see more of our interview with VMware’s Appenzeller later in The New Stack.)
This is not a VMware story just yet, as VMware’s name has only been mentioned on stage parenthetically, and not in relation to Docker Network.
Embedded in Docker Network will be a DNS-driven discovery interface, using that existing Internet protocol to let containers discover and identify other containers within the same topology.
If this concept becomes successful among developers, then “pods” as clusters of containers, as Kubernetes defines them, may find themselves competing with “microsegments” as VMware defines them, as a way of clustering containers that collectively provide services to an application. Yet to be explained is how micro-segments, in this new configuration, would be “tagged” to identify themselves to a scheduling or orchestration system. Conceivably, the “stateful” part of the microsegment could provide tags and related metadata.
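To make the two ideas above concrete, here is an added example that is not code from Docker, VMware or this article: a small Python model of a micro-segment as the article describes it, with name lookups that only work within a segment and a stateful gateway between segments. It models the concept, not Docker Network's actual implementation, which had only been previewed at the time; the segment names, container names, addresses, ports and tags are invented, and the "ingress policy" and connection-table mechanics are assumptions about how such a stateful service could behave.

```python
"""Toy model of a micro-segment: one subnet, scoped name resolution, and a
stateful policy point between segments.

Constructed illustration only; not Docker Network's or VMware's code. The
segment names, container names and addresses are invented.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Container:
    name: str
    ip: str
    segment: str
    tags: dict = field(default_factory=dict)  # metadata an orchestrator could read


class Segment:
    """A localized subnet whose gateway is the single policy point.

    The gateway answers name lookups only from and for its own members (the
    scoped, DNS-style discovery described in the article) and, via the
    topology's connection table, lets replies to permitted flows back in
    while dropping unsolicited traffic from other segments.
    """

    def __init__(self, name, cidr):
        self.name = name
        self.net = ipaddress.ip_network(cidr)
        self.members = {}
        self.ingress_allow = set()  # (peer segment, destination port) pairs allowed in

    def add(self, c):
        if c.segment != self.name or ipaddress.ip_address(c.ip) not in self.net:
            raise ValueError(f"{c.name} does not belong in segment {self.name}")
        self.members[c.name] = c

    def resolve(self, name, requester):
        """Name -> IP, visible only to members of this same segment."""
        if requester.segment != self.name:
            return None
        m = self.members.get(name)
        return m.ip if m else None

    def inventory(self):
        """What the stateful part could hand an orchestrator: members and tags."""
        return {n: dict(c.tags) for n, c in self.members.items()}


class Topology:
    def __init__(self):
        self.segments = {}
        self.conntrack = set()  # established (src_ip, sport, dst_ip, dport) 4-tuples

    def add_segment(self, seg):
        self.segments[seg.name] = seg

    def segment_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((s for s in self.segments.values() if addr in s.net), None)

    def check(self, src, sport, dst_ip, dport):
        """Return (verdict, reason) for a packet from src to dst_ip:dport.

        A permitted flow is recorded so the reverse direction passes as return
        traffic; nothing else crosses a segment boundary unless the destination
        segment's ingress policy names the source segment and port.
        """
        src_seg = self.segments[src.segment]
        dst_seg = self.segment_of(dst_ip)
        if dst_seg is None:
            return "DENY", "destination not in any segment"
        if (dst_ip, dport, src.ip, sport) in self.conntrack:
            return "ALLOW", "return traffic of an established flow"
        flow = (src.ip, sport, dst_ip, dport)
        if dst_seg is src_seg:
            self.conntrack.add(flow)
            return "ALLOW", "intra-segment"
        if (src.segment, dport) in dst_seg.ingress_allow:
            self.conntrack.add(flow)
            return "ALLOW", "ingress policy"
        return "DENY", "cross-segment traffic not permitted"


def demo():
    """Two invented segments: 'web' may reach 'data' only on port 5432."""
    topo = Topology()
    web = Segment("web", "10.1.0.0/24")
    data = Segment("data", "10.2.0.0/24")
    topo.add_segment(web)
    topo.add_segment(data)

    fe = Container("frontend", "10.1.0.10", "web", {"role": "http"})
    api = Container("api", "10.1.0.11", "web", {"role": "app"})
    db = Container("db", "10.2.0.10", "data", {"role": "postgres"})
    web.add(fe)
    web.add(api)
    data.add(db)
    data.ingress_allow.add(("web", 5432))  # the only permitted cross-segment path

    return {
        "api_from_frontend": web.resolve("api", fe),          # same segment: resolves
        "db_from_frontend": data.resolve("db", fe),           # other segment: None
        "fe_to_api": topo.check(fe, 40000, api.ip, 8080)[0],  # intra-segment: ALLOW
        "api_to_db": topo.check(api, 40001, db.ip, 5432)[0],  # policy: ALLOW
        "db_reply": topo.check(db, 5432, api.ip, 40001)[0],   # return traffic: ALLOW
        "db_to_fe_ssh": topo.check(db, 40002, fe.ip, 22)[0],  # unsolicited: DENY
        "data_tags": data.inventory(),
    }
```

The point to take from the model is the ordering in `check`: the connection table is consulted first, so the database's reply to a permitted query is accepted even though "data" has no standing permission to initiate traffic into "web", and a fresh connection from the database toward a web container is still dropped. That is what makes the gateway stateful rather than a plain address-based filter, and it is why the article's author stresses that "stateful" is not a typo.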
Further forestalling any notion that Docker Inc. may be locking developers into a single way of networking was Hykes’ subsequent announcement of Docker Plug-ins, an extension of its extensibility framework for containers. The expertise it gained from the acquisition of SocketPlane, coupled with contributions from WeaveWorks, ClusterHQ, Glider Labs, and Mesosphere, was explicitly credited as critical to the formation of this pluggability framework. Through it, distributed systems may continue to be defined without micro-segments at all. So today’s announcement does not guarantee that micro-segmentation, especially as it was explained to us outside of this morning’s keynote, will become part of the product.
Stay tuned to The New Stack for more from DockerCon 2015 in San Francisco.