Date posted: 15-Jan-2017
Uploaded by: docker
An Insight into Docker for Mac and Docker for Windows
Ben Bonnefoy (@FrenchBen), Member of Technical Staff
Transforming the Development Landscape
DOCKER TOOLBOX
All the Linux tools collected in one installer:
• Bundle includes a full VirtualBox installation
• Boot2Docker virtual machine
• The Kitematic UI controlled these pieces.
A relatively loose collection of components:
• Installation and lack of integrated updates caused numerous user issues.
• Performance not ideal due to the layering, especially for file sharing.
• Yet most Docker users use a Mac or Windows host as their development environment.
Docker for Mac
Aiming for a native OSX experience that works with existing developer workflows.
● Easy drag and drop installation, and auto-updates to get the latest Docker.
● Secure, sandboxed virtualisation architecture without elevated privileges.
● Native networking support, with VPN and network sharing compatibility.
● File sharing between container and host: uid mapping, inotify events, etc.
What’s under the hood?
The core building blocks of Docker for Mac:
● Virtualization
● Networking
● Filesystem
Virtualization
● Use the new HyperKit framework, which is in turn based on xhyve and FreeBSD's bhyve.
● Sandbox friendly: processes largely run as non-root, with the privileges of the local user.
● Embeds Linux: an embedded lightweight Alpine Linux distribution optimised for fast boot and stateless operation for containers.
● Drag 'n' drop installation: Docker.app is self-contained, installs symlinks from the app bundle into /usr/local, and auto-updates. Docker from the terminal just works!
Virtualization Benefits
● Performance: the CPU performance of a Linux container is largely the same as when running the same compute on the Mac, since we use the hardware CPU virtualisation extensions.
● Battery life: some battery life hit due to running containers instead of Mac OS X native processes, but not adverse for normal use.
● Disk usage: the app manages disk usage via a qcow2 file in its data directory. This is a sparse file that is allocated on demand, up to a (current) maximum of 64GB of disk space. It can be excluded from Time Machine backups.
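The disk point above is easy to misread: the 64GB figure is the virtual size the guest sees, while the space actually consumed on the Mac is whatever the sparse qcow2 file has had allocated so far, and the same header also records whether the image is encrypted at the qcow2 layer. The following inspector is an added example, not code from the talk or from Docker for Mac; it parses the fixed qcow2 header fields (magic, version, cluster size, virtual size, crypt_method, snapshot count) straight from the QEMU qcow2 specification and compares the file's apparent size with the blocks the host filesystem has really allocated. The `build_header` fixture constructs a minimal header so the code runs without a real image; file paths are placeholders.

```python
import os
import struct
import tempfile

# qcow2 header fields (big-endian), per the QEMU qcow2 specification.
# The first 72 bytes are the version-2 layout, which version 3 extends but keeps intact.
QCOW2_MAGIC = b"QFI\xfb"
_HEADER_FMT = ">4sIQIIQIIQQIIQ"
_HEADER_LEN = struct.calcsize(_HEADER_FMT)  # 72 bytes

# crypt_method values from the spec: 0 = none, 1 = legacy AES, 2 = LUKS
CRYPT_METHODS = {0: "none", 1: "aes", 2: "luks"}


def parse_qcow2_header(data: bytes) -> dict:
    """Parse the fixed part of a qcow2 header and return the fields relevant to disk usage."""
    if len(data) < _HEADER_LEN:
        raise ValueError("too short to be a qcow2 header")
    (magic, version, backing_off, _backing_len, cluster_bits, size,
     crypt_method, _l1_size, _l1_off, _refcount_off, _refcount_clusters,
     nb_snapshots, _snapshots_off) = struct.unpack_from(_HEADER_FMT, data)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (bad magic)")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    return {
        "version": version,
        "virtual_size": size,                  # what the guest sees, in bytes
        "cluster_size": 1 << cluster_bits,     # allocation granularity on the host
        "has_backing_file": backing_off != 0,
        "encryption": CRYPT_METHODS.get(crypt_method, f"unknown({crypt_method})"),
        "snapshots": nb_snapshots,
    }


def sparse_usage(path: str) -> dict:
    """Report apparent file size vs. bytes actually allocated by the host filesystem."""
    st = os.stat(path)
    # st_blocks counts 512-byte units on POSIX; it is the number that matters for a sparse file.
    allocated = getattr(st, "st_blocks", 0) * 512
    return {"apparent_bytes": st.st_size, "allocated_bytes": allocated}


def build_header(virtual_size: int, cluster_bits: int = 16, crypt_method: int = 0) -> bytes:
    """Construct a minimal version-3 qcow2 header (constructed fixture, not a real image)."""
    return struct.pack(
        _HEADER_FMT,
        QCOW2_MAGIC, 3,
        0, 0,                  # no backing file
        cluster_bits, virtual_size,
        crypt_method,
        0, 0,                  # L1 table size / offset (empty)
        1 << cluster_bits, 1,  # refcount table offset / clusters
        0, 0,                  # no snapshots
    )


def inspect_image(path: str) -> dict:
    """Combine header fields with on-disk allocation for one image file."""
    with open(path, "rb") as f:
        info = parse_qcow2_header(f.read(_HEADER_LEN))
    info.update(sparse_usage(path))
    return info


if __name__ == "__main__":
    # Demo: a constructed 64 GiB sparse image that occupies almost nothing on disk.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Docker.qcow2")  # placeholder name, not the app's real path
        with open(path, "wb") as f:
            f.write(build_header(64 * 2**30))
            f.truncate(64 * 2**30)
        for k, v in inspect_image(path).items():
            print(f"{k:>17}: {v}")
```

Running it against a real image path shows the same three numbers a practitioner cares about: the virtual cap, the bytes actually allocated, and whether `encryption` is `none` (in which case the image contents are protected only by host file permissions and FileVault, not by the image format).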
Notworking Networking
● Want to hide the gory details of virtualisation from the user. The Linux VM should be "invisible".
● Not solving this leads to many user complaints:
• VPN software and corporate installations do not like bridged virtual machines or custom routing. Result: container traffic cannot connect to the Internet.
• Services cannot be exposed on localhost or the external interface and are instead on the Linux VM IP address. Result: breaks common web OAuth workflows.
Notworking Networking
● Challenge: deal with custom VPN software on the host that makes it difficult to bridge.
● Solution: VPNKit efficiently reconstructs container traffic into separate TCP/IP flows and translates them into native OSX/Windows sockets.
● Benefits:
• All network traffic is generated from normal socket calls (e.g. gethostbyaddr) on the Mac, so it interacts well with firewalls, VPNs, and any local security policies.
Notworking Networking
● Challenge: services publishing ports should be exposed on localhost without needing VM info.
● Solution: VPNKit forwards container port requests to an OSX service which binds them natively on its external interface.
● Benefits:
• docker run -P on the Mac now works without requiring any knowledge of the VM innards.
• External OAuth workflows operate with web apps.
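Both networking slides above rest on the same idea: nothing from the VM reaches the wire directly; a host-side process terminates each container flow and re-originates it with ordinary socket calls, so host firewall and VPN policy apply, and published ports are real listeners on the Mac rather than on the VM's address. The script below is an added illustration of that host-side half, written for this page and not part of VPNKit: a `PortPublisher` binds a published port on the host (the `-P` case) and relays each accepted connection to a backend address that stands in for the container endpoint, using plain `connect()` calls. The echo backend, the bind addresses and the payload are all constructed for the example; real VPNKit additionally parses Ethernet frames from the VM with its own TCP/IP stack, which this does not model.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source half-closes, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortPublisher:
    """Bind a port on the host and relay every accepted connection to a backend.

    Each outbound connection is a normal host connect(), so host-level firewall
    and VPN policy see the traffic as the host's own, not as a bridged VM's.
    """

    def __init__(self, bind_host: str, bind_port: int, backend: tuple):
        self.backend = backend
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((bind_host, bind_port))  # port 0 = let the OS pick
        self._listener.listen()
        self.address = self._listener.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return  # listener closed by close()
            try:
                upstream = socket.create_connection(self.backend, timeout=5)
            except OSError:
                client.close()  # backend down: refuse cleanly instead of hanging the client
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._listener.close()


def start_echo_backend() -> tuple:
    """Constructed stand-in for a service inside the VM: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def round_trip(payload: bytes) -> bytes:
    """Publish the echo backend on localhost, send payload through the host port, return the reply."""
    backend = start_echo_backend()
    publisher = PortPublisher("127.0.0.1", 0, backend)
    try:
        with socket.create_connection(publisher.address, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal end of request so the echo side can finish
            out = b""
            while True:
                chunk = c.recv(65536)
                if not chunk:
                    break
                out += chunk
        return out
    finally:
        publisher.close()


if __name__ == "__main__":
    print(round_trip(b"hello from the host side"))
```

The client only ever talks to `publisher.address` on 127.0.0.1, never to the backend's own address, which is exactly what makes `docker run -P` usable without knowing the VM's IP; the same structure is why a host firewall rule blocking outbound connections from the relay process blocks the container too.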
Filesystem Sharing
● Challenge: share an arbitrary OSX directory tree into a Linux container without requiring extensive modification of either side.
● Solution: DataKit; use a FUSE (Filesystem in Userspace) forwarding layer and translate Linux filesystem calls to OSX equivalents.
Filesystem Sharing
● Challenge: need filesystem activation so events on the Mac wake up container servers and vice versa.
● Solution: osxfs uses the FSEvents API and injects inotify activation events into the container.
Filesystem Sharing
● New osxfs engine that bind mounts OSX filesystem trees into Docker containers.
● Daemon that listens bidirectionally on shared volumes and translates between OSX and Linux. Includes notifications, via FSEvents on Mac and inotify on Linux.
● Runs as the user and so cannot access system files on the OSX host. Planning to further restrict host access in future.
● All requesting processes are treated as owners and group members on all bind mounted resources. User/group changes are persisted but not discriminated on.
Bonus
Why yes, there is more
Multi-CPU architectures
$ docker run resin/armv7hf-debian uname -a
Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux
$ docker run justincormack/ppc64le-debian uname -a
Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
Summary of Open Source components
● HyperKit ™: a lightweight virtualization toolkit on OSX
https://github.com/docker/hyperkit
● VPNKit ™: a library toolkit for embedding virtual networking
https://github.com/docker/vpnkit
● DataKit ™: a modern pipeline framework for distributed components
https://github.com/docker/datakit
Docker for Mac / Windows are GA and include Docker 1.12
https://www.docker.com/products/docker
Support:
https://github.com/docker/for-mac
https://github.com/docker/for-win
@FrenchBen
THANK YOU