4. DOCKER TOOLBOX
All the Linux tools collected in one installer:
• Bundle includes a full VirtualBox installation
• Boot2Docker virtual machine
• The Kitematic UI controls these pieces.
A relatively loose collection of components:
• Installation and the lack of integrated updates caused numerous user issues.
• Performance not ideal due to the layering, especially for file sharing.
• Yet most Docker users use a Mac or Windows host as their development environment.
5. Docker for Mac
Aiming for a native OSX experience that works with existing developer workflows.
● Easy drag and drop installation, and auto-updates to get latest Docker.
● Secure, sandboxed virtualisation architecture without elevated privileges.
● Native networking support, with VPN and network sharing compatibility.
● File sharing between container and host: uid mapping, inotify events, etc
6. What’s under the hood?
The core building blocks of Docker for Mac
● Virtualization
● Networking
● Filesystem
7. Virtualization
● Uses the new HyperKit framework, which is in turn based on xhyve and FreeBSD's bhyve
● Sandbox friendly: processes largely run as non-root, with the privileges of the local user
● Embeds Linux: a lightweight Alpine Linux distribution optimised for fast boot and stateless operation for containers.
● Drag 'n drop installation: Docker.app is self-contained, installs symlinks from the app bundle into /usr/local, and auto-updates. Docker from the terminal just works!
10. Virtualization Benefits
● Performance: The CPU performance of a Linux container is largely
the same as when running the same compute on the Mac, since
we use the hardware CPU virtualisation extensions.
● Battery life: Some battery life hit due to running containers instead
of MacOS X native processes, but not adverse for normal use.
● Disk usage: The app manages disk usage via a qcow2 file in its
data directory. This is a sparse file that is allocated on demand, up
to a (current) maximum of 64GB of disk space. Can be excluded
from Time Machine backups.
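The sparse-allocation claim above is easy to verify from a terminal: the logical length of the image (what ls reports) grows to the configured maximum, while the blocks actually allocated (what du reports) grow only as containers write data. The following is an added shell example, not code from the slides or from Docker's own tooling. The Docker.qcow2 path is an assumption about where Docker.app kept its disk image and can be overridden with DOCKER_QCOW2; when no image is present the script builds a constructed sparse file so the check can still be run, and the Time Machine exclusion is only attempted where tmutil exists.

```shell
#!/bin/sh
# Added example (not from the original slides): inspect the Docker for Mac
# disk image's sparse allocation and exclude it from Time Machine backups.
# The default path is an assumption about where Docker.app keeps its image.
DOCKER_QCOW2="${DOCKER_QCOW2:-$HOME/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/Docker.qcow2}"

# apparent_size FILE -> logical length in bytes (what ls -l shows)
apparent_size() {
    wc -c < "$1" | tr -d ' '
}

# allocated_kb FILE -> kilobytes of blocks actually allocated on disk (du)
allocated_kb() {
    du -k "$1" | cut -f1
}

# is_sparse FILE -> exit 0 when the file occupies less disk than its logical
# length, i.e. blocks are still being allocated on demand
is_sparse() {
    app=$(apparent_size "$1")
    alloc=$(( $(allocated_kb "$1") * 1024 ))
    [ "$alloc" -lt "$app" ]
}

# exclude_from_time_machine FILE -> on macOS, mark FILE so backups skip it;
# elsewhere this is a no-op (tmutil is a macOS-only tool)
exclude_from_time_machine() {
    if command -v tmutil >/dev/null 2>&1; then
        tmutil addexclusion "$1"
    else
        echo "tmutil not available; skipping Time Machine exclusion" >&2
    fi
}

# report FILE -> human-readable summary of the two sizes and sparseness
report() {
    printf '%s\n  apparent:  %s bytes\n  allocated: %s KiB\n' \
        "$1" "$(apparent_size "$1")" "$(allocated_kb "$1")"
    if is_sparse "$1"; then echo "  sparse: yes"; else echo "  sparse: no"; fi
}

# make_sparse_file FILE BYTES -> constructed sample: a file of BYTES logical
# length with no data blocks written (stands in for a fresh Docker.qcow2)
make_sparse_file() {
    if command -v truncate >/dev/null 2>&1; then
        truncate -s "$2" "$1"
    else
        dd if=/dev/zero of="$1" bs=1 count=0 seek="$2" 2>/dev/null
    fi
}

if [ -f "$DOCKER_QCOW2" ]; then
    report "$DOCKER_QCOW2"
    exclude_from_time_machine "$DOCKER_QCOW2"
else
    tmp="${TMPDIR:-/tmp}/sparse-demo-$$.qcow2"
    make_sparse_file "$tmp" $((64 * 1024 * 1024))   # 64 MiB stand-in, not 64 GB
    report "$tmp"
    rm -f "$tmp"
fi
```

Run it on a machine with Docker for Mac installed and the allocated figure is what the image actually costs you on disk; the apparent figure is the ceiling it can grow to. Excluding the image from Time Machine also keeps container data (which may include secrets mounted into volumes) out of your backup set.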
11. Notworking Networking
● Want to hide the gory details of virtualisation from the user. The
Linux VM should be "invisible".
● Not solving this leads to many user complaints:
• VPN software and corporate installations do not like bridged
virtual machines or custom routing. Result: container traffic
cannot connect to Internet.
• Services cannot be exposed on localhost or the external
interface and are instead on the Linux VM IP address.
Result: breaks common web OAuth workflows.
12. Notworking Networking
● Challenge: Deal with custom VPN software on the host that makes
it difficult to bridge.
● Solution: VPNKit, efficiently reconstructs container traffic into
separate TCP/IP flows and translates them into native
OSX/Windows sockets.
● Benefits:
• All network traffic is generated from normal socket calls (e.g.
gethostbyaddr) on the Mac, so interacts well with firewalls,
VPNs, and any local security policies.
14. Notworking Networking
● Challenge: Services publishing ports should be exposed on
localhost without needing VM info.
● Solution: VPNKit forwards container port requests to an OSX
service which binds them natively on its external interface.
● Benefits:
• docker run -P on the Mac now works without requiring any
knowledge of the VM innards.
• External OAuth workflows operate with web apps.
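A practitioner's caveat for the port-publishing model above: because the forwarded ports are bound natively on the host, `docker run -P` or `-p 8080:80` (HostIp 0.0.0.0) makes the service reachable from the whole LAN, not only from the Mac; `-p 127.0.0.1:8080:80` keeps it on the loopback interface. The following is an added shell example, not code from the slides or from VPNKit, that lists every published port bound on all interfaces. The `docker ps` output embedded in it is constructed sample data, used only when no Docker daemon is reachable.

```shell
#!/bin/sh
# Added example (not from the original slides): report containers whose
# published ports are bound on all host interfaces and so reachable from
# the LAN through the natively bound host socket.

TAB=$(printf '\t')

# exposed_ports_report PS_OUTPUT
# PS_OUTPUT is text shaped like: docker ps --format '{{.Names}}\t{{.Ports}}'
# Prints "<container> <hostport>-><containerport>/<proto>" for every binding
# on 0.0.0.0 (or the IPv6 ::: form); returns 1 if any were found, else 0.
exposed_ports_report() {
    printf '%s\n' "$1" | awk -F "$TAB" '
        $2 != "" {
            n = split($2, bindings, ", ")
            for (i = 1; i <= n; i++) {
                b = bindings[i]
                if (b ~ /^(0\.0\.0\.0:|:::)/) {
                    sub(/^(0\.0\.0\.0:|:::)/, "", b)
                    print $1 " " b
                    found = 1
                }
            }
        }
        END { exit found ? 1 : 0 }'
}

# count_exposed PS_OUTPUT -> number of all-interface bindings found
count_exposed() {
    exposed_ports_report "$1" | wc -l | tr -d ' '
}

# Constructed sample of docker ps output (not captured from a real host):
# "web" is published on all interfaces, "db" only on loopback, "worker"
# publishes nothing.
SAMPLE="web${TAB}0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp
db${TAB}127.0.0.1:5432->5432/tcp
worker${TAB}"

if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    input=$(docker ps --format '{{.Names}}\t{{.Ports}}')
else
    input=$SAMPLE
fi

if exposed_ports_report "$input"; then
    echo "no ports published on all interfaces"
else
    echo "the ports above are reachable from the LAN; republish with" \
         "-p 127.0.0.1:HOSTPORT:CONTAINERPORT to restrict them to localhost"
fi
```

On a Mac you can confirm which process actually owns a published port with `lsof -nP -iTCP:8080 -sTCP:LISTEN`; it is a Docker host-side process, not the Linux VM, which is exactly why the host firewall and VPN policies apply to it.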
16. Filesystem Sharing
● Challenge: Share an arbitrary OSX directory tree into a Linux container
without requiring extensive modification of either side.
● Solution: DataKit; use a FUSE (Filesystem in Userspace)
forwarding layer and translate Linux filesystem calls to OSX
equivalents.
17. Filesystem Sharing
● Challenge: Need filesystem activation so events on the Mac
wake up container servers and vice-versa.
● Solution: osxfs uses FSEvents API and injects inotify
activation events into container.
18. Filesystem Sharing
● New osxfs engine that bind mounts OSX filesystem trees into Docker
containers.
● Daemon that listens bidirectionally on shared volumes and translates
between OSX and Linux. Includes notifications, via FSEvents on Mac and
inotify on Linux.
● Runs as the local user and so cannot access system files on the OSX host.
Planning to further restrict host access in future.
● Every requesting process in the container is treated as the owner and a
group member of every bind-mounted file: ownership and mode changes are
persisted, but access is not restricted by them.
20. Multi-CPU architectures
$ docker run resin/armv7hf-debian uname -a
Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux
$ docker run justincormack/ppc64le-debian uname -a
Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
21. Summary of Open Source components
● HyperKit ™: A lightweight virtualization toolkit on OSX
https://github.com/docker/hyperkit
● VPNKit ™: A library toolkit for embedding virtual
networking
https://github.com/docker/vpnkit
● DataKit ™: A modern pipeline framework for distributed
components
https://github.com/docker/datakit
22. Docker for Mac / Windows are GA
and include Docker 1.12
https://www.docker.com/products/docker
Support:
https://github.com/docker/for-mac
https://github.com/docker/for-win
@FrenchBen