An Insight into Docker for Mac and Docker for Windows

Ben Bonnefoy @FrenchBenMember of Technical Staff

Transforming the Development Landscape

3

4

DOCKER TOOLBOXAll the Linux tools collected in one installer:

• Bundle includes a full VirtualBox installation• Boot2Docker Virtual Machine• The Kitematic UI controlled these pieces.

A relatively loose collection of components:

• Installation and lack of integrated updates caused numerous user issues.

• Performance not ideal due to the layering, especially for file sharing.• Yet most Docker users use a Mac or Windows host as their

development environment.

Docker for MacAiming for a native OSX experience that works with existing developer workflows.

● Easy drag and drop installation, and auto-updates to get latest Docker.● Secure, sandboxed virtualisation architecture without elevated privileges.● Native networking support, with VPN and network sharing compatibility.● File sharing between container and host: uid mapping, inotify events, etc

What’s under the hood?

The core building blocks of Docker for Mac

● Virtualization● Networking● Filesystem

Virtualization● Use the new HyperKit framework, which is in turn based on

xHyve and FreeBSD’s bHyve● Sandbox friendly: processes largely run as non-root, with

privileges of the local user

Virtualization● Use the new HyperKit framework, which is in turn based on

xHyve and FreeBSD’s bHyve● Embeds Linux: embedded lightweight Alpine Linux

distribution optimised for fast boot and stateless operation for containers.

Virtualization● Use the new HyperKit framework, which is in turn based on

xHyve and FreeBSD’s bHyve● Drag 'n drop installation: Docker.app is self-contained,

installs symlinks from app bundle into /usr/local, and autoupdates - Docker from the terminal just works!

Virtualization Benefits● Performance: The CPU performance of a Linux container is largely

the same as when running the same compute on the Mac, since we use the hardware CPU virtualisation extensions.

● Battery life: Some battery life hit due to running containers instead of MacOS X native processes, but not adverse for normal use.

● Disk usage: The app manages disk usage via a qcow2 file in its data directory. This is a sparse file that is allocated on demand, up to a (current) maximum of 64GB of disk space. Can be excluded from Time Machine backups.

Notworking Networking● Want to hide the gory details of virtualisation from the user. The

Linux VM should be "invisible".● Not solving this leads to many user complaints:

• VPN software and corporate installations do not like bridged virtual machines or custom routing. Result: container traffic cannot connect to Internet.

• Services cannot be exposed on localhost or the external interface and are instead on the Linux VM IP address. Result: breaks common web oAuth workflows.

Notworking Networking● Challenge: Deal with custom VPN software on the host that makes

it difficult to bridge.● Solution: VPNKit, efficiently reconstructs container traffic into

separate TCP/IP flows and translates them into native OSX/Windows sockets.

Notworking Networking● Challenge: Deal with custom VPN software on the host that makes

it difficult to bridge.● Solution: VPNKit, efficiently reconstructs container traffic into

separate TCP/IP flows and translates them into native OSX/Windows sockets.

● Benefits: • All network traffic is generated from normal socket calls (e.g.

gethostbyaddr) on the Mac, so interacts well with firewalls, VPNs, and any local security policies.

Notworking Networking● Challenge: Services publishing ports should be exposed on localhost without needing VM info.

● Solution: VPNKit forwards container port requests to a OSX service which binds them natively on its external interface.

Notworking Networking● Challenge: Services publishing ports should be exposed on localhost without needing VM info.

● Solution: VPNKit forwards container port requests to a OSX service which binds them natively on its external interface.

● Benefits:• docker run -P on the Mac now works without requiring any

knowledge of the VM innards.• External oAuth workflows operate with web apps.

Filesystem Sharing● Challenge: Share arbitrary OSX directory tree into Linux container

without requiring extensive modification of either side.● Solution: DataKit; use a FUSE (Filesystem in Userspace)

forwarding layer and translate Linux filesystem calls to OSX equivalents.

Filesystem Sharing● Challenge: Need filesystem activation so events on the Mac

wake up container servers and vice-versa.● Solution: osxfs uses FSEvents API and injects inotify

activation events into container.

Filesystem Sharing● New osxfs engine that bind mounts OSX filesystem trees into Docker

containers.

● Daemon that listens bidirectionally on shared volumes and translates between OSX and Linux. Includes notifications, via FSEvents on Mac and inotify on Linux.

● Runs as user and so cannot access system files on OSX host. Planning to further restrict host access in future.

● All requesting processes are treated as owners and group members on all bind mounted resources. User/group changes are persisted but not discriminated on.

Bonus

Why yes, there is more

20

Multi-CPU architectures

$ docker run resin/armv7hf-debian uname -a

Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux

$ docker run justincormack/ppc64le-debian uname -a

Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux

Summary of Open Source components● HyperKit ™: A lightweight virtualization toolkit on OSX

https://github.com/docker/hyperkit

● VPNKit ™: A library toolkit for embedding virtual networkinghttps://github.com/docker/vpnkit

● DataKit ™: A modern pipeline framework for distributed components

https://github.com/docker/datakit

Docker for Mac / Windows are GA and include Docker 1.12https://www.docker.com/products/docker

Support:https://github.com/docker/for-machttps://github.com/docker/for-win

@FrenchBen

THANK YOU