what’s new in docker 1.13

What’s new in Docker 1.13 A lot of good stuff Will Kinard | Docker DC | 2/16/2017

Upload: will-kinard

Post on 12-Apr-2017


Page 1: What’s new in Docker 1.13

What’s new in Docker 1.13

A lot of good stuff

Will Kinard | Docker DC | 2/16/2017

Page 2: What’s new in Docker 1.13

Restructured CLI Commands

docker images → docker image list

docker create → docker container create

. . .

docker build and docker run unchanged

--------------------------------

Fully backward compatible! Legacy commands still show under help.

* Use DOCKER_HIDE_LEGACY_COMMANDS=1 to hide legacy commands from help.

Page 3: What’s new in Docker 1.13

New “system” CLI Command

$ docker system --help

Usage: docker system COMMAND

Manage Docker

Options:

--help Print usage

Commands:

df Show docker disk usage

events Get real time events from the server

info Display system-wide information

prune Remove unused data

docker {container, image, volume, network} prune (!)

This will remove:

- all stopped containers

- all volumes not used by at least one container

- all networks not used by at least one container

- all dangling images

Page 4: What’s new in Docker 1.13

Experimental now a part of dockerd

“Experimental” is no longer a separate build

--experimental flag added to dockerd

-----------------------------------------

New in experimental:

● Image layer squash

● Docker service logs

● Checkpoint / restore

Page 5: What’s new in Docker 1.13

CLI Backwards Compatibility

Page 6: What’s new in Docker 1.13

Secrets Management

“Just throw it in as an environment variable”

“Bake it into the image”

“I think that’s what compose is for”

Use Swarm Secrets!

● Blob of data encrypted at rest

● Encrypted in transit to container

● Mounted unencrypted - /run/secrets/<secret>

Page 7: What’s new in Docker 1.13

Secrets Management

$ openssl rand -base64 20 | docker secret create mysql_password -
$ openssl rand -base64 20 | docker secret create mysql_root_password -

$ docker service create \
    --name mysql \
    --replicas 1 \
    --mount type=volume,source=mydata,destination=/var/lib/mysql \
    --secret source=mysql_root_password,target=mysql_root_password \
    --secret source=mysql_password,target=mysql_password \
    -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
    -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
    -e MYSQL_USER="wordpress" \
    -e MYSQL_DATABASE="wordpress" \
    mysql:latest
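
An added example (not from the slides and not the mysql image's own code): one way an entrypoint script can consume the *_FILE variables set in the service definition above, reading the value from the mounted secret file instead of from the environment. The helper name load_secret and the demo value are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. load_secret is a hypothetical helper.
# It resolves NAME from NAME_FILE, as MYSQL_PASSWORD_FILE does above.

load_secret() {
    name=$1
    # The name is passed to eval below, so accept plain identifiers only.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name" >&2; return 2 ;;
    esac
    eval "direct=\${$name-}"
    eval "path=\${${name}_FILE-}"

    # Refuse ambiguous input rather than guess which source should win.
    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo "load_secret: $name and ${name}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$path" ]; then
        if [ ! -r "$path" ]; then
            echo "load_secret: cannot read $path" >&2
            return 1
        fi
        # $(...) drops the trailing newline that `openssl rand -base64` emits.
        direct=$(cat "$path")
    fi
    if [ -z "$direct" ]; then
        echo "load_secret: $name is empty" >&2
        return 1
    fi
    # Shell variable only: not exported, so child processes do not inherit it.
    eval "$name=\$direct"
    # Drop the path and the scratch copies once the value is in place.
    unset "${name}_FILE" direct path
}

# Constructed demo: a temp file stands in for /run/secrets/mysql_password.
demo_dir=$(mktemp -d)
printf 'constructed-demo-value\n' > "$demo_dir/mysql_password"
unset MYSQL_PASSWORD
MYSQL_PASSWORD_FILE=$demo_dir/mysql_password
load_secret MYSQL_PASSWORD && echo "loaded ${#MYSQL_PASSWORD} characters"
rm -rf "$demo_dir"
```

Because the value stays a non-exported shell variable, pass it explicitly only to the one process that needs it.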

Page 8: What’s new in Docker 1.13

Compose to Swarm

New V3 Compose format:

● Removed non-portable options (build, volumes_from, etc.)

● Added swarm specific options (replicas, mode, deploy, etc.)

--------------------------------------

docker stack deploy --compose-file=foo MYSTACK

Page 9: What’s new in Docker 1.13

Plugins out of Experimental

$ docker plugin create vieux/sshfs /path/to/rootfs
$ docker plugin enable vieux/sshfs

or

$ docker plugin install vieux/sshfs

$ docker volume create -d vieux/sshfs -o sshcmd=<user@host:path> \
    -o password=<password> [-o port=<port>] sshvolume
sshvolume

Page 10: What’s new in Docker 1.13

Docker now has a built-in init!

New binary docker-init is now shipped with Docker to reap zombie processes.

It uses Tini, but can be replaced by your own using --init and --init-path on dockerd.

----------------------

Using Tini has several benefits:

● It protects you from software that accidentally creates zombie processes, which can (over time!) starve your entire system for PIDs (and make it unusable).

● It ensures that the default signal handlers work for the software you run in your Docker image. For example, with Tini, SIGTERM properly terminates your process even if you didn't explicitly install a signal handler for it.

● It does so completely transparently! Docker images that work without Tini will work with Tini without any changes. (https://github.com/krallin/tini)

Page 11: What’s new in Docker 1.13

Some networking stuff

● Globally scoped network plugins in swarm mode

○ MACVLAN (local scoped) still not getting the love (IPAM is hard)

● Attachable network support

○ “external” containers can now connect to a Swarm Mode Overlay network!

○ Where was this before?...

● Host port publish mode

○ Publish service ports to the underlying host, instead of just the ingress network

● Windows Server 2016 Overlay network driver support

○ Check it out...really.

Page 12: What’s new in Docker 1.13

Notes & Miscellaneous

● Docker build with --network

● Docker volume create without --name

● Docker run --rm is now processed on the server, docker run -d --rm is now possible

● Swarm Mode encryption at rest

* Overlay2 is now RedHat/CentOS default (over devicemapper)

Page 13: What’s new in Docker 1.13

Thank you!

We’re hiring!

www.boxboat.com

@kinardcw
