Diving Into Docker CE 17

We just released Docker CE 17.06 with new features, improvements, and bug fixes. Docker CE 17.06 is the first Docker version built entirely on the Moby Project, which we announced in April at DockerCon. You can see the complete list of changes in the changelog, but let’s take a look at some of the new features.

We also created a video version of this post here:

Multi-Stage Builds

The biggest feature in 17.06 CE is that multi-stage builds, announced in April at DockerCon, have come to the stable release. Multi-stage builds allow you to build cleaner, smaller Docker images using a single Dockerfile.

Multi-stage builds work by building intermediate images that produce an output. That way you can compile code in an intermediate image and use only the output in the final image. So for instance, Java developers commonly use Apache Maven to compile their apps, but Maven isn’t required to run their app. Multi-stage builds can result in a substantial image size savings:

REPOSITORY          TAG                 IMAGE ID                CREATED              SIZE

maven               latest              66091267e43d            2 weeks ago          620MB

java                8-jdk-alpine        3fd9dd82815c            3 months ago         145MB

Let’s take a look at our AtSea sample app which creates a sample storefront application.

AtSea uses a multi-stage build with two intermediate stages: a Node.js base image to build a ReactJS app, and a Maven base image to compile a Spring Boot app into a single image.

FROM node:latest AS storefront
WORKDIR /usr/src/atsea/app/react-app
COPY react-app/package.json .
RUN npm install
COPY . /usr/src/atsea/app
RUN npm run build

FROM maven:latest AS appserver
WORKDIR /usr/src/atsea
COPY pom.xml .
RUN mvn -B -f pom.xml -s /usr/share/maven/ref/settings-docker.xml dependency:resolve
COPY . .
RUN mvn -B -s /usr/share/maven/ref/settings-docker.xml package -DskipTests

FROM java:8-jdk-alpine
WORKDIR /static
COPY --from=storefront /usr/src/atsea/app/react-app/build/ .
WORKDIR /app
COPY --from=appserver /usr/src/atsea/target/AtSea-0.0.1-SNAPSHOT.jar .
ENTRYPOINT ["java", "-jar", "/app/AtSea-0.0.1-SNAPSHOT.jar"]
CMD ["--spring.profiles.active=postgres"]

The final image is only 209MB, and doesn’t have Maven or node.js.

There are other builder improvements as well, including allowing the use of build time arguments in the FROM instruction.

Logs and Metrics

Metrics

We currently support metrics through an API endpoint in the daemon. You can now expose docker’s /metrics endpoint to plugins.

$ docker plugin install --grant-all-permissions cpuguy83/docker-metrics-plugin-test:latest

$ curl http://127.0.0.1:19393/metrics

This plugin is for example only. It runs reverse proxy on the host’s network which forwards requests to the local metrics socket in the plugin. In real scenarios you would likely either push the collected metrics to an external service or make the metrics available for collection by a service such as Prometheus.

Note that while metrics plugins are available on non-experimental daemons, the metric labels are still considered experimental and may change in future versions of Docker.

Log Driver Plugins

We have added support for log driver plugins.

Service Logs

Docker service logs have moved out of the Edge release and into Stable, so you can easily get consolidated logs for an entire service running on a Swarm. We’ve added an endpoint for logs from individual tasks within a service as well.

Networking

Node-Local Network Support for Services

Docker supports a variety of networking options. With Docker 17.06 CE, you can now attach services to node-local networks. This includes networks like Host, Macvlan, IPVlan, Bridge, and local-scope plugins. So for instance for a Macvlan network you can create a node specific network configurations on the worker nodes and then create a network on a manager node that brings in those configurations:

[Wrk-node1]$ docker network create —config-only —subnet=10.1.0.0/16 local-config

[Wrk-node2]$ docker network create —config-only —subnet=10.2.0.0/16 local-config

[Mgr-node2]$ docker network create —scope=swarm —config-from=local-config -d macvlan 

mynet

[Mgr-node2]$ docker service create —network=mynet my_new_service

Swarm Mode

We have a number of new features in swarm mode. Here’s just a few of them:

Configuration Objects

We’ve created a new configuration object for swarm mode that allows you to securely pass along configuration information in the same way you pass along secrets.

$ echo "This is a config" | docker config create test_config -

$ docker service create --name=my-srv —config=test_config …

$ docker exec -it 37d7cfdff6d5 cat test_config

This is a config

Certificate Rotation Improvements

The swarm mode public key infrastructure (PKI) system built into Docker makes it simple to securely deploy a container orchestration system. The nodes in a swarm use mutual Transport Layer Security (TLS) to authenticate, authorize, and encrypt the communications between themselves and other nodes in the swarm. Since this relies on certificates, it’s important to rotate those frequently. Since swarm mode launched with Docker 1.12, you’ve been able to schedule certificate rotation as frequently as every hour. With Docker CE 17.06 we’ve added the ability to immediately force certificate rotation on a one-time basis.

docker swarm ca --rotate

Swarm Mode Events

You can use Docker events to get real-time event information from Docker. This is really useful when writing automation and monitoring applications that work with Docker. But until Docker CE 17.06 CE we didn’t have support for events for swarm mode. Now you docker events will return information on services, nodes, networks, and secrets.

Dedicated Datapath

The new –datapath-addr flag on docker swarm init allows you to isolate the swarm mode management tasks from the data passed around by the application. That helps save the cluster from IO greedy applications. For instance in you initiate your cluster:

docker swarm init —advertise-addr=eth0 —datapath-addr=eth1

Cluster management traffic (Raft, grpc, and gossip) will travel over eth0 and services will communicate with each other over eth1.

Desktop Editions

We’ve got three new features in Docker for Mac and Windows.

GUI Option To Reset Docker Data Without Losing All Settings

Now you can reset your data without resetting your settings

Add an Experimental DNS Name for the Host

If you’re running containers on Docker for Mac or Docker for Windows, and you want to access other containers you can use a new experimental host: docker.for.mac.localhost and docker.for.win.localhost to access open ports. For instance:

$ docker run -d -it -p 80:80 nginx
9a41b199e86cc4730f470aba1091530cfdc26d6f956964492b0d0b06a0ab9046
$ docker run -it curlubuntu
root@85664afff468:/# curl docker.for.mac.localhost:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@85664afff468:/# 

Login Certificates for Authenticating Registry Access

You can now add certificates to Docker for Mac and Docker for Windows that allow you to access registries, not just your username and password. This will make accessing Docker Trusted Registry, as well as the open source Registry and any other registry application fast and easy.

Cloud Editions

Our Cloudstor volume plugin is available both on Docker for AWS and Docker for Azure. In Docker for AWS, support for persistent volumes (both global EFS-based and attachable EBS-based) are now available in stable. And we support EBS volumes across Availability Zones.

For Docker for Azure, we now support deploying to Azure Gov. Support for persistent volumes through cloudstor backed by Azure File Storage is now available in Stable for both Azure Public and Azure Gov

Deprecated

In the dockerd commandline, we long ago deprecated the --api-enable-cors flag in favor of --api-cors-header. We’re not removing --api-enable-cors entirely.

Ubuntu 12.04 “precise pangolin” has been end-of-lifed, so it is now no longer a supported OS for Docker. Later versions of Ubuntu are still supported.

What’s Next

To find out more about these features and more:

• Download the latest version of Docker CE
• Check out the Docker Documentation
• Play with these features on Play with Docker
• Ask questions in our forums and in the Docker Community Slack
• RSVP for the CE 17.06 Online Meetup on June 28th