The Docker Project delivers a complete open source platform to “build, ship, and run” any application, anywhere, using containers. The Docker Engine and the other main components (Compose, Machine, and the SwarmKit orchestration system) are free; but Docker Inc. (the company who started the Docker Project) also has a complete commercial offering named “Docker EE” (for Enterprise Edition) that adds an extra set of features geared at larger organizations, as well as an extended support and release cycle. In this talk, I will explain (and show with demos) what you can do using exclusively Docker CE (community, free edition) and which features are added by Docker EE. This talk is for you if you are in the process of selecting a container platform; or if you’re just curious, and want to know exactly what you can do (and cannot do) with Docker CE and EE.

1. Use the Source
or join the Dark Side
The differences between
Docker Community Edition
and Docker Enterprise Edition

2. Outline
• Introductions
• High level differences
• Build, ship, and run
• Security model
• Traffic routing
• Getting started

3. Who am I ?
• Jérôme Petazzoni (@jpetazzo)
• Joined dotCloud in 2010
(to build and scale a container platform)
• In 2013, dotCloud launches Docker
(and changes its name)
• The same year, I submit my first container talk
(at the SCALE 11x conference in Los Angeles)
• Since then I’ve been living in conference hotels and airports 😰

4. ⚠ This is a vendor talk
• I work for Docker Inc.
• I will talk about Docker Inc. commercial products
• But I don’t like advertising
• I’ll explain:
• what you get for free (Docker CE, Community Edition)
• what you get for € € € (Docker EE, Enterprise Edition)
• Target audience: engineers
(and tech-savvy decision makers)

5. Why this talk?
• Dispelling a few myths
• MYTH #1: “Docker Inc. doesn’t have a business model!”
• Docker Inc. sells commercial products, support, SAAS offerings
• Docker Inc. generates significant revenue & has customers like Visa, PayPal…
• This has been going on for a few years now
• MYTH #2: “Docker is only for development, not production!”
• People have been using Docker in production since 2013
• Using any kind of software in production is challenging
• To help, Docker Inc. has commercial products, support, ... you get the idea
• Helping you to decide if Docker is good for your app

6. There will be demos
(It’s an old Docker tradition!)

7. Our demo application
• We will show an app built around a micro-services architecture
• DockerCoins
• used in my orchestration workshop:
https://github.com/jpetazzo/orchestration-workshop
• You can run this demo on any Docker machine
• … and it should take approximately 1 minute to build and run it!

8. Demo
Run DockerCoins in a play-with-docker sandbox

9. High level differences
between Docker CE and Docker EE
Docker CE
• for developers and
small organizations
• free
• stable version (every 3 months)
• edge version (every month),
with cutting edge features
Docker EE
• for business critical
production apps
• subscription model
• stable version (every 3 months)
• each version maintained
at least for one year
• additional enterprise features
(management, security…)

10. Release schedule

11. Supported platforms

12. Deploying our demo app on a cluster
• The Docker motto is “build, ship, and run any app, anywhere”
• This means:
• build container images for our app
• ship these images to a registry
• run the app on a Swarm cluster
• Docker Compose is a great tool for dev stacks …
• … and can be used to deploy them on clusters as well!

13. Demo
Use Compose and “docker stack deploy” to build, ship, and run DockerCoins

14. Inspecting our application
• We want to:
• list deployed services and their status
• view container logs
• get a shell in a container
• Docker CE: we will use Docker’s CLI and API
• Docker EE: we will use UCP (Universal Control Plane)
There are also 3rd-party interfaces like Portainer, using the Docker API:
https://github.com/portainer/portainer

15. Demo
docker ps, docker logs, docker service ls, docker service ps, docker exec

16. Demo
Show the same information with UCP

17. Operating our application
• We want to:
• view the port allocated to DockerCoins’ web UI
• display the web UI
• scale up and down the “worker” service
• view metrics
• Docker CE: we will use the Docker API
• Docker EE: we will use UCP

18. Demo
docker inspect, load page in browser, docker service update

19. Demo
metrics? That one is trickier! We could use this thing named “Prometheus”...

20. Demo
Do the same operations in UCP, show metrics

21. Security (CE & EE)
• Docker native clustering (“Swarm Mode”) uses the SwarmKit library
• SwarmKit has very strong security foundations:
• automatic TLS keying and signing
• full encryption of the control plane
• automatic cert and key rotation
• optional encryption of the data plane
(leveraging hardware crypto where available)
• least privilege architecture
(single-node compromise ≠ cluster compromise)
• on-disk encryption with optional passphrase

22. Secrets (CE & EE)
• Secrets are arbitrary blobs of data
(passphrases, private keys, or even textpads…)
• First-class citizen with the Docker API
• Never stored in clear on disk
(persisted in encrypted form by manager nodes)
• Exposed to services
(presented as a file on an in-memory filesystem)

23. Demo
docker secret create; add the secret to a service; see the secret in the service

24. Privilege separation
• By default, if I have API access, I can do anything
• Including creating a malicious service to leak secrets! ⚠
• How do we fix this? 🤔

25. Authentication and authorization
• Docker EE has the notion of users, groups, and permissions
• Permissions are implemented with permissions labels:
“If an object has the permissions label X, your user needs to have
permission X to be able to see or interact with that object.”
• Normal label (com.docker.ucp.access.label)
• Every object can have one (service, container, volume, secret…)
• Visible with the CLI, API, etc.
• Protected and enforced by UCP

26. Demo
Create a UCP user “jerome” with basic privilege
Login with “jerome”
Deploy a “jeromecoins” stack;
See it running in the “admin” console

27. Under the hood
• Docker (CE and EE) has authorization plugins
• All API requests are examined by all enabled plugins
• Each plugin has the opportunity to accept or deny the request
• UCP is an authorization plugin
• You can write your own plugins
• Multiple plugins can co-exist
• UCP lets you export a key/cert bundle for a user
(to use the CLI while respecting the permissions system)

28. HTTP routing mesh
• Docker (CE and EE) has a TCP routing mesh
• provides load-balancing for internal and inbound traffic
• leverages IPVS, a high-performance in-kernel load balancer)
But: only one app at a time can “sit” on port 80 on your cluster
• Docker (EE) has a HTTP routing mesh
• provides HTTP Host header parsing and virtual host routing
• optional TLS termination
• implemented using labels

29. Demo
Show labels in the deployed app
Do requests to the different virtualhosts

30. Hosting container images
• Docker CE: we can use the open source registry
• as simple as “docker run registry:2”
• this is the registry that we used for all these demos
• Docker EE: we can use Docker Trusted Registry (DTR)
• has user and groups, integrating with the ones in UCP
• also: webhooks and workflows implementing CI/CD
• Also many third party options: ECR, quay…

31. Big scary security question
Is it safe to run this program that I just downloaded from the Internet?
• Make sure that it is from a trusted, reputable source
• Check that it wasn’t compromised in transit
• Run it through an antivirus scanner

32. Next big scary security question
Is it safe to run this container image that I just downloaded?
• Make sure that it is from a trusted, reputable source
• Check that it wasn’t compromised in transit
• Run it through a security scanner

33. Docker security features
• Trusted, reputable sources
• Docker Store
• official images
• Docker Content Trust
• Integrity checking
• content-addressed layers
• manifest signatures
• cryptographic hashes
• Arbitrary image scanning
• Docker Security Scanning (only in EE)
• other 3rd party scanners are available

34. Getting started with Docker CE,
using play-with-docker
Let’s deploy DockerCoins:
• on a Swarm cluster
• without installing anything on our local machine
• in less than 5 minutes
• and scale it!

35. Demo
Create a Swarm cluster in PWD
Setup a self-hosted registry
Build, ship, run DockerCoins
Scale it!

36. There is more …
• Run Docker anywhere
• on virtual or physical machines
• on embedded or energy-efficient platforms like ARM
• Run Windows applications
• Docker can run Linux and Windows containers
• Swarm can manage mixed clusters
• Run monolithic/legacy applications
• image2docker helps to “dockerize” existing apps
(similar to P2V programs)
• look for Docker’s “MTA” (modernize traditional apps) program!

37. Conclusions
• With Docker, you can build, ship, and run any app, anywhere
• Docker Community Edition is great for developers and small teams
• Docker Enterprise Edition is optimized for business critical apps
• long term software maintenance
• dependable support team
• fine-grained access control
• container image lifecycle management
• additional security features
• All these extra features are provided through open integration points
(no “magic backdoor” or vendor lock-in)

38. Thank you!
Questions?
@jpetazzo
@docker