The second weekly development report. Feel free to send PRs if you want to add to these reports (or correct them).
We aim to provide a set of open spaces for collaboration to help move projects towards production, under the projects/ directory.
Projects should usually provide a README of how to get started using the project with Moby, and a roadmap document explaining what
the aims are and how to contribute. Most projects will probably provide a way to run the project in a custom Moby build
in its current state, which ideally will be integrated in the Moby CI so there are checks that it builds and runs. Over
time we hope that many projects will graduate into the recommended production defaults, but other projects may remain as
ongoing projects, such as kernel hardening.
If you want to create a project, please submit a pull request to create a new directory.
Current projects do not yet all have a section but should be added soon:
- Kernel Self Protection Project
- Mirage SDK: privilege separation for userspace services
- Wireguard: cryptographic enforced container network separation
- Clear Linux integration (Intel)
- VMWare support (VMWare)
- ARM port and secure boot integration (ARM)
- OKernel integration (HPE)
Anil Madhavapeddy @avsm from Docker added initial support for packet.net, a bare metal cloud provider, our first non virtualised platform. Several projects need bare metal support for running VMs, and we also need physical platforms for various test suites we plan to run (LTP, Hyper-V), and we plan to expand support.
We have invited several more people to participate this week:
- The Intel Clear Linux team, who are going to work on integrating Clear Linux support into Moby @amshinde @amyleeland @chavafg @dborquez @devimc @dlespiau @gorozco1 @grahamwhaley @jcvenegas @jodh-intel @jtkukunas @mcastelino @sameo @sboeuf
- Jason Donenfeld @zx2c4 who is working on Wireguard
- Nigel Edwards @edwards-n from HPE, working on OKernel integration
- Daniel Finneran @thebsdbox from HPE and Docker Captain
Welcome everyone, looking forward to your contrinutions and working with you. Please open issues on github if you need help, or ask on #moby in the community slack.
We are working towards a simpler and better documented basic flow. Early next week the moby tool will be changed to have moby build and moby run subcommands. At least initially the moby run flow will only be targeted at running locally (hyperkit and kvm, qemu). We may add a third cluster run option later, using infrakit. @rneugeba has been working on Go hyperkit bindings to make this easier in #1327.
There is a --name option to the moby tool to allow configuring of the image names that are built see #1318 rather than just using the yaml file name.
The end to end flow for Google Cloud has been much improved by @justincormack as a model for other providers, see #1323. There is a metadata container that reads the platform metadata, and passes ssh keys to the generic sshd container. This makes the workflow much simpler: build moby with a gcp target, use gcloud compute instances create to run an instance, then ssh in to it, see https://github.com/docker/moby/blob/master/docs/gcp.md for details. We will expand this to other providers, in particular porting the metadata providers for other Docker Edition platforms.
As mentioned above @avsm has worked on initial support for the packet.net instances, both the smaller Intel Atom Xeon machines, and the larger machines with dual 10GbE. #1309 #1325
The kernel container build has been improved, with human readable names eg mobylinux/kernel:4.9.x and will soon be built again in CI #1295. We upgraded the standard kernel to 4.9.15 #1305. We will add 4.10.x builds shortly.
@riyazdf has done some more work on making Moby run with a read only rootfs #1298 as well as more containers run read only #1290 #1301. There is also work on splitting out DHCP into a seperate service container so that it can be removed if other networking configuration is being used or if other clients are used #1316.
- integrated
moby run - helping our new contributors get started
- restoring missing parts from editions (
ssh, userdata, docker, disk formatting), currently in progress - documentation for config file, tutorials, overall roadmap
- preparing Dockercon priorities
- there will be a talk by @justincormack on Moby (currently billed as containerd...)
- there will be a Docker Security talk with @riyazdf (
Secure Substrate: Least Privilege Container Deployment) that will highlight Moby - there will be a session and lots of time to talk at the Thursday summit - get in touch if you need an invite.