Docker 1.11 et plus: Engine is now built on runC and containerd

tiffany jernigan
May 17, 2016 · 7 min read

Docker recently released new versions for their entire platform: Engine was bumped to 1.11, Swarm is now 1.2, and Compose and Machine are respectively 1.7 and 0.7. There is also an associated release for Docker Mac/Windows, Beta 10. This is a “tip-of-the-iceberg” kind of release, in the sense that while the user-facing changes are modest, the Engine underwent a massive overhaul to make it the first Open Container Initiative (OCI) compliant runtime. More specifically, Engine is now built upon runC and containerd.


OCI, runC, containerd… What’s the deal?

What is the Open Container Initiative?

What is runC?

What is containerd?

How it all ties together


Docker Engine still does image management and then it hands over an image to containerd to run. containerd then uses runC to run the container.

containerd only deals with containers: it takes the role of starting, stopping, pausing, and destroying containers. Since the container runtime is isolated from the engine, Engine ultimately will be able to be restarted or upgraded without having to restart the containers. Some other benefits are that Linux-specific code was removed and that this change facilitates the use of other container runtimes while keeping the same Docker UI commands (so on the surface everything appears the same).

Since there are now four components, instead of the standalone `docker` binary, there are respectively four binaries: `docker`, `docker-containerd`, `docker-containerd-shim`, and `docker-runc`. If you are on the host machine, you can grep for docker processes using `ps ax | grep docker` and you can see these running. Below, the Docker 3rd birthday example voting app is running and if you grep for all docker processes from the host machine, you can see the aforementioned binaries.


If you’re using Docker for Mac/Windows you can run `docker run -it --pid host -v /:/hostfs --net host alpine chroot /hostfs` and run `ps ax | grep docker` in this container to get the running processes. `--pid host` makes the container use the host’s PID namespace and, similarly, `--net host` uses the host’s UTS namespace. For more information on `run`, look at the Engine reference.

If you look inside of `/var/run/docker/libcontainerd` you can see all of the containers you have running and the `docker-containerd` sock file.
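To make the process chain described above concrete, here is an added example (not from the original post) that reads `ps -eo pid,ppid,args` output and attributes every process to the container whose `docker-containerd-shim` it descends from. The sample listing is constructed, and the shim argument layout (container ID as the first argument) is an assumption about the 1.11 binaries.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,args` on a Docker 1.11 host.
# PIDs, container IDs and command lines are illustrative only.
sample_ps() {
cat <<'EOF'
  PID  PPID COMMAND
    1     0 /sbin/init
  812     1 /usr/bin/docker daemon -H fd://
  830   812 docker-containerd -l /var/run/docker/libcontainerd/docker-containerd.sock --runtime docker-runc
 1502   830 docker-containerd-shim 4f1c9a7e /var/run/docker/libcontainerd/4f1c9a7e docker-runc
 1519  1502 redis-server *:6379
 1604   830 docker-containerd-shim 9b2d33c0 /var/run/docker/libcontainerd/9b2d33c0 docker-runc
 1621  1604 python app.py
 1650  1621 python app.py
EOF
}

# container_tree: read ps output on stdin and print "<container-id> <pid> <command>"
# for every process that has a docker-containerd-shim among its ancestors.
container_tree() {
  awk '
    NR == 1 { next }                          # skip the ps header line
    {
      pid = $1; parent[pid] = $2
      name = $3; sub(/.*\//, "", name)        # basename of argv[0]
      if (name == "docker-containerd-shim")
        shim[pid] = $4                        # assumed: argv[1] is the container ID
      $1 = ""; $2 = ""; sub(/^ +/, "")        # keep only the command line
      cmd[pid] = $0; order[++n] = pid
    }
    END {
      for (k = 1; k <= n; k++) {
        pid = order[k]
        if (pid in shim) continue             # the shim is not a workload process
        # Walk up the parent chain until a shim or the root is reached.
        p = parent[pid]; hops = 0
        while (p + 0 > 0 && !(p in shim) && hops++ < 64) p = parent[p]
        if (p in shim) print shim[p], pid, cmd[pid]
      }
    }'
}

sample_ps | container_tree
```

On a real host, pipe `ps -eo pid,ppid,args` into `container_tree` instead of the sample; the daemon and `docker-containerd` themselves are not listed because they sit above the shims.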


Other changes

Networking


Additionally, networks (and volumes) can now have labels, as images can.

Compose 1.7

Next, `docker-compose up` now starts services in parallel where possible, and dependency order is still respected. For instance, if you look at a Docker Compose file with redis and you know that you can start the database, front end, and worker once redis is started, then they are started at the same time.
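The start order described above can be modelled as waves, shown here in an added example that is not Compose's own code. The dependency list is constructed and stands in for the services' `depends_on` entries; grouping into waves is a simplification of how Compose schedules the starts.

```shell
#!/bin/sh
# Constructed dependency list in the form "service: dependency ...",
# matching the redis / database / front end / worker case in the text.
sample_deps() {
cat <<'EOF'
redis:
db: redis
frontend: redis
worker: redis
EOF
}

# start_waves: read "service: deps" lines and print one line per wave.
# Every service in a wave has all of its dependencies in earlier waves,
# so the services within one wave can be started at the same time.
start_waves() {
  awk '
    {
      svc = $1; sub(/:$/, "", svc)
      names[++n] = svc; ndeps[svc] = NF - 1
      for (i = 2; i <= NF; i++) deps[svc, i - 1] = $i
    }
    END {
      remaining = n; wave = 0
      while (remaining > 0) {
        line = ""; picked = 0
        for (k = 1; k <= n; k++) {
          s = names[k]
          if (s in started) continue
          ready = 1
          for (j = 1; j <= ndeps[s]; j++) {
            d = deps[s, j]
            if (!(d in started)) ready = 0
          }
          if (ready) { batch[++picked] = s; line = line " " s }
        }
        # Nothing can start: a cycle, or a dependency that is not defined.
        if (picked == 0) { print "error: dependency cycle or unknown service"; exit 1 }
        for (j = 1; j <= picked; j++) started[batch[j]] = 1
        remaining -= picked
        wave++
        print "wave " wave ":" line
      }
    }'
}

sample_deps | start_waves
```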

Also there were a few changes or additions to the commands for `docker-compose`. Two new commands were added: `docker-compose up --build` and `docker-compose exec`. People were often running `docker-compose build` and then `docker-compose up` when editing Dockerfiles, so to solve this issue a `--build` flag was added to `up`. The other command, `exec`, has the same functionality as it does in Docker Engine. Additionally, `docker-compose logs` now mimics `docker logs`: instead of displaying the entire logs of the container and then streaming them, it will only display them. You will have to use `docker-compose logs -f` to stream logs, like with `docker logs`. `docker-compose logs` is now able to detect when you add new containers to your applications, and will automatically add their logs to the stream when using `docker-compose logs -f`.

Swarm 1.2

`docker run -d -e reschedule:on-node-failure <image>`

`docker run -d -l 'com.docker.swarm.reschedule-policy=["on-node-failure"]' <image>`

The Swarm Manager, which keeps track of the nodes, continuously checks for a heartbeat from each node and if it comes back as unresponsive it will go and try restarting it. If that node was running any container with a rescheduling policy, then the container is rescheduled somewhere else. The status can be checked via logs for the Swarm Manager and there can be many managers.

Registry

Docker for Mac and Windows

There have been a few new features since the Docker 1.11 release. In Docker for Mac, as of Beta 9, localhost is used for port forwarding instead of docker.local, which gives it more of the intended native Linux feel. Beta 10 made it so token validation is now done over an actual SSL tunnel (HTTPS). And Beta 11 upgraded the kernel and Compose. See the release notes for all of the new features, changes, and well known issues for both Mac and Windows.

More about Docker 1.11:

tiffanyfay

tiffany jernigan’s blog

tiffany jernigan

Written by

senior developer advocate @vmware. electrical eng @georgiatech. ex @amazon @intel &@docker. co-org docker seattle. instagram:tiffanyfayj. opinions:mine
