
Insights from DockerCon 2015: Architecture, Plugins, Networking, and Security

The article summarizes DockerCon 2015, detailing Docker's rapid growth, roadmap for multi‑container management, plugin and networking architectures, security practices, vendor showcases, and the emerging Open Container Project, providing a comprehensive view of Docker's direction and ecosystem.

High Availability Architecture

田琪, a senior architect at JD.com with a decade of internet experience, attended DockerCon 2015 in San Francisco and shared his observations, which are compiled in this article.

The conference opened with Docker CEO Ben Golub presenting impressive growth metrics: contributor count up 183%, Docker projects on GitHub up 515%, job openings up 1720%, applications built with Docker up 934%, and container downloads up 18082%.

Solomon Hykes, Docker CTO, outlined the next five‑year vision to build a software layer that makes the internet programmable and to reinvent the developer toolbox, focusing on runtime, packaging & distribution, service composition, machine management, clustering, networking, extensibility, and standards.

Key technical topics included:

Runtime – ensuring repeatable code execution across machines.

Packaging & distribution – Docker Distribution tools (https://github.com/docker/distribution).

Service composition – Docker Compose project.

Machine management – Docker Machine project.

Clustering – Docker Swarm project.

Networking – Docker libnetwork abstractions (endpoint, network, sandbox) and vendor solutions, emphasizing application‑layer networking without altering existing infrastructure.

Extensibility – Docker Plugin system covering network, volume, scheduler, service discovery, etc.

Infrastructure components – namespaces, cgroups, device mapper, storage, OS containers, and projects like Notary (https://github.com/docker/notary) and RunC (https://runc.io).

Open standards – formal specification, independent governance, neutral reference implementation, broad coalition support, and openness to new ideas.

Demonstrations largely failed, but the focus remained on networking and plugin ecosystems.

Vendor booths showcased Docker‑based cloud services, storage solutions (e.g., Flocker for stateful containers), and discussions about Docker registry drivers (e.g., the author’s open‑source project https://github.com/jcloudpub/speedy) and the eventual deprecation of registry v1.

Afternoon sessions highlighted Docker Plugins, with emphasis on network and storage plugins, process‑based plugin architecture using domain sockets and JSON/HTTP protocols, and a live‑migration demo using Flocker and Weave.

Docker libnetwork was explained, defining endpoints as service links, networks as collections of endpoints, and sandboxes as groups of interconnected containers, with service discovery currently DNS‑based and future extensibility planned.

The second day featured more commercial talks, including Docker Hub’s growth, Docker Trusted Registry, and Microsoft’s container integration.

Shopify presented its routing and discovery approach, using a Toxiproxy project (http://github.com/shopify/toxiproxy) to simulate network conditions, and emphasized principles such as no single point of failure and prioritizing reads.

A security session introduced the "least‑privilege microservices" principle, profiling resource needs per service type, using strace -c -t -p <PID> to audit syscalls, and leveraging Docker security mechanisms like cgroups, namespaces, Linux Security Modules, capabilities, ulimits, and user namespaces.

The talk advocated stripping unnecessary packages from base images and defining security profiles to standardize container hardening.
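
As an added illustration of the strace audit and capability hardening described in this session (example code written for this page, not taken from the talk or from Docker), the script below parses strace -c summary output and turns the capability-gated syscalls it observed into docker run capability flags. The syscall-to-capability map, the function names and the sample trace are assumptions constructed for the example.

```python
import re

# Heuristic, non-exhaustive map (an assumption of this example): syscall -> capability.
SYSCALL_CAPS = {
    "chown": "CHOWN", "fchown": "CHOWN", "fchownat": "CHOWN", "lchown": "CHOWN",
    "setuid": "SETUID", "setreuid": "SETUID", "setresuid": "SETUID",
    "setgid": "SETGID", "setregid": "SETGID", "setresgid": "SETGID",
    "chroot": "SYS_CHROOT", "mknod": "MKNOD", "mknodat": "MKNOD",
    "mount": "SYS_ADMIN", "umount2": "SYS_ADMIN", "ptrace": "SYS_PTRACE",
    "bind": "NET_BIND_SERVICE",  # only required for ports below 1024
}

# Constructed sample of `strace -c` summary output for a small web service.
SAMPLE = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 52.10    0.005210          13       400           epoll_wait
 30.25    0.003025          10       300        12 openat
 12.40    0.001240           6       200           read
  3.05    0.000305         152         2           bind
  1.20    0.000120          60         2         2 chown
  0.60    0.000060          60         1           setuid
  0.40    0.000040          40         1           setgid
------ ----------- ----------- --------- --------- ----------------
100.00    0.010000                   906        14 total
"""

# Columns: time, seconds, usecs/call, calls, optional errors, syscall name.
ROW = re.compile(r"^\s*[\d.]+\s+[\d.]+\s+\d+\s+(\d+)\s+(?:(\d+)\s+)?([a-z_]\w*)\s*$")

def parse_strace_summary(text):
    """Return {syscall: (calls, errors)} from `strace -c` summary output."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) != "total":
            seen[m.group(3)] = (int(m.group(1)), int(m.group(2) or 0))
    return seen

def suggest_caps(seen):
    """Return (docker run flags, capabilities needing manual review)."""
    add, review = set(), set()
    for name, (calls, errors) in seen.items():
        cap = SYSCALL_CAPS.get(name)
        if cap:
            # A call that never succeeded may be dead code or a denied need.
            (review if errors == calls else add).add(cap)
    flags = ["--cap-drop=ALL"] + [f"--cap-add={c}" for c in sorted(add)]
    return flags, sorted(review - add)
```

A short trace only covers the code paths exercised while strace was attached, so treat the result as a starting profile and re-audit under realistic load.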

Overall, Docker’s primary focus areas were identified as libnetwork development and the plugin system, with the Open Container Project (OCP) emerging as a compromise to standardize runtimes amid competition with CoreOS.

Additional discussions involved other experts and a Q&A session, with further details to be published later.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
