Okay, welcome back to theCUBE's coverage of DockerCon 2021. I'm John Furrier, host of theCUBE. We are with Justin Cormack, CTO of Docker. He is also involved in the CNCF, technical oversight and a variety of other technical activities. Justin, great to see you. Thanks for coming on theCUBE virtual this year. Again, twice in a row, and maybe next year we'll be in person, but certainly hybrid, great to see you. Yeah, great to see you too, yeah. In person would be nice one of these days, yes. Well, we get real life back. It's almost there, you can feel it, but it was so much activity. You know, one of the things that we've been talking about is certainly on theCUBE, and you even hear at DockerCon, same story. The pandemic really hasn't truly impacted the developer community because most of the people have been working remotely and virtually for many, many decades. And if you think about just in the past 10 years, all the innovation in cloud has come from virtual teams, open source software has always had good kind of governance and democratization of kind of how the code's built. So not a beat's been skipped during the pandemic. In fact, anything supply chain of software development has increased, so. Yeah, I mean, I think that it's definitely true that open source was really the place that pioneered remote working. It was, you know, and a lot of the work methods that people worked out to do open source, you know, async communication and things like that were things that people have adopted. It's a slightly different community. I mean, I think that, you know, some of the, I'd say open source projects like meetings less than some other organizations, but definitely that it was definitely that pioneering thing. And a lot of the companies that started off remote first were in open source software and they started off for those reasons as well, because developers were already working like that and they could just hire them and they could continue to work like that.
You know, one of the upsides of all this is that people won't tolerate even Zoom or in-person meetings that just go on. You know, 15, 30 minutes, good call. Why even have a meeting? What's the purpose? Async totally the way to go. Let's get into the developer community. One of the things I love about DockerCon this year, 2021 is the envelope is being pushed again. Almost to another level is almost a new level. This next level of containers is bringing more innovation to the table and productivity and simplicity. Some of the same messages last year, but now more than ever, stuff's going on. What are you hearing directly from the community? You talked to a lot of the developers out there. You have millions of developers in the Docker ecosystem. What are they saying now in 2021? What's going on in their mind? Yeah, I mean, I think it's an area, I mean, more and more people are using Docker and they're using it every day. And that's, you know, it's a change that's been going on obviously for a while, but, you know, it begins to sort of, you know, as it spreads, the kind of developers using Docker so different from when I, you know, when I started Docker coming up for six years ago, it was a very, you know, bleeding edge type thing for early adopters. Now it's everywhere. You know, millions and millions of ordinary developers are using Docker every day. And the kind of things they're telling us is, well, some of this stuff that we thought, well, you know, five years ago was an amazing breakthrough in simplicity. Now that's on its own still too hard. One of the things I mentioned in my keynote was that, you know, talking to developers who just primarily have been working Windows all their life, but more and more applications being shipped on Linux and they're using Linux containers, but they find Dockerfiles really hard because they're really, you know, Linux shell scripts and a Windows developer doesn't know how to use a Linux shell script.
And it's bringing it down to that next level of ease of use where, you know, you can adopt these things more easily. They're pitched at the, you know, the kind of level of developer who is just thinking about, you know, their language, their APIs and they don't want to have to learn kind of lots of new things to do Docker. They'll learn some, but they'll, they really want it to kind of integrate better into the environments they work in and, you know, help them more. And, you know, really, really, you know, you know, we've been working on a lot of detailed instructions about like how to use Docker better with JavaScript and Python, you know, because people have told us, you know, be specific about these things. Tell us exactly how I do that make things work well with the way I'm doing things now. What is the big upside for containers, for the folks watching? And, I mean, last year, one of the most popular sessions was the 101 Peter McKay did, which was fascinating, packed with people and the adoption of containers is going everywhere and enabling a lot of growth. What's the main message to these new developers that are coming on board the ecosystem? I think what's happening is that people are gradually, are very slowly starting to think about containers in a different way. When we started, the question everyone kept asking was about containers and VMs, what's the difference? That question kind of really didn't really, kind of really address what the big change, fundamental changes that containers made to how people work was. I like to think about it in terms of the, you know, physical shipping containers, like people are concerned about like, can you escape from the box? You know, can I get out of a container? These kinds of questions, isn't this not really the important question about containers is can you escape from the box? The question is, what does it enable you to build?
You know, the shipping container let us build these supply chains that let people, you know, build products and factories and things that would never have been possible without that ability to actually just ship things in a routine and predictable and reliable and secure way, you know, getting that content. And there's the things that come in the container in order to let you actually work more effectively. And, you know, I think that now we're talking about like, what's the effect of containers on the industry as a whole? What are the things that we can learn about repeatability and, you know, documentation and metadata and reliability that we kind of talked about a little bit before, but these are becoming the important use cases for containers. Containers are really about, you know, they're not about that kind of security and escape piece. They're about the content, the supply chain and your actual process of working. What do you, first of all, great feedback on, I mean, great call out on the security piece. I want to get that in a second. I think that's a killer one. You mentioned supply chain. Can you define software supply chain? And is that where the automation value comes in? Because a lot of people are talking about automation as improving the developer experience. So can you clarify quickly, what is, what do you mean by the software supply chain? And is that where automation comes in? Am I getting that right? Yeah. So the software supply chain is really that process by which, you know, you get components of software to build your applications. Around 99% of companies are using open source software to build applications. And the vast majority of the pieces of any modern application consist mainly of open source software and some cloud source software and some software that people are writing themselves. But you've got to get these components in. You've got to make sure that they're updated and scanned and they're reliable. 
And that's the software supply chain is that process for bringing in components that you're using to build your applications. And so, you know, the way automation comes in is just because there's so much of the software, dealing with it manually is just difficult. And it's an ongoing process of build and test and CI and all those scanning and all those processes. And I think as software developers, we fundamentally know that the most valuable things are the things that we automate. You know, they're the things that we do all the time and they're important. And a lot of building a software is about building repeatable processes rather than just doing things one by one because we know that we have to keep updating software. We have to keep fixing bugs. We have to keep improving software. And so you've got to be able to keep doing these things. And automation is what helps us do that. You know, I was talking to Dana Lawson who's the SVP of engineering at GitHub and she and I were chatting about this one topic. I want to get your thoughts on it because she was definitely on the camp of automation helps with productivity. No doubt, check, double check there. Question I have for you is how do you see the impact on say the developer experience and innovation specifically? Because, okay, I can see the productivity, okay, something happens a bunch of times, automated. You start thinking about supply chain, then you talk about developer experience. And ultimately with Kubernetes around the corner with the relationship with containers, you can see the cloud native benefits with from an innovation standpoint. Can you share your thoughts on the automation impact to experience for the developer and the innovation strategies they need? I think that one of the ways we're trying to think about everything we do at Docker is that we should be helping build processes rather than helping you do something once. 
Because, you know, you say, if you do something three times, you want to automate it. But what if the first time you did it, that could also build that automated process. If it was, why isn't it as easy to make something automated as it is to do it once? There's no real reason why it shouldn't be. And I think it's, you know, I think that, you know, that kind of, I was having a conversation with someone the other day about how they were, that they had kind of reversed their thinking and they found that often it was easier to start with automation and harder to do things manually. And that's a, you know, that's a long, that's a kind of real reversal of that kind of role between automation and doing stuff once. And it's not how we think of it. But I think it's really interesting to think about that kind of thing and how could we make automation, you know, really, really simple. Well, I mean, that's a great example when you have that kind of environment. Surely the psychology is better to have automation. But if everyone's saying it's hard to do manual, that means they're at some sort of scale, right? So scale matters, right? So as you start getting the, you know, the SRE vibes going and you start getting cloud scale and cloud native apps, that's going to be cool. Now, the question that I want to ask you because what the other thing that's happening is more people are coming into open source than ever before, not just young developers, but also end users, not like the hardcore end users. We're talking like, you know, classic enterprises are coming in. So as more developers come in and increase over the year, what does that mean for the experience of developers? Now you have, does that change? How do you view that? Because as more developers come in, you have institutional knowledge, you have scale, you have learnings, what's your thoughts on the impact as the population of developers increase? What is Docker? How does Docker view that? 
Yeah, no, I think it's a really interesting trend. I mean, it's been very visible and since the air for the last few years, we've been seeing a lot more active end user companies doing open source. I mean, Spotify has been one of the examples with their Backstage project they brought in to CNCF and other areas where they work. And I think it's, you know, I think it's part of this growing trend that's really important to Docker. You know, Docker is a bottom up technology adoption company. Developers are using Docker because it works for them and they love it. And developers are doing open source in their companies because open source works for them and they love it. And, you know, it works for their business as well. And whereas historically, like the model was you would buy kind of, you know, large enterprise products, you know, with big procurement deals that were often not what the developers wanted. But now you're getting developers saying what we want to do is adopt these open source projects. We want to, because we know how they work, we already understand them, we know how to integrate them better into our processes. And I think it's that developer led demand that's really important. And it's the kind of integration that developers want to do, the kind of products that they want to work with because they understand them and love them and they are targeted at developers. And that's incredibly important. And I think, you know, that's very much where Docker's focused. And we really want to, you know, open source is the core of everything we've always done. We've built with the open source community and we've kind of come from that kind of environment and we've built things that, you know, we love as developers and that other developers love. Talk about your thoughts on security, obviously it's always a built in from the beginning, shift left is the ethos, day two operations, AI ops, whatever people want to call that post deployment mode.
Security has to be at the center of this. Containers can be a great solution and give some great flexibility for developers. Can you talk about your view and Docker view on the security posture and situation? Yeah, I mean, I think shift left is incredibly important because just doing things, doing things late is just everyone knows is the wrong thing from the point of view of productivity. But I think shift left can just mean ask the developers to do everything, which is really a bit too much. I think that, you know, sometimes things need to be, you know, shifted even further left than people have actually thought. So like why are, you know, why are you expecting developers to scan components to see if they're allowed to, if they should be using them or they should be updated, why hasn't that happened before the developer even gets those? You know, I think there's a, I sort of like, you know, I talk about this whole piece about trusted content and it's really important that, you know, we really shift that even further left. So it's long before it gets to the developer that those things are happening. Security, security is a, I mean, it's a huge area, of course, but it's very much, we need to help developers because security is non-obvious. You know, I think that, you know, the more you understand about security, the more you understand that it's not really, it's not, it doesn't come naturally to people and they need to be helped with it. And they need to learn a lot about things and a way to, I mean, I found myself that, you know, learning how to think like an attacker is a really important way of thinking about how to secure software. It's like, what would they do rather than just thinking about the normal kind of, oh, this works in the happy path. It's what happens if things go wrong, but you have to think about it as well. So there's a lot of work to do to educate and help and build tools that help developers there. 
And it's been really good working with Snyk because they're a very developer focused security company. That's why we chose to work with them. Whereas historically, security companies have been very oriented towards, you know, kind of the operator side of it, not the developer side, not the developer experience. And the other piece is really around supply chain security. That's just kind of a new security area and it's very important from the container point of view because one of the things containers let you do is really control the components that you're using to build applications and manage them better. And so we can really build tooling that helps you, helps you manage that, helps you understand what's in a container, helps you understand where it came from, how it was built and automate those processes and, you know, sign and authenticate them as well. And that, you know, we've been working on with CNCF on Notary v2, which is for signing, revamp of the container signing process because people really want to know who originated this container, where did it come from, what did they say is in it. There's a lot of work about bill of materials and compositional analysis and all those things that you need to know about what's in a container. Everyone wants to know what's in a container. I mean, if you've got a Kubernetes cluster, for instance, that's highly secure and in comes a container, how do you know what the, you know, there's no perimeter, right? So again, as you said, thinking like an attack vector there, you got to understand that. This is where the action is, right? This is where a lot of work's being done on this idea of always on security. You don't know what the container's coming in. That's be vetted during the run stage. You're running a business now. It's not just build and share. It's you're running infrastructure. Absolutely. I mean, you really want full control about everything that goes into it.
And you want to know where everything that you're running in production came from. And you really tie this as an end. You know, that's your end to end supply chain of everything from developer inputs to through the build process and right to production and in production, you know, understanding whether it needs to be updated and whether there's newly discovered vulnerabilities and whether it's being attacked and how that relates back to what came into it in the first place. A lot more intelligence, a lot more monitoring. You guys are enabling all that. I know it's cool. Great stuff. Hey, I want to get your thoughts on just what I got you here on the calendar looking at the DockerCon 21 event and that we're having a fun time here with. We're on the cube track. Got the keynote track. But if you look at the sessions that's going on, you got, we'll get your comment on this because it's really interesting how it's cleverly laid out this is. You got the classic run share build and then you got a track called Accelerate. Interesting metadata around these labels. Take us through because this basically shows the maturation of containers. I mean, we already talked about the relationship. You know, somewhat with Kubernetes, everyone had kind of seized that direction clearly, but you got Acceleration, which is a key new track, but run, share, build. What's your reaction to that? What's your observation of what the layout on those names and what it means to an enterprise and people building? Yeah, I mean, build share run has been Docker's kind of motto for a long time. It kind of encapsulates that kind of process of like the developer building application, the collaborative piece that's really important about sharing content in containers and then obviously putting it into production because that's the aim. But Accelerate is incredibly important too. I mean, developers are just being asked to do a lot. Everything is software. 
There's a lot of software and a lot of software has to be created and we've got to make it easier to do this and really that that kind of getting quickly from idea to business outcomes and results is really what modern software teams are really driving at. And I think we've really been focused this last year on what the team needs to succeed and especially small focus teams delivering business value. It's how we're structured internally as well and it's how our customers to a large extent are structured and it's that kind of focus on accelerating those business outcomes and the feedback loops from your ideas to what the feedback that your customers give you and helping you understand that is really important. Talk about final question for you in terms of the topic here. Cloud, hybrid cloud, multi-cloud. This is the put multi-cloud aside, it's more hype. You know, everyone has multiple clouds but it speaks to the general distributed computing architecture. When you talk about public cloud and on-premises, cloud operations. So modern developers looking at that as, okay, distributed environment, edge, whatever you want to call it. What's your view of Docker as it goes forward for the folks watching who have experience with Docker, love the vibe, love the open source, but now got to start thinking about putting the containers everywhere. What's the Docker pitch, so to speak, or the tech story that they should walk away with from you, what's the story? What's the pitch? Yeah, so, I mean, containers everywhere has been a sort of emerging trend for a while. The last year or so, the whole Kubernetes at the edge thing has really exploded with people experimenting with lots and lots of different architectures for different kinds of environments at the edge. What's totally clear is that people want to be able to update software really easily at the edge the way you can in the cloud. 
We can't have this, there's no point in shipping a modern piece of equipment, manufacturing equipment that you can't update the software on because the software is how it works. More and more equipment is becoming very general purpose. People making general purpose robots, general purpose factories, general purpose, everything which need to be specialized into the application they're going to run that week. And also, people are getting more and more feedback and data and feedback from the data. So if you're building something that runs on a farm, you're getting permanent feedback about how well it's doing and whether it's how well the crops are growing, what's coming back. And so, everywhere you've got this, we need to update and everywhere you need to update, you want containers because containers are the simple reliable way to update software. I know you talked about the CNCF and your role there, also the CTO of Docker. I have to ask, because we were just covered KubeCon and CloudNativeCon just last month and this month. And it's clear that Kubernetes is becoming boringly good in a way that's good to be boring, right? It means it's working. And it's becoming more CloudNativeCon than KubeCon. That was been kind of our editorial observation, which speaks to what we feel is a trend towards more CloudNative discussions, less about Kubernetes. So, I mean, there's still Kubernetes stuff going on. I'm not gonna get me wrong. Just saying it's not as controversial in the sense of people kind of clearly understand why that's important. And all the discussions now are on, seem to be on CloudNative modern developer workflows. What's your reaction to that? Do you agree? If not, what's your take? Yeah, I think that's definitely true. Kubernetes is definitely much more boring. Everyone is using it. They're using it in production now, vastly more than they were a few years ago, when it was just experiment, experiment, experiment. Now it's production scale out. 
There's a lot of, I mean, the ecosystem in CNCF is kind of huge. I mean, there's so many little bits that have to be filled in storage and networking and all that. So there's actually a lot of pieces that are around Kubernetes, but there's definitely more of a focus coming on the developer experience there. I mean, compared to DockerCon, the audience at KubeCon and CloudNativeCon is still much more operator focused rather than developer focused. And it's very nice coming to DockerCon, just to feel amongst that developer community, KubeCon still has a way to get to have more of a real developer audience. But the project is starting to appear with a more developer focused kind of aim of things like Backstage from Spotify is a really interesting one where it's about operations, but it's a developer portal focused thing. So I think it's happening and there's a lot more talk about that there's a whole bunch of infrastructure, there's a lot more security projects in CNCF than they were before. And we're doing a lot of work on supply chain security in CNCF, just released a white paper on that a few days ago. So there's a lot of work there that touches on developer needs. I still think that the audience for KubeCon is still that much different from DockerCon, which is, I think, 80% developers and maybe 10% infrastructure rather than the other way around. It's a different field. If you're going to get operates, it can be SRE slash platform leads. I mean, the platform leads are definitely inside DockerCon now than they've ever been before from my observation. But that speaks to the sign of the times. Most development teams have an SRE in the team, not an SRE team. They just start to see much more integration amongst the kind of a threaded or threaded teams or whatnot. Yeah. I mean, build and operate your apps is the model. And I think that's going to lead to more and more crossover between these communities. I mean, that's what DevOps was supposed to be about.
Somehow got divergent to building DevOps teams instead of working together, but we'll get there. It's clear from my standpoint, at least we'll be reporting here, is that from the DockerCon community and at large cloud and cloud native community, having end-to-end workload visibility on developer, test run, everything seems to be the consensus without a doubt. And then having multiple teams and then having some platform and have some, have some flexing people moving between teams for the most part, but built-in security, built-in SRE, built-in DevOps, DevSecOps all the way for end-to-end. Absolutely. We know that that's what does work best. It's where most organizations are heading at different speeds because it's very different from the traditional architecture and it takes time to get there, but that's the model that's come out of microservices that really containers enabled and allowed that model to happen. It's the team architecture of containers. Hey, monolithic applications have monolithic organizations, microservices have microservices teams. Justin, great to have you on theCUBE for this conversation. Folks watching this interview, check out Justin's keynote, came from the main stage, great stuff. Justin, thanks for coming on theCUBE. Really appreciate your time and insight. Thank you, good to see you again. Okay, this is theCUBE's coverage of DockerCon 2021 virtual. I'm John Furrier, your host. Thanks for watching.