From the noise, it's theCUBE. Covering VMworld 2015. Brought to you by VMworld and its ecosystem sponsors. Now your hosts, Stu Miniman and Brian Gracely.

Patrick Chanezon, member of the technical staff for Docker. Patrick, I saw you at the end of our spring tour and now you're here at the, you know, picking up the fall tour. So thank you for joining us again.

Hey, thanks for having me.

All right, so I mean, last year, you know, containers with VMware, I mean, was a big discussion. We kind of all had that. You've got some background with Microsoft, right?

And VMware.

Yeah, and VMware. So, you know, there was kind of the joke of, you know, oh, the old Microsoft, you know, extend, embrace and we'll see how we go from there. But, you know, it's been a year later. So can you give us a little bit of the update of kind of, you know, how Docker and VMware, how do you guys see each other?

Actually, VMware is a great partner. You saw the announcement this morning. VMware embraced containers. So I'm super excited to be here. Some of the announcements that were made this morning is now vSphere is a control plane for containers. There's this notion of native containers in vSphere. One of the things that excites me the most is their project, Bonneville, that they talked about this morning. It's actually been made by one of my friends and ex-colleagues, Ben Corrie. And what they're doing in there is that they've re-implemented the backend for the Docker engine in terms of vSphere primitives. So when you're creating images, it creates a set of VMDK layers. And when you're creating, when you want to create a container, the isolation primitives are the ones of VMs as opposed to Linux containers. So that's a very good way of running containers.

So Patrick, last time we were in theCUBE, you did a great job of helping us, you know, kind of walk the stack. I don't know if you saw, we actually did a research piece kind of layering the whole stack.
So here, the announcement you mentioned this morning is the vSphere Integrated Containers. And they've got Photon and they've got Bonneville. And let me ask you, am I looking at this right that we're VMware, I mean, VMware is very much down at the infrastructure level. So when they build that Photon layer, you know, whether they call it just enough virtualization, as Kit Colbert said this morning when I heard him speak, but Docker sits on top of that. Am I getting that right?

Yeah, it's exactly right. And actually, one of my reasons for joining VMware, I think four years ago, was for them to go up stack. And at that time it was with Cloud Foundry. And I would argue that maybe with Cloud Foundry, we were a little bit too much up stack compared to what VMware is at the bottom. When I present the whole stack, usually I talk about like the new hardware. The new hardware today is your cloud provider. It's Amazon, Microsoft, Google, and then the virtualization with VMware. So that's the new hardware, and that's where VMware is very strong. So they manage networking, storage, and compute. On top of that, you have the OS layer. And what really got me interested in moving to Docker is that the whole landscape just changed when containers appeared two years ago, and the whole industry is reorganizing around that. So what happened at the OS layer is that all the OS providers, starting with CoreOS initially, who started that trend, started doing minimal release of their OS that are just designed to run containers. So CoreOS started that trend, but then very quickly Red Hat followed with Project Atomic, and then Ubuntu with Ubuntu Core. The most interesting to me is RancherOS, where they run Docker for everything. So they have two Docker, System Docker, and Userland Docker. And then VMware came out with Photon, I think it was last June or something like that. And today, I think they have a preview two of that coming out. On top of that, you have Docker.
So the Docker engine running. And on top of the Docker engine, you have orchestration platforms. And these are the ones that are replacing what used to be PaaS, platform as a service. And when I was at Google, I was doing Google App Engine. At VMware, I was doing Cloud Foundry. Now you see Cloud Foundry reinventing itself as a control plane for containers. And so one of the announcements that excited me most in the keynote this morning is that now Cloud Foundry is running with Photon. They have an integrated distribution. So finally, VMware is going up stack with its own stack like vSphere at the bottom. Then on top of that, you have Photon. And then on top of that, you have Cloud Foundry. So really exciting times.

Yeah, I think for me, one of the things that I always hear that feels like it's confusing or off the mark is a lot of people want to kind of get into this containers replaces VMs or VMs versus container debate. And as if they're both sort of infrastructure layer, which if you think about them as something that holds, then I could see you make the mistake. But Docker is something the developers love. They love to package their applications. They love this idea of write on my laptop, push it somewhere. Do you find that confusion a lot in the marketplace? I mean.

Oh yeah, I find that a lot. And I think it's tied to the rise of DevOps. Really in the past five years, this new movement called DevOps really took off. And DevOps is a lot about people and processes, a little bit about products as well. And I think when Docker appeared, it was the right level of abstraction for DevOps to happen. Like the right packaging construct where developers can put all their dependencies in a container, and then ops have all the right knobs to tweak for putting that in production. But it's the same thing that you put in production that you have on your developer machine.
So to me, a lot of the confusion associated to Docker is tied to that because it's a technology that is used both by developers and by ops. I think VMware is doing a really good job of giving ops the kind of control they need to put Docker in production.

So we're here at VMworld. A lot of talk about VMware in containers. You guys doing a ton of stuff with Microsoft. Like talk a little bit about, because for a long time, people like to say, well, containers have been around for a long time, Linux containers, but Windows and Microsoft adopting this, like what's going on there?

Yeah, so the partnership with Microsoft is super exciting. So after VMware, I actually moved to Microsoft. And at Microsoft, my role was to help all the Docker partners to get onto Azure. And since I joined, I've seen all the work that happened with Microsoft. Recently, we've done tons of stuff. We announced many, many different integration points. To me, the most important one is, finally, we have native Windows containers that ship with a Windows Server, TP3, like literally, I think, two weeks ago. So that's something that was pre-announced at DockerCon and Mark Russinovich came on stage with a Docker t-shirt to do a demo. Now you can run it on Azure yourself. What's exciting there is that the concepts that are at the heart of Docker are based on using cgroups and namespaces, which are Linux kernel features for isolation of your workloads. The thing is these isolation primitives, similar ones, existed in Windows Server and especially the version of Windows Server that was running within Microsoft Data Center to power Bing and things like that, to have denser workloads in the data center. What the Microsoft team has done is that they re-implemented the Docker backend in terms of Windows containers primitives. And so now you can create a Windows .NET application running on Windows Server in Windows native containers.
The beauty of it, if you're a developer, especially an enterprise developer, in the enterprise, basically, you have half and half Java and .NET. Very often developers go from one to the other, or there are developers who do Java, others doing .NET. They have completely different tool chains. Now with Docker, they have a single tool chain that they can use to build a multi-container application that use different technologies behind the scene. So finally, developers can use the best tools for the job.

So Patrick, one of the things we look at every year here at VMworld is, how are we doing at kind of fixing the things that broke when virtualization went into both storage and networking? And it was a big discussion point at DockerCon this year. You put out the beta of Docker networking. Storage, I'd say, is even a little bit further behind there. So what's the latest on how you guys think of that? Where are we along that maturity curve of storage and networking for containers?

So I'm really glad you asked that because when I joined Docker in March, that was my first project to kickstart a project to do Docker extensibility. And the two extension points that we created based on ecosystem and customer demands were about storage and networking. And so at DockerCon in June, we announced two extension points for Docker, a plugin system, one for networking and one for volumes. And what I really love about what happened at VMworld today this morning in the keynote is that VMware implemented a networking plugin based on NSX as well as a volume plugin in collaboration with ClusterHQ who had built Flocker and helped us create that extension point for volumes. So finally, one of the big issues with containers is that when you were deploying it in a multi-host setup, especially with Swarm and Compose, when you're starting to do orchestration, before June, there was no way to move one container, one stateful container with data to another machine with a volume plugin.
Now you can do that. And with the networking aspect, now you can refer to containers by instead of like doing links and there were some complicated ways to do that. Now you can use either the native networking driver that comes with Docker, but as usual, we use the philosophy of batteries included but replaceable. And so you can plug networking plugin coming from NSX if you're using vSphere under the hood.

Yeah, so Stu, we're going to be doing a panel tomorrow on containers. One of the things I want to dig into, we're going to have Intel on the show. Intel's doing some neat things where they're calling it Clear Containers, but in essence, it's kind of the equivalent for the VMware crowd of VT technology, right? Hardware isolation of processes. Talk about just what's the potential of that for containers, the ability to better leverage hardware to make containers run faster.

Yeah, so that aspect of Intel research is super exciting and it corroborates some of the things I see happening in the marketplace right now, especially on the research side where you have both, like Linux containers became super successful in the past two years. Now that we're going in production, there will be lots of different type of isolation technologies applied to containers. And so one of the first one I heard about was Project Bonneville, where it's implemented in terms of vSphere primitives. Another one is the Clear Container by Intel. And another one that I heard about that came through the OCI project that we'll talk about, that new standard that we announced at DockerCon is called, I think it's called runV. And it's based on the Hyper.sh container technology based on virtualization. So I see more and more people using virtualization as an implementation for isolation in containers.

Yeah, talk about what's going on with runC. So six months ago it was we had this, are we going to have diverging container standards?
You guys stood up with CoreOS and 20 other companies and said, we know we're going to have one standard. What's going on with OCI and runC and that thing?

That's been super exciting. So that was my second project at Docker. We announced it at DockerCon EU that we had 20 of the biggest companies in the industry joining to create a standard container, especially CoreOS joining as well as Google and Amazon and everybody. And what blew my mind is that we're three months later, less than three months later. The team right now is preparing a first draft of the spec for September. They've been working actively all throughout the summer. We started working on the spec just after DockerCon. We had the Docker contributor summit. And the working group for OCI was the largest. We had like 15 people from different companies starting to iterate on the spec. They continued throughout the summer and now we have something that's close to a first draft of the spec with a reference implementation that's runC. One of the most interesting development that happens there and that really speaks to the power of open source and open standards is that once the spec started to mature, we started to have already a second reference, a second implementation of a spec that's called runV that's been built by the Hyper.sh project based on virtualization. And then Huawei contributed a test suite for compliance of the spec. So that spec is advancing really fast.

So I was having a conversation with Jim Zemlin who runs the Linux Foundation a week or so ago at LinuxCon. And we asked him, we said, you know, it's hard because you love them all. Like your kids, do you have a favorite project? He said, yeah, no question. OCI is my favorite project right now just because of the promise of portability that's sort of write once, run anywhere. So you're working on it. It's an important project. The Linux domain is really looking at you guys to make this work and drive that portability.
Yeah, and the Linux Foundation has done a really great job at coordinating the work of all the maintainers in there. It's really a neutral ground where we can advance so that all of us can innovate on top of it. Now a lot of the competition is happening at the upper layer of the stack. Like OCI, I think we all agree on the semantics of what a container runtime should be. Now at the higher level, there are lots of discussions about how the orchestration should be done. And there you have 15 different projects. You have Swarm from Docker. There's Mesos. There's Kubernetes, which is very opinionated. And one of the other developments this summer is that Google and many others, including us, Docker, we're part of that, announced another foundation called the CNCF, the Cloud Native Computing Foundation, where the goal there is to create reference stacks for orchestration that can interoperate together. Pretty much along the same line of the work that Docker did with Mesosphere for having a Swarm plugin for Mesos.

So Patrick, boy, there's been so much movement in this space. We talked multiple foundations, a lot going on. One of the things we came out of DockerCon that we were just, I guess, a little concerned about is how many people actually run it in production? And we know, I mean, lived through the VMware, lived through the Linux adoption phases. So is it fair to kind of gauge that piece of it? What do you see when you're talking to the practitioners and the big users out there as to, how should we be measuring that success?

The maturity of Docker in production. So I would say it's maturing a lot. We see more and more users putting Docker in production. There are lots of holes still in the offering that needs to be filled. And that's why I'm pretty excited to see VMware stepping in and saying, hey, for production use, we have a lot of technology that you can use to put that in production.
Some of the things that we've seen is like networking and volumes, so that was really needed. Now that there are lots of plugins, I hope that people will have an easier time putting that into production. The agreement on what orchestration should be, so people are still asking a lot of questions about which orchestrator should I use for my containers in production. And so I've seen, so people using Mesos, others using Kubernetes, some are trying Swarm. There's still lots of questions out there about what the right stack should look like. And I would say as usual in software project, it kind of depends on what you're running.

Well, the one thing that concerns me and it's always, there's so many good things going on around Docker. I've been doing some research over the last couple of months looking at all the different platforms. So everything from Docker native to what HashiCorp is doing to what OpenShift is doing. And we were talking to Adrian Cockcroft. He said, you know, Docker's reached sort of plaid in terms of speed. It moves so fast. You guys are releasing stuff every two months. How do you deal with that? Because you deal with the ecosystem. How do they deal with the fact that you're now part of their core platform but you're releasing new stuff every two months? I mean, are we going to get into something where it's like, well, it's 1.6 and 2.1 and how do you deal with that?

Yeah, so Docker itself as a company is maturing. At DockerCon EU, one of the big things that we announced is Docker Trusted Registry and Docker CS. So we have a version of Docker that is supported where we're going to do backwards porting of patches. So for people who really want to run it in production, we have an offering that's supported for them so that they're not obliged to run on the tip every time.
Some of the startups that I've seen out there like large startups with more in the consumer space who have large data center and a pretty mature ops team, some of them are running on tip or on the latest version of Docker. But in the enterprise, you can assume that the adoption of new versions will be slower. And so we have that support offering for older versions of Docker. Now, the Docker open source project is continuing to fire, like to create lots of things. And there are lots of pull requests. The project is more successful than ever. I think in the last, like recently, the most prolific contributor was Microsoft in the project. But there are lots of pull requests coming. Red Hat's a huge contributor now. Red Hat's Google as well is sending lots of pull requests. So there are not lots of new features coming with each new release. But at the same time, we're really working on a platform that everybody's going to use and that needs to mature. That's why you have that really fast pace of innovation in that space.

Yeah, so I mean, Patrick, you're in the weeds of some of this. The other one that comes up quite a bit, of course, is security. So even just this last week, there was a big back and forth on Twitter and a couple of blog posts talking about it. What's your thought as to how we should talk about kind of the maturity and where we're going with the container security discussion?

Yeah, so as you guessed, container security is one of our big focus at Docker because that's one of the things that people are expecting from a platform, especially to run in production. My colleague, Diogo Mónica, did lots of blog posts recently about how to improve your security in production. Security is not only a factor of the software itself, but under all the processes that you put in place around it. And basically around Docker, you have to put in place the same kind of processes you have for operating systems, like getting the latest release of the official images.
I don't know if you saw that there's been a blog post like talking where they looked randomly at all the images in Docker Hub and evaluating them for security issues. One of the things that they didn't look at is that the latest releases of operating systems that we have in there in Docker images are just tracking the upstream releases and people who have sound security practices internally are just pulling these latest releases.

All right, last question I have for you, Patrick. It's easy for people to come in here and be like, oh well, biggest threat to VMware is Docker. What I love talking to you is, this is a real small community. Over the last year, a lot of former VMware people now working over at Docker and not that they're unhappy with VMware. And Microsoft is in the mix. So this whole community is pulling together and doing a lot of work, a lot of contribution. So what do you see out there from the technology community to help mature this whole space?

Yeah, I'd say both VMware and Microsoft at the operating system and infrastructure level, as well as Google, at the orchestration layer, VMware, Red Hat at the operating system layer, like everybody's trying to make Docker a sound platform to run in production. What I see in all corners is just Docker getting solidified and getting part of most people's production infrastructure with all these efforts on the security and stability and processes, as well as the development processes. There are lots of innovation in the terms of CI/CD integration with Docker. I don't know if you saw all the work that CloudBees has been doing for integrating Jenkins with Docker. So Docker is both a platform for apps and for devs. And in that qualification, the ecosystem is very broad, both on the dev tool side, as well as on the ops and platform side.

All right, well, Patrick, unfortunately, we're out of time. It's always great chatting with you. Thank you so much for joining us.
We'll be back with lots more coverage here from VMworld 2015, and thank you for watching.

Thanks, see you in six months.