 Okay, welcome back everyone, live coverage here. KubeCon, CloudNativeCon, here in Detroit, Michigan. I'm John Furrier, host of theCUBE for a special one-on-one conversation with Scott Johnston, who's the CEO of Docker, CUBE alumni, I've been around the industry, multiple cycles of innovation, leading one of the most important companies in today's industry inflection point as Docker, what they've done since their, I would say restart from the old Docker to the new Docker now modern, part of the center of the conversation with containers, driving the growth of Kubernetes. Scott, great to see you, thanks for coming on theCUBE. John, thanks for the invite, glad to be here. You guys have had great success this year with extensions. Docker as a business model has grown, congratulations. You guys are monetizing well, pushing up over 50 million, I hear over, you know, pushing 100 million maybe, who knows what the year to the ground will tell me. But it's good sign, plus you've got the community and nurturing of the ecosystem continuing to power away and open source is not stopping, it's thundering away, it grows, younger generation coming in, developer tool chain that you have has become consistent, almost de facto standard, others are coming in the market, a lot of competition emerging. You've got a lot going on right now, what's going on? Well, no, it's fantastic, fantastic time in our industry, right? Like all companies are becoming software companies, that means they need to build new applications, that means they need developers to be productive and to be safely productive. And we and this wonderful CNCF ecosystem are right in the middle of that trend, so it's fantastic. So you have millions of developers using Docker. Tens of millions. Tens of millions of Docker. And as the market's changing, I was commenting before we came on camera, and I'd love to get your reaction and comment on it. 
You guys represent the modernization of containers, open source, you haven't really changed how open source works, but you've kind of modernized it. You're starting to see developers at the front lines more and more power going to the developers. They want self-service, they vote with their code. They vote with their actions. And if you take digital transformation to its conclusion, it's not IT serves the business or it's a department, the company is IT. The company is the application, which means developers are running everything. Yes, yes, I mean one of the jokes, not jokes in the valley is that Tesla isn't a car company. Tesla is a computer company that happens to have wheels on the computer, right? And I think that's a, we can smile at that, but like there's so many businesses, particularly during COVID, that realize that, right? What happened during COVID? If you're going to the movies, nope, you're now going to Netflix. If you're going to the gym, now you're doing Peloton. So this realization that like, I have to have a digital game, not just on the side, but it has to be the front, forefront of my business and drive my business. That realization is now any industry, any company across the board. We've been reporting aggressively for past three years now, even now we're calling some things super cloud. This, if companies, if they don't realize that IT's not a department, they will probably be out of business. That's 100%. It's going to transform into full-on invisible infrastructure, infrastructure as code, wherever you want to call that going, configuration, operations, developers will set the pace. This has a lot to do with some of your success. You're at the beginning of it, this is just the beginning. What can you talk about that in your mind is attributing to the success of Docker? I know you're going to say team and everything, I get that, but like what specifically in the industry is driving Docker's success right now? 
Well, it did, we did have a fantastic team. We do have a fantastic team and that is, that is one of the reasons, primary reasons for our success, but what is also happening, John, is because there's a demand for applications, they just throw it out there, 750 million new applications are coming to the market in the next two years. That is more applications than have been developed in the entire 40 years history of IT. So just think about the productivity demands that are coming at developers. And then you also see the need to do so safely, meaning ship quickly, but ship safely. And yet 90 some percent of every application consists of open source components that are now an attack surface for criminals. And so, typically our industry has had to say one or the other, okay, you can ship quickly, but not safely, or you can ship safely, but it's not going to go fast, right? And one of the reasons I think Docker is where it is today is that we're able to offer both. We're able to unlock that, you can ship quickly, safely using Docker, using the Docker tool chain, using the integrations we have with all the wonderful partners here at CNCF, that is unique. And that's a big reason why we're seeing the success we're seeing. And you're probably pleased with extensions this year. The performance of extensions that you launched at DockerCon 22. Yes, well extensions are part of that story, right? And that developers have multiple tools. They want choice, developers like choice to be productive. And Docker is part of that, but it's not the only solution. And so Docker extensions allow the monitoring providers and the observability. And if you want a separate Kubernetes stack, like all of that flexibility, extensions allows, and again offers the power and the innovation of this ecosystem to be used in a Docker development and context. Well I want to get into some of the details of some of your products and how they're evolving. 
But first I want to get your thoughts on the trend line here that we reported at the opening segment. The hot story is WebAssembly, Wasm, we've really got a lot of traction, or interest, people are enthused about it. Interest, yeah, interest. A lot of enthusiasm and confidence. We'll see how that evolves, but a lot of enthusiasm for sure. I've never seen something this hyped up since Envoy in my opinion. So a lot of interest from developers. That's right. What is Wasm or WebAssembly is actually what it is, and Wasm is the code word or the name. What is Wasm? Sure, so in brief, WebAssembly is a new application type, full stop. And it's just enough of the components that you need, and it's just a binary format that is very, very secure. And so it's lightweight, it's fast and secure. And so it opens up a lot of interesting use cases for a developer, particularly on the edge. Another use case for Wasm is in the browser. Again, lightweight, fast, secure, also. Sounds like an app server to me. Right? And so we think it's a very, very interesting trend. And you ask, okay, what's Docker's role in that? Well, Docker has been around eight years now, eight plus years. Tens of millions of developers using it. They've already made investments in skills, talent, automation, tool chains, pipelines, right? And Docker started with Linux containers, as we know. Then brought that same experience to Windows containers. Then brought it to serverless functions. About 25% of Amazon lambdas are OCI image containers. And so we were seeing that trend. We were also seeing the community, actually, without any prompting from us, start to fork and play with Docker and apply it to Wasm. And we're like, huh, that's interesting. What if we helped kind of get behind that trend, such that you changed just one line of a Docker file, now you're able to produce Wasm objects instead of Linux containers? And just bring that same ease of use. So that's not a competition to Docker? 
Not a competition at all. In fact, very complementary. We showed off on Monday at the Wasm day, how in the same Docker compose application, multi-service application, one service is delivered via a Linux container, another service is delivered via Wasm. And Wasm is what, multiple languages? Because what is it? Yes, so the binary can be compiled from multiple languages. So Rust, JavaScript, on and on and on. At the end of the day, it's a smaller binary that provides a function, typically a single function, that you can stand up and deploy on an edge. You can stand up and deploy on the server side or stand up and deploy on the browser. So from a container standpoint, from your customer standpoint, what a Linux container is, it's a similar thing to what a Wasm container is. They could implement the same function, that's right. Now, a Linux container can have more capabilities that a function might not have. But that's a workflow standpoint. That's right. And that's more of a use case by use case standpoint. What we serve is we serve developers. And we started out serving developers with Linux containers, then Windows containers, then lambdas, now Wasm, whatever other use case, what other application type comes along, we want to be there to serve developers. So one of the things I want to get your thoughts on, because this has come up in a couple of CUBE interviews before, and we were talking before we came on camera, is developers want ease of use and simplicity. They don't want more steps to do things. They don't want things harder. That's right. So the classic innovation is, reduce the time it takes to do something, reduce the steps, make it easier. That's a form of a success. That's right. When you start adding more tool chain into the mix, you get tool sprawl. So that's not really that thing to developers. So the argument is, okay, do I have to use a new tool chain to Wasm? Is that a fact or no? That's exactly right. That was what we were seeing. 
And we thought, well, how can Docker help with this situation? And Docker can help by bringing the same existing tool chain that developers are already familiar with, the same automation, the same pipelines. And just by changing a line of Docker file, changing a single line of compose file, now they get the power of Wasm unlocked in the very same tools they were using before. So your position is, hey, don't adopt some tool chain for Wasm. We can just do it in line with Docker. No need to, no need to. We're providing it right there out of the box, ready for them. That's an embrace and extend as they would say, build Microsoft strategy there. That's nice. Okay, so let's get back into like the secure trusted, because that was another theme at Docker. That's right. We covered that deeply, you know, software supply chain. I was commenting on my intro with Savannah and Lisa, that at some point open source was going to be so plentiful, you might not have to write code. You got to glue it together. So as code proliferates, there's a question, what's in there? This is what they call the software supply chain. You've been all over this. Where are we with this? Is it harder now? Is it easier? Was there progress? Take us through what's the state of the art. I think we're early on this one, John, in the industry, because I think the realization of like how much open source is inside a given app is just now hitting consciousness. And so the data we have, is that for any given application, anywhere from 75 to 85% is actually not unique to the developer or the organization. It's open source components that they have put together. And it's really down to that last 15, 25%, which is their own unique code that they're adding on top of all this open source code. So right there, it's like, aha, that's a pretty interesting profile or distribution of value, which means those open source components, where are they finding them? How are they integrating them? 
How do they know those open source components are going to be supported and trusted and secured? And that's the challenge for us as an industry right now is to make it just obvious where to get the components, how safe they are, who's standing behind them, and how easy it is to assemble them into a working application. All right, so the question that I had specifically on security, because this had come up before, all good on the trusted, I think that message is evergreen. It's a North Star. That's a North Star for you. Yes. How are you making images more secure? How are you enabling organizations to identify and security issues in containers? Can you share your strategy and thoughts on that particular? Yes, so there's a range of things in the secure software supply chain. And it starts with, are you starting with trusted open source components that you know have support, that you know are secure? So we have, in Docker Hub today, we have 14 million applications, but a subset of that, we've worked with the upstream providers to basically designate as trusted open source content. So this is the Docker official images, Docker verified publisher images, Docker sponsored open source. And those different categories have levels of certification assurance that they must go through. Generate an SBOM, so you know what's inside that container. It has to be scanned by a scanning tool, and those scanning results have to be made available. Are you guys scanning that? So we provide a scanner, they can use another scanner, as long as they publish the results of that scan. And then the whole thing is signed. Are you publishing the results on your site too? We are, we publish our results through an open database that's accessible to all. Free. Free, 100% free. You come in and you can see every image on Hub. So I'm a user for free. I can see security vulnerabilities that are out there that have been identified. By version, by layer, all the way through. 
And you can see, tracking all the way back to the package that's upstream. So you know how to remediate, and we provide recommendations on how to remediate that with the latest version. And we don't charge for that. We don't charge for that. You do not charge for that. And so that's the trusted upstream components. So organizations can look at the scan, they can look at the scan data, and hopefully, is there, what happens if they're not scanned? So we provide scanning tools, both for the local environments, for Docker desktop as well as for Hub. So if you want to do your own scan. So for example, when you're that developer adding the 15, 25%, you got to scan your stuff as well, right? Not just leave it up to the already scanned components. And so we provide tools there. We also provide tools to track the packages that that developer might be including in their custom code, all the way back upstream to whatever npm repo or what have you that they picked up. And then if there's a CVE 30 days later, we also track that as well. We say, hey, that package was safe 29 days ago, but today CVE just came out, better upgrade to the latest version and get that out of there, right? So basically, if you get down to it, it's like start with trusted components and then have observability, not just on the moment. And scan all the time. Scanning, scan all the time. And scanning gives you that observability and importantly, not just at that moment, but through the life cycle of the application, through the life cycle of the artifact. So end to end 24 seven observability of like the state of your supply chain. That's what's key done. That's the best practice. That's the key. That's the key. Awesome, I agree. That's great. Well, I'm glad we dug into that. It's super important. Absurder organizations can get that scanning and see the vulnerabilities and can take action. That's going to be a big focus here for you. So curious, not going to stop, is it? 
It's never going to stop because criminals are incented to keep attacking, right? And so it's the gift that keeps on giving, if you will. Okay, so let's get into some of the products. Docker desktop seems to be doing well. Docker hub has always been a staple of it. And how's that going? Yeah, Docker hub has 18 million monthly actives hitting it. And that's growing by double digits year over year. And what they're finding, going back to our previous thread, John, is that they're coming there for the trusted content. In fact, those three categories that I referenced earlier are about 2000 applications of the 14 million. And yet they represent 56% of the 15 billion downloads a month from Docker hub. Meaning developers are identifying that, hey, I want trusted source. We raise those in the search results and we have a visual cue. And so that's the big driver of Hub's growth right now is I want trusted content. Where do I go? I go to Hub, download that trusted open source and I'm ready to go. I have been seeing some chatter on the internet and some people sharing that they're looking at other places besides Hub to kind of do some things. What's your message to folks out there around Docker hub? Why Docker hub? Desktop together? Because you mentioned the tool chain before, but those two areas, I know they've been around for a while. You continue to work on them. What's the message to the folks out there about, you know, stay with the hub? Sure. I mean, the beauty of our ecosystem is that it's interoperable, right? The standards for build, share, and run, we're all using them here at CNCF. So you can, so yes, there's other registries. What we would say is we have the 18 million monthly actives that are pulling. We have the worldwide distribution that is 24 seven, five nines reliability. And frankly, we're there to provide choice. And so yes, we have our trusted content, but for example, the Tanzu apps, they also distribute through us. 
Red Hat applications also distribute through us because we have the reach and the distribution and offer developers choice of Dockers content, choice of Red Hats content, choice of VMware's, choice of Bitnami, so on and so forth. So come to the hub for the distribution of the reach and that the requirements we have for security that we put in place for our publishers give users and publishers an extra degree of assurance. So the Docker hub is an important part of the system. Yes, very much so. And desktop, what's new with desktop? So desktop of course is the other end of the spectrum, right? So if trusted components start up on Docker hub, developers are pulling them down to the desktop to start assembling their application. And so the desktop gives that developer all the tools he or she needs to build that modern application. So you can have your build tooling, your debug tooling, your IDE sitting alongside there, your Docker run, your Docker compose up. And so the loop that we see happening is the dev'll have a database they download from hub, a front end, they'll add their code to it and they'll just rapidly iterate. They'll make a change, stand it up, do a unit test. And when they're satisfied, do a git commit, all that goes into production. And your goal is, your goal obviously is to have developers stay with Docker for their tool chain, their experience, make it their home base. And their trusted content, that's right. And the trusted content and the extensions are part of that, because the extensions provide complementary tooling for that local experience. You guys have done an amazing job. I want to give you personal props. I've been following Docker in the beginning when they had the pivot, they sold the enterprise to Mirantis, went back to the roots, modernized riding the wave. You guys are having a good time. I got to ask the question, because people always want to know, because you know, open source is about transparency. 
How are you guys making your money? Business is good. How's that working? What was the lucky, not lucky strike, but what was the aha moment? What was the trigger that just made you just kick in this new monetization growth wave? So the monetization is per seat, per developer's seat. And that changed in November, 2019. We were pricing on the server side before and as you said, we sold that off. And what changed is some of the trends we were talking about, that the realization by all organizations that they had to become software companies. And that Docker provided the productivity in an engineered desktop product and the trusted content. It provided the productivity safely to developers. And frankly, then we priced it at a rate that is very reasonable from an economic standpoint. If you look at developer productivity, developers are paid anywhere from 150 to 300 to 400, 500,000, even higher, right? But when you're paying your developers that much, then productivity is a premium. And what we were asking for from companies from a licensed standpoint was really a modest relative to making those developers productive. It's not like Oracle. I mean, talk about extracting the value out of the customer. But your point is, your positioning is, always stay core to the open source. But for companies that adopt the structural change to be developer first, a software company, there's a premium to pay because you've got value there. And you need the tooling to roll it out at scale. So the companies are paying us, they're rolling it out to tens of thousands of developers, John. So they need management, they need visibility, they need guardrails that are all around the desktop. So, but just to put a stat on it, so to your point about open source and the freemium wheel working, of our 13 million Docker accounts, 12 are free, about a million are paid for accounts, right? 
And that's by design because the open source- You're not gouging developers per se, it's just not gouging anyone, you're not taking money out of their hands, it's the company. It's the company is paying for their productivity so that they can build safely. More goodness, more for the developer. That's right, gouging would be more like the Oracle strategy. You don't need to comment, I can say that. But it's not like you're taxing, it's not a heavy. No, $5 a month, $9 a month, $24 a month, depending on level. But I think the big a-ha to me, and in my opinion, is that you nailed the structural change culturally for a company. If they adopt the software ecosystem approach for transforming their business, they got to pay for it. So like a workflow, it's a developer. It's another tool. I mean, do they pay for their spreadsheet software? Do they pay for their back office ERP software? They do, to make those people popular, or sorry, make those people successful, those employees successful. This is a developer tool to make developers successful. It's a great, great business model. Congratulations. What's next for you guys? What are you looking for? You got your, they just had your community events. You got DockerCon coming up next year. What's on the horizon for you? Yeah, well, I'll put a plug in for the company. What are you looking for, hiring? Yeah, so we're growing like gangbusters. We grew from 60 with the reset. We're now above 300. And we're continuing to grow. Despite this economic climate, like our customers are very much investing in software capabilities. So that means they're investing in Docker. So we're looking for roles across the board. Software engineers, product managers, designers, marketing sales, customer success. So if you're interested, please, please reach out. 
The next year is going to be really interesting because we're bringing to market products that are doubling down on these areas, doubling down on developer productivity, doubling down on safety, to make it even more just automatic that developers just build, so they don't have to think about it, right? They don't need a new tool just to be safer. We hinted a bit about automating SBOM creation. You can see more of that pull through. And in particular, developers want to make the right decision. Everyone, everyone comes to work wanting to make the right decision. But what they often lack is context. They often lack like, well, is this bit of code safe or not? Or is this package that I just downloaded over here safe or not? And so you're going to see us roll out additional capabilities that give them very explicit contextual guidance of like, should you use this or not? Or here's a better version over here, a safer version over there. So stay tuned for some exciting stuff. It's going to be a massive developer growth wave coming, even bigger we've ever seen. Final question, just while I got you here, just where do you see WebAssembly, Wasm, going? If you had to kind of throw a dart at the board out a couple of years, what does it turn into? Yeah, so I think it's super exciting. Super exciting, John. And there's three use cases today. There's browser, there's edge, and there's server side in the data center of the cloud. We see kind of the edge taking off in the next couple of years. It's just such a straight line through from what they're doing today and the value that standing up a single service on the edge go. The server side needs some work on the Wasm runtime. The Wasm runtime is not multi-threaded today. And so there's some kind of deep, deep technical work that's going on, the community's doing a fantastic job. That'll take a while to play through. Browser's also making good progress. 
There's a component model that Wasm's working on that'll really ignite the industry. That is going to take another couple of years as well. So I'd say, let's start with the edge use case, let's get everyone excited about that value proposition, and these other two use cases will come along. It'll all work itself out in the wash. Yes. Open source always does. Scott Johnston, the chief executive officer at Docker, okay, took over with the reset, kicking butt and taking names, congratulations. You guys are doing great. Continue to power the developer movement. Thanks for coming on. John, thanks so much. Pleasure to be here. Okay, we're bringing you all the action here, extracting the signal from the noise. I'm John Furrier, day one of three days of wall-to-wall live coverage. Be back after our next guest after this short break.