DC/OS 1.8: Stepping up container security and orchestration
Sep 16, 2016
5 min read
We are happy to announce the general availability of DC/OS 1.8, our most feature-packed and enterprise-ready release to date. New features include improvements to authorization and security, as well as new capabilities for managing big data and container networking.
DC/OS 1.8 also brings some big changes to the Marathon experience by integrating it into the user interface via a new feature called Services. Additionally, there's a new batch-scheduling feature called Jobs that provides many capabilities previously addressed by the Chronos service. The net result is that managing containers and services, and scheduling batch jobs, will no longer require accessing separate Marathon and Chronos services. Instead, these tasks can be managed more seamlessly right from the DC/OS dashboard.
Read on to learn more about these new features and everything else we think makes DC/OS 1.8 such an exciting release. (NOTE: Some of these features, as well as other new features, are still in an experimental phase and not recommended for production use. Please consult the relevant documentation for the most current status of each feature.)
Marathon is now built-in as "DC/OS Services"
Marathon is responsible for managing most DC/OS workloads, including Docker container orchestration and other long-running services (e.g., Java applications). As noted above, DC/OS 1.8 bakes Marathon into the platform as a new feature called Services. The result is that users can access service management and container orchestration (powered by Marathon at the backend) directly from the main DC/OS dashboard—via the same DC/OS UI they know and love.
Built-in DC/OS Scheduled Jobs
Scheduling batch jobs is also a more integrated experience with 1.8, via a new feature called Jobs. However, instead of baking in the previous Chronos service (which is still available as an option) for managing batch jobs, we have built Jobs around a new codebase (called Metronome) that is better able to take advantage of current and future DC/OS innovation. In 1.8, Jobs provides users with a consistent UI and access from the main DC/OS dashboard, and also lets users apply security controls (access control and permissions, for example) that were not possible with Chronos.
Advanced container security infrastructure in Enterprise DC/OS
Mesosphere Enterprise DC/OS 1.8 includes a long list of important security and authentication capabilities not available as part of the open source release. These include:
Fine-grained access control and container-level authorization across services (including containers and long-running apps), jobs and packages deployed from DC/OS Universe.
TLS/SSL-encrypted communication between all cluster components, via a built-in public key infrastructure (PKI).
Secrets management to store and retrieve secrets, which are encrypted at rest and in transit. Enterprise DC/OS users can set authentication, authorization and usage/visibility rights on secrets at the user and group levels.
Service accounts for programmatic authentication to DC/OS services; useful when integrating with CI/CD systems and automation software.
Multiple authentication providers, via integration with SAML 2.0 and OpenID Connect in addition to existing LDAP.
Enhanced LDAP Integration via group import, which simplifies the operation and management of large enterprises with multiple teams.
Security event logging to meet compliance requirements and improve incident investigation.
IP-per-container with VXLAN-powered virtual networks (CNI specification)
DC/OS now enables every container to have its own unique IP address. Together with dynamic port allocation, this removes the need to re-architect legacy applications that require the full port range or that statically bind to a specific port, and it lets the platform run more kinds of applications inside containers. IP-per-container also simplifies integration with networking and security tools, because each application can be identified by a specific IP address and port rather than by a shared agent host address. DC/OS virtual networks follow the Container Network Interface (CNI) specification, which will let DC/OS networking be extended with third-party CNI plugins in the future.
More options for big data and application development on DC/OS
Along with DC/OS 1.8 comes support for the Hadoop Distributed File System (HDFS) via the DC/OS Universe. HDFS is installable with a single click via the DC/OS Universe GUI or a single command via the DC/OS command line. Running HDFS on DC/OS provides the same operational benefits as running other big data systems on DC/OS, including simplified management, easy scalability and high availability.
Additionally, the DC/OS Cassandra service now supports cross-datacenter replication. This feature, developed in conjunction with engineers at Uber, is critical for applications that need to ensure availability in the case of an outage, or that need to minimize latency for users in different geographic locations.
DC/OS 1.8 also brings support for some important partner technologies, including previously announced integrations with Confluent Platform (for Kafka), DataStax Enterprise (for Cassandra) and JFrog Artifactory, that can be installed with a single click using the DC/OS Universe marketplace. Furthermore, DC/OS 1.8 lets users take advantage of our work with GitLab to integrate its enterprise-class source-control system with DC/OS.
DC/OS universal container runtime
The DC/OS universal container runtime, an extension of the unified containerizer that shipped with the Apache Mesos 1.0 release in July, lets DC/OS users run Docker images without relying on the Docker daemon. Instead, the image is pulled and run by the native Mesos container runtime, which supports high availability and has been proven to run reliably inside some of the world's largest computing environments. Using the universal container runtime also lets users take advantage of continuing innovation in both Mesos and DC/OS, including IP per container, CNI support, GPU-based scheduling, strict container isolation and more.
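As an added illustration, not code from the original post or from the DC/OS project, here is a Marathon app definition that opts into both of the features described above (IP-per-container on a virtual network, and the universal container runtime). `"type": "MESOS"` under `container` selects the universal container runtime, so the Docker image is pulled and run by the Mesos containerizer instead of the Docker daemon; `ipAddress.networkName` places each task on a DC/OS virtual network, so every instance gets its own IP address and the service port is declared once under `ipAddress.discovery` rather than mapped through an agent host port. The app ID, image, resource values and the network name `dcos` are placeholder assumptions (check the virtual network name configured on your cluster); JSON has no comment syntax, so the field meanings are given here rather than inline.

```json
{
  "id": "/web/nginx",
  "instances": 2,
  "cpus": 0.5,
  "mem": 256,
  "container": {
    "type": "MESOS",
    "docker": {
      "image": "nginx:1.11"
    }
  },
  "ipAddress": {
    "networkName": "dcos",
    "discovery": {
      "ports": [
        { "number": 80, "name": "http", "protocol": "tcp" }
      ]
    }
  }
}
```

Save it as `app.json` and submit it with `dcos marathon app add app.json`; each running instance is then reachable on its own virtual-network IP at port 80, and two instances can land on the same agent without a port conflict because neither binds a host port. Leaving out `ipAddress` (or using `"type": "DOCKER"`) reverts the app to agent-host addressing via the Docker daemon, which is the behaviour the two sections above contrast against.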