| Docker Engine Roadmap |
| ===================== |
| |
| ### How should I use this document? |
| |
| This document provides description of items that the project decided to prioritize. This should |
| serve as a reference point for Docker contributors to understand where the project is going, and |
| help determine if a contribution could be conflicting with some longer terms plans. |
| |
| The fact that a feature isn't listed here doesn't mean that a patch for it will automatically be |
| refused (except for those mentioned as "frozen features" below)! We are always happy to receive |
| patches for new cool features we haven't thought about, or didn't judge priority. Please however |
| understand that such patches might take longer for us to review. |
| |
| ### How can I help? |
| |
| Short term objectives are listed in the [wiki](https://github.com/docker/docker/wiki) and described |
| in [Issues](https://github.com/docker/docker/issues?q=is%3Aopen+is%3Aissue+label%3Aroadmap). Our |
| goal is to split down the workload in such way that anybody can jump in and help. Please comment on |
| issues if you want to take it to avoid duplicating effort! Similarly, if a maintainer is already |
| assigned on an issue you'd like to participate in, pinging him on IRC or GitHub to offer your help is |
| the best way to go. |
| |
| ### How can I add something to the roadmap? |
| |
| The roadmap process is new to the Docker Engine: we are only beginning to structure and document the |
| project objectives. Our immediate goal is to be more transparent, and work with our community to |
| focus our efforts on fewer prioritized topics. |
| |
| We hope to offer in the near future a process allowing anyone to propose a topic to the roadmap, but |
| we are not quite there yet. For the time being, the BDFL remains the keeper of the roadmap, and we |
| won't be accepting pull requests adding or removing items from this file. |
| |
| # 1. Features and refactoring |
| |
| ## 1.1 Security |
| |
| Security is a top objective for the Docker Engine. The most notable items we intend to provide in |
| the near future are: |
| |
| - Trusted distribution of images: the effort is driven by the [distribution](https://github.com/docker/distribution) |
| group but will have significant impact on the Engine |
| - [User namespaces](https://github.com/docker/docker/pull/12648) |
| - [Seccomp support](https://github.com/docker/libcontainer/pull/613) |
| |
| ## 1.2 Plumbing project |
| |
| We define a plumbing tool as a standalone piece of software usable and meaningful on its own. In |
| the current state of the Docker Engine, most subsystems provide independent functionalities (such |
| the builder, pushing and pulling images, running applications in a containerized environment, etc) |
| but all are coupled in a single binary. We want to offer the users to flexibility to use only the |
| pieces they need, and we will also gain in maintainability by splitting the project among multiple |
| repositories. |
| |
| As it currently stands, the rough design outlines is to have: |
| - Low level plumbing tools, each dealing with one responsibility (e.g., [runC](https://runc.io)) |
| - Docker subsystems services, each exposing an elementary concept over an API, and relying on one or |
| multiple lower level plumbing tools for their implementation (e.g., network management) |
| - Docker Engine to expose higher level actions (e.g., create a container with volume `V` and network |
| `N`), while still providing pass-through access to the individual subsystems. |
| |
| The architectural details are still being worked on, but one thing we know for sure is that we need |
| to technically decouple the pieces. |
| |
| ### 1.2.1 Runtime |
| |
| A Runtime tool already exists today in the form of [runC](https://github.com/opencontainers/runc). |
| We intend to modify the Engine to directly call out to a binary implementing the Open Containers |
| Specification such as runC rather than relying on libcontainer to set the container runtime up. |
| |
| This plan will deprecate the existing [`execdriver`](https://github.com/docker/docker/tree/master/daemon/execdriver) |
| as different runtime backends will be implemented as separated binaries instead of being compiled |
| into the Engine. |
| |
| ### 1.2.2 Builder |
| |
| The Builder (i.e., the ability to build an image from a Dockerfile) is already nicely decoupled, |
| but would benefit from being entirely separated from the Engine, and rely on the standard Engine |
| API for its operations. |
| |
| ### 1.2.3 Distribution |
| |
| Distribution already has a [dedicated repository](https://github.com/docker/distribution) which |
| holds the implementation for Registry v2 and client libraries. We could imagine going further by |
| having the Engine call out to a binary providing image distribution related functionalities. |
| |
| There are two short term goals related to image distribution. The first is stabilize and simplify |
| the push/pull code. Following that is the conversion to the more secure Registry V2 protocol. |
| |
| ### 1.2.4 Networking |
| |
| Most of networking related code was already decoupled today in [libnetwork](https://github.com/docker/libnetwork). |
| As with other ingredients, we might want to take it a step further and make it a meaningful utility |
| that the Engine would call out to instead of a library. |
| |
| ## 1.3 Plugins |
| |
| An initiative around plugins started with Docker 1.7.0, with the goal of allowing for out of |
| process extensibility of some Docker functionalities, starting with volumes and networking. The |
| approach is to provide specific extension points rather than generic hooking facilities. We also |
| deliberately keep the extensions API the simplest possible, expanding as we discover valid use |
| cases that cannot be implemented. |
| |
| At the time of writing: |
| |
| - Plugin support is merged as an experimental feature: real world use cases and user feedback will |
| help us refine the UX to make the feature more user friendly. |
| - There are no immediate plans to expand on the number of pluggable subsystems. |
| - Golang 1.5 might add language support for [plugins](https://docs.google.com/document/d/1nr-TQHw_er6GOQRsF6T43GGhFDelrAP0NqSS_00RgZQ) |
| which we consider supporting as an alternative to JSON/HTTP. |
| |
| ## 1.4 Volume management |
| |
| Volumes are not a first class citizen in the Engine today: we would like better volume management, |
| similar to the way network are managed in the new [CNM](https://github.com/docker/docker/issues/9983). |
| |
| ## 1.5 Better API implementation |
| |
| The current Engine API is insufficiently typed, versioned, and ultimately hard to maintain. We |
| also suffer from the lack of a common implementation with [Swarm](https://github.com/docker/swarm). |
| |
| ## 1.6 Checkpoint/restore |
| |
| Support for checkpoint/restore was [merged](https://github.com/docker/libcontainer/pull/479) in |
| [libcontainer](https://github.com/docker/libcontainer) and made available through [runC](https://runc.io): |
| we intend to take advantage of it in the Engine. |
| |
| # 2 Frozen features |
| |
| ## 2.1 Docker exec |
| |
| We won't accept patches expanding the surface of `docker exec`, which we intend to keep as a |
| *debugging* feature, as well as being strongly dependent on the Runtime ingredient effort. |
| |
| ## 2.2 Dockerfile syntax |
| |
| The Dockerfile syntax as we know it is simple, and has proven successful in supporting all our |
| [official images](https://github.com/docker-library/official-images). Although this is *not* a |
| definitive move, we temporarily won't accept more patches to the Dockerfile syntax for several |
| reasons: |
| |
| - Long term impact of syntax changes is a sensitive matter that require an amount of attention |
| the volume of Engine codebase and activity today doesn't allow us to provide. |
| - Allowing the Builder to be implemented as a separate utility consuming the Engine's API will |
| open the door for many possibilities, such as offering alternate syntaxes or DSL for existing |
| languages without cluttering the Engine's codebase. |
| - A standalone Builder will also offer the opportunity for a better dedicated group of maintainers |
| to own the Dockerfile syntax and decide collectively on the direction to give it. |
| - Our experience with official images tend to show that no new instruction or syntax expansion is |
| *strictly* necessary for the majority of use cases, and although we are aware many things are still |
| lacking for many, we cannot make it a priority yet for the above reasons. |
| |
| Again, this is not about saying that the Dockerfile syntax is done, it's about making choices about |
| what we want to do first! |
| |
| ## 2.3 Remote Registry Operations |
| |
| A large amount of work is ongoing in the area of image distribution and |
| provenance. This includes moving to the V2 Registry API and heavily |
| refactoring the code that powers these features. The desired result is more |
| secure, reliable and easier to use image distribution. |
| |
| Part of the problem with this part of the code base is the lack of a stable |
| and flexible interface. If new features are added that access the registry |
| without solidifying these interfaces, achieving feature parity will continue |
| to be elusive. While we get a handle on this situation, we are imposing a |
| moratorium on new code that accesses the Registry API in commands that don't |
| already make remote calls. |
| |
| Currently, only the following commands cause interaction with a remote |
| registry: |
| |
| - push |
| - pull |
| - run |
| - build |
| - search |
| - login |
| |
| In the interest of stabilizing the registry access model during this ongoing |
| work, we are not accepting additions to other commands that will cause remote |
| interaction with the Registry API. This moratorium will lift when the goals of |
| the distribution project have been met. |
