Docker Enterprise Edition (EE) is the only Containers as a Service (CaaS) Platform for IT that manages and secures diverse applications across disparate infrastructure, both on-premises and in the cloud.
There’s a little-mentioned but big feature in Docker Enterprise Edition (EE) that seems to always bring smiles to the room once it’s displayed. Before I tell you about it, let me first describe the use case. You’re a sysadmin managing a Docker cluster and you have the following requirements:
- Different individuals in your LDAP/AD need various levels of access to the containers/services in your cluster.
- Some users need to be able to go inside the running containers.
- Some users just need to be able to see the logs.
- You do NOT want to give SSH access to each host in your cluster.
Now, how do you achieve this? The answer, or feature rather, is a client bundle. When you run a docker version command you will see two entries, client and server. The client portion of the engine is able to connect to a local server AND to a remote one once a client bundle is invoked.
What is a client bundle?
A client bundle is a group of certificates downloadable directly from the Docker Universal Control Plane (UCP) user interface within the admin section for “My Profile”. This allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process. You can now execute docker swarm commands from your remote machine that take effect on the remote cluster.
I have a user named ‘bkauf’ in my UCP. I download and extract a client bundle for this user.
I open a terminal session with my Docker for Mac and issue a docker version command. You will see the server version matches the client. I can do a docker ps and verify nothing is running.
Now, I navigate to the extracted bundle directory and run the env.sh script (env.ps1 for Windows).
Notice the server now lists my version as ucp/2.2.2. This is the version of my UCP manager; I’m remotely connected from my laptop to my remote cluster, assuming the bkauf user’s access levels. I can now do various things such as create a service, view its tasks (containers) and even log into this REMOTE container from my laptop, all through the API, no SSH access needed. I need not worry about what host the container is on! This is made possible by the role/permission set up for the user with the granular Role Based Access Control available with Docker EE.
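To make the steps above concrete, here is an added POSIX shell example (not Docker’s own env.sh and not part of the original post) that loads an extracted client bundle into the current shell. It exports the same three variables env.sh sets for the Docker CLI (DOCKER_TLS_VERIFY, DOCKER_CERT_PATH, DOCKER_HOST), but only after checking that ca.pem, cert.pem and key.pem are present and that key.pem, which is what authorizes you as that UCP user, is not group- or world-readable. The UCP host name is a placeholder, the permission check is an addition of mine, and the demo bundle is constructed with placeholder PEM files rather than real certificates.

```shell
#!/bin/sh
# Added example: load a UCP client bundle with sanity checks before pointing
# the Docker CLI at a remote cluster. Not Docker's env.sh.

# Usage: load_bundle <bundle-dir> <ucp-host:port>
# Exports the same variables the bundle's env.sh exports, but refuses an
# incomplete bundle or an over-permissive private key.
load_bundle() {
  dir="$1"
  host="$2"
  for f in ca.pem cert.pem key.pem; do
    [ -f "$dir/$f" ] || { echo "bundle missing $f" >&2; return 1; }
  done
  # key.pem is the user's credential to the cluster; require owner-only access.
  perms=$(stat -c '%a' "$dir/key.pem" 2>/dev/null || stat -f '%Lp' "$dir/key.pem")
  case "$perms" in
    600|400) ;;
    *) echo "key.pem permissions $perms are too open (want 600)" >&2; return 1 ;;
  esac
  export DOCKER_TLS_VERIFY=1        # verify the UCP server certificate against ca.pem
  export DOCKER_CERT_PATH="$dir"    # where the CLI finds ca.pem, cert.pem, key.pem
  export DOCKER_HOST="tcp://$host"  # UCP manager (placeholder host in the demo)
  return 0
}

# unload_bundle: point the CLI back at the local engine.
unload_bundle() {
  unset DOCKER_TLS_VERIFY DOCKER_CERT_PATH DOCKER_HOST
}

# demo_bundle: build a constructed bundle directory with placeholder PEM files
# (not real certificates) so the checks can be exercised offline.
demo_bundle() {
  d=$(mktemp -d)
  for f in ca.pem cert.pem key.pem; do
    printf -- '-----BEGIN PLACEHOLDER-----\n' > "$d/$f"
  done
  chmod 600 "$d/key.pem"
  echo "$d"
}

# Typical use, once a real bundle is extracted:
#   . ./this_script.sh
#   load_bundle ~/ucp-bundle-bkauf ucp.example.com:443 && docker version
```

After load_bundle succeeds, docker version reports the UCP manager as the server, exactly as in the walkthrough; unload_bundle returns the CLI to the local engine.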
What about a Windows container on a Windows node in a UCP cluster you ask? Linux OR Windows nodes, remote access through your client bundle all works the same!
Docker EE embraces both traditional applications and microservices, built on Linux and Windows, and intended for x86 servers, mainframes, and public clouds. Docker EE unites all of these applications into a single platform, complete with customizable and flexible access control, support for a broad range of applications and infrastructure, and a highly automated software supply chain.