In the recent Docker Virtual Event, Unveiling Docker Enterprise Edition 2.0, we demonstrated some of the key new capabilities of Docker Enterprise Edition – the enterprise-ready container platform that enables IT leaders to choose how to cost-effectively build and manage their entire application portfolio at their own pace, without fear of architecture and infrastructure lock-in. Designed to address enterprise customers’ needs, these net-new features extend across both Swarm and Kubernetes (Part 1 of this blog) and across Windows and Linux applications (Part 2 of this blog).
In this blog post, we’ll go over some of the most common questions about these new features as well as some of the common questions that were asked about how Docker Enterprise Edition is packaged and deployed.
If you missed the live event, don’t worry! You can still catch the recording on-demand here.
Docker Enterprise Edition 2.0 Features
Q: Can I connect my corporate directory to permissions inside Docker Enterprise Edition?
A: Yes! You can integrate your corporate LDAP or Active Directory to Docker Enterprise Edition. Permissions can be mapped to one of the 5 built-in roles or administrators can create very granular and flexible controls that map down to the API-level. For example, you can create a Network Administrator role that only provides access to networking APIs. These permissions also allow the creation of secure application zones where certain users and teams can be limited to accessing only certain physical and logical resources.
Q: Node separation sounds great, but is it enterprise-grade separation? We typically prefer to physically/hard isolate test from production.
A: We have enterprise customers who run completely separate Test and Production clusters and those who leverage secure application zones for separation within the same cluster. It just depends on the preferences of the organization. One of the benefits of the Docker Enterprise Edition node separation model is that user access can be completely isolated. A user who logs into Docker Enterprise Edition and has only been granted access to certain nodes will not be able to see the other nodes. This can also be good for isolating sensitive data to certain physical hosts that have additional tooling or monitoring installed. Node separation is also useful for organizations that want more operational scale, where a single operations team can dynamically allocate and balance the application zones as needs change.
Q: What is the networking stack for Kubernetes inside Docker Enterprise Edition?
A: Docker Enterprise Edition comes pre-installed with Project Calico for the CNI plugin, but it is swappable for your preferred solution. To learn more about our integration, please check out this blog.
Q: Does Enterprise Edition support external/3rd party image signing?
A: Yes! A common use case is to integrate the private registry solution that is included in Docker Enterprise Edition with CI tools like Jenkins or GitLab. In setting up these integrations, your CI system is set up as a User Account in Docker Enterprise Edition and leverages a client bundle to sign images as they are built and pushed to the registry. Learn more in our Secure Supply Chain Reference Architecture.
Q: With image vulnerability scanning, what happens if there’s a new issue or CVE that is added to the database?
A: Image scanning takes inventory of all of the layers and components inside an image and compares them to the CVE database at a binary level. During the scan, it indexes the SHA of each component, and when the CVE database is updated, the scanning service reviews the indexed components for any that match newly discovered vulnerabilities. These new vulnerabilities will be indicated in your Docker Enterprise Edition UI.
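To make the re-matching step concrete, here is an added Python sketch (not Docker's code and not part of the original post) of an index keyed by component SHA that flags previously scanned images when a database update arrives, without re-reading the images. The class, the feed format (component SHA mapped to CVE IDs), the image names and the placeholder CVE IDs are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def sha_of(blob: bytes) -> str:
    """SHA-256 of a component's bytes, used as the index key."""
    return hashlib.sha256(blob).hexdigest()

class ComponentIndex:
    """Hypothetical inverted index: component SHA -> images containing it."""

    def __init__(self):
        self._images_by_sha = defaultdict(set)
        self._cves_by_sha = {}  # vulnerability data seen so far

    def scan_image(self, image, components):
        """Inventory an image once; return findings known at scan time."""
        findings = set()
        for blob in components.values():
            sha = sha_of(blob)
            self._images_by_sha[sha].add(image)
            findings |= {(image, cve) for cve in self._cves_by_sha.get(sha, ())}
        return findings

    def update_database(self, entries):
        """Apply a feed update; return only the newly exposed (image, CVE) pairs."""
        new = set()
        for sha, cves in entries.items():
            known = self._cves_by_sha.setdefault(sha, set())
            for cve in set(cves) - known:
                known.add(cve)
                # Images are matched from the index; no layer is re-scanned.
                new |= {(img, cve) for img in self._images_by_sha.get(sha, ())}
        return new

# Constructed sample data: component bytes and image names are made up.
LIB_A = b"constructed libfoo 1.0 binary"
LIB_B = b"constructed libbar 2.3 binary"

def run_demo():
    idx = ComponentIndex()
    clean = idx.scan_image("registry.example/app:1", {"libfoo": LIB_A, "libbar": LIB_B})
    clean |= idx.scan_image("registry.example/web:7", {"libfoo": LIB_A})
    update = {sha_of(LIB_A): ["CVE-PLACEHOLDER-0001"]}  # placeholder ID
    first = idx.update_database(update)    # both images are flagged
    repeat = idx.update_database(update)   # same entry again: nothing new
    late = idx.scan_image("registry.example/api:3", {"libfoo": LIB_A})
    return clean, first, repeat, late

if __name__ == "__main__":
    print(run_demo())
```

The images scanned before the update are reported as soon as the feed entry lands, and an image scanned afterwards is flagged at scan time from the same data.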
Q: When using image mirroring to push images between private registries, should we re-scan those images?
A: Yes, as a security best practice, it is recommended to re-scan images in each location prior to deployment.
Q: Do we need an extra license for mirroring the registry?
A: Yes, image mirroring is for moving images between two independent and licensed deployments of Docker Enterprise Edition. Each node in the Enterprise Edition environment will need to be licensed appropriately.
Deploying Docker Enterprise Edition
Q: Can we develop apps/servers on Docker CE then push them to Docker Enterprise Edition?
A: Yes, many organizations leverage Docker for Mac and Docker for Windows (which includes Docker CE) on their developers’ laptops to build applications. These images are then checked into Docker Enterprise Edition’s private registry solution and deployed, managed and secured by IT Operations teams. Docker Enterprise Edition provides the additional security and governance capabilities for managing applications at scale and in production.
Q: What’s the difference between running Docker Enterprise Edition in the cloud versus using something like Azure Container Service (AKS) or Google Kubernetes Engine (GKE)?
A: When you deploy Docker Enterprise Edition in a cloud, you get access to the Docker Enterprise Edition control plane, dashboard and private registry solution, which operate exactly the same way as if you deployed them in your own data center. This includes simplified workflows, built-in security tools and enterprise-ready access controls that can be consistently deployed across different platforms, helping you to operationalize at scale. You still have access to native Kubernetes APIs and CLIs, but Docker Enterprise Edition also makes this easier to manage. With cloud-based Kubernetes services, you are generally getting access to hosted Kubernetes, which you are responsible for configuring and managing.
Q: Is there a way to try Docker Enterprise Edition for free?
A: Yes! We have a free hosted trial that gives you access to a full Docker Enterprise Edition stack without having to download or install anything. Within minutes, you can get access to an environment and follow the guided tutorial or explore on your own. You can access the free hosted trial at https://trial.docker.com.
Q: How can I upgrade to Docker Enterprise Edition 2.0?
A: You can upgrade to the latest release of Docker Enterprise Edition if you are currently running a supported version of Docker Enterprise Edition (UCP 2.2+ and DTR 2.4+). If you are currently running Community Edition (CE) though, you would need to start with a fresh installation.
Q: How is Docker Enterprise Edition licensed?
A: Docker Enterprise Edition is licensed as an annual subscription on a per-node basis, up to 2 sockets. A node can be a physical server, a virtual machine, or a cloud instance and nodes can be managers or workers. For more information, visit https://www.docker.com/pricing or contact sales: https://goto.docker.com/contact-us.html
To learn more about Docker Enterprise Edition 2.0, check out the following resources:
- Access a free Hosted Trial
- Learn more about Docker Enterprise Edition and download the What’s New brochure
- See how enterprise organizations are saving money with Docker Enterprise Edition by downloading this Customer eBook