

Google Launches Managed Service for Running Docker Apps on Its Platform - ferrantim
http://googlecloudplatform.blogspot.com/2014/11/google-cloud-platform-live-introducing-container-engine-cloud-networking-and-much-more.html

======
jbeda
More info/docs here:
[https://cloud.google.com/container-engine/](https://cloud.google.com/container-engine/)

I'm on the Kubernetes/GKE team and happy to answer any questions you all might
have.

We also all hang out on IRC at #google-containers on freenode.

~~~
philip1209
Some Google-managed base images would be helpful. The last time I checked,
some of the major public Docker images were still shellshock-vulnerable.
Pre-installed GCE tools would be helpful. Perhaps automated environment
variables about region, etc.

~~~
shykes
If you have found an official Docker image that is still shellshock
vulnerable, the library maintainers [1] would love to hear from you as they
take that stuff quite seriously. As far as I know the entire library is fully
patched.

[1] [https://github.com/docker-library/official-images](https://github.com/docker-library/official-images)

~~~
tianon
As one of the maintainers in question, I'd absolutely mirror this whole
statement: if any of the image upstreams have an important update available
that isn't applied, we're very interested in rectifying that.

------
roberthbailey
TechCrunch incorrectly mentions that the service requires being added to a
whitelist to use. It is available for anyone to try out immediately.

~~~
philip1209
Oh interesting - you appear to be correct. You need to enable it through the
APIs page then you have access.

~~~
mh-
Confirmed: I was able to do this (simply enable the API) on an existing project
in the API Console.

~~~
andrewmunsell
Oddly, I get an "only available for new customers" message, even after I enable
the API.

~~~
crb
That's because the link from the GKE page is for the free Google Cloud
Platform trial ($300 credit), which is only available for new customers.

~~~
andrewmunsell
Ah, that would make sense.

------
deweller
Does this mean that Google feels confident in running untrusted code inside
containers? Or is each container actually running in an isolated VM?

It is my understanding that Docker containers are "generally" secure
([https://docs.docker.com/articles/security/](https://docs.docker.com/articles/security/)).
But that statement isn't enough for me to use them to power a multi-user
production hosting environment.

~~~
jbeda
We aren't doing multi-tenant in a VM. Instead, each user/account/project has
their own set of VMs implementing the cluster.

My view is that the surface area for cgroups/kernel namespaces is just too
large and isn't appropriate for hostile untrusted workloads right now.

More nuanced statement on this here:
[http://googlecloudplatform.blogspot.com/2014/08/containers-v...](http://googlecloudplatform.blogspot.com/2014/08/containers-vms-kubernetes-and-vmware.html)

------
TheMagicHorsey
Can someone explain the difference between Apache Mesos, Apache Spark, and
Kubernetes? As someone reading just announcements, and having never
experimented with any of these tools, they sound like they promise the same
capabilities.

Is it just that they are different open source projects aiming for the same
goal ... or are their goals different?

~~~
vertex-four
Apache Mesos is based on Twitter's expertise in deploying their cluster,
Kubernetes on Google's. They do things in different ways. Spark seems to be in
the same area as Hadoop, so not relevant to the conversation.

~~~
23david
Yep, but there's an important difference I think...

Mesos (some customizations, but largely the same as open-source Apache Mesos)
IS what Twitter uses to deploy and manage their clusters. Battle-hardened at
scale running diverse production workloads.

With Kubernetes, we're told that it is built using architectural and
philosophical principles proven to work at scale on Google's production
systems. But it's a fairly clean-room built-from-scratch implementation and
although developing quickly, is still immature and untested.

------
krschultz
Docker has pulled off some really impressive biz dev. I can't think of too
many other things that Azure, Google Cloud, and AWS all support.

~~~
RenegadeofFunk
Strongly agree with this. I've been interviewing for DevOps jobs and it seems
like everyone thinks they need to be using Docker for some reason or another.
Studying up on it has improved my interview feedback substantially.

~~~
jchonphoenix
If you're interested, I run a team at Docker and would love to chat :P

------
gfodor
Pretty sure we're gonna see a similar offering from AWS in a week.

~~~
jread
AWS released PaaS docker support 7 months ago:
[http://aws.amazon.com/blogs/aws/aws-elastic-beanstalk-for-do...](http://aws.amazon.com/blogs/aws/aws-elastic-beanstalk-for-docker/)

~~~
ceejayoz
Something more is coming soon, though:
[https://twitter.com/jeffbarr/status/529493907839533056](https://twitter.com/jeffbarr/status/529493907839533056)

------
lxcp
Hi Joe, I guess you folks are not running containers from customers
side-by-side in the same host. So if I scale up my cluster size while I have
containers deployed, do you folks rebalance the load on the host machines on
the fly (by stopping/relocating some containers) or do you rebalance the new
containers?

~~~
jbeda
Correct -- we don't do multi-tenant on the same VM. The security just isn't
there in our minds.

We don't do rebalancing/rescheduling/repacking yet. Those are the types of
things that we will be working on moving forward.

------
yim
This is great news, esp. with the $100K Google is giving to qualified
startups!

------
omouse
I hope this has the ripple effect of allowing enterprises to feel comfortable
using things like Firebase and Docker. I floated the idea of using Docker but
the idea was turned down because we have no idea how it affects performance in
a production environment.

------
tomcart
Anyone know if there are plans for auto-resizing of replicas or clusters based
on alarms, along the lines of AWS autoscaling?

------
chx
Can we ban TechCrunch please?
[http://googlecloudplatform.blogspot.com/2014/11/google-cloud...](http://googlecloudplatform.blogspot.com/2014/11/google-cloud-platform-live-introducing-container-engine-cloud-networking-and-much-more.html)

~~~
anon1385
pg has mentioned in the past that he would like to ban TechCrunch, but
couldn't do so because they provide so much coverage of his startups.

Submissions from bullshit SV news sites are the price you pay for using a site
that primarily exists as a marketing exercise.

Note that 'lower quality' sites about other sections of the tech industry have
been banned for years (appleinsider, winsupersite etc).

