Perhaps "implements"?

+1

I assume we can replace "when" with "after" ? just to be clear about when it is called.

Can people assume they are called in the order in which they are registered?

I think packaging plugins as containers is great - it saves a lot of work from the plugin authors side.
However, The question I have is about how they are distributed. Today the Docker registry doesn't contain any metadata about a container and what permissions it requires. This metadata is important from a users standpoint (a parallel would be the Google Play Store for Android) so they can make a decision of whether or not to use a plugin.

As @progrium mentions below, most agents will require --privileged or perhaps a combination of --cap-add and --cap-drop.

Perhaps a plugin should be a container + a docker-compose.yml

I think this is something we can work towards... basically having the image declare the permissions it needs to be able to run and error out if those perms weren't granted (ie by docker plugin load --privileged).

But I don't see this as a hard requirement for plugins.

Agree. Caveat here is that if we bind-mount the docker socket, then any plugin can elevate its own privileges. This needs more thought but not yet for an extensions MVP.

We should definitely not bind-mount the docker socket into the plugins.
Once people start writing plugins which assume this, it will be impossible
to change the design without breaking them.

On Thu, Mar 12, 2015 at 4:20 AM, lukemarsden [email protected]
wrote:

In docs/sources/userguide/plugins.md
#3 (comment):

@@ -0,0 +1,157 @@
+Docker Plugins MVP
+==================
+
+Plugins provide a mechanism for hooking into the Docker engine to extend its behavior.
+
+HTTP over a local UNIX socket is used to communicate between Docker and its plugins.
+
+Plugins are distributed as containers.

Agree. Caveat here is that if we bind-mount the docker socket, then any
plugin can elevate its own privileges. This needs more thought but not yet
for an extensions MVP.

—
Reply to this email directly or view it on GitHub
https://github.com/cpuguy83/docker/pull/3/files#r26293764.

I agree with not automatically doing it for all plugins, it would be nice to request one (not using -v /var/run/docker.sock:/var/run/docker.sock) from the UI.

I agree with this @shykes. Bind-mounting (which is how we'd propose to expose the Docker API) is already arguably part of the docker permissions interface (let the container mess with this subtree on the host filesystem). Does that mean that the plugin loader interface should have -v?

To be clear, the choice is:

• generic -v support for plugin loader.
• some sort of specific --allow-docker-api flag to the plugin loader which special-cases bind-mounting in the docker sock.

I think @progrium preferred the latter. I'm cool with either. If you strongly prefer the former @shykes I'm fine with that.

One data point: the prototypical containerized flocker-zfs-agent I'm working on currently has 5 bind-mounts. BTW, I was imagining that the flocker extension would start the flocker-zfs-agent with its requisite bind-mounts via the docker api when it started... but we really do need the extensions to be able to "do stuff". I don't think we have time to define an interface with granular permissions. And in fact arguably the interface with granular permissions should be a later version of the Docker API!

As a point of protocol, I think @progrium is working on the loader spec this/next week. It may be more productive to let him finish that and then do a review pass over it than to pre-empt his proposed design, which I'm sure will handle the use cases we have in mind. ;)

+1 for having some way for a plugin to speak to the main docker server - it is vital for various reasons - I'm not overly concerned with how though (-v or --allow-docker-api)

My take on these:

• I'd rather not expose docker run arguments to docker plugin for two reasons
  • As soon as we start adding some of them, we'll end up adding all of them.
  • I like that we have a dedicated docker plugin top-level command that hides the fact that it's actually pulling an image and running a container: I believe that it makes perfect sense for an MVP (as we reuse many of the infrastructure in place), but I don't think we'd like to lock ourselves in that as the only possible execution model.
• Mounting the daemon socket should not be the default, although I agree it should be made possible through some command-line flag that makes it obvious you're doing something "privileged", such as --allow-full-daemon-access.

While I like the idea of a container for plugins on the daemon-side, I'm wondering about CLI plugins. I don't think they can use the same mechanism. I wonder if it makes sense to have cli-plugins be executables that use the same API defined in there? Meaning, via some cli-specific registration mechanism (perhaps they're listed in the cli config file), the cli can start the exe's and then talk to them via HTTP using the same protocol defined here. So while we can't get consistency around distribution, we can be consistent on the API/protocol.

After discussing general usefulness of hidden/system/agent containers and that they would pretty much all operate with the same semantics of plugins, maybe we can call this subcommand agent? To then decouple this (also so it can be a standalone PR) from plugins, we can make the plugin handshake protocol optional with a flag. Another flag would provide the Docker socket as discussed.

What is an agent?

On Friday, March 6, 2015, Jeff Lindsay [email protected] wrote:

In docs/sources/userguide/plugins.md
#3 (comment):

@@ -0,0 +1,157 @@
+Docker Plugins MVP
+==================
+
+Plugins provide a mechanism for hooking into the Docker engine to extend its behavior.
+
+HTTP over a local UNIX socket is used to communicate between Docker and its plugins.
+
+Plugins are distributed as containers.
+
+This is targeted at Docker 1.7.
+
+# Usage
+
+Plugins can be loaded using a special docker plugin load command, as follows:

After discussing general usefulness of hidden/system/agent containers and
that they would pretty much all operate with the same semantics of plugins,
maybe we can call this subcommand agent? To then decouple this (also so
it can be a standalone PR) from plugins, we can make the plugin handshake
protocol optional with a flag. Another flag would provide the Docker socket
as discussed.

—
Reply to this email directly or view it on GitHub
https://github.com/cpuguy83/docker/pull/3/files#r25986848.

I guess this is missing context. There is a very common pattern in deployments of "system" containers or "agents", whether custom or from a third party that do various things for the system, but are not part of the main compute payload of a host. This happens in every deployment we've worked on.

Many examples are candidates for "plugins" but not all of them necessarily need to hook into Docker extension points. They just need to 1) always run on Docker boot, 2) likely have a default restart policy, 3) not show in main docker ps. Their management semantics match plugins but are not always plugins. For example, Docker Swarm is an agent.

Another example of this pattern shows up in RancherOS, how they've separated system containers from user containers. Our terminology is "agent" as almost all examples of this are already described as agents.

Other common properties of agents are their use of --privileged and/or the Docker socket, hence this being a reasonable place to make that easy.

why should this have -e $ARGS and $@? I suppose these are placeholders for the launch configuration... The line is a little confusing, I think if it just said docker plugin load clusterhq/flocker-plugin, it'd totally fine. You can hint about configuration though, which if you want can be through arguments. Although, keeping configuration out of the scope for now would be good, you could suggest that configuration would be part of the image if you like.

The -e $ARGS was for environment variables to pass to the plugin, and $@ just to say that you can pass some arguments. Should we just pick one of these? Or have neither?

Having config as part of the plugin image doesn't make sense because what we care about here is config provided by the cluster admin (the person typing docker plugin load not the plugin author).

Should we just pick one of these? Or have neither?

I think having args at the end will be fine for the purpose of this document.

Having config as part of the plugin image doesn't make sense...

Well, the idea was to reduce the scope of this proposal, there is all sorts of things one can dream up about config, but it's the kind of thing that is always easy to over-engineer. For example, this can easily get everyone into bikeshedding a distributed config store or syntax format, and that's best to avoid if progress is to be made on introducing the primitives, into which this is already getting deep enough.

Can we get some text around what the values in the response mean? It would seem to imply that the plugin can change the hostpath and container id - but that's doesn't seem right. Also, above I was assuming this is called after the volume is mounted, but this response (if these values are modifiable by the plug-in) would seem to imply its called before its mounted. For each plug-point we need to be clear about the "before" vs "after" nature of each.

We may want to consider responses that stop the current action. For example, does the mount stop if the plug-in fails? Do we allow the plug-in to stop the action at all? What happens if it fails? Do we roll things back?
My initial guess is that a failed plug-in should stop the flow - otherwise users could get unexpected results - or worse, very bad results if one of the plug-ins is an auth-type check. And therefore, if possible, I think things should rollback.

Why is the ContainerID here -- can the plugin change it? What would that mean?

It's there so that the plugin can look up (or record) the container info if it needs to.

I mean in the reply

If an extension has access to the docker socket - it can listen to the event stream to know if a container has stopped. Is it better to leave this up to the extension? The same issue would be true of networking extensions that want to release an IP.

Yes I think that's OK for the plugin to implement in its own way.

This should match the --env/--volume semantics:

--metadata size=50G --metadata tier=ssd --metadata replication=global

Or more really the forthcoming label API

Is greatnet the name of the plugin, or the name of the network?

The name of the network, I guess. This is where my view of what @shykes has in mind for the networking UX gets pretty hazy.

i'm wondering whether it would be useful for a plugin to register a custom uri scheme.
So you could chain plugins like so...

docker run --net=weave://network1 --net=other://network12 -v flocker://volume-foo:/usr/foo -v other://volume-bar:/usr/bar

+1 for the URI scheme in a later revision.

I've been toying with /flocker/volume-foo, //volume-foo, flocker://volume-foo and I like flocker://volume-foo the best. The reason I hadn't proposed that yet though is that it would require a change to the parsing logic because colons already have a meaning in volume specs. /flocker/volume-foo certainly isn't final, but it will get us over the hurdle of getting an extensions MVP out.

So we've talked about this in the past and it the response was basically this was overloading the -v... that said I think it totally makes sense.

This line also introduces the --ip argument, which rises another question - how would user know that this argument is handled by the extension? One way of solving this problem is to add extend --net="..." syntax, but that is gonna get hairy soon. Perhaps plugins could introduce a namespaced argument, e.g. --awesome-ip= in this specific case would work a bit better.

I do like the URI approach in ways, but extending syntax of --net is not a great idea, I would rather deprecate that flag and introduce something like this:

docker run --weave-net=network1 --other-net=network12 --other-param=foo

Similarly with volumes, I am thinking that adding --flocker-volume would appear much clearer to the user.

@progrium suggest that this behaviour should depend on the extension point.

Post hooks are important - IMHO they should certainly be included somehow in the workflow. I think about it as pre-hook=setup and post-hook=react where the react step is "do something now that container is running"

This is part of the API extension discussion then. When we get to that bit, we can start with what we learned from powerstrip, write down the desired formal semantics and iterate on that.

Won't this prevent plugins from doing any work through the Docker API? For instance, when a weave plugin was loaded, we'd want it to start a weave router container, maybe a weaveDNS container, and so on.

This is a good point - a plugin might itself need to start other containers. Perhaps we can say "While waiting for the plugin to initialize, Docker should not allow any API requests that are not from plugins to succeed". This is also another good use-case for plugins in general being able to talk to the docker deamon

Is this an example of the more generic "agent" pattern discussed by @progrium above?

Yes, I think we agreed to go ahead and start with this (it's up to @progrium how he implements the loader 😄).