My Three Favorite New Features in Docker Enterprise Edition

Aug 21 2017

I’ve been at Docker for just over two years now, and I’ve worked with every version of Docker Enterprise Edition (née Docker Datacenter) since before there even was a Docker Enterprise Edition (EE). I’m more excited about this new release than any previous release.

There are several new features that are going to ease the management of your applications (both traditional and cloud-native) wherever you need them to run: the cloud or the data center, virtual or physical, Linux or Windows – and now even IBM Z mainframes.

It would take too long to discuss all of the new features, so with that in mind, I’m going to talk about my three favorite features in Docker EE 17.06.

Hybrid-OS Clusters

Docker and Microsoft introduced support for Windows Server containers last fall. This was a major milestone that helped Docker move towards the goal of embracing apps across the entirety of the data center. With this latest release Docker extends hybrid OS operations even further: IT admins can now build and manage clusters comprised of Linux, Windows Server 2016, and IBM Z mainframes  – all from the same management plane. This means you can manage applications comprised of both Windows and Linux components from Docker Universal Control Plane. For instance, you can run your web front end on Linux and connect that to Microsoft SQL Server running on Windows.

Docker EE 17.06 is the first Containers-as-a-Service platform to offer production-level support for the integrated management and security of Windows Server Containers.

For more information on hybrid-OS clusters, check out this video.

Enhanced Role-based Access Control (RBAC)

Docker EE has always featured RBAC. With Docker EE 17.06 we’ve enhanced these capabilities to further extend the way administrators manage access to cluster resources.

To better understand how RBAC works in Docker EE 17.06 it’s probably best if I define four concepts:

  • Custom Roles: A role is essentially a set of permissions that define what operations someone can perform on cluster resources. As in previous releases, Docker EE 17.06 has a set of predefined roles (View Only, Full Control, etc). What’s new in this release is the ability for administrators to choose from dozens of individual capabilities to define custom roles.

For instance, an admin could define a ‘network-ops’ role that only grants the ability to perform a subset of tasks specifically related to network functionality.

 Note: This image only shows a small subset of all the various operation permissions available in Docker EE 17.06

In short roles are what someone can do when working with your Docker EE cluster.

  • Subject: Subjects define who can perform certain tasks. Subjects can be Docker EE users, teams or organizations.
  • Collections: Collections are a new concept in Docker EE. They provide a mechanism for administrators to group cluster resources (services, containers, volumes, networks, secrets, etc) together. An admin assigns a special Docker label (com.docker.ucp.access.label) to a particular resource to define what collection the resource belongs to.
    Collections can be nested into a directory-like hierarchy. For instance an admin user can create a prod collection, and then a webserver collection beneath that.

Nested collections will inherit permissions from their parent collections.
You can think of collections as where someone can perform tasks.


  • Grant: A grant defines who (subject) can do what (role) where (collection). For example, you can create a grant that specifies that the “Dev Team” gets “View Only” access against resources in the “/Production” collection.

In addition to these new capabilities, Docker EE Advanced 17.06 extends the concept of RBAC to nodes as well. So now administrators can subdivide cluster servers between teams, and ensure that those dedicated resources are only accessed by individuals who have been explicitly granted permission. These features give administrators nearly infinite flexibility with regards to how they want to secure their cluster resources.

For more information on RBAC in Docker EE 17.06 check out this video.

Automated Image Promotion and Immutable Repos

Ok, this is technically two features, but they’re both awesome: Automated Image Promotion and Immutable Repos. These two capabilities allow administrators to further ensure the integrity of Docker images.

Automated image promotion gives IT practitioners the ability to define criteria that, when met, will automatically promote an image from one Docker Trusted Registry (DTR) repository to another.

For instance, today you might create a new version of an application, run it through QA, and then – if it passes – manually promote it to the production repo. The QA process could include steps such as scanning for vulnerabilities or the usage of components with certain licenses.

With Docker EE 17.06, you can automate portions of this process. You can define criteria based on the the image tag, the number of vulnerabilities in the image, presence of certain packages, or the type of license found in the image. If those criteria are met, the image will automatically be promoted from one repo to the other.

Additionally, you can apply multiple policies to create sophisticated automated promotion scenarios.

Immutable repos work alongside image promotion (as well as the existing security scanning and image signing features) to help protect the integrity of your Docker images. As the name implies, immutable repos allow administrators to prevent image tags from being changed in a given repository.

This is aimed at stopping a scenario where someone pushes a version of an image with a given tag, and then someone else overwrites that image by pushing a different version using the same tag as the original user. With immutable repos you can be assured that your images will not be accidentally (or intentionally) overwritten.

For more information on image promotion and immutable repos, please see this video.

Secure and Manage More Applications

Ok – I know I said I was going to talk about my three favorite new features, but I have to add my other favorite new feature: Docker Security Scanning for Windows images. Docker Security Scanning, part of Docker EE Advanced, automatically scans images for common vulnerabilities and exploits as they are pushed to DTR. Previously this has only worked with Linux images, but with Docker EE Advanced 17.06 it now also works with Windows images!

So there you have it: my three (or four or five depending on how you counted) favorite new features in Docker EE 17.06.

Thanks for taking the time to learn what’s new in Docker EE 17.06. Like I said, there are plenty of other new features. Heck, I didn’t even talk about multi-stage builds or the new UI. I hope after reading this, that you’re as excited about Docker EE 17.06 as I am.

Continue your Docker journey with these helpful links:



0 thoughts on "My Three Favorite New Features in Docker Enterprise Edition"

DockerCon 2022

Registration is now open for DockerCon 2022! Join us for this free, immersive online experience complete with product demos, breakout learning tracks, panel discussions, hacks & tips, deep dive technical sessions, and much more.

Register Now