Docker
- "Docker is the world's leading software containerization platform"
- "Containers aren't designed to run full blown operating systems. They're designed to run as long as the command within it requires. After this it exits."
Basics
- Every image is built upon a "base docker image" (such as node slim)
- Docker can build images automatically by reading the instructions from a Dockerfile
- Note that to expose multiple ports you can simply repeat the -p flag
Terminology
- Container: "a container is simply another process on your machine that has been isolated from all other processes on the host machine"
- Container Image: "When running a container, it uses an isolated filesystem. This custom filesystem is provided by a container image. Since the image contains the container's filesystem, it must contain everything needed to run an application - all dependencies, configuration, scripts, binaries, etc. The image also contains other configuration for the container, such as environment variables, a default command to run, and other metadata."
- Volumes: "Volumes provide the ability to connect specific filesystem paths of the container back to the host machine. If a directory in the container is mounted, changes in that directory are also seen on the host machine. If we mount that same directory across container restarts, we'd see the same files."
Principles
- "Each container should do one thing and do it well"
Docker info
A great place to start...
docker info
Pull
Images can be pulled locally via the following...
docker pull --quiet python:3.8
docker pull --quiet python:3.8.3
docker pull --quiet python:3.8.3-slim
docker pull --quiet python:3.8.3-alpine
You can then see all your locally available images via docker images.
Core Commands
docker ps -a
- list all available containers on any given system
docker ps
- list all running containers
docker start <id>
- start a container
docker images
- list all images
docker stop <id>
- stop a running container (equivalent of gracefully powering it down)
docker kill <id>
- kill a particular running container (equivalent of turning off the power)
docker rm <id>
- remove a particular container
docker rmi <id>
- remove a particular image
docker logs <name>
- show the logs for a given container
docker tag <imageid> kevinbluer/docker-whale:latest
- tag an image (here as kevinbluer/docker-whale:latest)
Docker clean up
docker system prune
Note the optional -af to "a=Remove all unused images not just dangling ones, f=Do not prompt for confirmation".
Building Images
- Buildkit - "The standard Docker build command performs builds on Dockerfiles serially, which means it reads and builds each line or layer of the Dockerfile one layer at a time. When BuildKit is enabled, it allows for parallel build processing resulting in better performance and faster build times." https://brianchristner.io/what-is-docker-buildkit/
Docker Restart
docker restart [OPTIONS] CONTAINER [CONTAINER...]
Docker PS
Seeing the full command...
docker ps --no-trunc
Examples
- https://github.com/sanmak/dockerfile-samples
Spin up MK Docs interactively
docker run --rm -it -p 8000:8000 -v ${PWD}:/docs squidfunk/mkdocs-material
Interactively run Bash (assuming it's installed) in a running container (options go before the container name)
docker exec -it teams-ui bash
docker run --name rocketchat -p 80:3000 --env ROOT_URL=http://localhost --link mongo -d rocket.chat
docker run -d --hostname my-rabbit --name some-rabbit -p 8080:15672 -p 5672:5672 rabbitmq:3-management
docker run -v /home/user/hubot_scripts:/opt/scripts --link some-redis:redis -p 8081:8080 mkaag/hubot
docker logs c6019c4dac20
Logs
Follow (--follow, -f) the logs within a given container via the following...
docker logs -f <container-id>
Volumes
- "Volumes provide the ability to connect specific filesystem paths of the container back to the host machine. If a directory in the container is mounted, changes in that directory are also seen on the host machine. If we mount that same directory across container restarts, we'd see the same files."
- By creating a volume and attaching (often called "mounting") it to the directory the data is stored in, we can persist the data.
- Think of a named volume as simply a bucket of data.
- Docker maintains the physical location on the disk and you only need to remember the name of the volume.
docker volume create todo-db
docker run -dp 3000:3000 -v todo-db:/etc/todos getting-started
Inspecting a Volume
docker volume inspect todo-db
"The Mountpoint is the actual location on the disk where the data is stored"
Named Volumes
- "Think of a named volume as simply a bucket of data. Docker maintains the physical location on the disk and you only need to remember the name of the volume. Every time you use the volume, Docker will make sure the correct data is provided."
Bind Mounts
- "With bind mounts, we control the exact mountpoint on the host."
- "When working on an application, we can use a bind mount to mount our source code into the container to let it see code changes, respond, and let us see the changes right away."
Additional Volume Drivers
Additional volume drivers are available to support other use cases...
- SFTP
- Ceph
- NetApp
- S3
Networking
"If two containers are on the same network, they can talk to each other. If they aren't, they can't."
Listing all the networks...
docker network ls
Imperatively creating a network and inspecting it...
docker network create todo-app
docker network inspect todo-app
docker network ls
Noteworthy images
Base
Applications
Other
Docker Swarm
"Docker Swarm is the native orchestration engine used by Docker Datacenter to operate and manage Docker apps at scale"
Integration
Restarting the Service
On Unix / Linux...
sudo service docker restart
Logging
You can check a container's logs via docker logs <container-id>.
Logging is also highly configurable.
Via /etc/docker/daemon.json
{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "udp://logs.papertrailapp.com:44803"
  }
}
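As an added example (not from these notes), a small Python helper that merges the logging settings above into an existing daemon.json instead of overwriting whatever else is in it; the sample existing config and the file path are constructed for the demo, and the json-file rotation variant goes slightly beyond the notes.

```python
"""Merge a log-driver setting into Docker's daemon.json without clobbering its
other keys. Added example, not from the notes; path and sample config are constructed."""
import json
import os
import tempfile

# Constructed sample of what an existing /etc/docker/daemon.json might hold.
EXISTING_DAEMON_JSON = '{"data-root": "/var/lib/docker", "live-restore": true}'

# The syslog configuration shown in the notes above.
SYSLOG_LOGGING = {
    "log-driver": "syslog",
    "log-opts": {"syslog-address": "udp://logs.papertrailapp.com:44803"},
}

# Variant: keep the default json-file driver but rotate, so one chatty container
# cannot fill the host disk (max-size / max-file are json-file driver options).
ROTATED_JSON_FILE_LOGGING = {
    "log-driver": "json-file",
    "log-opts": {"max-size": "10m", "max-file": "3"},
}


def merge_logging(path, logging_cfg):
    """Load daemon.json if present, replace only log-driver/log-opts, and write back
    atomically (temp file + rename) so dockerd never reads a half-written file."""
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)  # invalid JSON raises: fail loudly, not silently
    config["log-driver"] = logging_cfg["log-driver"]
    config["log-opts"] = dict(logging_cfg.get("log-opts", {}))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return config


def demo(logging_cfg=SYSLOG_LOGGING):
    """Write the sample config into a temp dir standing in for /etc/docker, merge,
    and re-read the file to return exactly what dockerd would load."""
    path = os.path.join(tempfile.mkdtemp(), "daemon.json")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(EXISTING_DAEMON_JSON)
    merge_logging(path, logging_cfg)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)
```

dockerd only reads daemon.json at startup, so restart the Docker service afterwards; the new driver applies to containers created after the restart, while existing containers keep the driver they were started with.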
Docker Stats
"Display a live stream of container(s) resource usage statistics"
docker stats
Docker Scan
Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them.
docker scan