https://www.meetup.com/zJAVA-w-Objectivity/events/260273781/

1. Docker for Developers
ANDRZEJ SYDOR

2. Agenda
 Docker introduction
 Containers: run, start, stop, rm, ps
 Images: pull, push, import, export, save, load
 Networking
 Volumes
 UI tools
 Dockerfile
 Docker Compose
 Best practices

3. Docker
 Docker is the leading software container platform
 Founded in 2013 as Linux developer tool
 Fundamentally solves the „works on my machine” problem
 Container industry inventor, leader and innovative
 Transform app and infrastructure security, portability, agility and efficiency

4. One Application on One
Physical Server
 Limitations
 Slow development times
 Huge costs
 Wasted resources
 Difficult to scale
 Difficult to migrate
 Vendor lock in

5. Hypervisior – Based
Virtualization
 Benefit:
 Better resource pooling
 One physical machine divided into multiple virtual machines
 Easier to scale
 VMs in the cloud
 Rapid elasticity
 Pay as you go model
 Limitations:
 Each VM stills requires:
 CPU limitations
 Storage
 RAM
 An entire guest operating system
 Full guest OS means wasted resources
 Application portability not guaranteed

6. Docker
 Standarized packaging for software and
dependencies
 Isolate apps from each other
 Share the same OS kernel
 Works with all major Linux and Windows
Server

8. Key Benefits of Docker Containers
 Speed
 No OS to boot – applications online in seconds
 Portability
 Less dependencies between proces layers = ability to move between infrastructure
 Efficiency
 Less OS overhead
 Improved resource efficiency

9. WORA / PODA / CaaS
 WORA = Write Once Run Anywhere {J,W,E}AR
 PODA = Package Once Deploy Anywhere
 CaaS = Container as a Service

10. Docker
 Image
 The basis of a Docker container
 Container
 The image when it is ‚running’
 Registry
 Stores, distributes and manages Docker images
 Dockerfile
 Commands to assemble an image
 Docker Compose
 Define and share multi-container definitions

11. Docker
 Docker Engine
 The client-server application contains Docker daemon, REST API, CLI
 Docker Machine
 A tool to launch Docker hosts on multiple platforms
 Docker Client
 Command-line interface to interact with Docker daemons
 Docker Hub
 Repository for Docker Images
 Docker Store
 A storefront for official Docker images and plugins as well as licensed products

12. Docker Engine

13. Docker Architecture

14. docker run
 docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
 -d -> detached
 -t -> allocate a pseudo-tty
 -i -> keep STDIN open even if not attached
 --name -> container name
 --rm -> delete container when it exists
 -P [--publish-all] -> publish exposed ports to random ports
 -p [-publish] -> publish a container’s ports to the host

16. Docker Images Layers
 Layers are read only
 An image is a collection of files and some
meta data
 Images are comprised of multiple layers
 A layer is also contains software you want to
run
 Each image contains a base layer
 Docker uses a copy on write systems

17. Docker layers
docker image history <container-id>

18. Docker Sharing Layers
 Images can share layers in order to speed up transfer times and optimize disk and
memory usage
 Parent images that already exists on the host do not have to be downloaded

19. Docker pull / push
 docker pull [OPTIONS] NAME[:TAG]
 Pull an image or a repository from a registry (e.g. Docker Hub)
 docker push [OPTIONS] NAME[:TAG]
 Push an image or a repository from a registry (e.g. Docker Hub)

20. save / load / export / import
 docker save [OPTIONS] IMAGE [IMAGE]
 Save one or more images to a tar archive registry (e.g. Docker Hub)
 docker load [OPTIONS] NAME[:TAG]
 Load an image from a tar archive or STDIN
 docker export [OPTIONS] CONTAINER
 Export a container’s filesystem as a tar archive
 docker import [OPTIONS]
 Import the contents from a tarball to create a filesystem image

21. Docker commit
 docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
 -m Commit message
 -p Pause container during commit
 -c Apply Dockerfile instruction to the created image
 docker commit -m `message` <container-id> <container-name>:<version>

23. Docker flatten
docker export <container> | docker import - <image>
- Experiental flag
--squash

24. Docker flatten

25. Docker
Volumes

26. Volumes
 docker volume ls
 docker run –v
 -v [--volume]
 -m [--mount]

28. Networking
 IPAM (IP address management)
 Planning, tracking and managing IP addressess within the network
 IPAM has DNS and DHCP services
docker inspect -f='{{json .Containers}}’ <network>
docker inspect --format='{{.NetworkSettings.IPAddress}}’ <network>

29. Network drivers
 bridge
 Standalone containers that need to communicate
 none
 Disable all networking
 host
 Use the host’s networking directly (swarm services)
 overlay
 distributed network among multiple Docker daemon hosts
 Links
 Legacy container links

31. Portainer
 Docker UI
 „The easiest way to manage docker”
 https://www.portainer.io/

32. Portainer
 https://portainer.io/overview.html
 Detailed overview
 Containers (List, Details, Stats, Logs, Console, Creation)
 Images (List, Details)
 Network (List)
 Volumes (List)
 Container Templates
 Cluster overview
 Services Management
 Endpoint Management
 User Management and User Access Control

33. Portainer

34. Portainer
docker volume create portainer_data
docker run –name=portainer
-d -p 9000:9000
-v /var/run/docker.sock:/var/run/docker.sock
-v /opt/portainer:/data
portainer/portainer

35. Kitematic
 Visual Docker Container Management on Mac & Windows
 Run containers through a simple, yet powerful graphical user interface.
 https://kitematic.com/

36. Kitematic
 Fast and Easy Setup
 Docker Hub Integration
 Seamless Experience Between CLI and GUI
 Advantaged Features
 Automatically map ports
 Configuring volumes
 Change environment variables
 Streamline logs
 CLI access to containers

37. Kitematic

38. Docker Desktop for Windows
 Docker Desktop for Windows is the best way to get started with Docker on
Windows
 https://docs.docker.com/docker-for-windows/
 Auto update capability
 No additional software required, e.g. Virtualbox
 Windows: Hyper-V VM
 Better networking and filesystem mounting/notification
 Requires Windows 10 64-bit (Yosemite 10.10+)
 Legacy desktop solution boundled with Docker Toolbox.

39. Docker for AWS/Azure
 Amazon Web Services
 Amazon CloudFormation templates
 Integrated with Autoscaling, ELB, EBS
 Azure
 Integrated with VM Scale Sets for autoscaling, Azure Load Balancer, Azure Storage

40. Dockerfile
 FROM – Docker base
 FROM alpine:latest
 LABEL – extra information
 LABEL maintainer = ‘”Andrzej Sydor”
 COPY/ADD
 COPY build/app.jar /etc/app.jar
 ADD http://resource/files/html.tar.gz /usr/share/nginx/
 RUN – commands to install software and run scripts
 RUN mkdir –p /tmp/myapp/
 EXPOSE – the port and the protocol exposed in runtime
 EXPOSE 80/tcp
 ENTRYPOINT/CMD
 USER / WORKDIR / ENV

41. Dockerfile
FROM ubuntu:18.04
COPY . /app
RUN make /app
CMD python /app/app.py

42. Docker Build
 docker image build –file <Dockerfile> --tag <REPO>:<TAG>
 <REPO> - typically username on Docker Hub
 <TAG> - unique container value
 docker image build --tag local:dockerfile-example .
 .(dot) – current folder

43. Docker – Environmental variables
 ARG <key>[=<default value>]
 Build time arguments ( --build-arg <key>=<value> )
 ENV <key> <value>
 ENV <key>=<value>
 Environmental variables

44. Dockerfile
FROM alpine
ARG var="Default Hello World!"
ENV ENV1=$var
RUN echo "Build value: $ENV1"
ENTRYPOINT echo "Runtime value: $ENV1"

45. Docker env
docker build -t env-image .
docker run -d --name env-app env-image
docker logs env-app
docker run -d --name env-app2 -e ENV1=‘cmd env' env-image
docker logs env-app2

47. Multi-stage Dockerfile
# first stage
FROM node:10 AS builder
WORKDIR /app
RUN npm install -g @angular/cli
RUN ng new my-app --routing=true --style=css --skipGit=true --minimal=true
WORKDIR /app/my-app
RUN ng build --prod
# second stage
FROM nginx
COPY --from=builder /app/my-app/dist/my-app/ /usr/share/nginx/html

49. Docker Compose
 Tool for defining and running multi-container Docker applications
 YAML configuration (docker-compose.yml)
 Features:
 Multiple isolated environments on a single host
 Preserve volume data when containers are created
 Only recreate containers that have changed
 Variables and moving a composition between environments

50. Docker Compose
version: ‘3'
services:
web:
build: .
ports:
- "5000:5000"
volumes:
- .:/code
redis:
image: redis

51. Docker Compose
docker-compose up –d --build
docker-compose stop
docker-compose rm -f

52. Demo
version: '3'
services:
web1:
...
web2:
...
networks:
- net1
curl:
...
networks:
- net1
networks:
net1:
curl
web1
web2

53. Storing images
 Docker Registry
Docker Hub
Docker Store

54. Docker Registry
 Service that storing your Docker images
 Open source – Apache license
 Tightly control where your images are being stored
 Fully own your images distribution pipeline
 Integrate image storage and distribution tightly into your in-house development
Filesystem
/var/lib/registry

55. Docker Registry
docker run -d -p 5000:5000 --name registry registry:2
docker image tag alpine localhost:5000/myfirstimage
docker push localhost:5000/myfirstimage
docker pull localhost:5000/myfirstimage
docker container stop registry &&
docker container rm -v registry

56. Docker Hub
 Docker Hub
 Free for public images
 Organizations
 Repository
 Automated build (GitHub, BitBucket)

57. Docker HUB
 docker login
 docker build --tag username/my-container:latest
.
 docker image push username/my-container:latest

58. Docker Store
 Docker Store
 Docker images and plugins
 Docker Certified

59. Third-party registries
 Red Hat Container Catalog
 OpenShift
 Jfrog
 Quay.io
 Amazon EC2 Container Registry
 Others: Microbadger e.g. inspect image

60. Java Maven / Gradle plugins
 Maven plugin
 https://dmp.fabric8.io/
 https://github.com/spotify/docker-maven-plugin
 Gradle plugin
 https://bmuschko.github.io/gradle-docker-plugin/

61. Docker – CPU/Memory
 By default, a container can consume all available resources on the host machine if it
requires it
 Limit CPU usage
 -c / --cpu-shares=1024
 --cpu-period=25000 (microseconds)
 --cpu-quota=25000 (microseconds)
 Limit memory usage
 --memory 1024M
 --memory-swap 1024M
 By default, when you set --memory, docker will set the --memory-swap size twice
 --kernel-swap 1024M
Java 10

62. Docker – CPU/Memory - examples
docker container inspect <container> | grep -i memory
docker container run -d --name <container> --cpu-shares 512 --memory 128M <image>
docker container update --cpu-shares 512 --memory 256M <image>
docker container update --cpu-shares 512 --memory 128M --memory-swap 256M <image>

63. Docker - best practices
 One application per container
 Only install what you need
 Review who has access to your Docker hosts
 Use the latest version
 Use the resources
 Awesome docker
 https://awesome-docker.netlify.com/
 https://github.com/veggiemonk/awesome-docker

64. Look for minimal images !?
Image Size
openjdk:8 625MB
openjdk:8-jre 470MB
openjdk:8-jre-slim 204MB
openjdk:8-jre-alpine 85MB

65. Use Caching Effectively
FROM ubuntu
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk
COPY . /app
CMD [‘java’, ‘-jar’, ‘/app/target/app.jar’]

66. Single / Multi line variables
FROM alpine
ENV var1=abc
ENV var2=def
FROM alpine
ENV var1=abc
var2=def

67. Single / Multi line variables
FROM ubuntu
RUN wget tomcat.zip
RUN unzip tomcat.zip
RUN rm tomcat.zip
FROM alpine
RUN wget tomcat.zip
unzip tomat.zip
rm tomcat.zip
32 MB 21 MB

68. Tools
 cAdvisor https://github.com/google/cadvisor/
 Analyzes resource usage and performance characteristics of running containers
 Node-exporter https://github.com/prometheus/node_exporter/
 Exporter for machine metrics http://prometheus.io/
 Prometheus https://prometheus.io/
 Power your metrics and alerting with a leading open-source monitoring solution
 Grafana https://grafana.com/
 The open platform for beautiful analytics and monitoring

69. To Be Continued …
- Docker internals
 cgroups
 Limiting the resources that can be used by a processes
 namespaces
 Isolating filesystem resources
 unionFS
 Resource Management / Implicite sharing

70. To Be Continued …
- Docker Security
 The Docker Bench Security is a script that checks for dozens of common best-
practices around deploying Docker containers in production
 Docker Security Scanning

71. Q/A