3. Docker
Docker is the leading software container platform
Founded in 2013 as Linux developer tool
Fundamentally solves the "works on my machine" problem
Container industry inventor, leader and innovator
Transforms app and infrastructure security, portability, agility and efficiency
4. One Application on One Physical Server
Limitations
Slow development times
Huge costs
Wasted resources
Difficult to scale
Difficult to migrate
Vendor lock in
5. Hypervisor-Based Virtualization
Benefit:
Better resource pooling
One physical machine divided into multiple virtual machines
Easier to scale
VMs in the cloud
Rapid elasticity
Pay as you go model
Limitations:
Each VM still requires:
CPU limitations
Storage
RAM
An entire guest operating system
Full guest OS means wasted resources
Application portability not guaranteed
6. Docker
Standardized packaging for software and dependencies
Isolate apps from each other
Share the same OS kernel
Works with all major Linux and Windows Server versions
8. Key Benefits of Docker Containers
Speed
No OS to boot – applications online in seconds
Portability
Fewer dependencies between process layers = ability to move between infrastructures
Efficiency
Less OS overhead
Improved resource efficiency
9. WORA / PODA / CaaS
WORA = Write Once Run Anywhere {J,W,E}AR
PODA = Package Once Deploy Anywhere
CaaS = Container as a Service
10. Docker
Image
The basis of a Docker container
Container
The image when it is 'running'
Registry
Stores, distributes and manages Docker images
Dockerfile
Commands to assemble an image
Docker Compose
Define and share multi-container definitions
11. Docker
Docker Engine
The client-server application contains Docker daemon, REST API, CLI
Docker Machine
A tool to launch Docker hosts on multiple platforms
Docker Client
Command-line interface to interact with Docker daemons
Docker Hub
Repository for Docker Images
Docker Store
A storefront for official Docker images and plugins as well as licensed products
14. docker run
docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
-d -> detached
-t -> allocate a pseudo-tty
-i -> keep STDIN open even if not attached
--name -> container name
--rm -> delete the container when it exits
-P [--publish-all] -> publish all exposed ports to random host ports
-p [--publish] -> publish a container's port to the host
16. Docker Images Layers
Layers are read only
An image is a collection of files and some metadata
Images are comprised of multiple layers
A layer also contains the software you want to run
Each image contains a base layer
Docker uses a copy-on-write storage system
18. Docker Sharing Layers
Images can share layers in order to speed up transfer times and optimize disk and memory usage
Parent images that already exist on the host do not have to be downloaded
19. Docker pull / push
docker pull [OPTIONS] NAME[:TAG]
Pull an image or a repository from a registry (e.g. Docker Hub)
docker push [OPTIONS] NAME[:TAG]
Push an image or a repository to a registry (e.g. Docker Hub)
20. save / load / export / import
docker save [OPTIONS] IMAGE [IMAGE...]
Save one or more images to a tar archive
docker load [OPTIONS]
Load an image from a tar archive or STDIN
docker export [OPTIONS] CONTAINER
Export a container's filesystem as a tar archive
docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
Import the contents of a tarball to create a filesystem image
21. Docker commit
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
-m Commit message
-p Pause container during commit
-c Apply Dockerfile instruction to the created image
docker commit -m "message" <container-id> <repository>:<tag>
28. Networking
IPAM (IP address management)
Planning, tracking and managing IP addresses within the network
IPAM has DNS and DHCP services
docker inspect -f '{{json .Containers}}' <network>
docker inspect --format='{{.NetworkSettings.IPAddress}}' <container>
29. Network drivers
bridge
Standalone containers that need to communicate
none
Disable all networking
host
Use the host’s networking directly (swarm services)
overlay
Distributed network among multiple Docker daemon hosts
Links
Legacy container links
35. Kitematic
Visual Docker Container Management on Mac & Windows
Run containers through a simple, yet powerful graphical user interface.
https://kitematic.com/
36. Kitematic
Fast and Easy Setup
Docker Hub Integration
Seamless Experience Between CLI and GUI
Advanced Features
Automatically map ports
Configuring volumes
Change environment variables
Streamline logs
CLI access to containers
38. Docker Desktop for Windows
Docker Desktop for Windows is the best way to get started with Docker on Windows
https://docs.docker.com/docker-for-windows/
Auto update capability
No additional software required, e.g. VirtualBox
Windows: Hyper-V VM
Better networking and filesystem mounting/notification
Requires Windows 10 64-bit (Yosemite 10.10+)
Legacy desktop solution bundled with Docker Toolbox.
39. Docker for AWS/Azure
Amazon Web Services
Amazon CloudFormation templates
Integrated with Autoscaling, ELB, EBS
Azure
Integrated with VM Scale Sets for autoscaling, Azure Load Balancer, Azure Storage
40. Dockerfile
FROM – base image
FROM alpine:latest
LABEL – extra information (metadata)
LABEL maintainer="Andrzej Sydor"
COPY/ADD – copy files into the image
COPY build/app.jar /etc/app.jar
ADD http://resource/files/html.tar.gz /usr/share/nginx/
RUN – commands to install software and run scripts
RUN mkdir -p /tmp/myapp/
EXPOSE – the port and the protocol exposed at runtime
EXPOSE 80/tcp
ENTRYPOINT/CMD
USER / WORKDIR / ENV
47. Multi-stage Dockerfile
# first stage
FROM node:10 AS builder
WORKDIR /app
RUN npm install -g @angular/cli
RUN ng new my-app --routing=true --style=css --skipGit=true --minimal=true
WORKDIR /app/my-app
RUN ng build --prod
# second stage
FROM nginx
COPY --from=builder /app/my-app/dist/my-app/ /usr/share/nginx/html
49. Docker Compose
Tool for defining and running multi-container Docker applications
YAML configuration (docker-compose.yml)
Features:
Multiple isolated environments on a single host
Preserve volume data when containers are created
Only recreate containers that have changed
Variables and moving a composition between environments
54. Docker Registry
Service that stores your Docker images
Open source – Apache license
Tightly control where your images are being stored
Fully own your image distribution pipeline
Integrate image storage and distribution tightly into your in-house development workflow
Filesystem
/var/lib/registry
61. Docker – CPU/Memory
By default, a container can consume all available resources on the host machine if it requires them
Limit CPU usage
-c / --cpu-shares=1024
--cpu-period=25000 (microseconds)
--cpu-quota=25000 (microseconds)
Limit memory usage
--memory 1024M
--memory-swap 1024M
By default, when you set --memory, Docker sets --memory-swap to twice the --memory value
--kernel-swap 1024M
Java 10
63. Docker - best practices
One application per container
Only install what you need
Review who has access to your Docker hosts
Use the latest version
Use the resources
Awesome docker
https://awesome-docker.netlify.com/
https://github.com/veggiemonk/awesome-docker
65. Use Caching Effectively
# Cache-unfriendly placement: copying the whole context here means any source change
# invalidates every layer below it, including the slow apt-get steps
FROM ubuntu
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk
# Cache-friendly placement: copy the frequently changing sources after the install steps
COPY . /app
CMD ["java", "-jar", "/app/target/app.jar"]
66. Single / Multi line variables
FROM alpine
ENV var1=abc
ENV var2=def
The same variables in a single ENV instruction:
FROM alpine
ENV var1=abc \
    var2=def
67. Single / Multi line RUN commands
FROM ubuntu
RUN wget tomcat.zip
RUN unzip tomcat.zip
RUN rm tomcat.zip
Resulting image: 32 MB (the deleted archive still occupies an earlier layer)
FROM alpine
RUN wget tomcat.zip && \
    unzip tomcat.zip && \
    rm tomcat.zip
Resulting image: 21 MB
68. Tools
cAdvisor https://github.com/google/cadvisor/
Analyzes resource usage and performance characteristics of running containers
Node-exporter https://github.com/prometheus/node_exporter/
Exporter for machine metrics http://prometheus.io/
Prometheus https://prometheus.io/
Power your metrics and alerting with a leading open-source monitoring solution
Grafana https://grafana.com/
The open platform for beautiful analytics and monitoring
69. To Be Continued …
- Docker internals
cgroups
Limiting the resources that can be used by a process
namespaces
Isolating filesystem resources
unionFS
Resource management / implicit sharing
70. To Be Continued …
- Docker Security
The Docker Bench Security is a script that checks for dozens of common best-practices around deploying Docker containers in production
Docker Security Scanning
Flatten a Docker container
It is only possible to "flatten" a Docker container, not an image, so we need to start a container from an image first. Then we can export and import the container in one line:
docker export <CONTAINER ID> | docker import - some-image-name:latest
Volumes
Volumes not being used by any container (dangling):
docker volume ls -f dangling=true
docker volume prune
Mount the volumes of another container:
docker run --volumes-from <containerId> ...
Removing:
docker rm -v <containerId>
docker volume rm <volumeName>
docker volume inspect <volumeName>
Creating and mounting a named volume:
docker volume create myVolume
docker run -dit --name alpine1 -v myVolume:/volume alpine
Networks
docker network create my-network
docker network ls
docker network inspect mysql_default
docker network prune
docker container run … --network my-network
https://docs.docker.com/network/
Attaching a container to a bridge network means that containers on the same network can ping each other, while containers on other networks cannot.
Attaching a container to the none network means the container has only the loopback interface.
Attaching a container to the host network means it shares the host's ports and IP addresses.
https://docs.docker.com/network/bridge/
FROM <image>:<tag>
MAINTAINER
WORKDIR
ADD <source path or URL> <destination path> (copy the files from the source into the container)
COPY <source path> <destination path> (copy new files or directories)
As you can see, the functionality of COPY is almost the same as the ADD instruction, with one
difference. COPY supports only the basic copying of local files into the container. On the
other hand, ADD gives some more features, such as archive extraction, downloading files
through URL, and so on. Docker's best practices say that you should prefer COPY if you do
not need those additional features of ADD. The Dockerfile will be cleaner and easier to
understand thanks to the transparency of the COPY command.
RUN
CMD command parameter1 ... parameterN
ENTRYPOINT
EXPOSE
VOLUME
LABEL
ENV
USER
ARG
ONBUILD
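The caching slide and the COPY-versus-ADD guidance above are easy to check mechanically. The script below is an added example, not part of the slides and not Docker's own tooling: a small POSIX shell checker that reads a Dockerfile and flags an unpinned base image, a COPY of the whole build context placed before the package-install step (which busts the cache on every source change), ADD used where COPY would do, and a missing USER instruction. The two sample Dockerfiles are constructed inline; the URL, paths and image tags in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides, not Docker's tooling): a tiny
# Dockerfile checker for the pitfalls discussed on the slides.

# Constructed sample input: the cache-unfriendly ordering from the caching
# slide plus an ADD-from-URL line (URL and paths are placeholders).
BAD_DOCKERFILE=$(mktemp)
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM ubuntu:latest
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk
ADD http://resource/files/html.tar.gz /usr/share/nginx/
CMD ["java", "-jar", "/app/target/app.jar"]
EOF

# Constructed "fixed" version: pinned tag, dependencies installed before the
# sources are copied in, COPY instead of ADD, and an unprivileged USER.
GOOD_DOCKERFILE=$(mktemp)
cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM ubuntu:18.04
RUN apt-get update && apt-get -y install openjdk-8-jdk
COPY build/html.tar.gz /tmp/
COPY . /app
USER nobody
CMD ["java", "-jar", "/app/target/app.jar"]
EOF
trap 'rm -f "$BAD_DOCKERFILE" "$GOOD_DOCKERFILE"' EXIT

# lint_dockerfile FILE
# Prints one finding per line, prefixed with the Dockerfile line number.
lint_dockerfile() {
  file=$1
  lineno=0
  context_copied=0   # becomes 1 once "COPY . ..." / "ADD . ..." has been seen
  has_user=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    instr=${line%% *}   # first word: the instruction
    args=${line#* }     # the rest of the line
    case "$instr" in
      FROM)
        case "$args" in
          scratch|scratch\ *|*@sha256:*) ;;   # scratch or digest-pinned: fine
          *:latest|*:latest\ *)
            echo "L$lineno: base image uses :latest; pin a version tag or a digest" ;;
          *:*) ;;                             # has an explicit tag
          *)
            echo "L$lineno: base image has no tag; pin a version tag or a digest" ;;
        esac ;;
      COPY|ADD)
        case "$args" in
          .\ *|./\ *) context_copied=1 ;;     # whole build context copied in
        esac
        if [ "$instr" = ADD ]; then
          case "$args" in
            http://*|https://*|*.tar\ *|*.tar.gz\ *|*.tgz\ *)
              echo "L$lineno: ADD fetches URLs and auto-extracts archives; use COPY unless that is intended" ;;
            *)
              echo "L$lineno: ADD used for a plain copy; COPY is clearer" ;;
          esac
        fi ;;
      RUN)
        case "$args" in
          *apt-get\ *install*|*apk\ add*|*yum\ install*|*pip\ install*|*npm\ install*)
            if [ "$context_copied" -eq 1 ]; then
              echo "L$lineno: package install after COPY of the whole context; any source change rebuilds this layer (move the COPY below it)"
            fi ;;
        esac ;;
      USER) has_user=1 ;;
    esac
  done < "$file"
  if [ "$has_user" -eq 0 ]; then
    echo "Lend: no USER instruction; the container process runs as root by default"
  fi
}

# count_findings FILE -> number of findings (0 for a clean Dockerfile)
count_findings() {
  lint_dockerfile "$1" | grep -c '^L' || true
}

echo "== findings for the cache-unfriendly Dockerfile =="
lint_dockerfile "$BAD_DOCKERFILE"
echo "== findings for the fixed Dockerfile: $(count_findings "$GOOD_DOCKERFILE") =="
```

Run it against any real Dockerfile with `lint_dockerfile path/to/Dockerfile`; the checks are deliberately simple pattern matches, so treat a finding as a prompt to look at the line rather than as a verdict.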
Let's summarize what we have learned about the differences and their cooperation:
A Dockerfile should specify at least one CMD or ENTRYPOINT instruction
Only the last CMD and ENTRYPOINT in a Dockerfile will be used
ENTRYPOINT should be defined when using the container as an executable
You should use the CMD instruction as a way of defining default arguments for
the command defined as ENTRYPOINT or for executing an ad-hoc command in a
container
CMD will be overridden when running the container with alternative arguments
ENTRYPOINT sets the concrete default application that is used every time a
container is created using the image
If you couple ENTRYPOINT with CMD, you can remove an executable from CMD
and just leave its arguments which will be passed to ENTRYPOINT
The best use for ENTRYPOINT is to set the image's main command, allowing that
image to be run as though it was that command (and then use CMD as the default
flags)
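The rules in this summary can be reproduced in a few lines, which makes it easier to predict what a given `docker run` line will actually start. The script below is an added example, not Docker's code and not from the slides: it takes the last ENTRYPOINT and CMD of a Dockerfile (earlier ones are ignored, as the summary says), combines them with any run-time arguments, and prints the resulting command line. The sample Dockerfile, its image name and its paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Docker's code): how the last ENTRYPOINT and CMD of a
# Dockerfile combine with the arguments given on the `docker run` line.

# effective_command ENTRYPOINT CMD [RUN_ARGS...]
# ENTRYPOINT and CMD are the exec-form tokens joined by spaces; "" means the
# instruction is absent. Prints the command line the container will run.
effective_command() {
  entrypoint=$1
  cmd=$2
  shift 2
  if [ $# -gt 0 ]; then
    rest=$*        # arguments on the docker run line replace CMD entirely
  else
    rest=$cmd      # otherwise CMD supplies the default arguments
  fi
  if [ -n "$entrypoint" ]; then
    # with an ENTRYPOINT, run arguments are appended to it, never replace it
    printf '%s\n' "${entrypoint}${rest:+ $rest}"
  elif [ -n "$rest" ]; then
    printf '%s\n' "$rest"
  else
    echo "error: neither ENTRYPOINT nor CMD is set; nothing to run" >&2
    return 1
  fi
}

# last_instruction FILE INSTRUCTION
# Arguments of the last INSTRUCTION line in FILE (only the last one counts),
# with an exec-form JSON array flattened to space-separated tokens.
last_instruction() {
  grep "^$2 " "$1" | tail -n 1 \
    | sed "s/^$2 //; s/^\[//; s/]\$//; s/\", *\"/ /g; s/\"//g"
}

# resolve_dockerfile FILE [RUN_ARGS...]
# Prints the command line `docker run <image> [RUN_ARGS...]` would start.
resolve_dockerfile() {
  file=$1
  shift
  ep=$(last_instruction "$file" ENTRYPOINT)
  default_args=$(last_instruction "$file" CMD)
  effective_command "$ep" "$default_args" "$@"
}

# Constructed sample Dockerfile: an earlier CMD that is superseded, then an
# ENTRYPOINT with CMD supplying the default flags (image and paths are placeholders).
APP_DOCKERFILE=$(mktemp)
cat > "$APP_DOCKERFILE" <<'EOF'
FROM openjdk:8-jre
COPY target/app.jar /app.jar
CMD ["echo", "this CMD is superseded by the later one"]
ENTRYPOINT ["java", "-jar", "/app.jar"]
CMD ["--port", "8080"]
EOF
trap 'rm -f "$APP_DOCKERFILE"' EXIT

echo "docker run img             -> $(resolve_dockerfile "$APP_DOCKERFILE")"
echo "docker run img --port 9090 -> $(resolve_dockerfile "$APP_DOCKERFILE" --port 9090)"
echo "docker run img sh          -> $(resolve_dockerfile "$APP_DOCKERFILE" sh)"
```

The last line shows the pitfall the summary hints at: with an ENTRYPOINT set, `docker run img sh` does not give you a shell, it runs `java -jar /app.jar sh`, because run-time arguments replace CMD but are appended to ENTRYPOINT.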