1 of 241

Introduction to Containers

or: How I Learned to Stop Worrying and Love the Whale

CC-BY 4.0

2 of 241

$ whoami

Bob Killen

Research \

Cloud Administrator

rkillen@umich.edu

@mrbobbytables

Jeff Sica

Research \

Database Administrator

jsica@umich.edu

@jeefy

3 of 241

Before we Begin

Install Docker / Docker Compose

<distro> = centos, debian, fedora, ubuntu

4 of 241

What is a Container? (the 30,000ft version)

A means to easily isolate, package, deliver, and deploy code.

A “Shipping Container” for your code.

5 of 241

What a Container is Not

  • A VM*
    • Containers are not a VM. Docker is not a hypervisor.
  • Persistent
    • Containers are ephemeral in nature.
  • Secure by Default
    • A container is not a security panacea.
    • They DO have the capability of being more secure, but effort is required.

* Some “Sandbox” containerizers spin up a container within a VM for each container.

6 of 241

Why Are Containers Becoming a Thing?

  • Workloads are becoming multi-tier and more complex.
  • Application(s) and their associated infrastructure are more dynamic. Application infrastructure now must react to changes and events.
  • Developers can work locally and push globally.
  • Facilitates a “microservice” architecture.

7 of 241

Why Are Containers Becoming a Thing?

  • Reproducible
  • Portable
  • Easy to “plug-in” and link components

8 of 241

Why are containers important for [role]?

9 of 241

Containerization Concepts

Old Method

  • “Monolithic” design
  • Long development cycles
  • Difficult to manage multiple environments
  • Slow to scale and adapt

New Method

  • Decoupled by design
  • Short, iterative development cycles
  • Quick to provision new environments.
  • Easy to scale out and adapt

10 of 241

Containerization Concepts

Old Methodologies

  • Mutable systems
  • Managed via configuration management tools
  • Imperative configuration
  • Static networking

New Methodologies

  • Immutable artifacts
  • Orchestrated by a system
  • Declarative configuration
  • Dynamic networking
  • Encourages decoupled “micro” services

11 of 241

"I like putting apps into containers because then I can pretend they're not my problem."

@sadoperator

Image Source: Hyundai

12 of 241

What is a Container...Really?

A process

(with some additional properties)

15 of 241

What is a Container...Really?

  • Isolated
    • Kernel handles application process namespace separation.
  • Fast
    • Containers boot in milliseconds.
  • Immutable
    • Container images bundle an application, its dependencies, and other run-time requirements into an immutable, redistributable image.
    • Small compared to full fledged VM.

16 of 241

What is a Container (The Technical Version)?

  • Cgroups (Control groups)
    • Feature of the Linux Kernel.
    • Manages groups of processes and their resources.
  • Namespaces
    • Restricts a process to certain aspects of the host.
  • Filesystem (image)
    • Hierarchical layered filesystem.
    • Tar file(s) used for distribution.

Linux Namespaces

Process ID Number (PID)

Network (NET)

Interprocess Communication (IPC)

Unix Time-sharing System (UTS)

User

Mount (MNT)

17 of 241

A Brief History

1982

  • Unix/BSD chroot

2000

  • BSD Jails

2005

  • Solaris Zones

2008

  • Linux Containers (LXC)

2013

2014

  • rkt (CoreOS)

2015

18 of 241

Container “Components”

Container Runtime - Governing process that downloads and executes a container image.

Image - Immutable bundle containing an application and its runtime dependencies.

Container - Running instance of the image.

Image Source: docker.com

19 of 241

Container vs VM

Image Source: docker.com

20 of 241

What is Docker?

  • Docker is BOTH a Company (Docker Inc.) and a large Open Source project.
  • Available on multiple platforms and architectures.
  • The “Standard” when people think of container.

Image Source: docker.com

21 of 241

Container Lifecycle

(The Basics)

Image Source: bernswaelz

22 of 241

Running a Container

$ docker run alpine echo hello from alpine!

  • Starts a container based off the alpine image that runs the command: echo hello from alpine!

23 of 241

Running a Container

$ docker run alpine echo hello from alpine!

Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
cd784148e348: Pull complete
Digest: sha256:46e71df1e5191ab8b8034c5189e325258ec44ea739bba1e5645cff83c9048ff1
Status: Downloaded newer image for alpine:latest
hello from alpine!

$

  • Unable to find image - Image is not found locally.
  • Pulling from library/alpine - Pulls image from remote source.
  • Digest: sha256:... - Image is verified.
  • hello from alpine! - Instance of image is run executing command: echo hello from alpine!

29 of 241

What Happened?

$ docker images

  • Lists locally cached container images.

30 of 241

What Happened?

$ docker images

REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
alpine       latest   3f53bb00af94   13 days ago   4.41MB

Image was pulled and stored locally.

(we’ll explore this more later)

32 of 241

What Happened?

$ docker ps -a

  • Similar to the Linux ps (process status) command.
  • Lists all (-a | --all) started and stopped container instances.
  • -q - Displays only the container IDs.

33 of 241

What Happened?

$ docker ps -a

CONTAINER ID   IMAGE    COMMAND                  CREATED         STATUS                     PORTS   NAMES
ebf7c76e62f9   alpine   "echo hello from alp…"   2 minutes ago   Exited (0) 2 minutes ago           confident_stallman

  • CONTAINER ID - Container given unique ID
  • CREATED - Time since it was started
  • STATUS - Container status
  • NAMES - Unique random name

38 of 241

What Happened?

$ docker ps -a -q

ebf7c76e62f9

$

39 of 241

Running an Interactive Container

$ docker run -i -t alpine /bin/sh

  • Runs a container based off the alpine image in interactive mode (-i), attaches a pseudo-tty (-t) and launches the shell: /bin/sh

40 of 241

Running an Interactive Container

$ docker run -i -t alpine /bin/sh

/ # hostname
02816f632397
/ # whoami
root
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.8.2
PRETTY_NAME="Alpine Linux v3.8"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
/ #

  • / # - Shell inside container
  • hostname - Container ID is used as hostname
  • whoami - Different user inside container
  • cat /etc/os-release - Independent OS from host

49 of 241

What Happened?

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

alpine latest 3f53bb00af94 13 days ago 4.41MB

No new images pulled.

51 of 241

What Happened?

$ docker ps -a

CONTAINER ID   IMAGE    COMMAND                  CREATED          STATUS                    PORTS   NAMES
02816f632397   alpine   "/bin/sh"                27 minutes ago   Exited (0) 1 second ago           ecstatic_mendeleev
ebf7c76e62f9   alpine   "echo hello from alp…"   2 days ago       Exited (0) 2 days ago             confident_stallman

  • CONTAINER ID - Container given unique ID
  • NAMES - Unique random name

54 of 241

Daemonizing a Container

$ docker run -d -p 80:80 nginx:stable-alpine

  • Runs a container based off the nginx:stable-alpine image in daemon mode (-d) and maps port (-p) 80 of the container to port 80 on the host.
  • -p syntax: [bind ip|0.0.0.0]:<host port>:<container port>
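The -p syntax above has a consequence the slide's `-p 80:80` example hides: when the bind address is left out, Docker uses 0.0.0.0, so the port is published on every host interface, not just localhost. As an added example that is not part of the original slides, the POSIX sh helpers below report the bind address Docker would actually use for a spec and rewrite a bare spec into a loopback-only one; the 127.0.0.1 default, the function names and the IPv4-only assumption are this example's own.

```shell
#!/bin/sh
# Added example: helpers for the "docker run -p" publish spec
#   [bind ip]:<host port>:<container port>[/<tcp|udp>]
# Assumptions (not from the slides): IPv4 bind addresses only, and
# "loopback unless stated otherwise" is the policy these helpers enforce.

# Print the bind address Docker itself will use for SPEC.
# Docker only binds to a specific address when all three fields are present;
# a missing or empty bind field means 0.0.0.0 (all interfaces).
docker_bind_ip() {
    spec=${1%/*}                      # drop an optional /proto suffix
    case "$spec" in
        *:*:*)
            bind=${spec%%:*}
            if [ -n "$bind" ]; then printf '%s\n' "$bind"; else printf '0.0.0.0\n'; fi ;;
        *)  printf '0.0.0.0\n' ;;
    esac
}

# Succeed (exit 0) when SPEC would publish the port on every host interface.
publishes_on_all_interfaces() {
    [ "$(docker_bind_ip "$1")" = "0.0.0.0" ]
}

# Rewrite SPEC into the fully explicit form bind:host:container/proto,
# filling in 127.0.0.1 when the caller gave no bind address.
normalize_publish() {
    spec=$1
    proto=${spec##*/}                 # text after the last '/', or the whole spec
    if [ "$proto" = "$spec" ]; then
        proto=tcp                     # Docker's default protocol
    else
        spec=${spec%/*}
    fi
    case "$spec" in
        *:*:*) bind=${spec%%:*}; rest=${spec#*:}
               host=${rest%%:*}; cont=${rest#*:} ;;
        *:*)   bind=""; host=${spec%%:*}; cont=${spec#*:} ;;
        *)     bind=""; host="";        cont=$spec ;;   # "-p 80": random host port
    esac
    [ -n "$bind" ] || bind=127.0.0.1
    printf '%s:%s:%s/%s\n' "$bind" "$host" "$cont" "$proto"
}

# Build the command line for a loopback-only daemonized run, e.g.
#   run_local nginx:stable-alpine 80:80
#   -> docker run -d -p 127.0.0.1:80:80/tcp nginx:stable-alpine
# Printed rather than executed so the block runs without a Docker daemon.
run_local() {
    image=$1; shift
    args="docker run -d"
    for spec in "$@"; do
        args="$args -p $(normalize_publish "$spec")"
    done
    printf '%s %s\n' "$args" "$image"
}
```

Ports published by Docker are inserted directly into the host's iptables rules, so a host firewall front-end such as ufw does not block them; binding to 127.0.0.1 (or a specific internal interface address) is the reliable way to keep a test container off the network.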

55 of 241

Daemonized Container is Running

In browser visit:

http://localhost

56 of 241

Daemonizing a Container

$ docker run -d -p 80:80 nginx:stable-alpine

Unable to find image 'nginx:stable-alpine' locally
stable-alpine: Pulling from library/nginx
cd784148e348: Already exists
12b08f7ef616: Pull complete
65071a4e699c: Pull complete
9936647427be: Pull complete
Digest: sha256:e3f77f7f4a6bb5e7820e013fa60b96602b34f5704e796cfd94b561ae73adcf96
Status: Downloaded newer image for nginx:stable-alpine
75a606c744eb2ac6c73067b8c2a861fef66cd4d03dbf29f7db8b7a6700568211

$

  • Unable to find image - Image is not found locally.
  • Pull complete / Already exists - Pulls needed image layers (cd784148e348 is already present from the alpine image pulled earlier).
  • Digest: sha256:... - Image is verified.
  • 75a606c744eb... - Instance of image is started in background with Container ID: 75a606c744eb

62 of 241

What Happened?

$ docker images

REPOSITORY   TAG             IMAGE ID       CREATED       SIZE
nginx        stable-alpine   c5b6f731fbc0   2 weeks ago   17.7MB
alpine       latest          3f53bb00af94   2 weeks ago   4.41MB

New image nginx:stable-alpine was pulled and cached.

64 of 241

What Happened?

$ docker ps

CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS             PORTS                NAMES
75a606c744eb   nginx:stable-alpine   "nginx -g 'daemon of…"   About an hour ago   Up About an hour   0.0.0.0:80->80/tcp   loving_lederberg

  • CONTAINER ID - Container given unique ID
  • COMMAND - Default command executed
  • STATUS - Container status
  • PORTS - Port mapping
  • NAMES - Unique random name

70 of 241

What Happened?

$ docker ps -a

CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS                   PORTS                NAMES
75a606c744eb   nginx:stable-alpine   "nginx -g 'daemon of…"   About an hour ago   Up About an hour         0.0.0.0:80->80/tcp   loving_lederberg
02816f632397   alpine                "/bin/sh"                5 hours ago         Exited (0) 4 hours ago                        ecstatic_mendeleev
ebf7c76e62f9   alpine                "echo hello from alp…"   3 days ago          Exited (0) 3 days ago                         confident_stallman

71 of 241

Stopping a Container

$ docker stop <container name | container ID>

  • Stops a running container.
  • Does not delete the container.

72 of 241

Stopping a Container

$ docker ps

CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS             PORTS                NAMES
75a606c744eb   nginx:stable-alpine   "nginx -g 'daemon of…"   About an hour ago   Up About an hour   0.0.0.0:80->80/tcp   loving_lederberg

73 of 241

Stopping a Container

$ docker stop loving_lederberg

74 of 241

Stopping a Container

$ docker stop loving_lederberg

loving_lederberg

$

75 of 241

Stopping a Container

$ docker ps

CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS                     PORTS                NAMES
75a606c744eb   nginx:stable-alpine   "nginx -g 'daemon of…"   About an hour ago   Exited (0) 1 minutes ago   0.0.0.0:80->80/tcp   loving_lederberg

76 of 241

Starting a Container

$ docker start <container name | container ID>

  • Starts a stopped or exited container.

77 of 241

Starting a Container

$ docker start loving_lederberg

loving_lederberg

$

78 of 241

Starting a Container

$ docker ps

CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS          PORTS                NAMES
75a606c744eb   nginx:stable-alpine   "nginx -g 'daemon of…"   About an hour ago   Up 24 seconds   0.0.0.0:80->80/tcp   loving_lederberg

79 of 241

Viewing Container Logs

$ docker logs <container name | container ID>

  • Views the stdout and stderr of the specified container.
  • -f - follow logs. Similar to: tail -f <file>
  • --tail <num> - view the last <num> lines. Similar to: tail -n <num>

80 of 241

Container Logs

$ docker logs loving_lederberg

81 of 241

Container Logs

$ docker logs loving_lederberg

172.17.0.1 - - [09/Jan/2019:14:27:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"

172.17.0.1 - - [09/Jan/2019:14:27:05 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"

$

82 of 241

Cleaning Up

Image Source: Nuke HD by dudex

83 of 241

Deleting containers

$ docker rm <container name | container ID>

  • Deletes the stopped container.
  • -f - force stops (SIGKILL) then deletes the container.

84 of 241

Deleting containers

$ docker rm $(docker ps -a -q)

  • Deletes all stopped containers.

85 of 241

Summary - Container Lifecycle

  • Containers at their root are a process.
  • Containers are an ephemeral instance of image.
  • They are lightweight and quick to start, stop or remove.
  • A container can be “daemonized” to run in the background.
  • Their logs store stdout and stderr.

86 of 241

Command Reference

Container Lifecycle

docker run <image> <optional command> - Spawns and runs an instance of the Docker image

docker run -i -t <image> <optional command> - Spawns an interactive instance of the Docker image

docker run -d <image> <optional command> - Spawns a daemonized instance of the Docker image

docker start <container name | container ID> - Starts a stopped container

docker stop <container name | container ID> - Stops a running container

docker rm <container name | container ID> - Deletes a stopped container

docker container prune - Deletes all stopped containers

87 of 241

Command Reference

Container Status

docker ps - Displays status for all running containers.

docker ps -a - Displays status of all containers.

docker ps -a -q - Displays only the container IDs.

Container Images

docker images - Displays locally cached container images.

Container logs

docker logs <container name | container ID> - Displays the stdout and stderr of the specified container.

88 of 241

Images

89 of 241

What is a Container Image?

  • A container is an instance of an Image.
  • An Image is a read-only filesystem for a Container.
  • The filesystem is made of layers that represent logical changes from the previous layer.

91 of 241

What is a Container Image?

  • Each layer is hashed giving it a unique ID.
  • Images are “Deduped”.
    • Layers are shared among all Images and can be deduped.

92 of 241

Layer Hierarchy

Figure: the layer IDs of three images, read as one column of four per image in the order listed. The bottom layer 59b059d445c1 is shared by all three images and 0246bb21855f by the first two; this sharing is what the “deduped” bullet above refers to.

myhadoop:latest   7bff100f35cb   42acf078bf60   0246bb21855f   59b059d445c1
myspark:latest    f1969daa376c   8d54164793e0   0246bb21855f   59b059d445c1
mynode:latest     c6d52c0daf49   8bc7877153ca   d4fb3d7df954   59b059d445c1

96 of 241

What Happens When a Container is Run

  • A Read/Write Layer is added.
  • Uses Copy-on-Write: underlying layers are not impacted.

How do you build those layers...

98 of 241

Dockerfile

  • A list of instructions of how to assemble an image.
  • Each instruction* generates a layer.
  • Built with docker build command.

FROM ubuntu:18.04

RUN apt-get update

RUN apt-get -y install nginx

COPY website /var/www

EXPOSE 80 443

CMD ["nginx", "-g", "daemon off;"]

99 of 241

Dockerfile Instruction: FROM

FROM <image name>

  • Specifies which image should be used as its base image.
  • Dockerfiles MUST begin with a FROM statement.

FROM ubuntu:18.04

RUN apt-get update

RUN apt-get -y install nginx

COPY website /var/www

...

100 of 241

Dockerfile Instruction: RUN

RUN <command>

  • Executes commands within the container.

FROM ubuntu:18.04

RUN apt-get update

RUN apt-get -y install nginx

COPY website /var/www

...

101 of 241

Dockerfile Instruction: RUN

RUN <command>

  • Multiple commands can be chained together using && and \
  • These commands will be a part of the same layer.
  • Layers should act as a logical grouping of commands.

FROM ubuntu:18.04

RUN apt-get update \
    && apt-get -y install nginx

COPY website /var/www

...

102 of 241

Dockerfile Instruction: COPY

COPY <source host path> <dest container path>

  • Copies files and directories from a relative location on the host to the destination within the container image.

...

COPY website /var/www

EXPOSE 80 443

CMD ["nginx", "-g", "daemon off;"]

103 of 241

Dockerfile Instruction: EXPOSE

EXPOSE <ports>

  • Informs Docker that the specified ports should be exposed outside the container.
  • Protocol can be specified in the form of: <port>/<udp|tcp> e.g. 53/udp or 80/tcp

...

COPY website /var/www

EXPOSE 80 443

CMD ["nginx", "-g", "daemon off;"]

104 of 241

Dockerfile Instruction: CMD

CMD <command>

  • Provides default command to be run by the container.
  • Easily overridden.

...

EXPOSE 80 443

CMD ["nginx", "-g", "daemon off;"]

105 of 241

Dockerfile Instruction: ENTRYPOINT

ENTRYPOINT <command>

  • Provides default executable for the container.
  • CMD becomes the arguments passed to the the executable specified by the entrypoint.

...

EXPOSE 80 443

ENTRYPOINT ["nginx"]

CMD ["-g", "daemon off;"]

106 of 241

Dockerfile Instruction: ENV

ENV <key>=<value>

  • Sets environment variables within the container.

...

ENV ENVIRONMENT=prod

EXPOSE 80 443

...

107 of 241

Dockerfile Instruction: ENV

ENV <key>=<value>

  • Sets environment variables within the container.
  • Can add multiple environment variables at the same time with \

...

ENV ENVIRONMENT=prod \
    NGINX_VERSION=1.14.0

EXPOSE 80 443

...

108 of 241

Other Useful Dockerfile Instructions

ADD - Similar to COPY, but can also fetch remote resources.

ARG - Pass arguments used during the image build.

LABEL - Add additional metadata to the image.

ONBUILD - Instruction that will be executed when the image is used as a base for another image.

SHELL - Override the default shell.

USER - Change the User and Group that the container executes as.

VOLUME - Flags a directory within the image that should be persisted when a container is started.

WORKDIR - Define the working directory.
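The USER instruction above is the one that changes what the earlier whoami step showed: without it, the process inside the container runs as root. As an added example that is not from the original slides, the POSIX sh linter below reads a Dockerfile and reports three things a reviewer would flag: no USER instruction, a FROM that is untagged or uses :latest instead of a tag or digest, and ADD where COPY would do. The finding names, the function names and the constructed sample Dockerfiles (including the all-zero placeholder digest) are this example's own.

```shell
#!/bin/sh
# Added example: a minimal Dockerfile linter for the instructions discussed
# on these slides. Finding names (no-USER, FROM-untagged, FROM-latest,
# ADD-used) are this example's own convention, not Docker's.

# Print space-separated findings for the Dockerfile at $1 (empty if clean).
lint_dockerfile() {
    findings=""
    has_user=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
        if [ -z "$line" ]; then continue; fi
        instr=${line%%[[:space:]]*}                     # first word
        rest=${line#"$instr"}
        rest=${rest#"${rest%%[![:space:]]*}"}
        arg=${rest%%[[:space:]]*}                       # first argument
        instr=$(printf '%s' "$instr" | tr '[:lower:]' '[:upper:]')
        case "$instr" in
            '#'*) continue ;;                           # comment line
            FROM)
                name=${arg##*/}                         # strip registry/namespace
                case "$arg" in
                    *@sha256:*) ;;                      # pinned by digest: best
                    *) case "$name" in
                           *:latest) findings="$findings FROM-latest" ;;
                           *:*)      ;;                 # explicit tag
                           *)        findings="$findings FROM-untagged" ;;
                       esac ;;
                esac ;;
            USER) has_user=1 ;;
            ADD)  findings="$findings ADD-used" ;;      # prefer COPY for local files
        esac
    done < "$1"
    # A USER set by the base image is invisible here; only this file is checked.
    [ "$has_user" -eq 1 ] || findings="$findings no-USER"
    printf '%s\n' "${findings# }"
}

# Constructed samples, written to the path in $1, so the block runs offline.
# Sample 1 is the slides' own nginx Dockerfile.
write_slide_dockerfile() {
    cat > "$1" <<'EOF'
FROM ubuntu:18.04
RUN apt-get update
RUN apt-get -y install nginx
COPY website /var/www
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Sample 2: the same idea with all three weaknesses present.
write_weak_dockerfile() {
    cat > "$1" <<'EOF'
FROM nginx
ADD https://example.invalid/site.tar.gz /var/www/
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Sample 3: what a clean file looks like to the linter. The digest is an
# all-zero placeholder; nginx would also need its config changed to listen
# on an unprivileged port as a non-root user (not shown here).
write_hardened_dockerfile() {
    cat > "$1" <<'EOF'
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update \
    && apt-get -y install nginx
COPY website /var/www
USER www-data
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Lint one of the samples above: lint_sample write_weak_dockerfile
lint_sample() {
    tmp=$(mktemp)
    "$1" "$tmp"
    lint_dockerfile "$tmp"
    rm -f "$tmp"
}
```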

109 of 241

Building an Image

$ docker build -t <repository>:<tag> <path>

  • Builds image within context directory.
  • -t (--tag) ‘tags’ the image with an image name.
  • <repository>:<tag> is made up of 4 optional parts.
  • Directory supplied by <path> must have a Dockerfile in it.

110 of 241

Build Example

$ docker build -t mynginx .

Sending build context to Docker daemon 3.584kB

Step 1/6 : FROM ubuntu:18.04

---> 1d9c17228a9e

Step 2/6 : RUN apt-get update

---> Running in 0a8536502efb

Get:1 http://security.ubuntu.com/ubuntu bionic-security

...

Reading package lists...

Removing intermediate container 0a8536502efb

---> d23ca2e87023

Step 3/6 : RUN apt-get -y install nginx

---> Running in f877470644a8

Reading package lists...

...

Processing triggers for libc-bin (2.27-3ubuntu1) ...

Removing intermediate container f877470644a8

---> b6d51460362e

Step 4/6 : COPY website /var/www

---> 1830a2706de4

Step 5/6 : EXPOSE 80 443

---> Running in 31e60cf54092

Removing intermediate container 31e60cf54092

---> 4adc00a6e923

Step 6/6 : CMD ["nginx", "-g", "daemon off;"]

---> Running in f445e6f565ff

Removing intermediate container f445e6f565ff

---> a0cbc29fc92e

Successfully built a0cbc29fc92e

Successfully tagged mynginx:latest


111 of 241

Build Example

$ docker build -t mynginx .

Sending build context to Docker daemon 3.584kB
Step 1/6 : FROM ubuntu:18.04
---> 1d9c17228a9e
Step 2/6 : RUN apt-get update
---> Running in 0a8536502efb
Get:1 http://security.ubuntu.com/ubuntu bionic-security
...
Reading package lists...
Removing intermediate container 0a8536502efb
---> d23ca2e87023
Step 3/6 : RUN apt-get -y install nginx
---> Running in f877470644a8
Reading package lists...
...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Removing intermediate container f877470644a8
---> b6d51460362e

  • Sending build context - Directory is compressed (tar) and sent to the Docker daemon.
  • Step 1/6 : FROM - Downloads base image.
  • Running in <id> - Instruction (RUN) is executed in an intermediate container.
  • Removing intermediate container - Intermediate container is removed if the instruction completed successfully.
  • ---> <id> - Results “committed” to image.

116 of 241

Build Example

Step 4/6 : COPY website /var/www

---> 1830a2706de4

Step 5/6 : EXPOSE 80 443

---> Running in 31e60cf54092

Removing intermediate container 31e60cf54092

---> 4adc00a6e923

Step 6/6 : CMD ["nginx", "-g", "daemon off;"]

---> Running in f445e6f565ff

Removing intermediate container f445e6f565ff

---> a0cbc29fc92e

Successfully built a0cbc29fc92e

Successfully tagged mynginx:latest

continued

Image build completed successfully.

Image tagged.

118 of 241

Build Cache Example

$ docker build -t mynginx .

Sending build context to Docker daemon 3.584kB

Step 1/6 : FROM ubuntu:18.04

---> 1d9c17228a9e

Step 2/6 : RUN apt-get update

---> Using cache

---> d23ca2e87023

Step 3/6 : RUN apt-get -y install nginx

---> Using cache

---> b6d51460362e

Step 4/6 : COPY website /var/www

---> Using cache

---> 1830a2706de4

Step 5/6 : EXPOSE 80 443

---> Using cache

---> 4adc00a6e923

Step 6/6 : CMD ["nginx", "-g", "daemon off;"]

---> Using cache

---> a0cbc29fc92e

Successfully built a0cbc29fc92e

Successfully tagged mynginx:latest

Image cache used for subsequent builds.

120 of 241

Failed Builds

$ docker rmi mynginx

Untagged: mynginx:latest

Deleted: sha256:...

$ docker build -t mynginx .

Sending build context to Docker daemon 3.584kB

Step 1/6 : FROM ubuntu:18.04

---> 1d9c17228a9e

Step 2/6 : RUN apt-get update

---> Running in 0e1bfd467e44

Removing intermediate container 0e1bfd467e44

---> 10a25e9b38e3

Step 3/6 : RUN apt-get -y install nginx

---> Running in d3ad013c6afd

Removing intermediate container d3ad013c6afd

---> 939dccaf4632

Step 4/6 : COPY website /var/www

COPY failed: stat /var/lib/docker/tmp/docker-builder918141210/website: no such file or directory

$

Renamed website directory.

Successful changes still committed to image.

122 of 241

Failed Builds

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

<none> <none> 939dccaf4632 13 minutes ago 171MB

ubuntu 18.04 1d9c17228a9e 2 weeks ago 86.7MB

nginx stable-alpine c5b6f731fbc0 3 weeks ago 17.7MB

alpine latest 3f53bb00af94 3 weeks ago 4.41MB

Intermediate image of successful build steps.

123 of 241

Image Names and Tags

  • Images themselves don’t have a name. They have the image ID (hash).
  • Images can have multiple tags.
  • Image names/tags are additive descriptors that are applied to images to make them easier to work with.

124 of 241

Image Names and Tags

<registry>/<namespace>/<image name>:<tag>

<registry>

  • Remote place to store the image.
  • Defaults to Docker Hub (docker.io).

<namespace>

  • Scope or location of the image in the registry (group, username, org, etc.).

<image name>

  • Friendly name for container image.

<tag>

  • Additional identifier.
  • Often maps to the application version packaged in the image.

125 of 241

Image Names and Tags Examples

  • nginx:stable-alpine
  • arcts/keepalived:1.2.2
  • quay.io/weaveworks/flux
  • localhost:8080/test/myfirstimage:latest
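The breakdown on the previous slide, applied to the examples above, as an added worked example (this is not code from the deck). It is a small Python parser that fills in Docker's defaults (docker.io, library, latest) and encodes the rule Docker uses to tell a registry from a namespace: the first path component is a registry host only if it contains a "." or ":" or is exactly localhost, which is why arcts/keepalived resolves to Docker Hub while localhost:8080/test/myfirstimage does not. It also recognizes the @sha256 digest form that appears later in the deck's rmi and pull output and reports whether a reference is pinned to immutable content.

```python
"""Parse image references as <registry>/<namespace>/<image name>:<tag>[@digest]
with Docker's defaults filled in. Added example, not part of the slides."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"   # defaults to Docker Hub
DEFAULT_NAMESPACE = "library"    # Docker Hub namespace for official images
DEFAULT_TAG = "latest"           # pulls default to latest when no tag is given


@dataclass(frozen=True)
class ImageRef:
    registry: str
    namespace: str          # empty for a non-Hub registry with no namespace
    name: str
    tag: Optional[str]      # None when only a digest was given
    digest: Optional[str]   # "sha256:..." when the reference is pinned

    def canonical(self) -> str:
        """Fully qualified form with every default spelled out."""
        path = "/".join(p for p in (self.registry, self.namespace, self.name) if p)
        if self.tag:
            path += ":" + self.tag
        if self.digest:
            path += "@" + self.digest
        return path

    @property
    def pinned(self) -> bool:
        """Only a digest is immutable; a tag can later be moved to different content."""
        return self.digest is not None


def _is_registry(component: str) -> bool:
    # Docker's rule: the first path component is a registry host only if it
    # contains '.' or ':' or is exactly "localhost"; otherwise it is a namespace.
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)

    parts = ref.split("/")
    registry = parts.pop(0) if len(parts) > 1 and _is_registry(parts[0]) else DEFAULT_REGISTRY

    # A ':' in the last component is the tag separator; a registry port such as
    # localhost:8080 was already consumed as part of the registry above.
    last = parts.pop()
    name, sep, tag = last.partition(":")
    tag = tag if sep else None

    if parts:
        namespace = "/".join(parts)
    else:
        namespace = DEFAULT_NAMESPACE if registry == DEFAULT_REGISTRY else ""

    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, namespace, name, tag, digest)


if __name__ == "__main__":
    for example in ("nginx:stable-alpine", "arcts/keepalived:1.2.2",
                    "quay.io/weaveworks/flux", "localhost:8080/test/myfirstimage:latest"):
        print(f"{example:45} -> {parse_image_ref(example).canonical()}")
```

The pinned property is the point a practitioner cares about: mynginx:latest and ubuntu:18.04 both name whatever the tag currently points at, while ubuntu@sha256:... names exactly one image.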

126 of 241

Tagging an Image

$ docker tag <image name | image ID> <new image name>:<new tag>

  • Adds an additional tag to the image ID.

128 of 241

Tagging an Image

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

ubuntu 18.04 1d9c17228a9e 2 weeks ago 86.7MB

$

$ docker tag ubuntu:18.04 ubuntu:bionic

$

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

ubuntu 18.04 1d9c17228a9e 2 weeks ago 86.7MB

ubuntu bionic 1d9c17228a9e 2 weeks ago 86.7MB

Tagged image

Same image ID

129 of 241

Removing an Image

$ docker rmi <image name>:<tag>

  • Removes image from local cache.
  • ONLY removes layers not used by other images/containers.
  • If more than one tag points to the same image, ONLY removes the tag.

132 of 241

Removing an Image

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

ubuntu 18.04 1d9c17228a9e 2 weeks ago 86.7MB

ubuntu bionic 1d9c17228a9e 2 weeks ago 86.7MB

$ docker rmi ubuntu:bionic

Untagged: ubuntu:bionic

$ docker rmi ubuntu:18.04

Untagged: ubuntu@sha256:868fd30a0e47b8d8ac485df174795b5e2fe8a6c8f056cc707b232d65b8a1ab68

Deleted: sha256:1d9c17228a9e80a0a23927f24f3cf17d012cf0bb3eae5e3541a8c6987ab9bd5a

Deleted: sha256:3288cd6e6e7d42bcb4a74121b412c42a11f96da52685e42dbf9de6a747a55c6b

Deleted: sha256:b1636589630239bdb9153f95ac564bcd2afd9202aaf8511cbf5a9a37e03daf35

Deleted: sha256:043f492f40c539cfe7cee4cb8aae00ed1d5b19e864fbe6ea35ec92a2333bacc4

Deleted: sha256:2fb7bfc6145d0ad40334f1802707c2e2390bdcfc16ca636d9ed8a56c1101f5b9

$

Image untagged

Image deleted

133 of 241

Docker Hub + Docker Login

$ docker login <registry address>

  • Defaults to Docker Hub
    • Sign up: https://hub.docker.com/signup
  • Credentials stored in host keyring or ~/.docker/config
  • Can view image information at: https://hub.docker.com/u/<user|org>

$ docker login

Username: mrbobbytables

Password:

Login Succeeded

$

134 of 241

Pulling an Image

$ docker pull <image name>:<image tag>

  • Used to download image(s).
  • Does not require login unless image is private.
  • If no tag is specified, defaults to pulling latest.
  • docker run / docker build will pull the image automatically.

135 of 241

Pulling an Image

$ docker pull ubuntu:18.04

18.04: Pulling from library/ubuntu

84ed7d2f608f: Pull complete

be2bf1c4a48d: Pull complete

a5bdc6303093: Pull complete

e9055237d68d: Pull complete

Digest: sha256:868fd30a0e47b8d8ac485df174795b5e2fe8a6c8f056cc707b232d65b8a1ab68

Status: Downloaded newer image for ubuntu:18.04

136 of 241

Pushing an Image

$ docker push <image name>:<image tag>

  • If no registry in image name: defaults to Docker Hub
  • Only pushes layers not stored in it already.

139 of 241

Pushing an Image

$ docker tag mynginx mrbobbytables/mynginx

$ docker push mrbobbytables/mynginx

The push refers to repository [docker.io/mrbobbytables/mynginx]

e40e8eb7296d: Pushed

7efdc7f1001c: Pushed

8e26e7457281: Pushed

2c77720cf318: Mounted from ubuntu:18.04

1f6b6c7dc482: Mounted from ubuntu:18.04

c8dbbe73b68c: Mounted from ubuntu:18.04

2fb7bfc6145d: Mounted from ubuntu:18.04

latest: digest: sha256:c99b42b130c9e8cf17ce15f1c136047c3b99391a8caa40d60d78c022b0cb57ee size: 1781

Layers already present in Registry

Layers pushed

140 of 241

Summary - Images

  • Images are a read-only file system made up of layers.
  • Each layer exists on the file system once, deduping data both on disk and in transport.
  • Images are made by building (docker build) Dockerfiles.
  • Images are tagged with friendly names in addition to their image ID (hash).
  • They are distributed by pushing/pulling from a registry.

141 of 241

Command Reference

Container Images

docker images

Displays locally cached container images.

docker build -t <image name> <dockerfile path>

Builds an image.

docker rmi <image tag>

Untags and/or removes an image.

docker pull <image name>

Pulls an image from a registry.

docker push <image name>

Pushes an image to a registry.

Docker Hub (Image Registries)

docker login

Authenticates to a remote registry.

142 of 241

Dockerfile Instruction Reference

FROM

Specifies which image should be used as its base image.

RUN

Executes command(s) within the container.

COPY

Copies files and directories from a relative location on the host to the destination within the container image.

EXPOSE

Informs Docker that the specified ports should be exposed outside the container.

CMD

Provides default command to be run by the container.

ENTRYPOINT

Provides default executable for the container.

ENV

Sets environment variables within the container.

143 of 241

Dockerfile Instruction Reference

ADD

Similar to COPY, but can also fetch remote resources.

ARG

Passes arguments to be used during the image build.

LABEL

Adds additional metadata to the image.

ONBUILD

Instruction that will be executed when the image is used as a base for another image.

SHELL

Overrides the default shell.

USER

Changes the user and group that the container executes as.

VOLUME

Flags a directory within the image that should be persisted when a container is started.

WORKDIR

Defines the working directory.

144 of 241

Exercise:

Getting to Know Images

145 of 241

Networking

Image Source: pxhere

146 of 241

Container Networking Overview

  • Containers do not directly expose their services on the host’s network by default.
    • They must be explicitly published to be exposed externally.
  • Most services should NOT be directly exposed on the host’s network.
  • Containers can be attached to independent private networks.

147 of 241

Why Private Networks?

  • Multi-tier apps
  • Does a database need to be exposed publicly? Or just the web server that communicates with it?

148 of 241

Why Private Networks?

Application stacks can be isolated from each other and still be made externally available.

149 of 241

Multi-Host Network

Private Container Networks can span hosts when a “Swarm” cluster is created.

150 of 241

Container Network Model

  • Container Networks are functionally similar to a virtual switch backed by a driver (network type).
  • They have their own set of IP Address Management (IPAM) settings.
  • Each network has its own internal DNS server.

151 of 241

Container Network Drivers

(Note: this tutorial will only use the bridge network.)

bridge

A basic virtual switch bound to a single host (default)

host

Shares network namespace with host (no private network)

null

No network at all.

macvlan

A mock “physical” device with a MAC address attached to a specific adapter.

overlay

“Overlays” or encapsulates a virtual network on top of a regular network (vxlan)

152 of 241

Listing Networks

$ docker network ls

NETWORK ID NAME DRIVER SCOPE

6a840fc500f8 bridge bridge local

e9a8161ec260 host host local

e97466e77f45 none null local

Default Networks

153 of 241

Creating a Network

$ docker network create <network name>

  • Creates a bridge network on the host.
  • IPAM, driver, etc. are configurable at creation time only.
  • Networks are given a UUID, just like a container ID.

155 of 241

Creating a Network

$ docker network create mynetwork

2a1566734b671d2ddc550c77c08edea4c1efc56391ebbcf22526fbb0d6c80c19

$

$ docker network ls

NETWORK ID NAME DRIVER SCOPE

6a840fc500f8 bridge bridge local

e9a8161ec260 host host local

2a1566734b67 mynetwork bridge local

e97466e77f45 none null local

$

Network ID

Created Network

156 of 241

Using a Created Network

$ docker run -d --network <network name> ...

  • Container starts on specified network

157 of 241

Revisiting EXPOSE and Published Ports

  • Images “expose” ports that are assumed to be running services.
  • Exposed ports are accessible on the private container network.

EXPOSE <ports>

EXPOSE 80 443

STATUS PORTS

Up 3 seconds 80/tcp

158 of 241

Revisiting EXPOSE and Published Ports

  • Exposed ports are mapped externally when they are published (-p).
  • Can be exposed on explicit Host IPs. Default: 0.0.0.0

EXPOSE 80 443

STATUS PORTS

Up 3 seconds 0.0.0.0:80->80/tcp

$ docker run -d -p [ip]:<host port>:<container port>

docker run -d -p 80:80 ...

159 of 241

More on Published Ports

  • If no host port mapping is specified, a random port from the range 32768 to 61000 is used.
  • Changing port mappings is useful:
    • unprivileged service running on 8080 can be mapped to 80 on the host (-p 80:8080)
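The -p syntax from the previous two slides, as an added example that is not part of the deck: a Python parser for [ip]:<host port>:<container port>[/proto] specs plus a small review function that flags the two things the slides point out, a publish bound on every host interface (the 0.0.0.0 default) and a publish with no host port, where Docker picks one from the 32768 to 61000 range. The forms accepted ("80", "80:8080", "127.0.0.1:80:8080", an optional /udp suffix, a bracketed IPv6 host) are the ones the docker run reference documents; the ALL_INTERFACES and EPHEMERAL_RANGE constants come from the slides.

```python
"""Parse `docker run -p` publish specs and flag all-interface binds and random host ports.
Added example, not code from the slides."""
from dataclasses import dataclass
from typing import List, Optional

ALL_INTERFACES = "0.0.0.0"        # default host IP when none is given
EPHEMERAL_RANGE = (32768, 61000)  # range Docker draws from when no host port is given


@dataclass(frozen=True)
class PublishSpec:
    host_ip: str
    host_port: Optional[int]   # None: Docker assigns one from EPHEMERAL_RANGE
    container_port: int
    proto: str = "tcp"

    @property
    def all_interfaces(self) -> bool:
        return self.host_ip in (ALL_INTERFACES, "::")


def _port(value: str) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_publish(spec: str) -> PublishSpec:
    """Accepts "80", "80:8080", "127.0.0.1:80:8080", "127.0.0.1::80" (random host port),
    each optionally suffixed with /tcp or /udp; IPv6 hosts are bracketed ("[::1]:80:80")."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.rsplit(":", 2)   # split from the right so a bracketed IPv6 host stays whole
    if len(parts) == 1:
        return PublishSpec(ALL_INTERFACES, None, _port(parts[0]), proto)
    if len(parts) == 2:
        return PublishSpec(ALL_INTERFACES, _port(parts[0]), _port(parts[1]), proto)
    host_ip, host_port, container_port = parts
    return PublishSpec(host_ip.strip("[]"),
                       _port(host_port) if host_port else None,
                       _port(container_port), proto)


def review_publish(spec: str) -> List[str]:
    """Human-readable findings for one -p argument; an empty list means nothing to flag."""
    p = parse_publish(spec)
    findings = []
    if p.all_interfaces:
        findings.append(f"-p {spec}: published on all host interfaces ({p.host_ip}); "
                        "bind to a specific IP such as 127.0.0.1 unless external access is intended")
    if p.host_port is None:
        findings.append(f"-p {spec}: no host port given, Docker will pick one between "
                        f"{EPHEMERAL_RANGE[0]} and {EPHEMERAL_RANGE[1]}")
    return findings


if __name__ == "__main__":
    for spec in ("80:80", "8080", "127.0.0.1:80:8080", "80:8080/udp"):
        print(spec, "->", parse_publish(spec), review_publish(spec))
```

The slide's own example, -p 80:8080, parses cleanly and gets exactly one finding: the mapping itself is fine (the service inside stays unprivileged on 8080), but without an explicit IP it listens on every interface of the host.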

160 of 241

Container Identity

$ docker run -d --name <container name> --network ..

  • --name does two things:
    • Replaces the container generated name (e.g. sharp_dubinsky) with the given name.
    • Creates a DNS entry on the specified network with the container name.
      • Will NOT create a DNS entry if the Container is on the default network.

161 of 241

Using Networks and Named Containers

$ docker run -d --network mynetwork --name mynginx nginx:stable-alpine

fb256726d1b826fd87b8181f0faeef4b4757223466359f8ccc79f1a00e134ed2

$ docker run -it --network mynetwork nicolaka/netshoot /bin/bash

bash-4.4# curl mynginx

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

...

</body>

</html>

$

Using the container name, the service (nginx running on port 80) can be accessed from another container on the same network.

162 of 241

Summary - Networking

  • Containers can be attached to different private virtual networks.
  • Multiple network types are supported.
  • Exposed Container services are accessible on private networks without publishing them.
  • Using named containers on created private networks lets you access services in a consistent way without having to know the container’s IP (service discovery).

163 of 241

Command Reference

Container Networks

docker network ls

Lists Container networks.

docker network create <network name>

Creates a Container network.

docker network rm <network name>

Deletes a container network

Using Container Networks

docker run -d --network <network name>

Starts container on supplied network.

docker run -d --name <container name>

Assigns the container a friendly name and DNS name.

164 of 241

Exercise:

Exploring Container Networking

165 of 241

Storage

166 of 241

Storage Overview

  • Containers themselves are ephemeral.
  • Persistent Data must be managed separately from the container itself.
  • Files and Directories are stored “outside” the container and can be mounted to locations within the container.
    • Example: /home/bob/myawesomesite -> /var/www

167 of 241

Storage Overview

  • Persistent data volumes can also be mounted in a variety of ways with different sources such as NFS and tmpfs via “volume drivers”.
  • There are two primary means of working with persistent data:
    • Mounting at runtime
    • Using Docker Volumes

168 of 241

Using a Mount

$ docker run -d -v <host path>:<container path>:[ro|rw]

  • Creates a “bind mount” of the host path to a path within the container.
  • ro|rw - can optionally be used to specify the volume as read-only or read-write (default: read-write)


Bind Mount Example

$ echo -e "Hello there.\n General Kenobi!" > /tmp/www/index.html

$

$ docker run -d -v /tmp/www:/usr/share/nginx/html -p 80:80 nginx:stable-alpine

24103e7dac126cf2e4087252d3895f9598c01fba93668d64a983395d00740873

$

$ curl localhost

Hello There.

General Kenobi!

$

Mounts: /tmp/www -> /usr/share/nginx/html

Content stored on host served up from the container.


Bind Mount Example

$ docker stop 24103e && docker rm 24103e

24103e

24103e

$ docker run -d -v /tmp/www:/usr/share/nginx/html -p 80:80 nginx:stable-alpine

723d26858cd75a01d130f5720cf9cfdaacd9d0a8470df597db64cebe9e1b64dd

$

$ curl localhost

Hello There.

General Kenobi!

$

Content persisted across container deletions.

New container with same mount: /tmp/www -> /usr/share/nginx/html

Content not removed when container was removed

Stop and delete previous container.

174 of 241

Volumes

  • Volumes can be declared with the docker volume command, in the container image, or at run time.
    • docker volume can create and manage them independently.
    • Container image relies on the VOLUME directive.
    • They can be created at run time with --volume (-v)

175 of 241

Working with the volume command

$ docker volume <create|ls|inspect|rm>

  • Manages the lifecycle of volumes.
  • Volume driver default: local
    • stored under: /var/lib/docker/volumes

176 of 241

Working with Volumes: create

$ docker volume create myvol

myvol

$

Creates volume with default driver

177 of 241

Working with Volumes: ls

$ docker volume ls

DRIVER VOLUME NAME

local myvol

$

Lists all volumes

179 of 241

Working with Volumes: inspect

$ docker volume inspect myvol

[
    {
        "CreatedAt": "2019-01-25T15:34:22Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/myvol/_data",
        "Name": "myvol",
        "Options": {},
        "Scope": "local"
    }
]

Information regarding the volume

Created volumes using local driver are stored in /var/lib/docker/volumes

180 of 241

Working with Volumes: rm

$ docker volume rm myvol

myvol

$

$ docker volume ls

DRIVER VOLUME NAME

Deletes the volume

181 of 241

Using Volumes

$ docker run -d -v <volume name>:<container path> ...

  • Use -v (--volume) and pass the volume name as the “host path”

$ docker run -d -v myvol:/var/lib/mysql mysql ...

183 of 241

Using Volumes

$ docker volume ls

DRIVER VOLUME NAME

local myvol

$ docker run -d -v myvol:/var/lib/mysql mysql

4d732d66630f18c00186d1a29159f0dcb750ef6de300406fc5e269089404e36e

$ docker stop 4d732 && docker rm 4d732

4d732

4d732

$ docker volume ls

DRIVER VOLUME NAME

local myvol

Local volume attached to container.

Volume persists after container deleted.

184 of 241

Revisiting VOLUME Directive

  • Will automatically provision a volume when the container image is spun up.

VOLUME <path>

VOLUME /var/lib/mysql

$ docker run -d mysql

76bf01fc976643b5f224dde5bc3a6a150827d6e4d3024a05e5c38dfa0e20e594

$ docker volume ls

DRIVER VOLUME NAME

local abff9cbcc0f9df64f0efe004c90a5404a1ffb2c001fde1386ee8ba5e0776035f

185 of 241

Revisiting VOLUME Directive

$ docker rm 76bf0

76bf0

$ docker volume ls

DRIVER VOLUME NAME

local abff9cbcc0f9df64f0efe004c90a5404a1ffb2c001fde1386ee8ba5e0776035f

$

Removing the container does NOT delete the auto-created volume.

186 of 241

Summary

  • Mounts and Volumes provide a way to store persistent data outside of the ephemeral container.
  • Volumes can be backed by external storage systems such as NFS.
  • Volumes specified in an image (VOLUME) will automatically create a volume on the host.

187 of 241

Command Reference

Container Volumes

docker volume ls

Lists volumes.

docker volume create <volume name>

Creates a volume.

docker volume inspect <volume name>

Inspects a volume.

docker volume rm <volume name>

Removes a volume.

Using Volumes

docker run -d -v <host path>:<container path>

Mounts a host directory into a container.

docker run -d -v <volume name>:<container path>

Mounts a volume into a container.

188 of 241

Exercise:

Storage

189 of 241

Inspecting and Debugging

190 of 241

Inspecting and Debugging

  • Debugging ephemeral systems is...hard.
    • State is not preserved.
  • Docker provides some introspection mechanisms.
    • inspect
    • format
    • attach
    • exec

191 of 241

Inspect

docker <*|image|network|volume> inspect <id>

  • Returns detailed information about the Docker object.
  • Default output is json.
  • Can use filters to quickly get desired information.

193 of 241

Inspect: image

$ docker image inspect nginx:stable-alpine

[
    {
        "Id": "sha256:c5b6f731fbc07a20c352256b94891c178e687910dd3fd5318c7bb0b6f6962780",
        "RepoTags": [
            "nginx:stable-alpine"
        ],
        "RepoDigests": [
            "nginx@sha256:e3f77f7f4a6bb5e7820e013fa60b96602b34f5704e796cfd94b561ae73adcf96"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2018-12-21T01:22:30.534924761Z",
        ...

194 of 241

Inspect: network

$ docker network inspect mynetwork

[
    {
        "Name": "mynetwork",
        "Id": "07cc816ffe6e272364004c71355299ee283038cd0bca65bcda58eab0b87859d1",
        "Created": "2019-01-20T22:04:57.4853317Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            ...

195 of 241

Inspect: volume

$ docker volume inspect myvol

[
    {
        "CreatedAt": "2019-01-27T15:09:31Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/myvol/_data",
        "Name": "myvol",
        "Options": null,
        "Scope": "local"
    }
]

197 of 241

Inspect: container

$ docker inspect frosty_benz

[
    {
        "Id": "f0ab9306a8cbdc51d890213d895af20362df452a186bc9ac1e7518f73bccf040",
        "Created": "2019-01-27T19:19:44.9049437Z",
        "Path": "nginx",
        "Args": [
            "-g",
            "daemon off;"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            ...

LOTS of information!

198 of 241

Formatted Output

  • Can apply custom formatters to just about any output.
  • Uses golang templates.
  • Limited set of additional helper functions provided:
    • join
    • json
    • lower
    • split
    • title
    • upper
    • println

199 of 241

Formatted Output Examples

$ docker inspect frosty_benz --format="{{ .Config.Image }}"

nginx:stable-alpine

$

$ docker inspect frosty_benz --format="{{ .NetworkSettings.IPAddress }}"

172.17.0.2

$

$ docker image inspect nginx:stable-alpine --format="{{ .Created }}"

2018-12-21T01:22:30.534924761Z

$

$ docker network inspect mynetwork --format="{{ (index .IPAM.Config 0).Subnet }}"

172.20.0.0/16

200 of 241

Attaching to a Running Container

docker attach <container name>

  • Attaches to the “console” of a running container.
  • Useful to reattach to an interactive container (-i -t).

201 of 241

Attaching to a Container

$ docker run -i -t alpine /bin/sh

/ # hostname

f6022e824572

/ # exit

$

$ docker start f6022e824572

f6022e824572

$

$ docker attach f6022e824572

/ # hostname

f6022e824572

/ #

202 of 241

Exec’ing into a Running Container

docker exec <container name> <command>

  • Executes a command in a running container.
  • Can spawn an interactive second shell within the container using -i and -t.

203 of 241

Executing a Command in a Container

$ docker run -d nginx:stable-alpine

599d394ad9ec1952c68ac33347678e6de9b9dce9ab5c05c5c5aedb3ced91fc20

$

$ docker exec 599d394ad9ec hostname

599d394ad9ec

$

$ docker exec 599d394ad9ec cat /etc/os-release

NAME="Alpine Linux"

ID=alpine

VERSION_ID=3.8.2

...

204 of 241

Exec’ing into a Container

$ docker run -d nginx:stable-alpine

599d394ad9ec1952c68ac33347678e6de9b9dce9ab5c05c5c5aedb3ced91fc20

$

$ docker exec -i -t 599d394ad9ec /bin/sh

/ #

/ # hostname

599d394ad9ec

/ #

205 of 241

Attach vs Exec

Attach (the shell is PID 1, the container's own process):

/ # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /bin/sh
   15 root      0:00 ps aux

Exec (a second shell, PID 6, spawned alongside PID 1):

/ # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /bin/sh
    6 root      0:00 /bin/sh
   13 root      0:00 ps aux

206 of 241

Summary

  • Docker provides some useful commands for debugging and troubleshooting containers.
    • inspect - Output debug information on various container resources.
    • format - Useful for formatting output and filtering.
    • attach - Attaches to the console of a running container.
    • exec - Spawns a process within a container.

207 of 241

Command Reference

Inspect

docker inspect

View low-level information on a container.

docker image inspect

View low-level information on an image.

docker network inspect

View low-level information on a network.

docker volume inspect

View low-level information on a volume.

Attach and Exec

docker attach <container name>

Attaches to console of container.

docker exec <container name> <command>

Executes a command within a container.

208 of 241

Exercise:

Inspecting and Troubleshooting

209 of 241

Developer Workflow

210 of 241

Developer Workflow

Assumption:

You already have the application working locally.

211 of 241

Developer Workflow

Three step process

  1. Make the application work within a container locally.
  2. Add at-runtime configuration via volumes and environment variables.
  3. Mirror production as closely as possible.

212 of 241

Developer Workflow

What that means

  • Make a Dockerfile based on your local environment.
  • Update code to use environment variables or config files where appropriate.
  • Write a `docker-compose.yaml` file to spin up services the app relies on, locally.

213 of 241

Step 1: Dockerfile

214 of 241

Developer Workflow

# For this example we're going to use Python

# Alpine is a lightweight OS that makes for smaller containers

FROM python:3.4-alpine

# Copy our current working directory contents into the /code folder

COPY . /code

# Set the default directory to be /code

WORKDIR /code

# Install Python dependencies

RUN pip install -r requirements.txt

# Set the default command to be `python app.py`

CMD ["python", "app.py"]

215 of 241

Developer Workflow

$ docker build -t flask_app .

...

$ docker run -d -p 6379:6379 --name redis redis:alpine

...

$ docker run -i -t -p 8080:8080 flask_app

216 of 241

We’re not done.

217 of 241

Step 2: Runtime Configuration

218 of 241

Developer Workflow

import time, redis
from flask import Flask

app = Flask(__name__)
cache = redis.Redis(host='redis', port=6379)

...

@app.route('/')
def hello():
    count = get_hit_count()
    return 'Hello World! I have been seen {} times.\n'.format(count)

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080, debug=True)

219 of 241

Developer Workflow

import time, redis, os
from flask import Flask

app = Flask(__name__)
# Read connection settings from the environment, falling back to the previous hard-coded values.
cache = redis.Redis(host=os.getenv('REDIS_HOST', 'redis'),
                    port=int(os.getenv('REDIS_PORT', '6379')))

...

@app.route('/')
def hello():
    count = get_hit_count()
    return 'Hello World! I have been seen {} times.\n'.format(count)

if __name__ == "__main__":
    # debug=True turns on Werkzeug's interactive debugger and reloader (a development setting).
    app.run(host="0.0.0.0", port=int(os.getenv('FLASK_PORT', '8080')), debug=True)

220 of 241

Developer Workflow

$ docker build -t flask_app .

...

$ docker run -d -p 6379:6379 --name redis redis:alpine

...

$ docker run -i -t \

-p 8080:8080 \

-e REDIS_HOST=redis \

-e REDIS_PORT=6379 \

-e FLASK_PORT=8080 \

flask_app

221 of 241

We’re still not done.

222 of 241

Step 3: Docker Compose

223 of 241

Docker Compose

version: '3'
services:
  web:
    build: .
    ports:
      - "8080:8080"
    volumes:
      - .:/code
    env_file:
      - ./.env
  redis:
    image: "redis:alpine"

226 of 241

Docker Compose

$ docker-compose up

Starting docker-compose-example_redis_1 ... done

Starting docker-compose-example_web_1 ... done

Attaching to docker-compose-example_redis_1, docker-compose-example_web_1

redis_1 | 1:C 18 Feb 2019 17:45:31.326 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo

redis_1 | 1:C 18 Feb 2019 17:45:31.326 # Redis version=5.0.3, bits=64, commit=00000000, modified=0, pid=1, just started

redis_1 | 1:C 18 Feb 2019 17:45:31.326 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf

redis_1 | 1:M 18 Feb 2019 17:45:31.328 * Running mode=standalone, port=6379.

web_1 | * Tip: There are .env files present. Do "pip install python-dotenv" to use them.

web_1 | * Serving Flask app "app" (lazy loading)

web_1 | * Environment: production

228 of 241

Best Practices & Tips

229 of 241

Security: Don’t run your container as root

  • Root jailbreak from within container == root on host.
  • Run container as a specific user/group.
    • Example: www-data for nginx.
  • Root should be restricted to building image only.
    • Use USER Dockerfile directive.
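A check for the point above, as an added example (not code from the deck): a Python function that reads a Dockerfile, joins continuation lines, tracks USER across stages and reports whether the final stage still starts as root. The two sample Dockerfiles are constructed here; the first is modelled on the Python Dockerfile shown in the Developer Workflow section, the second is the same build with root confined to the build steps and a USER instruction before CMD. The check assumes every FROM starts as root; a base image that already sets USER would make it report root when it need not (a false positive, never a missed root).

```python
"""Report whether a Dockerfile leaves the container running as root.
Added example, not part of the slides; both Dockerfiles below are constructed."""
from typing import Iterator, Tuple

ROOT_IDS = {"root", "0"}

# Constructed sample: no USER instruction, so "python app.py" runs as root.
DOCKERFILE_AS_ROOT = """\
FROM python:3.4-alpine
COPY . /code
WORKDIR /code
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
"""

# Constructed hardened sample: root is used only to build; the final USER drops privileges.
DOCKERFILE_DROPPED = """\
FROM python:3.4-alpine
COPY . /code
WORKDIR /code
RUN pip install -r requirements.txt && \\
    adduser -D -u 10001 app && \\
    chown -R app:app /code
# Everything after this line, including the running container, executes as "app".
USER app
CMD ["python", "app.py"]
"""


def instructions(dockerfile: str) -> Iterator[Tuple[str, str]]:
    """Yield (INSTRUCTION, arguments), joining backslash continuations and skipping comments."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        instr, _, args = (pending + line).partition(" ")
        pending = ""
        yield instr.upper(), args.strip()


def effective_user(dockerfile: str) -> str:
    """User the final stage starts as. Each FROM is assumed to begin as root; a base
    image that already sets USER makes this conservative rather than wrong."""
    user = "root"
    for instr, args in instructions(dockerfile):
        if instr == "FROM":
            user = "root"        # a new stage does not inherit USER from the previous one
        elif instr == "USER":
            user = args
    return user


def runs_as_root(dockerfile: str) -> bool:
    """True if the container would start as uid 0 (covers USER root, USER 0 and USER 0:0)."""
    user, _, _group = effective_user(dockerfile).partition(":")
    return user.lower() in ROOT_IDS


if __name__ == "__main__":
    for label, text in (("as written", DOCKERFILE_AS_ROOT), ("hardened", DOCKERFILE_DROPPED)):
        print(f"{label}: USER={effective_user(text)!r} runs_as_root={runs_as_root(text)}")
```

Resetting to root on every FROM matters for multi-stage builds: a USER in a builder stage says nothing about the stage that actually ships, so only the last stage's USER counts.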

230 of 241

Security: Just enough to get the job done

  • Use an image with “just enough” to run your application.
    • Decreases the size of your container image.
    • Decreases chance of a vulnerable package.
    • Decreases exploitability IF compromised.

231 of 241

Security: read only filesystem

  • Run the image with a read-only root filesystem (--read-only).
    • Prevents the “2nd phase” of many exploits. Example: if a package is exploited, the attacker cannot download additional tools into the container.
  • Mount tmpfs (--tmpfs) volumes at the locations where files WILL need to be written, for example /var/run.
    • tmpfs can be mounted with restrictions such as noexec and nosuid.

235 of 241

Security: read only filesystem

$ docker run -d -p 80:80 --read-only \
    --tmpfs /run:rw,noexec,nosuid,size=1m \
    --tmpfs /var/cache/nginx:rw,noexec,nosuid,size=5m \
    nginx:stable-alpine
5e2d8cf6b08f1e2a1dbb4446b1710057acfb5d6658234efbea082e3643e468c1
$
$ docker exec -it 5e2d8 touch /amireadonly
touch: /amireadonly: Read-only file system
$
$ docker exec -it 5e2d8 touch /run/amireadonly
$
$ docker exec -it 5e2d8 ls /run
amireadonly nginx.pid

Slide callouts:
  • --read-only: read only
  • --tmpfs ...:rw,noexec,nosuid,...: restricted tmpfs
  • touch /amireadonly fails: prevented writing to filesystem
  • touch /run/amireadonly succeeds: can write to tmpfs

236 of 241

Security: Linux Capabilities

  • Linux capabilities further break down permissions beyond root/non-root or privileged/unprivileged.
  • Docker’s default set of capabilities is a very good compromise between secure (completely unprivileged) and usable (fully privileged).
  • Capabilities can be added/dropped with --cap-add and --cap-drop.

237 of 241

Security: Linux Capabilities

  • AUDIT_CONTROL
  • AUDIT_READ
  • AUDIT_WRITE
  • BLOCK_SUSPEND
  • CHOWN
  • DAC_OVERRIDE
  • DAC_READ_SEARCH
  • FOWNER
  • FSETID
  • IPC_LOCK
  • KILL
  • LEASE
  • LINUX_IMMUTABLE
  • MAC_ADMIN
  • MAC_OVERRIDE
  • MKNOD
  • NET_ADMIN
  • NET_BIND_SERVICE
  • NET_BROADCAST
  • NET_RAW
  • SETGID
  • SETFCAP
  • SETPCAP
  • SETUID
  • SYS_ADMIN
  • SYS_BOOT
  • SYS_CHROOT
  • SYS_MODULE
  • SYS_NICE
  • SYS_PACCT
  • SYS_PTRACE
  • SYS_RAWIO
  • SYS_RESOURCE
  • SYS_TIME
  • SYS_TTY_CONFIG
  • SYSLOG
  • WAKE_ALARM

240 of 241

Security: Linux Capabilities

  • AUDIT_WRITE: Write records to kernel auditing log.
  • CHOWN: Make arbitrary changes to file UIDs and GIDs.
  • DAC_OVERRIDE: Bypass file read, write, and execute permission checks.
  • FOWNER: Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
  • FSETID: Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.
  • KILL: Bypass permission checks for sending signals.
  • MKNOD: Create special files using mknod.

241 of 241

Security: Linux Capabilities

  • NET_BIND_SERVICE: Bind a socket to internet domain privileged ports (port numbers less than 1024).
  • NET_RAW: Use RAW and PACKET sockets.
  • SETGID: Make arbitrary manipulations of process GIDs and supplementary GID list.
  • SETFCAP: Set file capabilities.
  • SETPCAP: Modify process capabilities.
  • SETUID: Make arbitrary manipulations of process UIDs.
  • SYS_CHROOT: Use chroot, change root directory.
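An added example, not from the slides, that decodes the CapEff mask a container reports in /proc/1/status into the capability names listed on slides 236-241 and flags anything beyond the 14 capabilities described on slides 240-241, which are Docker's default grant. The sample masks are constructed; 0x3fffffffff stands for every bit of a kernel that defines capabilities 0 through 37.

```shell
#!/bin/sh
# Capability names by bit number, from linux/capability.h (bit 0 = CHOWN, ...).
# IPC_OWNER (bit 15) is kept so bit positions stay right even though the slides omit it.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"

# The 14 capabilities Docker grants by default (the set described on slides 240-241).
DOCKER_DEFAULT_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD \
NET_BIND_SERVICE NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_CHROOT"

# cap_names HEXMASK: print, space separated, every capability whose bit is set in
# HEXMASK, the format of the CapEff/CapBnd lines in /proc/<pid>/status.
cap_names() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        bit=$(( bit + 1 ))
    done
    echo "${out# }"
}

# extra_caps HEXMASK: print the capabilities in HEXMASK that go beyond Docker's
# default set.  Empty output means the container holds no more than the defaults.
extra_caps() {
    out=""
    for name in $(cap_names "$1"); do
        case " $DOCKER_DEFAULT_CAPS " in
            *" $name "*) ;;
            *) out="$out $name" ;;
        esac
    done
    echo "${out# }"
}

# Against a running container (reads PID 1's effective set inside it):
#   extra_caps "$(docker exec CONTAINER awk '/^CapEff/ {print $2}' /proc/1/status)"
# Constructed sample masks for an offline demo: a default container,
# one started with --cap-add=NET_ADMIN, and one started with --privileged.
echo "default run holds : $(cap_names 00000000a80425fb)"
echo "NET_ADMIN run adds: $(extra_caps 00000000a80435fb)"
echo "privileged adds   : $(extra_caps 0000003fffffffff)"
```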