- Docker
- Privilege
- Dockerfile
- Networking
- Contiv networking
- LXC
- cgroups
Docker
- single process only
- container is immutable ⇒ external mount is required for persistent data (volume)
- registry ≡ image repository
- REST API
- docker CLI → dockerd (API/socket)
- stop operation ≡ stop PID 1
; interactive pseudoterminal
$ docker run -it --rm <NAME> <EXEC>
; instance name
$ docker run -it --name <NAME>
; detached
$ docker run -it -d
; mount
$ docker run -it -v <LOCAL_PATH>:<CONTAINER_PATH>
$ docker run -it --mount source=<LOCAL_PATH>,target=<CONTAINER_PATH>,type=bind
; pass sensitive info via variables
$ docker run -it --env-file=<PATH>
$ docker run -it -p <LOCAL_PORT>:<CONTAINER_PORT>
$ docker run -it --network <NET>
$ docker container ls -a
; remove stopped containers
$ docker container prune
$ docker container cp <LOCAL_PATH> <CONTAINER>:<CONTAINER_PATH>
$ docker container exec <CONTAINER> <CMD>
$ docker container stop <NAME>
$ docker pull <IMAGE>[:<TAG>]
$ docker login <REGISTRY_URL>
; -f ≡ follow (real-time)
$ docker logs [-f] <CONTAINER>
Privilege
- levels
  - privileged: default, container root ≡ host root
  - unprivileged: more secure
Dockerfile
- FROM: origin (base) image
- LABEL: metadata, can be several
- COPY: copy to container file system
- WORKDIR
- RUN: every call creates a new layer ⇒ chain commands with \ and &&
- ENV: environment variables
- ENTRYPOINT:
  - command run on container start
  - modes
    - shell: default
    - exec: recommended, ["cmd", "params"]
- ADD: ≈ COPY
  - can work with URLs
  - uncompresses archives
- EXPOSE: describes open ports, documentation-only
- CMD: default arguments for ENTRYPOINT ≡ used when no command is given via docker run
- ARG: Dockerfile (build-time) variables
- HEALTHCHECK CMD: command is run periodically
$ docker build -t <IMAGE>:<TAG> <PATH> -f <DOCKERFILE>
$ docker image ls
$ docker image inspect --format='{{json .<SECTION>}}' <IMAGE> | json_pp
$ docker image rm <IMAGE>:<TAG>
; list layers and their size
$ docker image history <IMAGE>
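The directives above, put together in a working Dockerfile and checked for the mistakes the notes warn about (shell-form ENTRYPOINT, running as root, ADD where COPY will do, one layer per RUN). This is an added example, not part of the original notes; the image name `dockerfile-demo`, the `app` user, the `/srv/app` path and the served `index.html` are all constructed for it, and the build step only runs when `DOCKER_BUILD=1` is set and `docker` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the notes above): write a Dockerfile that exercises
# the directives listed, check it for the usual mistakes, and build it only
# when docker is present. Image name, paths and the served file are constructed.
set -eu

# write_dockerfile DIR: create the build context in DIR and print the Dockerfile path.
write_dockerfile() {
    dir="$1"
    mkdir -p "$dir/public"
    echo '<h1>hello from the container</h1>' > "$dir/public/index.html"   # constructed content
    cat > "$dir/Dockerfile" <<'EOF'
# ARG before FROM lets the base tag be overridden with --build-arg
ARG BASE_TAG=3.12-slim
FROM python:${BASE_TAG}
LABEL maintainer="example@example.invalid" \
      org.example.purpose="dockerfile-demo"
ENV APP_HOME=/srv/app \
    PYTHONUNBUFFERED=1
WORKDIR ${APP_HOME}
# one RUN chained with && and \ produces one layer instead of three
RUN addgroup --system app && \
    adduser --system --ingroup app --no-create-home app && \
    chown app:app ${APP_HOME}
# COPY rather than ADD: no URL fetching, no silent archive extraction
COPY --chown=app:app public/ ${APP_HOME}/
# documentation only: nothing is reachable without -p at run time
EXPOSE 8000
# drop to the unprivileged user created above before starting the process
USER app
# urlopen raises on a non-2xx response, so the check exits non-zero on failure
HEALTHCHECK --interval=30s --timeout=3s \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/')"
# exec form: python is PID 1, so docker stop delivers SIGTERM to it directly
ENTRYPOINT ["python", "-m", "http.server"]
# default argument for ENTRYPOINT; replaced by anything after the image name in docker run
CMD ["8000"]
EOF
    echo "$dir/Dockerfile"
}

# lint_dockerfile FILE: return 1 on the pitfalls the notes above warn about.
lint_dockerfile() {
    f="$1"
    # shell form wraps the command in "/bin/sh -c", making sh PID 1 instead of the app
    if grep -E '^(ENTRYPOINT|CMD) +[^[]' "$f" >/dev/null; then
        echo "lint: ENTRYPOINT/CMD must use exec (JSON array) form" >&2; return 1
    fi
    # without USER the process runs as root inside the container
    if ! grep -E '^USER +[^ ]' "$f" >/dev/null; then
        echo "lint: no USER directive, process would run as root" >&2; return 1
    fi
    # ADD fetches URLs and extracts archives; COPY is the safer default
    if grep -E '^ADD ' "$f" >/dev/null; then
        echo "lint: ADD found, prefer COPY" >&2; return 1
    fi
    return 0
}

# count_run_layers FILE: number of RUN instructions, i.e. layers added by RUN.
count_run_layers() {
    grep -c '^RUN ' "$1" || true
}

ctx="$(mktemp -d)"
df="$(write_dockerfile "$ctx")"
lint_dockerfile "$df"
echo "lint ok: $df ($(count_run_layers "$df") RUN layer(s))"
if command -v docker >/dev/null 2>&1 && [ "${DOCKER_BUILD:-0}" = 1 ]; then
    docker build -t dockerfile-demo:dev "$ctx"
    docker image history dockerfile-demo:dev    # one line per layer, with sizes
fi
```

After a build, `docker image history dockerfile-demo:dev` shows exactly one layer for the chained RUN; splitting the three commands into separate RUN lines would show three, which is the point of the `\` and `&&` note above.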
Networking
- drivers
  - bridge
    - L2 within VM
    - NAT for external access to container
  - host
    - 1:1 mapping to host ports
    - 1 network by default (host)
  - overlay
    - VXLAN between hosts
    - ports
      - TCP 2377: cluster management
      - TCP/UDP 7946: node communication
  - macvlan
    - extends external L2 into VM
    - containers are assigned real addresses
    - DNS and ARP programming for resolution
- plug-ins
  - Contiv: ACI
  - Kuryr: OpenStack
  - Weave: VXLAN (service discovery, encryption, partition tolerance)
$ docker network create -d <DRIVER> <NET>
$ docker network create -d macvlan --subnet=<SUBNET> --gateway=<GW> -o parent=<INTF> <NET>
$ docker network connect <NET> <CONTAINER>
Contiv networking
LXC
cgroups
- controls CPU, RAM, disk, network allocation and utilization
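The Privilege section above (the default run is root inside the container) and the cgroups line (CPU, RAM, pids allocation) meet on the `docker run` command line: the switches that drop to an unprivileged user and the switches that set cgroup limits are both per-container run options. The script below is an added example, not from the original notes: it assembles such a run and then reads, from inside whatever container (or host) it is executed in, the cgroup limits the process is actually subject to. The image name `dockerfile-demo:dev`, the env-file path and the limit values are constructed; the `docker run` itself only happens when `DOCKER_RUN=1` and `docker` is available.

```shell
#!/bin/sh
# Added example (not from the notes above): an unprivileged, resource-limited
# docker run, plus a check of the resulting cgroup limits from inside the
# container. Image name, env-file path and limit values are constructed.
set -eu

# hardened_run_args IMAGE ENV_FILE: print, one per line, the arguments that turn
# the default run (root, default capability set, no limits) into an unprivileged
# one with cgroup limits. Use "$(...)" or xargs to splice them into docker run.
hardened_run_args() {
    image="$1"; env_file="$2"
    printf '%s\n' \
        --rm --detach \
        --user 65534:65534 \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        --memory 256m --cpus 0.5 --pids-limit 100 \
        --env-file "$env_file" \
        --publish 127.0.0.1:8080:8000 \
        "$image"
}

# cgroup_limit CONTROLLER: print the limit the current process is subject to for
# memory, cpu or pids. cgroup v2 exposes one file per controller under the unified
# mount; v1 keeps a hierarchy per controller. Prints "unavailable" when neither
# file is readable (e.g. the root cgroup on a v2 host has no memory.max).
cgroup_limit() {
    case "$1" in
        memory) v2=/sys/fs/cgroup/memory.max; v1=/sys/fs/cgroup/memory/memory.limit_in_bytes ;;
        cpu)    v2=/sys/fs/cgroup/cpu.max;    v1=/sys/fs/cgroup/cpu/cpu.cfs_quota_us ;;
        pids)   v2=/sys/fs/cgroup/pids.max;   v1=/sys/fs/cgroup/pids/pids.max ;;
        *)      echo "unknown controller: $1" >&2; return 2 ;;
    esac
    if [ -r "$v2" ]; then
        cat "$v2"
    elif [ -r "$v1" ]; then
        cat "$v1"
    else
        echo unavailable
    fi
}

if command -v docker >/dev/null 2>&1 && [ "${DOCKER_RUN:-0}" = 1 ]; then
    # word-splitting of the argument list is intended; paths with spaces are not expected here
    cid=$(docker run $(hardened_run_args dockerfile-demo:dev ./app.env))
    # inside the container the memory controller reports the 256m limit as
    # 268435456 bytes on cgroup v2 (memory.max); pids.max reports 100
    docker exec "$cid" cat /sys/fs/cgroup/memory.max /sys/fs/cgroup/pids.max
    docker stop "$cid"
fi
echo "memory limit seen by this shell: $(cgroup_limit memory)"
echo "pids limit seen by this shell:   $(cgroup_limit pids)"
```

Run on a host the two echo lines usually print `unavailable` or `max`; run inside a container started with the arguments above they print the configured limits, which is the quickest way to confirm that the cgroup settings took effect rather than being silently dropped by an unsupported cgroup driver.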