Docker

  1. Docker
    1. Privilege
    2. Dockerfile
    3. Networking
      1. Contiv networking
  2. LXC
  3. cgroups

Docker

  • single process only
  • container is immutable ⇒ external mount is required for persistent data (volume)
  • registry ≡ image repository
  • REST API
  • docker CLI → dockerd (API/socket)
  • stop operation ≡ stop PID 1
; interactive pseudoterminal 
$ docker run -it --rm <NAME> <EXEC>

; instance name
$ docker run -it --name <NAME>

; detached
$ docker run -it -d

; mount
$ docker run -it -v <LOCAL_PATH>:<CONTAINER_PATH>
$ docker run -it --mount source=<LOCAL_PATH>,target=<CONTAINER_PATH>,type=bind

; pass sensitive info via variables
$ docker run -it --env-file=<PATH>

$ docker run -it -p <LOCAL_PORT>:<CONTAINER_PORT>
$ docker run -it --network <NET>
$ docker container ls -a

; remove stopped containers
$ docker container prune

$ docker container cp <LOCAL_PATH> <CONTAINER>:<CONTAINER_PATH>

$ docker container exec <CONTAINER> <CMD>

$ docker container stop <NAME>
$ docker pull <IMAGE>

$ docker login <REGISTRY_URL>

; -f ≡ real-time
$ docker logs <CONTAINER>
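The `--env-file` note above is where secrets usually enter a container, so it is worth checking the file before handing it to `docker run`. The script below is an added example, not part of the original notes: it writes a constructed env file with owner-only permissions, rejects files that are group/world readable or that contain lines docker would not treat as `NAME=value` (docker passes quotes literally and does not expand `$VARS`), and only then runs the container. File names, variable names and the image are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): prepare and sanity-check an
# --env-file before `docker run`. Names and values below are constructed.

# Write a constructed env file with mode 600 and print its path.
write_env_file() {
    f="$1"
    ( umask 077; cat > "$f" <<'EOF'
# docker --env-file format: one NAME=value per line, no quoting, no expansion.
DB_USER=app
DB_PASSWORD=s3cret-placeholder
EOF
    )
    printf '%s\n' "$f"
}

# Exit 0 if the file is safe to pass as --env-file, 1 otherwise; prints one
# line per problem:
#   - mode must not grant group/other read access (the values are secrets)
#   - every non-comment line must be NAME=value; "export X=y" or X="y" are
#     passed through literally by docker, which is almost never intended
check_env_file() {
    f="$1"; rc=0; n=0
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;
        *) echo "$f: mode $mode is readable by group/other"; rc=1 ;;
    esac
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! expr "$line" : '[A-Za-z_][A-Za-z0-9_]*=' >/dev/null; then
            echo "$f:$n: not NAME=value"; rc=1; continue
        fi
        case "$line" in
            *\"*|*\'*) echo "$f:$n: quotes are passed literally into the container"; rc=1 ;;
        esac
    done < "$f"
    return $rc
}

# Refuse to start the container if the env file fails the checks.
run_with_env() {
    check_env_file "$1" || return 1
    docker run -it --rm --env-file="$1" "$2"
}

# Usage (needs dockerd): sh this.sh --run ./app.env <IMAGE>
if [ "${1:-}" = "--run" ]; then
    run_with_env "$2" "$3"
fi
```

Values passed this way are still visible to anyone who can run `docker inspect` on the container, so the file check limits exposure on the host, not inside the Docker API.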

Privilege

  • levels
    • privileged: default, container root ≡ host root
    • unprivileged: more secure
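To see which of the two levels above a running container is actually at, the fields `HostConfig.Privileged` and `Config.User` from `docker inspect` are enough. The script below is an added example, not part of the original notes: `list_container_privs` pulls those fields for every running container, and `flag_risky` reads that text and reports containers started with `--privileged` or with no explicit user (uid 0 in the container, i.e. the "container root ≡ host root" case). The sample lines are constructed so the parser can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original notes): audit running containers for
# --privileged and for running as root. dockerd is only needed for --live.

# One line per running container: "<name> <privileged> <user>".
# --format fields are real docker inspect paths; Config.User is empty when
# the image set no USER and docker run passed no --user.
list_container_privs() {
    docker ps -q | xargs -r docker inspect \
        --format '{{.Name}} {{.HostConfig.Privileged}} {{.Config.User}}'
}

# Read "<name> <privileged> <user>" lines on stdin; print one finding per
# container that is privileged or runs as root. Exit 1 if anything was found.
flag_risky() {
    found=0
    while read -r name priv user; do
        if [ "$priv" = "true" ]; then
            echo "$name: --privileged (all capabilities, host devices)"
            found=1
        elif [ -z "$user" ] || [ "$user" = "root" ] || [ "$user" = "0" ]; then
            echo "$name: runs as root (no USER / --user set)"
            found=1
        fi
    done
    return $found
}

# Constructed sample of list_container_privs output for offline use.
SAMPLE_PRIVS='/web true
/api false app
/db false
/worker false 1000:1000'

# Run the audit over the constructed sample; output is the findings.
audit_sample() {
    printf '%s\n' "$SAMPLE_PRIVS" | flag_risky
}

# Usage: sh this.sh --live   (queries dockerd)
if [ "${1:-}" = "--live" ]; then
    list_container_privs | flag_risky
fi
```

On the constructed sample only `/web` (privileged) and `/db` (no user) are reported; `/api` and `/worker` carry an explicit non-root user and pass.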

Dockerfile

  • FROM: origin image
  • LABEL: metadata, can be several
  • COPY: copy to container file system
  • WORKDIR
  • RUN: every call creates new layer ⇒ use \ and &&
  • ENV: environment variables
  • ENTRYPOINT:
    • commands on container start
    • modes
      • shell: default
      • exec: recommended, ["cmd", "params"]
  • ADD: ≈ COPY
    • can work with URLs
    • uncompresses archives
  • EXPOSE: describes open ports, documentation-only
  • CMD: default arguments for ENTRYPOINT; overridden by a command given to docker run
  • ARG: Dockerfile variables
  • HEALTHCHECK CMD: command is run periodically
$ docker build -t <IMAGE>:<TAG> <PATH> -f <DOCKERFILE>
$ docker image ls

$ docker image inspect --format='{{json .<SECTION>}}' <IMAGE> | json_pp

$ docker image rm <IMAGE>:<TAG>

; list layers and their size
$ docker image history <IMAGE>
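The directive list and build command above fit together as shown in this added example, which is not part of the original notes. `write_dockerfile` emits a Dockerfile that uses every directive from the list (single chained RUN, COPY instead of ADD, exec-form ENTRYPOINT with CMD as its default arguments, documentation-only EXPOSE, periodic HEALTHCHECK) and also drops to a non-root user; `lint_dockerfile` applies a small assumed review policy before `docker build`. The image name, `app.py`, the alpine base tag and the policy itself are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): write a Dockerfile using the
# directives listed above, check it locally, then build it. Image name,
# app.py, the base tag and the lint policy are assumptions.

# Write the Dockerfile into directory $1 and print its path.
write_dockerfile() {
    dir="$1"
    cat > "$dir/Dockerfile" <<'EOF'
# ARG before FROM is only usable in FROM (assumed base tag).
ARG BASE_TAG=3.19
FROM alpine:${BASE_TAG}

LABEL maintainer="ops@example.invalid"
LABEL org.opencontainers.image.title="notes-app"

# Build-time variable; not persisted in the image environment.
ARG APP_PORT=8080
# Runtime variable; persisted and visible via docker image inspect.
ENV APP_PORT=${APP_PORT}

WORKDIR /app

# One RUN joined with && and \ => one layer instead of three.
RUN apk add --no-cache python3 \
    && addgroup -S app \
    && adduser -S -D -G app -h /app app

# COPY rather than ADD: no URL fetch, no implicit archive extraction.
COPY --chown=app:app app.py /app/app.py

# Documentation only; publishing still needs -p on docker run.
EXPOSE ${APP_PORT}

# The process that becomes PID 1 runs as the unprivileged user.
USER app

# Runs periodically; non-zero exit marks the container unhealthy.
HEALTHCHECK --interval=30s --timeout=3s \
    CMD wget -q -O - "http://127.0.0.1:${APP_PORT}/health" || exit 1

# Exec form: no shell wrapper, so stop signals reach the process itself.
ENTRYPOINT ["python3", "/app/app.py"]
# Default arguments for ENTRYPOINT; replaced by arguments given to docker run.
CMD ["--port", "8080"]
EOF
    printf '%s\n' "$dir/Dockerfile"
}

# Assumed review policy, one line per violation; exit 0 means clean:
#   ENTRYPOINT in exec form, a non-root USER present, no ADD.
lint_dockerfile() {
    f="$1"; rc=0
    if ! grep -Eq '^ENTRYPOINT[[:space:]]+\[' "$f"; then
        echo "ENTRYPOINT not in exec form"; rc=1
    fi
    if ! grep -Eq '^USER[[:space:]]+' "$f" \
        || grep -Eq '^USER[[:space:]]+(root|0)[[:space:]]*$' "$f"; then
        echo "no non-root USER"; rc=1
    fi
    if grep -Eq '^ADD[[:space:]]' "$f"; then
        echo "ADD used; prefer COPY"; rc=1
    fi
    return $rc
}

# Number of layer-creating instructions (RUN/COPY/ADD). Continuation lines
# start with && so they are not counted; compare with docker image history.
count_layer_instructions() {
    grep -Ec '^(RUN|COPY|ADD)[[:space:]]' "$1"
}

# Lint first, then build with the flags from the note above.
build_image() {
    dir="$1"; tag="$2"
    lint_dockerfile "$dir/Dockerfile" || return 1
    docker build -t "$tag" -f "$dir/Dockerfile" "$dir"
}

# Usage (needs dockerd): sh this.sh --build ./ctx notes-app:dev
if [ "${1:-}" = "--build" ]; then
    write_dockerfile "$2" >/dev/null && build_image "$2" "$3"
fi
```

The generated file contains two layer-creating instructions (one RUN, one COPY), which is what `docker image history` will list for it besides the metadata-only steps.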

Networking

  • drivers
    • bridge
      • L2 within VM
      • NAT for external access to container
    • host
      • 1:1 mapping to host ports
      • 1 network by default (host)
    • overlay
      • VXLAN between hosts
      • ports
        • TCP 2377: cluster management
        • TCP/UDP 7946: nodes communication
    • macvlan
      • extends external L2 into VM
      • containers are assigned real addresses
  • DNS and ARP programming for resolution
  • plug-ins
    • Contiv: ACI
    • Kuryr: Openstack
    • Weave: VXLAN (service discovery, encryption, partition tolerance)
$ docker network create -d <DRIVER> <NET>
$ docker network create -d macvlan --subnet=<SUBNET> --gateway=<GW> -o parent=<INTF> <NET>

$ docker network connect <NET> <CONTAINER>

Contiv networking

LXC

cgroups

  • controls CPU, RAM, disk, network allocation and utilization