DOCKER
SWAPNIL JAIN
@JSWAPNIL
DEVOPS CONSULTANT & TRAINER
ABOUT ME
SWAPNIL JAIN
• 17 years of broad technical experience
• Red Hat Certified Architect (RHCA) Level X
• Awarded as “Best Instructor” for 2015-2016 by Red Hat
• Founder & Director at Pisces Solutions P. Ltd
• Founder & CTO at Ambedded Taiwan, and creator of the world's first ARM MicroServer-based Ceph
Appliance “MARS200”, winner of “Best of Interop 2016” innovation award
• Red Hat Certified Instructor, delivering trainings in India, Singapore, Hong Kong, Japan,
Australia, New Zealand and now USA
• Trained 600+ Candidates on different OpenSource Products & Technologies
AGENDA
DAY 1
AGENDA
1. Introduction to Containers
2. Docker & Its Architecture
3. Creating Your first Docker Container
4. Simple Web Application
5. Working with Images
DAY 2
AGENDA
6. Building Docker Images
7. Triggers in Docker Images
8. Networking with Docker
9. Manage data in containers
10. Linking Multiple Containers
DAY 3
AGENDA
11. Docker Public Registries
12. Create your own private Docker Registry
13. Running a Secured Docker Registry
14. Content trust in Docker
15. Limiting a container's resources
16. Multi-stage builds
YOU SHOULD HAVE 1 DOCKER HOST RUNNING
PREREQUISITE
1. At least 1 Docker host running
2. Computer with internet connection and a web browser
3. Nice to have a Docker Hub account (hub.docker.com)
EXTRA DETAILS
1. Lab Guide: http://docker-fundamentals.mask365.com
2. Online Labs: http://docker.mask365.com
3. References: https://github.com/swapnil-linux/dockertraining
4. Chat during training:
• Chat SignUp: https://goo.gl/khxmQB
• Chat: https://mask365trainings.slack.com/
5. Slide Deck: http://www.googlinux.com/docker-training.pdf
ASK ME
LAB DETAILS
1. To follow along, you need at least 1 Docker host with
Docker version 1.12+ (recommended version 17.07)
2. If you are doing (or re-doing) this on your own, you can
use the online labs at http://docker.mask365.com
DOCKER.MASK365.COM
ONLINE LABS
• Open a new browser tab to docker.mask365.com.
• Confirm that you're not a robot
• Click on "ADD NEW INSTANCE": congratulations, you have your first Docker
node! Unless instructed, all commands must be run from the first VM, node1
• We will (mostly) interact with node1 only
• Note the countdown in the corner; when it expires, your instances are destroyed
• If you give your URL to somebody else, they can access your nodes too. (You can
use that for pair programming, or to get help from a mentor.)
FEEL FREE TO ASK QUESTIONS ANY TIME
ALL RIGHT! WE’RE ALL SET. LET’S DO THIS.
1. INTRODUCTION TO
CONTAINERS
VIRTUALIZATION
FROM WIKIPEDIA, THE FREE ENCYCLOPAEDIA
• Virtualization refers to the act of creating a virtual (rather than actual) version of
something, including virtual computer hardware platforms, operating systems,
storage devices, and computer network resources.
• Virtualization began in the 1960s, as a method of logically dividing the system
resources provided by mainframe computers between different applications. Since
then, the meaning of the term has broadened.
WHAT IS
CLOUD COMPUTING?
WHAT IS IT?
CLOUD COMPUTING
• Wikipedia: It is a model for enabling ubiquitous, on-demand access to a
shared pool of configurable computing resources. Cloud computing and storage
solutions provide users and enterprises with various capabilities to store and
process their data in third-party data centers.
https://en.wikipedia.org/wiki/Cloud_computing
CLOUD ARCHITECTURE
& SERVICE MODELS
CLOUD ARCHITECTURE & SERVICE MODELS
• IaaS - Infrastructure as a Service
• PaaS - Platform as a Service
• SaaS - Software as a Service
A to Z of Docker
[Diagram, built up over several slides: the stack NETWORK, STORAGE, SERVERS, VIRTUALIZATION, OS, MIDDLEWARE, RUNTIME, DATA, APPLICATION shown for On Premise, IaaS, PaaS and SaaS, with each layer marked "You Manage" or "Cloud Provider". Examples shown: IaaS: AWS, Google Cloud, OpenStack; PaaS: OpenShift, Apprenda; SaaS: Google Apps, Salesforce, WebEx.]
HYPERVISOR (KVM)
CONTAINERS
IT DEPENDS WHO YOU ASK
WHAT ARE CONTAINERS?
A container is lightweight operating-system virtualization?
WHAT IS A CONTAINER?
• A container is a process running on your system in an isolated environment.
• Multiple containers can run on the same machine and share the OS kernel with other
containers, each running as isolated processes in user space.
• Containers take up less space than VMs (container images are typically tens of MBs in
size), and start almost instantly.
• Isolation is created using:
• Linux kernel namespaces, which isolate a process from other processes.
• Cgroups, which limit the use of CPU, RAM, virtual memory, and I/O bandwidth, among other
hardware and kernel resources.
HOW IS IT DIFFERENT FROM TRADITIONAL VIRTUALIZATION?
• Traditional Virtualization: Provides Virtual Hardware
• Containers: Virtual Operating System
• isolated process on the host (more in next unit)
CONTAINERIZATION TECHNOLOGIES
Container implementation was first available in 1982 as chroot in most Unix-like
operating systems, then in 2004 as zones in Solaris, and it became more popular after
its implementation as Docker containers since 2013.
2. DOCKER & ITS
ARCHITECTURE
BUILD, SHIP, RUN
WHAT IS DOCKER ?
The literal meaning of "docker" is "a person employed in a port
to load and unload ships". If a container is lightweight
operating-system virtualization, Docker is software to
create and manage containers.
DOCKER ARCHITECTURE
dockerd
DOCKER ENGINE
REST API
docker CLI
OBJECTS
DOCKER ECOSYSTEM
• Registry
• Images
• Containers
REGISTRY
• A Docker registry stores Docker images. Docker Hub is a
public registry that anyone can use, and Docker is
configured to look for images on Docker Hub by default.
You can even run your own private registry.
• When you use the docker pull or docker run commands,
the required images are pulled from your configured
registry. When you use the docker push command, your
image is pushed to your configured registry.
IMAGES
• An image is a read-only template with instructions for creating a Docker container.
Often, an image is based on another image, with some additional customization. For
example, you may build an image which is based on the ubuntu image, but installs the
Apache web server and your application, as well as the configuration details needed to
make your application run.
• You might create your own images or you might only use those created by others and
published in a registry. To build your own image, you create a Dockerfile with a simple
syntax for defining the steps needed to create the image and run it. Each instruction in
a Dockerfile creates a layer in the image. When you change the Dockerfile and rebuild
the image, only those layers which have changed are rebuilt. This is part of what makes
images so lightweight, small, and fast, when compared to other virtualization
technologies.
CONTAINER
• A container is a runnable instance of an image. You can create, run, stop, move,
or delete a container using the Docker API or CLI. You can connect a container to
one or more networks, attach storage to it, or even create a new image based on
its current state.
• By default, a container is relatively well isolated from other containers and its
host machine. You can control how isolated a container’s network, storage, or
other underlying subsystems are from other containers or from the host machine.
• A container is defined by its image as well as any configuration options you
provide to it when you create or run it. When a container stops, any changes to
its state that are not stored in persistent storage disappear.
THE UNDERLYING TECHNOLOGY
WHAT MAKES A DOCKER CONTAINER
• Linux Kernel Namespaces
• Control Groups
• Union File System
• SELinux (Red Hat)
LINUX KERNEL NAMESPACES
• PID (Process Isolation)
• NET (Managing Network Interfaces)
• IPC (Interprocess Communication)
• User and Group IDs
• MNT (File System Mount Points)
• UTS (Isolating Kernel and version identifiers)
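A way to check which of these namespaces a container process actually has to itself, by comparing the namespace ids the kernel exposes under /proc/<pid>/ns. This is an added example, not part of the original slides; the sample ids are constructed and the function names are hypothetical.

```python
import os
import re

# Namespace kinds from the slide, named as they appear under /proc/<pid>/ns.
NS_KINDS = ("pid", "net", "ipc", "user", "mnt", "uts")
_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_links(links):
    """Map kind -> namespace id from readlink values such as 'net:[4026531992]'."""
    table = {}
    for link in links:
        match = _LINK.match(link.strip())
        if match is None:
            raise ValueError(f"not a namespace link: {link!r}")
        table[match.group(1)] = int(match.group(2))
    return table


def read_ns(pid):
    """Read a live process's namespace ids (Linux; other users' PIDs need root)."""
    return parse_ns_links(os.readlink(f"/proc/{pid}/ns/{kind}") for kind in NS_KINDS)


def shared_namespaces(host, container):
    """Kinds for which both processes are in the same namespace (no isolation)."""
    return sorted(k for k in NS_KINDS if k in host and host[k] == container.get(k))


# Constructed sample ids, not captured from a real host.
HOST_INIT = parse_ns_links([
    "pid:[4026531836]", "net:[4026531992]", "ipc:[4026531839]",
    "user:[4026531837]", "mnt:[4026531840]", "uts:[4026531838]",
])
# Container started with default options: everything is private except the
# user namespace, which Docker shares with the host unless remapping is enabled.
DEFAULT_CONTAINER = parse_ns_links([
    "pid:[4026532201]", "net:[4026532204]", "ipc:[4026532200]",
    "user:[4026531837]", "mnt:[4026532198]", "uts:[4026532199]",
])
# Same container with host networking (docker run --network host):
# its NET id now equals the host's.
HOST_NET_CONTAINER = dict(DEFAULT_CONTAINER, net=HOST_INIT["net"])

if __name__ == "__main__":
    print("default:", shared_namespaces(HOST_INIT, DEFAULT_CONTAINER))
    print("host net:", shared_namespaces(HOST_INIT, HOST_NET_CONTAINER))
    if os.path.isdir("/proc/self/ns"):  # live check: this process vs its parent
        print("self vs parent:", shared_namespaces(read_ns(os.getppid()), read_ns("self")))
```

Any kind reported as shared is one where the container process sees the same resources as the host process it was compared with.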
CONTROL GROUPS
UNION FILE SYSTEM
[Figure: union file system illustration with three numbered layers (1, 2, 3) whose text combines to read "WELCOME TO DOCKER"]
SELINUX
• SELinux controls access to processes by Type and
Level. Docker offers two forms of SELinux protection:
type enforcement and multi-category security (MCS)
separation.
• SELinux labels consist of 4 parts:
USER:ROLE:TYPE:LEVEL
SELINUX - TYPE ENFORCEMENT
• Type enforcement is a kind of enforcement in which rules are based
on process type. It works in the following way. The default type for a
confined container process is svirt_lxc_net_t. This type is permitted
to read and execute all file types under /usr and most types under
/etc. svirt_lxc_net_t is permitted to use the network but is not
permitted to read content under /var, /home, /root, /mnt …
svirt_lxc_net_t is permitted to write only to files labeled
svirt_sandbox_file_t and docker_var_lib_t. All files in a container are
labeled by default as svirt_sandbox_file_t. Access to docker_var_lib_t
is permitted in order to allow the use of docker volumes.
SELINUX - MCS SEPARATION
• Multi-Category Security (MCS) Separation is sometimes called svirt. It works
in the following way. A unique value is assigned to the level field of the
SELinux label of each container. By default each container is assigned the MCS
Level equivalent to the PID of the docker process that starts the container.
• The standard targeted policy includes rules that dictate that the MCS label
of the process must dominate the MCS label of the target. The target is
usually a file. The MCS label usually looks something like s0:c1,c2. Such a label
would dominate files labeled s0, s0:c1, s0:c2 and s0:c1,c2. It would not, however,
dominate s0:c1,c3. All MCS labels are required to use two categories. This
guarantees that no two containers can have the same MCS label by default.
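The dominance rule above, worked through in code on the slide's own labels. This is an added example, not part of the original slides and not SELinux's implementation; it models only the MCS level comparison (not type enforcement), handles single levels rather than low-high ranges, and the function names and sample contexts are constructed.

```python
def _category(token):
    """Turn a category token such as 'c12' into the integer 12."""
    if not (token.startswith("c") and token[1:].isdigit()):
        raise ValueError(f"bad category: {token!r}")
    return int(token[1:])


def parse_level(level):
    """Split a level such as 's0:c1,c2' into (sensitivity, set of categories)."""
    sens, _, cats = level.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        low, _, high = item.partition(".")  # 'c0.c3' means c0 through c3
        first = _category(low)
        last = _category(high) if high else first
        categories.update(range(first, last + 1))
    return int(sens[1:]), frozenset(categories)


def level_of(context):
    """Return the LEVEL field of a USER:ROLE:TYPE:LEVEL label."""
    parts = context.split(":", 3)  # LEVEL itself contains a colon
    if len(parts) != 4:
        raise ValueError(f"expected USER:ROLE:TYPE:LEVEL, got {context!r}")
    return parts[3]


def dominates(process_level, target_level):
    """True when the process level covers the target's sensitivity and categories."""
    p_sens, p_cats = parse_level(process_level)
    t_sens, t_cats = parse_level(target_level)
    return p_sens >= t_sens and p_cats >= t_cats


def mcs_allows(process_context, file_context):
    """MCS check only: does the process label dominate the file label?"""
    return dominates(level_of(process_context), level_of(file_context))


# Constructed sample contexts using the types named on the slides.
CONTAINER_A = "system_u:system_r:svirt_lxc_net_t:s0:c1,c2"
FILE_OF_A = "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
FILE_OF_B = "system_u:object_r:svirt_sandbox_file_t:s0:c1,c3"

if __name__ == "__main__":
    for target in ("s0", "s0:c1", "s0:c2", "s0:c1,c2", "s0:c1,c3"):
        print(f"s0:c1,c2 dominates {target}: {dominates('s0:c1,c2', target)}")
    print("A reads its own file:", mcs_allows(CONTAINER_A, FILE_OF_A))
    print("A reads B's file:", mcs_allows(CONTAINER_A, FILE_OF_B))
```

Because every container label carries two categories and no two containers get the same pair, neither container's label dominates the other's, which is what keeps one container's files out of reach of another.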
NAMESPACES + CGROUPS + UFS + SELINUX
WHAT MAKES A CONTAINER
• Container format: Docker Engine combines the
namespaces, control groups, UnionFS and SELinux into
a wrapper called a container format. The default
container format is libcontainer.
• In the future, Docker may support other container
formats by integrating with technologies such as BSD
Jails or Solaris Zones.
DOCKER VERSION
Wait, What, 17.07 ?!?
• Docker Inc. announced Docker Enterprise Edition
• Docker 1.13 = Docker 17.03 (year.month, like Ubuntu)
• Every month, there is a new "edge" release (with new features)
• Every quarter there is a new "stable" release
• Docker CE releases are maintained 4+ months
• Docker EE releases are maintained 12+ months
MOBY PROJECT
• DockerCon 2017 Austin: Docker announces it's opening/moving
more components outside of Docker Inc. org to Moby org.
• Why? To help separate and clarify the open source
"projects" (LinuxKit, SwarmKit, containerd) from the Docker
"products" (Docker CE, Docker EE, Docker for X)
• "An open framework to assemble specialised container systems
without reinventing wheel."
• Not for Docker users. For docker internals devs and system builders.
THE COMPLETE STACK
MY FIRST CONTAINER
docker run alpine ping 8.8.8.8
NO MORE SLIDES
Refer to chapter 3 onwards of the lab guide for hands-on exercises
@jswapnil
www.googlinux.com
www.linkedin.com/in/jswapnil
THANK YOU
