![FOLLOW DOCKERFILE SYNTAXFOLLOW DOCKERFILE SYNTAX
FROM <image>[:<tag>] # base image
RUN <command> # runs command only once during build
CMD command param1 param2 # runs on container boot
EXPOSE <port> [<port>/<protocol>...]
ENV <key> <value> # only inside a container
ADD [--chown=<user>:<group>] <src>... <dest>
COPY <src>... <dest>
ENTRYPOINT command param1 param2 # container will run as an ex
VOLUME ["/data"]
USER <user>[:<group>] # who runs executables
WORKDIR /path # where run executables
HEALTHCHECK [OPTIONS] CMD command](https://image.slidesharecdn.com/docker-from-scratch-180627104939/85/Docker-from-scratch-24-320.jpg)
Docker from scratch
- 1. FROM scratch MAINTAINER Michal Wojtowicz michal@wojtowicz.ovh
- 3. WHAT IS DOCKER?WHAT IS DOCKER? makes easier to create, build and ship apps in containers single build contains only your application, libs/dependencies follows Open Container Initiative (part of Linux Foundation)
- 4. WHAT IS A CONTAINER?WHAT IS A CONTAINER?
- 5. WHAT IS A CONTAINER?WHAT IS A CONTAINER? It looks like VM: own process space own network can run things as root can install packages can play with system services
- 6. WHAT IS A CONTAINER?WHAT IS A CONTAINER? But it's not a VM: share host's kernel can't boot different OS boot much faster
- 7. HOW CONTAINER DIFFERS FROM VM?HOW CONTAINER DIFFERS FROM VM?
- 8. HOW CONTAINER DIFFERS FROM VM?HOW CONTAINER DIFFERS FROM VM?
- 9. VIRTUALIZATION ON LINUXVIRTUALIZATION ON LINUX Containers share same Linux Kernel as host machine They always share Linux kernel
- 10. VIRTUALIZATION ON OSX AND WINDOWSVIRTUALIZATION ON OSX AND WINDOWS Requires additional Virtual Machine with Linux Kernel Hyper-V on Windows 10 HyperKit on macOS since Yosemite Docker-machine (based on Virtualbox) on earlier versions
- 11. KERNEL NAMESPACES - WHAT'S THEKERNEL NAMESPACES - WHAT'S THE POINT?POINT? Each process is associated with a namespace and can only see or use the resources associated with that namespace, and descendant namespaces where applicable.
- 12. PID NAMESPACEPID NAMESPACE processes can see each other in bounds of same PID namespace when PID 1 is killed, whole namespace is killed either
- 13. NET NAMESPACENET NAMESPACE Allows to own private network stack including: interfaces routing tables firewall rules sockets
- 14. MNT NAMESPACEMNT NAMESPACE isolates mount points for a processes allows different views of the host's files mount points can be shared
- 15. UTS NAMESPACEUTS NAMESPACE isolates the hostname and the NIS domain name
- 16. IPC NAMESPACE (INTERPROCESSIPC NAMESPACE (INTERPROCESS COMMUNICATION)COMMUNICATION) semaphores POSIX message queues shared memory
- 17. USER NAMESPACEUSER NAMESPACE table of user IDs maps container's user to host user used for priviledge isolation
- 18. WHAT IS NOT NAMESPACED?WHAT IS NOT NAMESPACED? time - try to change it inside the container / # whoami root / # uname -a Linux 51a456ca0479 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 / # date +%T -s "10:13:13" date: can't set date: Operation not permitted kernel keyring - syscalls are also blocked things under /sys/
- 19. ONE SERVICE - ONE CONTAINERONE SERVICE - ONE CONTAINER PHILOSOPHYPHILOSOPHY easier to scale easier to maintain doesn't face first process assassination issue more effort needed to configure than VM-like approach
- 21. WHAT IS AN IMAGE?WHAT IS AN IMAGE? overlays kernel can contain libraries/binaries can define exposed ports, workdir runs default process in container
- 22. WHAT'S INSIDE THE IMAGE?WHAT'S INSIDE THE IMAGE? Linux distro dependencies like in Ubuntu image Prebuilt dependencies for app useful in containers Everything is packed up as layers Images are read-only
- 23. HOW TO BUILD OWN IMAGE?HOW TO BUILD OWN IMAGE?
- 24. FOLLOW DOCKERFILE SYNTAXFOLLOW DOCKERFILE SYNTAX FROM <image>[:<tag>] # base image RUN <command> # runs command only once during build CMD command param1 param2 # runs on container boot EXPOSE <port> [<port>/<protocol>...] ENV <key> <value> # only inside a container ADD [--chown=<user>:<group>] <src>... <dest> COPY <src>... <dest> ENTRYPOINT command param1 param2 # container will run as an ex VOLUME ["/data"] USER <user>[:<group>] # who runs executables WORKDIR /path # where run executables HEALTHCHECK [OPTIONS] CMD command
- 25. $ docker build . Sending build context to Docker daemon 15.36 kB Step 1/4 : FROM alpine:3.2 ---> 31f630c65071 Step 2/4 : MAINTAINER forest.gump@example.com ---> Using cache ---> 2a1c91448f5f Step 3/4 : RUN apk update && apk add apache2 && rm -r /var/cac ---> Using cache ---> 21ed6e7fbb73 Step 4/4 : CMD apache2 ---> Using cache ---> 7ea8aef582cc Successfully built 7ea8aef582cc
- 26. RUNNING CONTAINERRUNNING CONTAINER $ docker run -it ubuntu:14.04 /bin/bash $ docker run -it tomcat -d -p 8080:80
- 27. DOCKER-COMPOSE - TO THE RESCUEDOCKER-COMPOSE - TO THE RESCUE version: '3' services: web: image: apache links: - database ports: - '8080:80' volumes: - ./project:/var/www:rw database: image: mysql $ docker-compose up
- 28. CI/CDCI/CD
- 29. BITBUCKET PIPELINESBITBUCKET PIPELINES similar syntax to docker-compose.yml limit of only one container with mounted codebase codebase can be mounted into different containers with steps services are the only way of having multiple containers services are reachable through network only
- 30. image: alpine:latest pipelines: default: - step: image: node:8.9.4 caches: - node_modules script: - npm run build branches: master: - step: script: - ./generateReleaseNotes.sh
- 31. GITLAB PIPELINESGITLAB PIPELINES can organise chain of processes which leads to release
- 32. GITLAB PIPELINESGITLAB PIPELINES limit of only one container with mounted codebase codebase can be mounted into different containers with jobs services are the only way of having multiple containers services are reachable through network only
- 33. image: php:latest services: - mysql:5.7 variables: MYSQL_DATABASE: fancyDB MYSQL_ROOT_PASSWORD: secret DB_HOST: mysql DB_USERNAME: root stages: - test - deploy
- 34. SECURITY - GET RID OF ROOTSECURITY - GET RID OF ROOT PRIVILEGESPRIVILEGES follow the principle of least privilege Docker requires root privileges to run, containers themselves do not process running in a container is no different from other process many images just run as root and leave it up to you
- 35. $ docker run -v /root:/tmp/rootdir alpine:latest ls -la /tmp/r drwxr-xr-x+ 126 root root 4032 Jun 21 13:43 . drwxr-xr-x 7 root root 224 Jun 15 12:31 .. -rw-r--r-- 1 root root 266 Nov 26 2017 secretFile
- 36. FROM anyimage:latest RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser USER appuser
- 38. ELASTIC CONTAINERELASTIC CONTAINER SERVICE (ECS)SERVICE (ECS) user manages clusters of containers cluster defines type of underlying EC2 instances one underlying instance can run many containers it's still up to user to administrate instances
- 39. FARGATEFARGATE user doesn't have to manage cluster and instances user precises only CPU/memory requirements containers are created on AWS managed instances Kubernetes support coming in 2018
- 40. NEXT STEP - ORCHESTRASTIONNEXT STEP - ORCHESTRASTION Docker Swarm Kubernetes AWS/Azure/Google solutions
- 42. THANK YOU FORTHANK YOU FOR YOUR TIMEYOUR TIME Slides are available on https://michailw.github.io/talks/docker/