**__DOCKER__**\\
Containers do not emulate hardware or a kernel: every container shares the host kernel, and only user space is isolated. The container engine builds that isolation out of two kernel mechanisms:
  * **cgroups**: kernel mechanism for limiting and accounting the total resources used by a group of processes running on a system. For example, you can apply **CPU**, memory, network or IO quotas.
  * **namespaces**: kernel mechanism for limiting the visibility that a group of processes has of the rest of the system (PIDs, mounts, users, IPC, hostname, network). For example, each container can run its own **network stack** in its own network namespace.
Neither mechanism shrinks the kernel attack surface by itself: a kernel bug is reachable from inside the container, so capabilities, seccomp and LSM (AppArmor/SELinux) profiles do the rest of the work.\\
Tutorial, all [[https://container.training/intro-fullday.yml.html#65|HERE]]\\
The principle of Docker is that we start a container to __run a task__ (its PID 1). When that process has nothing left to do and exits, the container __stops and exits__ with it.\\
----
RUN container:
  docker run -it --rm --name C2 {image-name-eg-busybox} /bin/sh   # -it for INTERACTIVE; --rm deletes the container and its writable layer when it exits (busybox ships /bin/sh, not bash)
  docker run --rm -v /foo -v awesome:/bar busybox top              # -v /foo mounts an anonymous volume on /foo, -v awesome:/bar mounts the named volume "awesome" on /bar; volumes live outside the image's union (overlay) filesystem, --rm deletes the anonymous one but the named one persists
  cat /proc/1/cpuset   # one way to tell whether you are inside a container: on a cgroup v1 host it shows the container's cgroup path, on cgroup v2 (private cgroup namespace, Docker's default there) it only shows "/"
  /docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49
Flags to be run with //docker run// (see //man docker-run//):
  * -d: run the container in the background (detached)
  * -i: interactive, keep STDIN open
  * -t: allocate a pseudo-tty and attach it to the container's standard input
  * -P: publish every port the image EXPOSEs to a random high port on the host (-p host:container publishes a single port); published ports are reachable from the network, not only from the host
Stop a container:
  docker stop f51e9de57784      # list containers with docker ps -a
  docker restart f51e9de57784   # restart it
  docker run -itd --name c3 busybox   # start a container in detached (daemon) mode
  docker run -it --name c2 busybox    # start a container in interactive mode
  docker exec -it "id of running container" bash   # open a shell in a running container
Remove all running and exited containers (USE WITH CARE!):
  docker container kill $(docker ps -q)
  docker rm $(docker ps -a -f status=exited -q)
To list containers, stop them, get logs
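The ''cat /proc/1/cpuset'' check above only works on cgroup v1 hosts. The script below is an added example, not code from the original page: it combines that check with the other usual markers (the ''/.dockerenv'' file Docker creates, the ''container='' variable that podman, LXC and systemd-nspawn export to PID 1, and the runtime names that appear in ''/proc/1/cgroup''). The optional root argument and the function names are assumptions made here so the checks can be pointed at constructed files instead of the live ''/proc''.

```shell
#!/bin/sh
# Am I inside a container? Added example, not from the original page.
# $1 is an optional alternative root (assumption made here) so the checks can
# be run against constructed files; leave it empty on the machine you probe.

# cgroup v1: /proc/1/cpuset reads "/docker/<id>" and every line of
# /proc/1/cgroup ends in that path (or kubepods, containerd, lxc, libpod ...).
# cgroup v2 with a private cgroup namespace (Docker's default on v2 hosts):
# /proc/1/cgroup is just "0::/" and /proc/1/cpuset is "/", so on its own the
# page's check gives a false negative there.
cgroup_names_runtime() {
    [ -r "$1" ] && grep -Eq '/(docker|containerd|kubepods|lxc|libpod)' "$1"
}

# Prints the marker that matched and returns 0 when a container is detected;
# returns 1 (nothing printed) when no marker matched.
in_container() {
    root=${1:-}
    # Docker creates this empty file in the root of every container.
    if [ -e "$root/.dockerenv" ]; then echo dockerenv; return 0; fi
    # podman, LXC and systemd-nspawn export container=<runtime> to PID 1
    # (readable from inside the container, where PID 1 is our own entrypoint).
    if [ -r "$root/proc/1/environ" ] &&
       tr '\0' '\n' <"$root/proc/1/environ" | grep -q '^container='; then
        echo environ; return 0
    fi
    if cgroup_names_runtime "$root/proc/1/cgroup"; then echo cgroup; return 0; fi
    if cgroup_names_runtime "$root/proc/1/cpuset"; then echo cpuset; return 0; fi
    return 1
}
```

Run ''in_container'' with no argument on the box you are probing; it prints the marker that gave the container away. Treat a negative as "not detected" rather than "bare metal": a cgroup v2 host whose runtime creates no ''/.dockerenv'' and sets no ''container='' variable passes all four checks.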
etc., [[https://www.docker.com/sites/default/files/Docker_CheatSheet_08.09.2016_0.pdf|**check this link**]]
List images on the host:
  docker images
  docker commit 3a09b2588478 mynewimage   # commit the changes of a running container as a new image layer (handy, but not reproducible: the image carries no record of what was done to it)
  docker build   # the preferred method: a Dockerfile gives a repeatable, reviewable build sequence
To delete an image:
  docker rmi [OPTIONS] IMAGE [IMAGE...]
----
\\
Normally, Docker's files live in /var/lib/docker (readable by root only):
  usermod -aG docker jsantosa   # so jsantosa can run docker without sudo
  [jotasancent@localhost Desktop]$ sudo ls -l /var/lib/docker/
  total 56
  drwx------. 20 root root 4096 Jul 10 12:50 containers
  drwx------. 5 root root 4096 Mar 29 13:49 devicemapper
  /home/jsantosa/.local/share/containers   # for (rootless) podman
Security note: membership of the ''docker'' group is equivalent to root on the host. The daemon runs as root and any member can ask it to start a container with the host's root filesystem bind-mounted, or with --privileged, so only grant it to people you would also give sudo to; rootless Docker or podman is the alternative when that is not acceptable.
Show containers:\\
  docker ps      # running containers
  docker ps -a   # all containers, including stopped ones
note: the PORTS column lists the ports the container EXPOSEs; an entry like 0.0.0.0:8080->80/tcp means the port is published (reachable from outside the host), a bare 80/tcp means it is only exposed, i.e. reachable from other containers on the same network.
Manage images and containers:
  docker ps -a                      # all containers
  docker images                     # stored images
  docker search --no-trunc <term>   # look for images in the remote registry and show the full descriptions
  docker rm -f [container name or ID]
  docker rmi [image name or ID]
''docker inspect'' shows a container's metadata (config, mounts, network, capabilities, privileged flag) without connecting to it:
  docker run -it ubuntu                              # start and connect to a shell
  docker inspect 25b4bff1417c | jq .                 # check the instance parameters
  docker exec -it "id of running container" bash     # connect to a shell in the running container
Creating images:
  docker import   # loads a tarball into Docker. The imported tarball becomes a standalone image with a single layer and no history (unlike an image produced by docker build)
__Troubleshooting__\\
  docker info
Containers are just host processes running in other namespaces on top of a copy-on-write filesystem, so from the host we can list what files changed since the container started and copy any of them out:
  docker diff <container>                            # A added, C changed, D deleted; covers the writable layer only, volumes are not listed
  docker cp <container>:/var/log/nginx/error.log .
----
__**DOCKER NETWORKING**__
Two plugin models: CNM (Docker's Container Network Model, the classical one) and CNI (the one Kubernetes uses).
  * driver:
    * host: no network namespace, the container shares the host's network stack (no isolation at all)
    * overlay: multi-host network carried over VXLAN
    * bridge: the default; one Linux bridge per network on the host
  * docker0 interface: the default bridge between the host and the containers' internal subnet; outbound traffic is masqueraded (NAT) with iptables, inbound traffic only reaches published ports
  * veth0,1..: one end of a veth pair per container; the other end sits inside the container's network namespace as eth0
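A worked example for the troubleshooting commands above, added here and not part of the original page: ''triage_diff'' reads the A/C/D lines that ''docker diff'' prints and flags the changes that are unusual for a service container (account files, cron and ld.so.preload, new or replaced system binaries, droppers in world-writable directories, shell or ssh artefacts in root's home, deleted logs); ''triage_container'' runs it against a live container and ''collect_artifacts'' copies the interesting paths out with ''docker cp''. The path categories are an assumed starting point rather than a complete indicator list, and the function names are choices made here.

```shell
#!/bin/sh
# Added example (not from the original page): triage `docker diff` output.
# docker diff prints one line per path changed in the container's writable
# layer: "A <path>" added, "C <path>" changed, "D <path>" deleted. Volumes and
# tmpfs mounts are not part of that layer and never appear in the listing.

# Read diff lines on stdin; print "<kind> <path> <reason>" for every change
# that is unusual for a service container. Returns 0 when nothing was flagged,
# 1 otherwise. The categories are an assumed starting point, not a full list.
triage_diff() {
    flagged=0
    while read -r kind path; do
        reason=
        case "$kind $path" in
            "C /etc/passwd"|"C /etc/shadow"|"C /etc/group"|"C /etc/sudoers")
                reason="account database modified" ;;
            "A /etc/cron"*|"C /etc/cron"*|"A /etc/ld.so.preload"|"C /etc/ld.so.preload")
                reason="persistence hook touched" ;;
            "A /usr/bin/"*|"A /usr/sbin/"*|"A /bin/"*|"A /sbin/"*|"A /usr/local/bin/"*)
                reason="new binary in a system path" ;;
            "C /usr/bin/"*|"C /usr/sbin/"*|"C /bin/"*|"C /sbin/"*|"C /usr/lib/"*|"C /lib/"*)
                reason="system binary or library replaced" ;;
            "A /tmp/"*|"A /var/tmp/"*|"A /dev/shm/"*)
                reason="file dropped in a world-writable directory" ;;
            "A /root/.ssh"*|"C /root/.ssh"*|"A /root/.bash_history"|"C /root/.bash_history")
                reason="interactive/ssh artefact in root's home" ;;
            "D /var/log/"*)
                reason="log file deleted" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$kind" "$path" "$reason"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Diff a live container and triage the result.
triage_container() {   # usage: triage_container <container>
    docker diff "$1" | triage_diff
}

# Copy a list of container paths into <outdir>, keeping the path in the file
# name. Do this before the container is stopped or removed: with --rm the
# writable layer, and the evidence in it, disappears when the container exits.
collect_artifacts() {   # usage: collect_artifacts <container> <outdir> <path>...
    ctr=$1; dest=$2; shift 2
    mkdir -p "$dest"
    for p in "$@"; do
        docker cp "$ctr:$p" "$dest/$(printf '%s' "$p" | tr / _)"
    done
}
```

Typical use is ''triage_container web1 || collect_artifacts web1 ./evidence /etc/ld.so.preload /tmp/.x'' after a look at the flagged lines. Because ''docker diff'' only sees the writable layer, a change that landed on a volume or a tmpfs (and a container image that was already backdoored before it started) will not show up here; compare the image against its registry digest separately.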
  docker network create --driver=bridge --subnet=192.168.99.0/24 br0   # creates a simple bridge network
  docker run -itd --rm --name C1 --network=br0 busybox                # creates a container and connects it to that network
[[https://container.training/intro-fullday.yml.html#239|This]] shows how to assign a CNM network to containers, and more.
  podman run -d nginx   # -d means daemonize (detached)
  * find the docker0 IP: it is the default gateway of every container on the default bridge
__IPV6__\\
{{ :virtualization:docker_networking_deep_dive.pdf |}}\\
Unlike IPv4, the classic Docker IPv6 setup does **not use NAT**: each container gets its own routable IPv6 address. (Newer Engine releases can also masquerade IPv6 through ip6tables; the deep dive assumes the routed model.)\\
For networking, we have two options:
  - Route a /64 to each Docker host and announce it with BGP from a speaker on the host; containers take addresses from that /64. In the extreme version of this design each container gets its own /64 and runs its own BGP speaker.
  - Give containers addresses out of the LAN's /64 and run an NDP proxy on the host, so that neighbours on the LAN discover the containers' addresses through the host.