DOCKER
Containers emulate only the user space; the container engine isolates each container's user space.
Tutorial, all HERE
The principle of Docker is that a container is started to run a task. If there is no task to run, the container simply stops and exits.
RUN container:
docker run -it --rm --name C2 <image-name, e.g. busybox> /bin/bash # -i keeps STDIN open and -t allocates a TTY (INTERACTIVE); --rm removes the container and its filesystem when it exits (note: the busybox image has no bash, use /bin/sh there)
docker run --rm -v /foo -v awesome:/bar busybox top # -v /foo creates an anonymous volume mounted at /foo; -v awesome:/bar mounts the named volume 'awesome' at /bar (volumes are managed by the daemon and live outside the image's union filesystem layers)
cat /proc/1/cpuset # tell whether we are inside a container (the path format differs between cgroup v1 and v2 hosts; /proc/1/cgroup and the /.dockerenv marker file are other indicators)
/docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49
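A small POSIX shell helper, added here as an example and not part of the original notes, that automates the /proc/1/cpuset check above: it extracts the container id from cpuset/cgroup text and also looks for the /.dockerenv marker. The file-path arguments and the two sample strings are constructed so it can be exercised offline, outside a container.

```shell
#!/bin/sh
# Container detection helper (added example, not from the original notes).
# Reads cpuset/cgroup text from a file given as an argument instead of
# /proc/1/cpuset directly, so it can be tested on constructed samples.

# container_id_from_cgroup FILE
# Prints the 64-hex container id found in a path such as
#   /docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49
# and returns 1 when no id is present (i.e. this looks like the host).
container_id_from_cgroup() {
    file="$1"
    [ -r "$file" ] || return 1
    # grep -o prints only the matching part; keep the first hit and strip
    # everything up to the last slash so only the id remains.
    id=$(grep -oE '(docker|containers)/[0-9a-f]{64}' "$file" | head -n 1 | sed 's#.*/##')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# in_container [CGROUP_FILE] [DOCKERENV_PATH]
# Returns 0 if either signal says we are inside a container:
#   - the /.dockerenv marker file that docker creates in every container, or
#   - a container id in the cpuset/cgroup file (default /proc/1/cpuset).
in_container() {
    cgroup_file="${1:-/proc/1/cpuset}"
    dockerenv="${2:-/.dockerenv}"
    if [ -e "$dockerenv" ]; then
        return 0
    fi
    container_id_from_cgroup "$cgroup_file" >/dev/null
}

# Constructed samples (not captured from a real host) for offline use.
SAMPLE_IN_CONTAINER='/docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49'
SAMPLE_ON_HOST='/'

# demo: write each sample to a temp file and run both checks against it.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_IN_CONTAINER" > "$tmp"
    container_id_from_cgroup "$tmp"
    printf '%s\n' "$SAMPLE_ON_HOST" > "$tmp"
    if in_container "$tmp" /nonexistent/dockerenv; then echo container; else echo host; fi
    rm -f "$tmp"
}
```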
Flags to be run with docker run (see man docker-run)
Stop / restart / start a container:
docker stop f51e9de57784 # stop a container (list containers with docker ps -a)
docker restart <container-id/name> # restart
docker run -itd --name c3 busybox # start a container in daemon (detached) mode
docker run -it --name c2 busybox # start a container in interactive mode
docker exec -it <id of running container> bash # connect to a running container
Remove all running and exited containers (USE WITH CARE!):
docker container kill $(docker ps -q) # kill every running container
docker rm $(docker ps -a -f status=exited -q) # remove every exited container
To list containers, stop them, get logs, etc., check this link.
List images on the host, and create new ones:
docker images
docker commit 3a09b2588478 mynewimage # commit the changes of a running container (i.e. saves them as a new layer in a new image)
docker build -t mynewimage . # this is the preferred method! Performs a repeatable build sequence from the Dockerfile in the given directory
To delete an image
docker rmi [OPTIONS] IMAGE [IMAGE...]
Normally, Docker files live in /var/lib/docker (root only):
usermod -aG docker jsantosa # so we can run docker under a non-root user (note: members of the docker group can effectively get root on the host, so treat membership as a privilege)
[jotasancent@localhost Desktop]$ sudo ls -l /var/lib/docker/
total 56
drwx------. 20 root root 4096 Jul 10 12:50 containers
drwx------. 5 root root 4096 Mar 29 13:49 devicemapper
/home/jsantosa/.local/share/containers # storage location for rootless podman
Show running container:
docker ps -a
note: the PORTS column shows the ports exposed or published by the container.
Manage Images and Containers:
docker ps -a # all containers (running and stopped)
docker images # stored images
docker search <pattern> --no-trunc # look for images in the remote registry and show the full description
docker rm -f <container name or ID> # force-remove a container
docker rmi <image name or ID> # remove an image
docker inspect allows us to check the container's meta information:
docker run -it ubuntu # start and connect to a shell
docker inspect 25b4bff1417c | jq . # check the instance parameters without having to connect to it
docker exec -it <id of running container> bash # connect to the shell of a running container
Creating images:
docker import <tarball> <image-name> # loads a tarball into Docker. The imported tarball becomes a standalone image with a single layer.
Troubleshooting
docker info
Containers are no more than processes and files running in a different namespace, so we can see which files changed during execution and copy some of them back to the host machine:
docker diff <container_id> # list files changed since the container was started
docker cp <container_id>:/var/log/nginx/error.log . # copy a file from the container to the current host directory
DOCKER NETWORKING
CNM (Container Network Model, the classical Docker model) vs CNI (Container Network Interface, used by Kubernetes)
docker network create --driver=bridge --subnet=192.168.99.0/24 br0 # creates a simple bridge network
docker run -itd --rm --name C1 --network=br0 busybox # creates a container and connects it to that ^ network
This is how a CNM network is assigned to containers (and more).
podman run -d nginx # -d means daemonize (run detached)
Then find the IP of the docker0 bridge.
IPV6
docker_networking_deep_dive.pdf
Unlike IPv4, Docker with IPv6 does not use NAT: each container gets its own IP address.
For networking, we have two options: