virtualization:docker


DOCKER
Containers virtualize only user space: there is no emulated hardware and no guest kernel. Every container shares the host kernel, and the container engine isolates each container's user space with two kernel features:

  • cgroups: kernel mechanism for limiting and measuring the total resources used by a group of processes. For example, you can apply CPU, memory, network or I/O quotas (see the cgroups page).
  • namespaces: kernel mechanism for limiting what a group of processes can see of the rest of the system. For example, you can restrict visibility to a given process tree, set of network interfaces, mount table, etc.

Tutorial, all HERE
The principle of Docker is that a container is started to run one task (its main process, PID 1 inside the container). When that process has nothing left to do and exits, the container stops.


RUN container:

docker run -it --rm --name C2 {image-name} /bin/bash   # -i keeps STDIN open and -t allocates a pseudo-TTY (interactive shell); --rm removes the container and its writable layer when it exits
docker run --rm -v /foo -v awesome:/bar busybox top     # -v /foo creates an anonymous volume mounted at /foo; -v awesome:/bar mounts the named volume 'awesome' at /bar (volumes live under /var/lib/docker/volumes and bypass the image's union filesystem)
cat /proc/1/cpuset   # tell if I'm in a container or not: '/' on the host, '/docker/<container-id>' inside a container
/docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49
# caveat: on cgroup v2 hosts, or when the container has its own cgroup namespace, this can show just '/'; then also check /proc/1/cgroup and the /.dockerenv marker file
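The "am I in a container?" check above, worked through in Python as an added example (not code from the wiki page): it parses the paths found in /proc/1/cpuset or /proc/1/cgroup for a 64-hex container ID, in both the cgroup v1 form (/docker/<id>) and the cgroup v2 systemd form (docker-<id>.scope), and falls back to the /.dockerenv marker for the cgroup-namespaced case where the path is just "/". The sample file contents are constructed, reusing the container ID shown on the page; the helper names are mine.

```python
"""Is this process inside a Docker container?  Reads the files the page
mentions (/proc/1/cpuset, /proc/1/cgroup) plus the /.dockerenv marker that
the Docker engine creates in every container's root.  Added example, not
part of the wiki page; the sample file contents below are constructed."""
import os
import re

# Docker container IDs are 64 hex characters; they appear as '/docker/<id>'
# (cgroup v1) or 'docker-<id>.scope' (cgroup v2 under systemd).
_CONTAINER_ID = re.compile(r"(?:docker[-/]|/)([0-9a-f]{64})(?:\.scope)?")


def container_id_from_cgroup_text(text):
    """Return the container ID found in /proc/1/cgroup or /proc/1/cpuset
    content, or None if the paths look like a plain host."""
    for line in text.splitlines():
        # cgroup v1 lines look like '12:cpuset:/docker/<id>', v2 like '0::/...';
        # /proc/1/cpuset is just the path.  The path is after the last ':'.
        path = line.strip().rsplit(":", 1)[-1]
        m = _CONTAINER_ID.search(path)
        if m:
            return m.group(1)
    return None


def detect_container(cpuset_text, cgroup_text, dockerenv_exists):
    """Combine the checks.  On cgroup v2 hosts with a private cgroup namespace
    /proc/1/cgroup inside the container is just '0::/', so the /.dockerenv
    marker is what catches that case."""
    cid = (container_id_from_cgroup_text(cpuset_text)
           or container_id_from_cgroup_text(cgroup_text))
    evidence = []
    if cid:
        evidence.append("container id in /proc/1 cgroup path")
    if dockerenv_exists:
        evidence.append("/.dockerenv present")
    return {"in_container": bool(evidence), "container_id": cid, "evidence": evidence}


def detect_on_this_host():
    """Run the checks against the live /proc files of the current system (Linux)."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    return detect_container(read("/proc/1/cpuset"), read("/proc/1/cgroup"),
                            os.path.exists("/.dockerenv"))


# Constructed samples (not captured from a real host).
HOST_CPUSET = "/\n"
HOST_CGROUP = "0::/init.scope\n"
CONTAINER_CPUSET_V1 = "/docker/f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49\n"
CONTAINER_CGROUP_V2 = ("0::/system.slice/docker-"
                       "f51e9de5778477c1de6248c7e1bd98d4bd3780fe38d25589359c705e19003a49.scope\n")
CGROUPNS_CGROUP = "0::/\n"   # what a cgroup-namespaced container sees

if __name__ == "__main__":
    print(detect_on_this_host())
```

Run it as a script inside and outside a container to compare; none of the three checks is conclusive on its own (the marker file can be deleted, and the cgroup path can be hidden), which is why the result carries the evidence it was based on.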

Flags to be run with docker run (see man docker-run)

  • -d ←- run the container in the background (detached) and print its ID
  • -i ←- interactive: keep STDIN open even if not attached
  • -t ←- allocate a pseudo-TTY, so a shell inside the container behaves like a terminal
  • -P ←- publish all ports the image EXPOSEs to random high ports on the host (use -p host:container to choose them)

Stop a container:

docker stop f51e9de57784                          # list running and stopped containers with docker ps -a
docker restart <container-id/name>                # restart
docker exec -it <id of running container> bash    # open a shell inside a running container

To list containers, stop them, get logs, etc., check this link.

List images on the host:

docker images
docker commit 3a09b2588478 mynewimage   # commit the changes of a running container as a new image (ie: its writable layer becomes a new image layer)
docker build -t mynewimage .            # the preferred method: builds from a Dockerfile, a repeatable (and reviewable) build sequence
  

To delete an image

docker rmi [OPTIONS] IMAGE [IMAGE...]


Normally, docker files live in /var/lib/docker (root only):

[jotasancent@localhost Desktop]$ sudo ls -l /var/lib/docker/
total 56
drwx------. 20 root root  4096 Jul 10 12:50 containers
drwx------.  5 root root  4096 Mar 29 13:49 devicemapper
/home/jsantosa/.local/share/containers   # the equivalent for (rootless) podman

usermod -aG docker jsantosa   # so we can run docker as a non-root user. Caveat: anyone in the docker group can start a container with the host's filesystem bind-mounted, so membership is equivalent to root on the host.

Show containers:

docker ps -a   # -a includes stopped containers; without it only running ones are shown

note: the PORTS column shows the container's exposed TCP/UDP ports and, as host->container mappings, the ones published to the host.

Manage images and containers:

docker ps -a                          # all containers (running and stopped)
docker images                         # stored images
docker search --no-trunc <pattern>    # look for images in the remote registry and show the full description
docker rm -f [container name or ID]   # -f also kills a running container
docker rmi [image name or ID]

docker inspect lets us check a container's metadata:

docker run -it ubuntu                  # start and connect to a shell
docker inspect 25b4bff1417c | jq .     # check the instance parameters (mounts, capabilities, network mode, ...) without connecting to it
docker exec -it <id of running container> bash   # connect to a shell in the running container
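What to look for in that inspect output, as an added example (not code from the wiki page or from Docker): the script audits the HostConfig section for settings that undo the isolation described at the top of the page, such as --privileged, added capabilities, a bind mount of the Docker socket or the host root, and shared host network/PID namespaces. The HostConfig keys used (Privileged, CapAdd, Binds, NetworkMode, PidMode, SecurityOpt) are real docker inspect fields; the sample document, the list of dangerous capabilities and sensitive paths, and the function names are my own choices.

```python
"""Audit `docker inspect <container>` output for settings that weaken the
isolation the cgroup/namespace model gives you.  Added example, not code
from the wiki page or from Docker; the HostConfig keys used (Privileged,
CapAdd, Binds, NetworkMode, PidMode, SecurityOpt) are real inspect fields,
while the sample document below is constructed, not a real container."""
import json
import sys

# Host paths that hand the container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}
# Capabilities that are root-equivalent or let the container escape.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "NET_ADMIN"}


def audit_inspect(doc):
    """doc is the parsed JSON from `docker inspect`: a list with one object per
    container.  Returns a list of (container_name, finding) tuples."""
    findings = []
    for c in doc:
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append((name, "runs --privileged (all capabilities, all host devices)"))
        for cap in hc.get("CapAdd") or []:
            cap = cap.upper()
            if cap.startswith("CAP_"):
                cap = cap[4:]
            if cap in DANGEROUS_CAPS:
                findings.append((name, "adds capability " + cap))
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]          # host path or volume name
            if src == "/" or src.rstrip("/") in SENSITIVE_HOST_PATHS:
                findings.append((name, "bind-mounts sensitive host path " + src))
        if hc.get("NetworkMode") == "host":
            findings.append((name, "shares the host network namespace (--net=host)"))
        if hc.get("PidMode") == "host":
            findings.append((name, "shares the host PID namespace (--pid=host)"))
        for opt in hc.get("SecurityOpt") or []:
            if opt in ("seccomp=unconfined", "apparmor=unconfined"):
                findings.append((name, "disables a default profile: " + opt))
    return findings


# Constructed sample in the shape of `docker inspect C2 web`; not real output.
SAMPLE_INSPECT = json.loads("""[
 {"Id": "25b4bff1417c", "Name": "/C2",
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                 "NetworkMode": "host", "PidMode": "", "SecurityOpt": null}},
 {"Id": "3a09b2588478", "Name": "/web",
  "HostConfig": {"Privileged": false, "CapAdd": null, "Binds": ["awesome:/bar"],
                 "NetworkMode": "br0", "PidMode": "",
                 "SecurityOpt": ["no-new-privileges"]}}
]""")

if __name__ == "__main__":
    # usage: docker inspect <container...> | python3 audit_inspect.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for container, finding in audit_inspect(data):
        print(f"{container}: {finding}")
```

Pipe real output into it (docker inspect C2 | python3 audit_inspect.py); a container that mounts /var/run/docker.sock can start a new privileged container itself, so that single finding is already a host compromise.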

Creating images:

docker import   # loads a tarball into Docker; the imported tarball becomes a standalone image with a single layer (unlike docker load, which restores an image together with its layers and metadata)

Troubleshooting

docker info

A container is no more than processes in their own namespaces on top of a layered filesystem, so we can see which files changed during execution and copy some of them to the host machine:

docker diff <container_id>                           # A = added, C = changed, D = deleted, relative to the image
docker cp <container_id>:/var/log/nginx/error.log .
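The diff-then-cp workflow above, as an added example for triaging a container you suspect has been tampered with (not code from the wiki page): it parses docker diff output, keeps the entries under locations worth a look (persistence, credentials, binaries, staging directories) while dropping the usual log and cache noise, and emits the docker cp commands to pull them out. The sample diff output is constructed, and the prefix lists and function names are my own choices.

```python
"""Triage `docker diff <container>` output and turn the interesting entries
into `docker cp` commands.  Each docker diff line is 'A <path>' (added),
'C <path>' (changed) or 'D <path>' (deleted) relative to the image.  Added
example, not from the wiki page; the sample output below is constructed."""
import os
from collections import Counter

# Locations where a change in a running service container is worth a look:
# persistence (cron, ssh keys, shell rc files), binaries, staging dirs.
INTERESTING_PREFIXES = ("/etc/", "/root/", "/home/", "/bin/", "/sbin/",
                        "/usr/bin/", "/usr/sbin/", "/usr/local/bin/",
                        "/var/spool/cron/", "/tmp/", "/dev/shm/")
# Paths almost every running service touches; skipped to keep the list short.
NOISE_PREFIXES = ("/var/log/", "/var/cache/", "/run/", "/var/run/")


def parse_diff(text):
    """Parse docker diff output into (change, path) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if len(line) > 2 and line[0] in "ACD" and line[1] == " ":
            entries.append((line[0], line[2:]))
    return entries


def triage(text):
    """Return change counts plus the entries under INTERESTING_PREFIXES.
    docker diff also lists each parent directory of a changed file ('C /etc');
    the trailing slash in the prefixes keeps those directory entries out."""
    entries = parse_diff(text)
    suspicious = [(ch, path) for ch, path in entries
                  if path.startswith(INTERESTING_PREFIXES)
                  and not path.startswith(NOISE_PREFIXES)]
    return {"counts": dict(Counter(ch for ch, _ in entries)),
            "suspicious": suspicious}


def docker_cp_commands(container, suspicious, dest="./evidence"):
    """Shell lines that pull added/changed files out of the container, keeping
    the original path layout under dest.  Deleted files (D) no longer exist in
    the container's filesystem, so nothing can be copied for them."""
    return [f"mkdir -p {dest}{os.path.dirname(path)} && "
            f"docker cp {container}:{path} {dest}{path}"
            for ch, path in suspicious if ch != "D"]


# Constructed sample, not captured from a real container.
SAMPLE_DIFF = """\
C /etc
A /etc/cron.d/update
D /etc/motd
C /root
A /root/.ssh
A /root/.ssh/authorized_keys
C /usr
C /usr/bin
A /usr/bin/kworker
C /var
C /var/log
C /var/log/nginx
C /var/log/nginx/error.log
A /tmp/.x
"""

if __name__ == "__main__":
    report = triage(SAMPLE_DIFF)
    print(report["counts"])
    for cmd in docker_cp_commands("f51e9de57784", report["suspicious"]):
        print(cmd)
```

Feed it real output with docker diff <id> | python3 triage_diff.py; the copied files keep their path under ./evidence, and for a deleted file (D) the image layer still holds the original, which docker cp from a fresh container of the same image can retrieve.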

DOCKER NETWORKING: CNM (Docker's Container Network Model) vs CNI (the Container Network Interface used by Kubernetes)

  • driver:
    • host: the container uses the host's network namespace (no network isolation)
    • overlay: network spanning several hosts
    • bridge (the default):
      • docker0 interface: a bridge on the host between the host and the internal container network; outbound traffic is NATed
      • veth0, veth1, ...: one veth pair per container, one end attached to the bridge and the other inside the container's network namespace
docker network create --driver=bridge --subnet=192.168.99.0/24 br0   # creates a simple bridge network
docker run -itd --rm --name C1 --network=br0 busybox                  # creates a container and connects it to that ^ network

See this link to assign a CNM network to containers and more.

podman run -d nginx    # -d means daemonize (run detached)
ip addr show docker0   # find the docker0 IP on the host

DOCKER NETWORKING: IPV6

docker_networking_deep_dive.pdf
Unlike IPv4, Docker networking with IPv6 does not use NAT: each container gets its own routable IP. For getting traffic routed to the containers we have two options:

  1. Every Docker container gets a /64 and advertises it via BGP; each container is a BGP speaker.
  2. Each container gets a chunk of the host's /64, and the host runs an NDP proxy so the upstream router discovers the containers through neighbour discovery.
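Option 2 worked through as an added example (not code from the wiki page or the linked PDF): the host's /64 is carved into /80 chunks, each container takes the first address of its own chunk, and the host is told to answer neighbour solicitations for those addresses on its uplink. The prefix (a documentation prefix), the uplink interface name, the container names and the /80 chunk size are assumptions; the sysctl and ip(8) commands emitted are the standard way to enable NDP proxying on Linux.

```python
"""Carve per-container IPv6 addresses out of the host's /64 and generate the
NDP proxy configuration so the upstream router can reach them.  Added example,
not from the wiki page; prefix, interface and container names are assumed."""
import ipaddress

HOST_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")   # assumed documentation prefix
UPLINK_IF = "eth0"                                          # assumed host interface facing the router


def allocate(prefix, names, per_container_bits=16):
    """Split the /64 into chunks (16 bits -> /80s, 65536 of them) and give each
    container the first address of its own chunk.  Chunk 0 is kept for the host.
    Returns {name: IPv6Interface}."""
    chunk_prefixlen = prefix.prefixlen + per_container_bits
    chunks = prefix.subnets(new_prefix=chunk_prefixlen)
    next(chunks)                       # skip chunk 0, reserved for the host itself
    alloc = {}
    for name in names:
        chunk = next(chunks)
        alloc[name] = ipaddress.IPv6Interface(f"{chunk.network_address + 1}/{chunk_prefixlen}")
    return alloc


def ndp_proxy_commands(alloc, uplink):
    """Commands for the host: enable NDP proxying on the uplink and add a proxy
    entry per container address, so the host answers neighbour solicitations
    for addresses that actually live behind it."""
    cmds = [f"sysctl -w net.ipv6.conf.{uplink}.proxy_ndp=1"]
    for name, iface in sorted(alloc.items()):
        cmds.append(f"ip -6 neigh add proxy {iface.ip} dev {uplink}  # {name}")
    return cmds


if __name__ == "__main__":
    allocation = allocate(HOST_PREFIX, ["C1", "C2"])
    for name, iface in allocation.items():
        print(f"{name}: {iface}")
    print("\n".join(ndp_proxy_commands(allocation, UPLINK_IF)))
```

With no NAT in the path, every container address is directly reachable from outside; the proxy entries are what make that work, so each one should correspond to a container that is meant to be exposed.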
virtualization/docker.1644512510.txt.gz · Last modified: (external edit)