Docker: from zero to multi-container setups
I've hacked some Docker. Here are the resources that were most essential for me.
What is Docker?
Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications. Consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service for sharing applications and automating workflows, Docker enables apps to be quickly assembled from components and eliminates the friction between development, QA, and production environments. As a result, IT can ship faster and run the same app, unchanged, on laptops, data center VMs, and any cloud.
Basics of Building with Docker
Start with official Docker User Guide. It starts from scratch and teaches you a lot. Hop off when you feel comfortable with the idea of integrating a few containers.
Beyond the Basics
fig is a great way to do your first multi-container experiments. http://www.fig.sh/
Fig has evolved into an official tool, docker-compose, part of a really promising toolchain: Orchestrating Docker with Machine, Swarm, and Compose
Read Dockerfile best practices (official)
Mind your "init" process! (remember, this is still Linux)
- Why you have to care: the PID 1 zombie reaping problem, explained in Docker and the PID 1 Zombie Reaping Problem
- For mature Docker usage, you need a complete init process. Even if you do not use Phusion's baseimage-docker, its init process sets a good example
- If you need to set environment variables, you may want to follow Phusion's example
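A minimal reaping init in C, added here to illustrate the point above; it is my own example, not Phusion's my_init or any other project's code, and the function names are mine. It forwards SIGTERM/SIGINT to the workload (as PID 1 those signals are otherwise ignored, so `docker stop` would hang until the kill timeout) and keeps calling wait() so that orphaned grandchildren re-parented to PID 1 are reaped instead of lingering as zombies.

```c
/* Minimal PID-1-style init for a container: runs the real workload, forwards
 * SIGTERM/SIGINT to it, and reaps every child (including orphaned
 * grandchildren re-parented to PID 1) so zombies never pile up.
 * Added example; not Phusion's my_init or any other project's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
static volatile sig_atomic_t g_main_pid = 0;   /* PID of the main workload */
/* As PID 1 a process ignores SIGTERM unless it installs a handler, so a
 * `docker stop` would hang; forward the signal to the workload instead. */
static void forward_signal(int sig) {
    if (g_main_pid > 0) kill(g_main_pid, sig);
}
/* Fork a child that exits with `code` at once (demo/test helper). */
pid_t spawn_exiting_child(int code) {
    pid_t p = fork();
    if (p == 0) _exit(code);
    return p;
}
/* Reap children until `main_pid` exits. Any other child that ends in the
 * meantime (an orphan re-parented to us) is reaped too; that is the step a
 * bare `CMD ./app` running as PID 1 usually skips. Returns the workload's
 * exit code, or 128+signal if it was killed. */
int reap_until_main_exits(pid_t main_pid) {
    int status = 0;
    for (;;) {
        pid_t pid = wait(&status);
        if (pid == main_pid) break;
        if (pid < 0 && errno == EINTR) continue;   /* a signal interrupted us */
        if (pid < 0) return 128;                   /* ECHILD: workload gone */
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    struct sigaction sa = {0};
    sa.sa_handler = forward_signal;
    sigaction(SIGTERM, &sa, NULL);
    sigaction(SIGINT, &sa, NULL);
    g_main_pid = fork();
    if (g_main_pid == 0) { execvp(argv[1], argv + 1); perror("execvp"); _exit(127); }
    return reap_until_main_exits(g_main_pid);
}
```

Build it, copy the binary into the image and use it as the `ENTRYPOINT` in front of your real command; outside a container it is not PID 1, so orphans are not re-parented to it, but the reaping loop behaves the same.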
Docker logs can grow unbounded... you'll want to handle that if you use Docker in production, e.g. Manage Docker logs with fluentd
Troubleshooting for boot2docker users: "If you use a lot of containers which expose the same port, you have to use docker dynamic port forwarding." boot2docker Workarounds: Port Forwarding on Steroids. I ran into this the first time I tried running several NetflixOSS services in Docker containers, using boot2docker. For more helpful tips on running Docker on OS X, check this great post.
For the curious and the skeptical
- Here's an early success story with impressive scale: Running 14,000 tests a day
- Why to use Docker instead of just using Vagrant
- Regarding CoreOS... ignore CoreOS for now, use Docker, Vagrant, etc. CoreOS might become relevant when they get their stuff together (for example, ship with Python, to support Ansible...) but not yet.
- Set up a private PaaS at your company to hack with: Deis or Flynn (comparison)
- Century Link Labs has lots of great blog posts about Docker
- Security. Like any other virtualization technology, you must stay aware of security issues. Docker isn't magical. Here's some reading material:
- Obviously, you should be wary of non-official images from Docker Hub. (No surprises here.) Set up your own Docker Hub at your organization.
- From the Docker Security docs, "You can add an extra layer of safety by enabling Apparmor, SELinux, GRSEC, or your favorite hardening solution."
- Docker's just a bit dodgy, but ready for rollout says Gartner
- CVE-2014-3499 (HIGH) was a privilege issue, but this was very early on... note that one of the Docker maintainers had a very good reply to discussion of this vulnerability: "When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly."
- An article rounding up a few security flaws and fixes (CVE-2014-5277, CVE-2014-6407, CVE-2014-6408)
- Another post criticizing insecure verification for images by one founder of Flynn, the Docker-powered private PaaS I mentioned earlier
- In any case, if Docker goes sour, you'll be able to migrate. Cf. the App Container Spec effort (& additional reading & additional reading)