@cflynn07
Created November 25, 2020 17:16
Ch 2. Docker
Three things to be aware of when referring to Docker as a technology:
Runtime
Lowest level, starts/stops containers. Builds OS constructs like namespaces and cgroups
Containerd & runc
runc - low-level runtime, interface with OS start/stop. Every container has a runc instance managing it.
containerd - higher-level runtime, manages entire lifecycle including pulling images
Daemon
Orchestrator
OCI - governance council, standardizes low-level fundamental components of container infrastructure
Ch 3. Installing Docker
Ch 4. The big picture
Default communication IPC/Unix socket /var/run/docker.sock
Image: object w/ OS filesystem, app, dependencies
Ch 5. The Docker Engine
Original docker arch: daemon -> LXC -> linux stuff (namespaces, cgroups, etc)
Modern docker arch: client -> daemon -> containerd -> runc + plugins
Libcontainer developed as a replacement for LXC to aid multi-platform support
runc - reference implementation of OCI container-runtime-spec
containerd presents images to runc as valid OCI bundles
runc is basically a wrapper for libcontainer
Docker daemon communicates with containerd via gRPC
runc starts container as child process and exits, also interfaces with OS for namespaces/cgroups/etc
Docker-containerd-shim - keeps STDIN/STDOUT streams open and reports container’s exit status back to daemon
/etc/docker/daemon.json configuration file
Ch 6. Images
Dangling image: an image that no longer has a tag. Happens most often when building a new image and reusing an existing tag
Storage driver - responsible for stacking layers, presenting as unified filesystem/image
Distribution hash - hash of the compressed version of the layer
Manifest lists - list of architectures supported by a particular image tag, each supported arch has a “manifest” detailing its specific layers
“docker manifest” command lets you inspect the manifest of any image on Docker Hub
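Added example (not code from the gist or from Docker itself) tying the distribution hash and manifest notes above together: the digest in a manifest's layer list is the sha256 of the compressed layer blob, so a client can check size and digest before unpacking anything. Layer contents and function names are constructed for illustration.

```python
"""Verify a layer blob against its manifest entry. The distribution digest is
the sha256 of the compressed layer as it travels over the registry; the
diff_id recorded in the image config is the sha256 of the uncompressed tar."""
import gzip
import hashlib
import io
import tarfile


def make_layer(files: dict) -> bytes:
    """Build a deterministic gzip-compressed tar layer from {path: content}.
    Constructed sample input standing in for a real layer from a registry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp keeps the digest reproducible
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(buf.getvalue(), mtime=0)


def digest(blob: bytes) -> str:
    """Digest string in the "sha256:<hex>" form used by manifests."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def diff_id(compressed_blob: bytes) -> str:
    """Content hash of the uncompressed tar (what the image config records)."""
    return digest(gzip.decompress(compressed_blob))


def manifest_entry(compressed_blob: bytes) -> dict:
    """Layer descriptor as it appears in an image manifest's "layers" list."""
    return {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": len(compressed_blob),
            "digest": digest(compressed_blob)}


def verify_layer(entry: dict, blob: bytes) -> bool:
    """Accept a downloaded blob only if both size and distribution digest
    match the manifest. A mismatch means the bytes were altered or corrupted
    in transit; such a blob should not be unpacked."""
    return entry["size"] == len(blob) and entry["digest"] == digest(blob)
```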
Ch 7. Containers
Restarts restart current container, do not create new container
Ch 8. Containerizing an app
COPY & ADD instructions perform checksums on files when determining whether or not to use cache
Tip: apt-get install flag --no-install-recommends
Ch 9. Deploying Apps with Docker Compose
Docker-compose is a python binary (originally was “fig”)
Docker-compose “overlay” networks allow standalone containers to attach to them
Ch 10. Docker Swarm
Nodes divided into managers/workers
Etcd used for configuration and state storage
Nodes join swarm as managers or workers depending on their “token” value
Managers active-passive, commands forwarded to active
Swarm uses Raft consensus algorithm
Tip: use odd number of managers, avoid split-brain
Services can be created declaratively or imperatively, a la k8s
Background reconciliation loop
Ch 11. Docker Networking
CNM - container network model. Open-source pluggable architecture for networking.
Libnetwork - Docker's implementation of CNM
CNM has 3 parts: sandboxes, endpoints, networks
Endpoints connect sandbox to network (virtual network interfaces)
Networks are software switches
“Bridge” default network driver (replicates a switch)
Default docker “bridge” network doesn’t support docker-dns lookups of containers? (why?) but user-defined bridge networks do
Port mappings (host port to container port)
Overlay networks - multi-host
MACVLAN (Linux) / transparent (Windows) driver connects to existing networks, makes containers first-class citizens on the existing network (own MAC address, IP address)
Possible to configure swarm services + containers with custom DNS resolvers (just edits /etc/resolv.conf)
Ch 12. Docker overlay networking
Overlay networks only extend to worker nodes when they are tasked with running a container in the network (lazy)
Docker overlay networking uses VXLAN tunnels to create virtual layer 2 overlay networks
VTEP - VXLAN Tunnel Endpoint
Ch 13. Volumes and persistent data
Additional volume drivers available on hub.docker.com
Ch 14. Deploying apps with Docker Stacks
Secrets: “external” means the secret is required to exist before the stack can be deployed
Stacks, unlike compose, do not support builds
Secrets mounted to containers as regular files (/run/secrets)
Placement constraints limit which nodes a service runs on
Ch 15.