@denise-sanders
Last active August 15, 2017 17:06
Docker:
Containerization is not virtualization: Docker doesn't simulate hardware and offer it to a program; it restricts a program to the resources it has specifically been allowed. Linux already provides the kernel features for this (namespaces and cgroups), so Docker doesn't implement containment itself; it provides a wrapper and an easy interface so people don't mess up containerizing.
Docker's containers are isolated with respect to:
pid - a container gets its own pid namespace, which means containers can't see or control processes in other containers (I think). It also means two copies of the same program (say nginx, when one is already running on the host) don't collide as processes; the port conflict is actually handled by the net namespace below. Can be overridden with --pid (for example --pid=host drops this isolation). Can be called "process isolation".
uts namespace - host name and domain name
mnt namespace - file system access and structure. A new container gets its own mnt namespace, and a new mount point is created for the container onto the image.
ipc namespace - process communication over shared memory (does this mean it can't use shared memory? No: it can, but only with processes in the same ipc namespace; --ipc=host removes that separation)
net namespace - network access and structure (interfaces, routes, ports)
user namespace - user names and identifiers. Note that Docker does not enable user namespaces by default: unless the daemon is configured with userns-remap, root inside the container is uid 0 on the host as well.
chroot - is used to make the root of the image file system the root in the container’s context. This prevents anything running inside the container from referencing any other part of the host file system.
cgroups - resource limits (CPU, memory, I/O), so one container can't starve the others
Docker image: snapshot of all the files that should be available to a program running inside a container.
^ A container is a running image? Roughly: the daemon uses the image as the read-only starting file system, creates the container from it, and adds a writable layer on top for the running program.
Docker solves problems in installation and dependencies, and keeping things separate.
Portability. On Mac OS X and Windows, Docker uses a small Linux virtual machine to run the containers, which is better than running each program in its own VM because of performance; there is minimal overhead from running the single VM.
Anything in a container can only access things in that container, so if something malicious is inside a container it can only attack what is in the container. Caveat: this holds only as long as the shared kernel and the container's configuration enforce it. Every container runs on the host's kernel, so a kernel bug, a --privileged container, a bind mount of the Docker socket or of host directories, or a dropped namespace (--pid=host, --net=host) gives a process inside the container a way to reach the host.
Docker containers can only run software that runs on Linux (at least at the time Docker in Action was written; I bet this has changed by now), but it can run anywhere.
Containers don't help with programs that need full access to the machine, and it's dangerous to run containers that run with administrative access.
Docker runs as root. Because of all the resources it has to manage? Yes: the daemon creates namespaces, cgroups, mounts and iptables rules, all of which require root. The security consequence is that anyone who can talk to the daemon's socket (/var/run/docker.sock, or membership in the docker group) can start a container that bind-mounts the host file system and is therefore effectively root on the host.
The image's name is its repository name (e.g. nginx or dockerinaction/ch2_mailer), optionally followed by a tag.
The running state of a container is directly tied to the running state of a single program inside the container. What if you have two programs? Do you specify a main one? Yes: the entrypoint/command process becomes PID 1 in the container, and the container exits when that process exits. To run two programs you make a supervisor the main process and have it start the others.
Detached containers are detached from the terminal (does that mean no input and output from the command line? Yes: stdin is closed and nothing is printed to your terminal, but stdout/stderr still go to the container's log, and you can reattach with docker attach).
Interactive containers take input or display output on the terminal; that's it. '-i' keeps the container's stdin open, and '-t' has Docker allocate a pseudo-terminal for the container, which lets you pass signals to the container (like SIGKILL and whatever, or just any input? I think it's just signals like SIGKILL and -i handles the other stuff).
There are logs! Pick a container with 'docker logs <container name>'; add -f or --follow to keep printing updates to the screen.
docker exec is used to run additional processes in an already running container.
Metaconflicts: conflicts between containers in the Docker layer (for example two containers with the same --name), as opposed to conflicts inside the containers.
In bash it's easy to save the container id:
CID=$(docker create nginx:latest)    # docker create prints the new container's id
CID=$(docker ps --latest --quiet)    # or: the id of the most recently created container
Docker containers are always in one of four states: running, paused, restarting, exited.
Gee, what a surprise: containers must be started after the containers they depend on
^ which means you can't have circular dependencies
docker inspect shows you all the metadata for a container (as JSON), including its configuration, mounts, and network settings
Building environment agnostic systems:
Docker has three tools for this:
- read-only file systems (use the --read-only flag to invoke; the container's root file system can't be written, so a compromised process can't drop files or modify the installed binaries)
- environment variable injection (when you run the container with -e or --env you specify name=value for the environment variables you use; note that anyone who can run docker inspect sees these values, so they are a poor place for secrets)
- volumes (let you make exceptions to read-only, e.g. a writable mount for the paths a program needs to write)
Durable containers:
the --restart flag can be used to never restart (no, the default), always restart, or restart only on failure, optionally with a limit (on-failure[:max-retries]); when failures are detected Docker waits with a growing backoff before each restart
the problem is it's hard to diagnose, because you can't docker exec into a container that isn't running. Might want to have the container use a supervisor or init.d process as PID 1, so the main program can crash and be restarted while the container stays up
Docker containers have an entrypoint program; you can override it by passing --entrypoint="<whatever command>"
you can see processes running in a container by running 'docker top <container name>'
docker rm removes containers and cleans up all their resources (managed volumes are kept unless you add -v)
Images have identifiers, but the id changes every time a change is made to the image, so it's easier to keep track of the repository name. The flip side: a tag like :latest is mutable and can be re-pointed at different content, so only the image id, or a digest, pins exactly what you run.
<registry host>/<username>/<short name>:<tag>
Dockerfiles are scripts for creating images. They let images be marked as trusted on a registry because it's known how the image was built. That trust is only as good as the base image and whatever the Dockerfile downloads during the build.
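The naming scheme above has defaults that are easy to get wrong when auditing what actually runs (docker.io and library/ are implied, :latest is implied, and a @sha256 digest is the only part that pins content). The parser below is an added example, not code from the notes or from Docker; it follows the reference grammar Docker uses (a leading component is a registry host only if it contains a '.' or ':' or is 'localhost'), and the names parse_image_ref, ImageRef and is_valid_ref are my own.

```python
"""Parse and normalize Docker image references.

Added example (not from the notes or from Docker's own code). Grammar assumed:
    [registry-host[:port]/][namespace/]name[:tag][@sha256:<64 hex>]
Defaults: registry docker.io, namespace 'library' for single-component names
on docker.io, tag 'latest' when neither a tag nor a digest is given.
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # namespace/name, e.g. library/nginx
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        """Only a digest identifies fixed content; a tag can be re-pointed."""
        return self.digest is not None

    def __str__(self) -> str:
        s = f"{self.registry}/{self.repository}"
        if self.tag:
            s += f":{self.tag}"
        if self.digest:
            s += f"@{self.digest}"
        return s


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest, filling defaults."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    # The first path component is a registry host only if it looks like one.
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    # A tag is whatever follows the last ':' in the last path component.
    tag = None
    last_slash, colon = path.rfind("/"), path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")
    if not path or path.startswith("/") or path.endswith("/"):
        raise ValueError(f"malformed repository: {path!r}")
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path          # official images live under library/
    if tag is None and digest is None:
        tag = "latest"                    # the implied, mutable default
    return ImageRef(registry, path, tag, digest)


def is_valid_ref(ref: str) -> bool:
    try:
        parse_image_ref(ref)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("busybox", "wordpress:4", "dockerinaction/ch2_mailer",
                 "localhost:5000/myapp:1.2", "nginx@sha256:" + "0" * 64):
        r = parse_image_ref(name)
        print(f"{name:45} -> {r}  pinned={r.pinned}")
```

Run it over the image names used in these notes: everything except the digest form resolves to a mutable tag, which is why a production start script should carry the @sha256 digest rather than wordpress:4.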
to export an image:
docker save -o myfile.tar busybox:latest
to load:
docker load -i myfile.tar
docker build -t <repository name> <context directory>    # the last argument is the build context (usually .), which must contain the Dockerfile; use -f to point at a Dockerfile with another name
A layer is an image that is related to at least one other image. Usually what we use as an image is a collection of image layers stacked on each other.
docker rmi (removes one or more images)
A union file system is part of a critical set of tools that combine to create effective file system isolation. The other tools are MNT namespaces and the chroot system call. From inside a container, the file system operates as though it’s not running in a container or operating on an image. From the perspective of the container, it has exclusive copies of the files provided by the image, which is done by the union file system.
A network interface has an address and represents a location. You can think of interfaces as analogous to real-world locations with addresses. A network interface is like a mailbox. Messages are delivered to a mailbox for recipients at that address, and messages are taken from a mailbox to be delivered elsewhere. It’s common for computers to have two kinds of interfaces: an Ethernet interface and a loopback interface. An Ethernet interface is what you’re likely most familiar with. It’s used to connect to other interfaces and processes. A loopback interface isn’t connected to any other interface. At first this might seem useless, but it’s often useful to be able to use network protocols to communicate with other programs on the same computer. In those cases a loopback is a great solution.
In keeping with the mailbox metaphor, a port is like a recipient or a sender. There might be several people who receive messages at a single address. For example, a single address might receive messages for Wendy Webserver, Deborah Database, and Casey Cache, as illustrated in figure 5.1. Each recipient should only open his or her own messages. In reality, ports are just numbers defined as part of the Transmission Control Protocol (TCP) (and likewise UDP) and represent a process.
All containers connected to docker0 can talk to each other (because they are part of the same virtual subnet). This is the default; inter-container communication over the bridge can be turned off with --icc=false on the daemon, after which only explicitly linked containers can reach each other.
Four kinds of networking options for Docker containers:
- closed: no network traffic is allowed, and processes in the container only have access to the loopback interface (--net none). To build this kind, simply skip the step where you create an externally accessible network interface. Programs in this container can only talk to each other.
- bridged: (the default) the container gets its own interface on the docker0 bridge; only ports published with -p are reachable from outside the host
- joined: the container shares another container's network namespace (--net container:<name>), so the two see the same interfaces and ports
- open: the container shares the host's network namespace (--net host); there is no network isolation at all
# starting docker script (from Docker in Action ch2; --link is the legacy way to wire containers together)
SQL_CID=$(docker create -e MYSQL_ROOT_PASSWORD=ch2demo mysql:5)   # -e injects the db password; anyone who can docker inspect can read it
docker start $SQL_CID
MAILER_CID=$(docker create dockerinaction/ch2_mailer)
docker start $MAILER_CID
WP_CID=$(docker create --link $SQL_CID:mysql -p 80 \
-v /run/lock/apache2/ -v /run/apache2/ \
--read-only wordpress:4)   # read-only rootfs, with managed volumes only where apache needs to write; -p 80 publishes port 80 on a random host port
docker start $WP_CID
AGENT_CID=$(docker create --link $WP_CID:insideweb \
--link $MAILER_CID:insidemailer \
dockerinaction/ch2_agent)   # created last because it links to both wp and mailer
docker start $AGENT_CID
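The script above hand-orders the starts so that every --link target is up first. For more than a handful of containers it is worth computing that order from the link declarations and refusing cycles, which is the rule "containers must be started after the containers they depend on, so no circular dependencies" in code. This is an added example, not from the notes or from Docker; the names start_order, has_cycle, docker_start_commands and CH2_DEPS are my own, and CH2_DEPS is constructed from the script's --link flags.

```python
"""Compute a container start order from --link dependencies.

Added example, not from the notes or from Docker. A container may only be
started after the containers it --links to; a cycle means no valid order
exists, and it is reported by name. Depth-first search with a 'visiting'
stack finds both the order and any cycle in one pass.
"""
from typing import Dict, List, Set


class DependencyCycle(Exception):
    pass


def start_order(deps: Dict[str, Set[str]]) -> List[str]:
    """Return a start order in which every container follows its dependencies.

    deps maps container name -> set of containers it links to. Containers
    that appear only as dependencies are included as well.
    """
    graph = {name: set(d) for name, d in deps.items()}
    for d in deps.values():
        for dep in d:
            graph.setdefault(dep, set())
    order: List[str] = []
    done: Set[str] = set()
    visiting: List[str] = []      # current DFS path, used to report the cycle

    def visit(name: str) -> None:
        if name in done:
            return
        if name in visiting:
            cycle = visiting[visiting.index(name):] + [name]
            raise DependencyCycle(" -> ".join(cycle))
        visiting.append(name)
        for dep in sorted(graph[name]):   # sorted for a deterministic order
            visit(dep)
        visiting.pop()
        done.add(name)
        order.append(name)                # post-order: dependencies first

    for name in sorted(graph):
        visit(name)
    return order


def has_cycle(deps: Dict[str, Set[str]]) -> bool:
    try:
        start_order(deps)
        return False
    except DependencyCycle:
        return True


def docker_start_commands(deps: Dict[str, Set[str]]) -> List[str]:
    """Render the order as the 'docker start' lines one would run."""
    return [f"docker start {name}" for name in start_order(deps)]


# Constructed from the notes' startup script: SQL_CID, MAILER_CID, WP_CID
# and AGENT_CID become the names sql, mailer, wp, agent.
CH2_DEPS: Dict[str, Set[str]] = {
    "sql": set(),
    "mailer": set(),
    "wp": {"sql"},
    "agent": {"wp", "mailer"},
}

if __name__ == "__main__":
    print("\n".join(docker_start_commands(CH2_DEPS)))
    try:
        start_order({"a": {"b"}, "b": {"a"}})
    except DependencyCycle as e:
        print("refusing to start, cycle:", e)
```

With the constructed table the order comes out as mailer, sql, wp, agent, which is the same constraint the hand-written script satisfies; swapping in a cycle such as a -> b -> a raises instead of looping.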
A volume is a mount point on the container's directory tree where a part of the host directory tree is mounted. Use it for data whose scope or lifecycle is greater than the container's.
^ Probably a good idea to put log data in a file attached by a volume, so the logs survive the container and can be read from the host.
Two kinds of volumes:
bind mount - any directory or file on the host specified by the user (also the dangerous kind: mounting /var/run/docker.sock or host system directories hands the container control over the host)
managed volume - uses a location created by the Docker daemon in Docker-managed space
--volume ~/where/im/mounting:/home/absolute/path/to/file.txt:ro
^ the :ro specifies read-only and is optional (the syntax is host path:container path[:ro])
^ if you specify a nonexistent host directory, Docker creates it (owned by root). But usually you want to create it yourself and set the permissions and ownership.
^ to create a managed volume, run --volume with just the container mount point
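The isolation caveats scattered through these notes (a container is only as contained as its configuration: --privileged, --pid=host, --net=host, --ipc=host, bind mounts of the Docker socket or host directories, a writable root file system, running as root) can all be read back out of docker inspect. The audit below is an added example, not code from the notes or from Docker; it reads the JSON array that docker inspect prints and uses the field names that command emits (HostConfig.Privileged, PidMode, NetworkMode, IpcMode, CapAdd, Binds, ReadonlyRootfs, Config.User). The two records in SAMPLE_INSPECT are constructed for the example, not captured from a real host, and the function names are my own.

```python
"""Flag settings that weaken container isolation in `docker inspect` output.

Added example, not from the notes or from Docker. Run as
    docker inspect $(docker ps -q) | python3 audit.py
by replacing SAMPLE_INSPECT with sys.stdin.read(); the sample below is constructed.
"""
import json
from typing import Dict, List

# Host paths whose bind mount hands the container control of the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock",
                        "/", "/etc", "/proc", "/sys", "/dev")
# Capabilities that are enough to escape the container or tamper with the host.
DANGEROUS_CAPS = ("ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN")


def _sensitive(host_path: str) -> bool:
    norm = host_path.rstrip("/") or "/"
    if norm in SENSITIVE_HOST_PATHS:
        return True
    return any(norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(rec: Dict) -> List[str]:
    """Return one finding string per isolation-weakening setting in one inspect record."""
    hc = rec.get("HostConfig", {})
    cfg = rec.get("Config", {})
    findings: List[str] = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, seccomp/AppArmor off")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: can see and signal every host process")
    if hc.get("NetworkMode") == "host":
        findings.append("net=host: shares host interfaces, no port isolation")
    if hc.get("IpcMode") == "host":
        findings.append("ipc=host: shares host shared memory")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in DANGEROUS_CAPS:
            findings.append(f"cap_add {cap}: capability that enables escape or host tampering")
    for bind in hc.get("Binds") or []:          # Binds entries are host:container[:opts]
        host_path, _, rest = bind.partition(":")
        mode = rest.split(":")[1] if ":" in rest else "rw"
        if _sensitive(host_path):
            findings.append(f"bind mount {bind}: sensitive host path mounted {mode}")
    if not hc.get("ReadonlyRootfs"):
        findings.append("rootfs writable: consider --read-only plus volumes for paths that need writes")
    user = cfg.get("User") or ""
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root inside the container (uid 0 on the host without userns-remap)")
    return findings


def audit_inspect_json(text: str) -> Dict[str, List[str]]:
    """docker inspect prints a JSON array; return findings keyed by container name."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec) for rec in json.loads(text)}


# Constructed sample: one risky container and one reasonably hardened one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/risky",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "PidMode": "host", "NetworkMode": "bridge",
                    "IpcMode": "", "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"]}},
    {"Name": "/hardened",
     "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "IpcMode": "", "CapAdd": None, "ReadonlyRootfs": True,
                    "Binds": ["/srv/app/logs:/var/log/app:rw"]}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name)
        for f in findings or ["no findings"]:
            print("  -", f)
```

The "risky" record trips five checks (host pid namespace, SYS_ADMIN, the Docker socket bind mount, a writable root, root user) while "hardened" trips none; the /data:ro bind mount is not flagged because the path is not one that grants host control.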