-
engine/server (daemon)
docker version
ordocker info
-
Image: application we want to run
- hub.docker.com (default image registry)
-
Container: the instance of that image running as a process
- many containers can run off of the same image
docker container run --publish 80:80 --detach nginx:1.11
--publish
or-p
- detach runs in the background (or -d)
- 80:80 maps container port 80 to localhost port 80
:1.11
specifies a version but defaults tolatest
if not specified
docker container ls
or docker ps
will list running containers
docker container logs <name>
will spit out logs for detached container
docker container top
docker container rm <name1> <name2>
optional -f
flag to remove a container that is currently running
- looks for image locally first, then to default registry
- creates new container based on that image
- NOTE: the powerful part of docker is that it's not cloning the image and starting a new one, it's simply creating a new layer of changes on top of the existing image so there is no duplication
- gives a virtual IP on a private network inside the docker engine
- opens up port 80 and forwards to port 80 in the container
- starts the container by using the CMD in the image Dockerfile
- just (restricted) processes
- limited to what resources they can access
- exit when the process stops
- can see the process running on the host machine (
ps aux | grep <name>
)
- when running
mysql
use the--env
or-e
option to pass inMYSQL_RANDOM_ROOT_PASSWORD=yes
docker image ls
to show all local images
docker container top
- process list in a single containerdocker container inspect
- details of one container configdocker container stats
ordocker stats
- all container streaming stats
docker container run -it
- start a new container interactively (t is a pseudo-tty and i is interactive)docker container run -it --name proxy nginx bash
- normally containers will immediately run the command of the process they're starting (such as
nginx
) but in this case the command that was run is bash, which can be seen by looking atdocker container ls -a
- when you
exit
the shell the container stops because the startup command stopped
- normally containers will immediately run the command of the process they're starting (such as
- NOTE: mutually exclusive with
--detach
/-d
- in the case of an image like
ubuntu
,bash
is its default startup command- distros will have be a very minimal install
- to reconnect to a stopped interactive container pass
-ai
(attach)docker container start -ai ubuntu
docker container exec -it
- run additional command in existing container- this will allow you to run a shell inside of an existing container, like
mysql
docker exec -it <name> <new_command>
docker exec -it mysql bash
docker exec -u root -it <container_name> <new_command>
- this will allow you to run a shell inside of an existing container, like
docker pull <image_name>
- fetches the imagedocker image ls
- show all locally cached images
-
docker container run -p
- exposes default ports on the physical network -
docker container port <name>
- check ports -
Each container connected to a private virtual network called "bridge"
-
each virtual network routes through the NAT firewall on host IP (docker daemon configuring the firewall on the host inferface so the containers can get out to the internet)
-
All containers on a virtual network can talk to each other without exposing ports with
-p
- Best practice here is to have a separate virtual network for each app
- app1 for
mysql
,php
, andapache
- app2 for
mongo
andnodejs
containers
- app1 for
- containers can be connected to zero or more virtual networks
- Best practice here is to have a separate virtual network for each app
-
skip virtual networks and use host IP (
--net=host
) -
can use different Docker network drivers to gain new abilities
-
docker container inspect --format '{{ .NetworkSettings.IPAddress }}' nginx
- easier then grep when you learn the format of the container files
- get the actual IP of the container
172.17.0.4
which is a different subnet than localifconfig en0
shows me the host is a192.168
subnet
- can also be used on services
-
docker network create my_app_net
- creates a new virtual network to attach containers to
docker network ls
- list networksdocker network inspect
docker network create --driver
docker network connect
- attach a network to a containerdocker network disconnect
- detach a network from a container
sudo docker cp <container_name>:/etc/nginx/nginx.conf ./
copies the/etc/nginx/nginx.conf
file in the container to the current directory on the host machine- `docker container run --name nginx
- Volumes: make special location outside of a container's unified file system
VOLUME /var/lib/mysql
- stored in
/var/lib/docker/volumes
on the host (in a VM on Mac and Windows) and bound to/var/lib/mysql
in the container docker volume ls
- needs to be destroyed separately from the container (for insurance)
docker volume prune
- can name volumes with
docker run -d --name mysql -v mysql-db:/var/lib/mysql:ro mysql
:ro
makes it read-only
- Bind Mounts: link container path to host path
- can't use in Dockerfile, must be at
container run
docker container run -d --name mysql -v /Users/nickbrown/data:/var/lib/mysql
- can't use in Dockerfile, must be at
- configures relationships between containers
- save docker container run settings in file
- made up of two separate but related things
- yaml file describing options for containers/networks/volumes
- a cli tool (
docker-compose
) used for local dev/test automation along with the yaml files
docker-compose up
to execute thedocker-compose.yaml
in the current directory-
version: '3.1' # if no version is specificed then v1 is assumed. Recommend v2 minimum services: # containers. same as docker run site-flask-app: # a friendly name. this is also DNS name inside network # image: flask-app # use a pre-built image build: ./ # build the image in the given directory then run ports: - '80:80' # command: # Optional, replace the default CMD specified by the image # environment: # Optional, same as -e in docker run # volumes: # Optional, same as -v in docker run # volumes: # Optional, same as docker volume create # networks: # Optional, same as docker network create
-
a set of nodes all running the same docker image
-
manager
s in a Raft consesus group andworker
s in a gossip network- ??? what does that mean ???
-
docker run
was concerned with managing a single image,docker service
replaces run and starts a swarm with an initialmanager
- allows us to add replicas known as
tasks
to - a single
service
can have multiple tasks, and each one of those tasks will launch a container
- allows us to add replicas known as
-
if we start an
nginx service
and tell it to create 3 replica nodes it will create a manager node running thenginx:latest
image and spin up additional images (tasks
) on available nodes (that don't already have the image running) in the cluster/swarm, up to the maximum of 3 -
to check if swarm is running, perform a
docker info | grep [sS]warm
-
docker swarm init
- performs PKI (Public Key Infrastructure)
- root signing certificate created for the new swarm
- certs issues for first manager node
- join tokens are created (which are used to join other nodes in the swarm)
- Raft database created to store root CA, configs, and secrets
- Raft is a protocol used to enforce consistency across nodes in a cluster
- encrypted by default on disk
- prevents need for another key/value system to hold orchestration secrets (why are we using Ansible here?)
- how is this provisioned within swarm?
- replicates logs amongst managers via mutual TLS in the control plane
- performs PKI (Public Key Infrastructure)
-
docker node ls
to list nodes- there can be only one
leader
at a time -
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS lqeiauxsuqvgah1cpj22m5g3x * linuxkit-025000000001 Ready Active Leader
- there can be only one
-
docker service create alpine ping 8.8.8.8
to tell the swarm to create a new task- will return a service id and assign it a random name much like containers
docker service ls
to see a list of all services-
ID NAME MODE REPLICAS IMAGE PORTS xsmfp3su05zw nifty_dijkstra replicated 1/1 alpine:latest
docker service ps nifty_dijkstra
to see the actual container which will additionally tell you whatnode
the task/container is running on-
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS kye1ugk97sxp nifty_dijkstra.1 alpine:latest linuxkit-025000000001 Running Running 4 minutes ago
-
docker service update nifty_dijsktra --replicas 3
to scale up the cluster- another
docker service ps nifty_dijsktra
will show the additional tasks -
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS kye1ugk97sxp nifty_dijkstra.1 alpine:latest linuxkit-025000000001 Running Running 6 minutes ago u59hhh38smza nifty_dijkstra.2 alpine:latest linuxkit-025000000001 Running Running 29 seconds ago 3d47i7q8xv1y nifty_dijkstra.3 alpine:latest linuxkit-025000000001 Running Running 29 seconds ago
- another
-
docker update
will allow you to update configuration (cpu/ram/etc) of a single container, whereasservice
will let you control the effects across the entire swarm in a way that ensures consistent availability -
docker container rm -f nifty_dijkstra.2.u59hhh38smzasaigyfsh1xkgr
to remove a singletask
out of a swarm anddocker service ls
will show one removed and then shortly after that the swarm brought up a new instancedocker service ps nifty_dijsktra
will show the entire history oftask
s that failed and were replaced by starting a new container-
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS kye1ugk97sxp nifty_dijkstra.1 alpine:latest linuxkit-025000000001 Running Running 18 minutes ago j07xza549lkg nifty_dijkstra.2 alpine:latest linuxkit-025000000001 Running Running 2 minutes ago u59hhh38smza \_ nifty_dijkstra.2 alpine:latest linuxkit-025000000001 Shutdown Failed 2 minutes ago "task: non-zero exit (137)" 3d47i7q8xv1y nifty_dijkstra.3 alpine:latest linuxkit-025000000001 Running Running 12 minutes ago
-
docker service rm nifty_dijkstra
to remove the entire service -- it will take a few seconds to clean up the task containers
- What are the various different network drivers e.g.
bridge
- How are virtual network specifically different from subnets