L03-04 - Docker - Containers

The document provides an overview of Docker and containerization, explaining that containers are lightweight, isolated environments that share a single kernel and can run applications in isolation. It details Docker's architecture, including its client-server model, image management, and commands for running, stopping, and managing containers. Additionally, it covers the creation and automation of Docker images using Dockerfiles and various commands for building and modifying images.

Uploaded by steven.yaw

Docker – Containers

www.cognixia.com
Containers

• Containers are operating system level virtualization
o Allows for multiple isolated user space instances called containers
o They share a single kernel
o Can be added or removed at any time
• Containers consist of a self-contained Linux file system
o Can be from any Linux distribution which is compatible with the host kernel
o Usually contain a single application such as a server
• Operating system level virtualization is lightweight
o Is often used in Cloud Computing

Container Implementation

• Operating system level virtualization uses a set of tools
o A virtualization subsystem
o A cgroup hierarchy for each container
o The container is mounted into the filesystem
• A program inside the container is executed
o Using chroot to restrict it to the container file system
o The cgroup constrains use of resources and isolates the container from the rest of the system

[Diagram: Container 1, Container 2 and Container 3 above a Management Interface; beneath it the Namespaces, cgroups, SELinux and Driver layers, the Linux kernel and the Hardware]

Operating System Level Virtualization

• Operating system level virtualization is where an operating system kernel can support multiple isolated user space instances
o Instances are called containers or jails
o There is little overhead as the kernel implements the containers
• There are numerous implementations
o chroot has been available in UNIX since 1982
o FreeBSD jail
o Linux Containers (LXC) command line tools using Linux cgroups
o LXD a container hypervisor built on LXC
o Docker is a suite of tools for creating and managing containers

[Diagram: four Containers, each with its own Binaries/libs, on top of the LXC userspace tools, the Host OS (Linux) and the Server (Real or Virtual)]

Docker

• Docker is a very lightweight software container and containerization platform
• Docker containers provide a way to run software in isolation
• What does a Docker Container contain and provide?
o Initially – only a base Linux operating system
o A boundary or a “jail” to contain running software
o Like a good jail, there are no unauthorized entries or exits
o A Docker Image is the foundation for any particular Docker container
• What is outside of Docker?
o Other Docker containers
o The operating system, kernel
o Any other operating software

Docker for Linux

• Docker was originally a Linux application
• It uses the kernel container functionality
• It requires a 64 bit installation using a kernel version 3.10 or later
• Docker runs on many popular Linux distributions
• It is available as RPM, APT, or binary versions

Docker for OS X

• Docker runs natively on OS X
• DMG install application running in user space
• Is built on the xhyve hypervisor
• Requires a 2010 or newer Mac with Intel MMU and EPT support
• Requires OS X 10.10.3 Yosemite or newer
• Requires at least 4GB of RAM

Docker for Windows

• Docker runs natively on Windows
• Requires later versions of Windows 10 Pro or Enterprise
• Docker requires the Hyper-V package
o This is Microsoft's hypervisor for Windows
o It virtualizes the Docker environment and Linux kernel spec
• Docker can't run alongside VirtualBox VMs

Exercise 1 : Install Docker on Linux & Windows

• Use the Installation document to install Docker on Linux Ubuntu and Windows 10

Docker Architecture

• Docker uses a client-server architecture
• Client
o Is the primary user interface which communicates using a REST API
o Over HTTP
o Over local Unix socket
• Server
o Is the Docker daemon
o Responsible for building, running, and distributing containers
• Registry
o Responsible for the storage, management, and delivery of Docker Images
o Docker Hub
o Private
o Other vendors

Docker Images & Containers

• Docker images are read-only templates
o Foundation is a simplified version of the Linux operating system
o Changes to the foundation, such as application installations, are added to the Image
o Images are the templates or build commands for Docker
• Docker containers are running environments
o Has OS, environment, program, network, etc.
o Runs (probably one) application
o All required software is contained in the image
o Can have boot-up configuration
o They can be run, started, stopped, and deleted

Docker Images

• Docker images are built in layers
o Each layer is a file system
o The layers are combined in a union file system to make a single image
o Images are the build component of Docker
• Images start from a base image
o Foundation is usually a specifically prepared Linux operating system
o Custom base images can also be created
o Docker Images are then built by adding layers:
o Interactively
o Defined in a directive file called a “Dockerfile”

Running Containers

• The docker `run` command starts a container based on a named Docker Image
o Docker first looks for a local copy of the image
o If it does not exist it is pulled from a Docker Registry
o The default Registry is the Docker Hub Registry
o A new container is created using the file system from the image
o A read-write layer is added to the top of the file system
o A network interface is created and an IP address is assigned from a pool
o Standard input, output, and error streams are connected
o A specified application is executed
o The Docker container appears as a child of the daemon process

Pulling & Running Containers

• A Docker Image must be located on the local computer
o It may have been created locally
o It may have been pulled from a Registry
o It may be missing
• The `pull` command ensures that the specified image is on the local computer
o It will transfer all constituent layers of the image as separate transfers
• The `run` command creates and initiates a container based on the image
o The example runs the latest CentOS image
o It runs the command given after the image name

docker pull centos:latest
docker run centos:latest whoami
docker run centos:latest pwd
docker run centos:latest date

Running a Container Interactively

• To use a container interactively requires switches to the run command
• -i or --interactive keeps STDIN open
• -t or --tty allocates a pseudo TTY

docker run -i -t centos:latest /bin/bash

Listing Running Containers

• Running containers can be listed using the ps command
o Note that the container has been given a name
• The stats command shows running container resource usage, use ^C to exit

docker ps
docker stats

Naming Containers

• Containers can be explicitly named using the --name switch
• By default, Docker makes up a comical name such as hungry_lumiere
• Most commands will accept either the name or the ID of the container
• Note: The `ps` command accepts a switch `-a` for all containers

docker run -it --name centosC1 centos:latest /bin/bash
docker stop centosC1
docker rm centosC1

Attaching to Running Container

• Attaching to a container attaches to the contained process's STDIN, STDOUT, and STDERR
o You can attach with either the container ID or its name
o Several command prompts can attach to the same container process
o All tty sessions see the same input and outputs
o The container ID is obtained using ps
• You can detach from a container and leave it running using ^p ^q

On first terminal:
docker run -it --name centosC1 centos:latest /bin/bash
> date
On second terminal:
docker attach centosC1
> date

Stopping Running Containers

• Containers can be stopped using the stop command
• It has an optional -t or --time parameter which defaults to 10 seconds
• The main process, PID=1, is sent a SIGTERM
• After the timeout interval, it is sent a SIGKILL

docker stop centos

Pausing Containers

• Docker containers may be paused
o Use the `pause` command
o All container processes are suspended as a group
o It does not use the SIGSTOP, SIGCONT mechanism as processes can see the signals
o It uses the cgroups freezer mechanism where all processes in a cgroup and its children are suspended without the processes being aware
• Processes can be resumed using the unpause command

On first terminal:
docker run -it --name centosC1 centos:latest /bin/bash
On second terminal:
docker pause centosC1
On first terminal:
> date
On second terminal:
docker unpause centosC1

Starting Containers

• Once a container is stopped, it is still available
o The ps -a command shows all containers
• A stopped container can be started with the start command
o The -i or --interactive switch connects STDIN
o The -a or --attach switch attaches STDIN and STDERR

docker ps -a
docker start -ai centosC1
OR
docker restart centosC1

Removing Containers

• Docker containers can be removed with the rm command
• The -f or --force switch causes running containers to be force stopped for removal
• The ps -aq command shows all container IDs to enable all to be removed

docker rm centosC1
docker rm $(docker ps -aq)

Daemon Containers

• Containers can be run in the background
o Use the run command with the -d or --detach switch
• Signals can be sent using the kill command
o The default signal is SIGTERM

docker run -d --name webserver nginx
docker kill webserver

Docker Images

• Docker has a number of base images on Docker Hub
o Including many versions of Linux distributions
o The image centos:latest will be used as a base
• Application images are created by adding layers to a base image
o It can be done manually from a container running a shell
o It can be automated using Docker's build process
• The Docker search facility can be used to search for images on Docker Hub

Listing and Removing Images

• Images can be listed using the images command
• Images can be deleted using the rmi command

docker images
docker rmi centos-git

Adding Packages

• The CentOS base image is cut down
o It doesn't have the which or ifconfig commands
o We can install these from the command line using yum

docker run -it --name centosC1 centos:latest
yum install -y which
yum install -y net-tools
exit

Building Image Interactively

• Any changes made interactively are only in the container
o The diff command can be used to see which files have been changed
• The changed container can be committed to create an image
• The image can then be run
o The run --rm option deletes the container on exit

docker run -it --name centosC1 centos:latest
yum install -y which
yum install -y net-tools
exit

docker diff centosC1
docker commit centosC1 centos-net
docker rm centosC1
docker run --rm -it --name centosC2 centos-net

Verifying Changes

• The images can be inspected to see the layers
o The inspect command returns a JSON array by default
o It can be used on images and containers
o The -s or --size switch gives the size of a container
o The -f or --format switch can be used to extract the JSON fields

docker inspect centos-net

Automating Docker Image Build

• Docker image creation can be automated
• Create a directory containing all the files required for the build
• Add a file called Dockerfile which defines the build process
• The directory becomes the build context
• Each command in the build file creates a layer of the image
• A new container is created at each stage

Dockerfile

• Dockerfile contains build directives
o FROM defines the starting image
o MAINTAINER defines the email address of the builder

FROM centos:latest
MAINTAINER [email protected]

SHELL

• The Dockerfile SHELL command defines the default shell to use
o It must be specified in JSON form
o The defaults for Linux and Windows are shown
o It takes the form SHELL ["executable", "parameters"]

SHELL ["/bin/sh", "-c"]
SHELL ["cmd", "/S", "/C"]

COPY

• The Dockerfile COPY command copies files into the container
o The source files or directories must be in the build context
o The source files can contain UNIX shell wildcards ? * []
o Destination directories must end in a / and will get created if they don't exist

COPY jdk*.rpm /tmp/

ADD

• The Dockerfile ADD command copies files and remote file URLs into the container
o The source files or directories must be in the build context or remote URLs
o The source files can contain UNIX shell wildcards ? * []
o Destination directories must end in a / and will get created if they don't exist
o Local source files in tar or compressed tar format get unpacked

ADD apache-maven*.tar.gz /opt/

RUN

• The Dockerfile RUN command executes a Linux command
o Multiple commands can be separated with a ; - needed for cd
o Commands shouldn't block for input – commands have a -y switch which answers yes to all questions

RUN yum install -y which
RUN rpm -i /tmp/*rpm
RUN cd /opt; ln -s apache-maven* maven

ENV

• The Dockerfile ENV command sets environment variables in the image.

ENV JAVA_HOME=/usr/java/latest
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/maven/bin

EXPOSE

• Exposes the port at which the container application will be made available

EXPOSE 22

COMMAND

• The Dockerfile CMD command sets the default application.

CMD /bin/bash

Building an Image

• The build process requires a directory
o All of the directory contents are transferred to the daemon
o It must contain a Dockerfile build script
o Images should be tagged image-name:version
o A temporary container is created for each command in the build

docker build -t centos-java:latest .
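As an added example (not part of the deck), a small Python checker that parses a Dockerfile made of the directives covered on the preceding slides and flags the problems those slides warn about: an unpinned base image, `yum install` without `-y`, `ADD` used for a plain local file, a shell-form `CMD` that runs under the `SHELL` wrapper, the deprecated `MAINTAINER`, and no `USER` (so the process runs as root). The sample Dockerfile is constructed from the slides' own lines, with a placeholder email address.

```python
"""Static checks over the Dockerfile directives covered in these slides."""
import json
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, message)
ARCHIVES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, skipping comments and joining '\\' continuations."""
    directives: List[Tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        instruction, _, args = (pending + line).partition(" ")
        pending = ""
        directives.append((instruction.upper(), args.strip()))
    return directives


def is_exec_form(args: str) -> bool:
    """True for the JSON-array form, e.g. CMD ["/usr/sbin/sshd", "-D"]."""
    try:
        return isinstance(json.loads(args), list)
    except ValueError:
        return False


def base_image_pinned(args: str) -> bool:
    """True when FROM names an explicit tag or digest instead of the floating :latest."""
    image = (args.split() or [""])[0]
    if "@" in image:
        return True
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    return bool(tag) and tag != "latest"


def check_dockerfile(text: str) -> List[Finding]:
    """Flag the mistakes the surrounding slides warn about, plus running as root by default."""
    findings: List[Finding] = []
    directives = parse_dockerfile(text)
    if not directives or directives[0][0] != "FROM":
        findings.append(("NO_FROM", "the first instruction must be FROM"))
    for instruction, args in directives:
        if instruction == "FROM" and not base_image_pinned(args):
            findings.append(("UNPINNED_BASE", f"FROM {args}: tag a version, not :latest"))
        elif instruction == "MAINTAINER":
            findings.append(("MAINTAINER", "MAINTAINER is deprecated; use LABEL maintainer=..."))
        elif instruction == "RUN" and re.search(r"\byum\s+install\b", args) \
                and not re.search(r"(^|\s)(-y|--assumeyes)(\s|$)", args):
            findings.append(("YUM_NO_Y", f"RUN {args}: yum install without -y blocks for input"))
        elif instruction == "ADD":
            src = (args.split() or [""])[0]
            if not (src.startswith(("http://", "https://")) or src.endswith(ARCHIVES)):
                findings.append(("ADD_FOR_LOCAL_FILE", f"ADD {args}: use COPY for plain files"))
        elif instruction in ("CMD", "ENTRYPOINT") and not is_exec_form(args):
            findings.append((f"{instruction}_SHELL_FORM", f"{instruction} {args}: shell form runs "
                             "under the SHELL wrapper (/bin/sh -c), so docker stop's SIGTERM "
                             "may reach the shell rather than the application"))
    if not any(i == "USER" for i, _ in directives):
        findings.append(("NO_USER", "no USER instruction: the process runs as root in the container"))
    return findings


# Constructed sample built from the directives on the slides (placeholder email).
SAMPLE_DOCKERFILE = """\
FROM centos:latest
MAINTAINER builder@example.com
SHELL ["/bin/sh", "-c"]
COPY jdk*.rpm /tmp/
ADD apache-maven*.tar.gz /opt/
RUN yum install which
RUN rpm -i /tmp/*rpm
RUN cd /opt; ln -s apache-maven* maven
ENV JAVA_HOME=/usr/java/latest
EXPOSE 22
CMD /bin/bash
"""

if __name__ == "__main__":
    for code, message in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{code}: {message}")
```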

Exercise 2 : Automate Build of Docker Image

• Use the document to build the Jtrac image and run a container using it

Docker Registry

• A major issue using Docker is getting the correct versions of images
o Docker uses registries to distribute images
o Registries can be hosted or you can have a private version
• Considerations about registries:
o Performance, rollout frequency, and number of images
o Security issues, including access control and digitally signing images

Docker Registry Service

• A registry is a service used to manage and distribute images
• It is based on a description
• Registries manage Docker images stored in repositories
• Repositories are collections of related images
o Different versions of an application
o All images have the name of the repository with a tag name to distinguish between images

Docker Hub Default Registry

• Docker Hub is the default registry
o It has a root namespace for official images
o Root images include versions of supported Linux distributions
o For example the nginx images can be addressed in different ways

hub.docker.com/_/nginx:1.9
nginx:1.9

Labels

• Labels are used to uniquely identify images
o Labels look like URIs
o Components separated by /
• Label components:
o Registry FQDN
o Namespace: _ is for Docker Hub, r is for user
o User or organization name
o Repository name: tag
o A tag is either a version number or a descriptive label

https://hub.docker.com/r/databliss/netkernel-se/

URI = Uniform Resource Identifier
FQDN = Fully Qualified Domain Name

Other Docker Registries

• Docker Hub is not the only Docker registry.
• Google Container Registry
o Part of the Google Cloud Platform, good for access control and security
• Amazon EC2 Container Service
o Part of Amazon AWS
• Quay
o Has free and pay-for plans
• Private Registry

Using Docker Hub Repository

• First it is necessary to log into the registry
o You will be prompted for a password
o The credentials will be stored in ~/.docker/config.json
o The password is stored as a hash

docker login --username=user
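An added example, not from the deck, that audits the ~/.docker/config.json file `docker login` writes. It assumes the layout Docker uses when no credential helper is configured: each `auths` entry carries `user:password` base64-encoded under `auth`, which is reversible, so the file has to be protected like the password itself; `credsStore` or `credHelpers` move the secret into the OS keychain instead. The sample config is constructed with a placeholder password.

```python
"""Audit the ~/.docker/config.json that `docker login` writes."""
import base64
import json
import stat
from pathlib import Path
from typing import List, Optional


def audit_docker_config(config_text: str, mode: int) -> List[str]:
    """Return findings for a config.json body and its permission bits.

    Without a credential helper, docker login stores auths[<registry>].auth as
    base64("user:password"), so group/other readability or an inline entry
    both mean the registry password is exposed to anyone who can read the file.
    """
    findings: List[str] = []
    cfg = json.loads(config_text)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} is readable by group or others; expected 0600")
    # credHelpers maps a registry host to a helper; credsStore is the default helper.
    helpers = set(cfg.get("credHelpers", {}))
    if not cfg.get("credsStore") and not helpers:
        findings.append("no credsStore or credHelpers configured; passwords are kept in this file")
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth") and registry not in helpers:
            findings.append(f"{registry}: credential stored inline (base64, not hashed)")
    return findings


def audit_path(path: Optional[Path] = None) -> List[str]:
    """Run the audit against a real file (the test feeds the constructed sample instead)."""
    path = path or Path.home() / ".docker" / "config.json"
    if not path.exists():
        return ["no config.json found"]
    return audit_docker_config(path.read_text(), stat.S_IMODE(path.stat().st_mode))


# Constructed sample: what `docker login --username=user` produces with no helper.
# The password is a placeholder, not a real secret.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"user:example-password").decode(),
        }
    }
})

if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG, 0o644):
        print(finding)
```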

Using Docker Hub Repository

• Images need to have the same name as the repository
o Create a container from an image
o Commit the image to the Docker Hub registry name
o Alternatively, create a new tag for the image
• Images can then be pushed into the repository
o It can take a while as all layers are pushed

docker create --name java centos-java
docker commit java phill/question:java-1.0
docker push phill/question

Using Docker Hub Repository

• Image tags can be viewed on the Docker Hub web site
• Images are retrieved
o By using the docker pull command

docker pull phill/question:java-1.0

Deleting Images

• Images can be deleted from the command line
• Docker Hub doesn't allow images to be deleted at present
o Can only delete the entire repository from the Settings menu

docker rmi phill/question:java-1.0

Private Registries

• Private registries are a good solution for the following cases:
o Provide a local image cache to speed up image loading
o Allow teams to share images locally
o Store images specific to a project lifecycle stage, development, and UAT
o Guarantee that the registry will be available for as long as required

Creating Private Registry

• The easiest way to create a private registry is to use a prebuilt Docker container
o Docker Hub has a number of registry images including the official one
• The registry images can be pulled from Docker Hub

docker pull registry:2

Running Private Registry

• The registry image can now be run as a container
o It needs to be run as a daemon container
o The -p option exposes the container's ports as local ports
o It usually uses port 5000

docker run -d -p 5000:5000 --name registry registry

Using Registry

• The registry is identified by hostname:port
o For example localhost:5000
o Images need to be named with the registry prefix
o For example, localhost:5000/alpine
o The image can then be pushed into the registry or pulled from it

docker pull alpine
docker tag alpine:latest localhost:5000/alpine:latest
docker push localhost:5000/alpine
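An added example (not from the deck) that applies the component rules from the Labels slide to the references used there and on this slide: it splits a reference into registry, namespace, repository and tag using Docker's actual rule that the first path component is a registry only if it contains a '.' or ':' or is exactly 'localhost', and treats a missing tag as the floating `latest`. The `_` namespace follows the deck's notation for official images; digest (`@sha256:`) references are out of scope.

```python
"""Split Docker image references into the label components these slides describe."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]    # None: the default registry (Docker Hub)
    namespace: Optional[str]   # "_" for Docker Hub official images, user/org otherwise
    repository: str
    tag: str


def parse_image_ref(ref: str) -> ImageRef:
    """Parse forms such as hub.docker.com/_/nginx:1.9, phill/question:java-1.0
    and localhost:5000/alpine:latest into their components.

    Docker's rule decides whether the first path component is a registry host:
    it is one only if it contains '.' or ':' or is exactly 'localhost';
    otherwise it is a namespace on the default registry.
    """
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    # A ':' after the last '/' introduces the tag; a ':' before it is a registry
    # port, so localhost:5000/alpine has no tag and defaults to latest.
    if last_colon > last_slash:
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    else:
        name, tag = ref, "latest"
    parts = name.split("/")
    if not tag or any(part == "" for part in parts):
        raise ValueError(f"malformed image reference: {ref!r}")
    registry = None
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    repository = parts.pop()
    namespace = "/".join(parts) if parts else None
    return ImageRef(registry, namespace, repository, tag)


def is_floating(ref: str) -> bool:
    """True when the reference resolves to the mutable :latest tag, explicitly or by
    default, which the image-name:version advice on the build slide is meant to avoid."""
    return parse_image_ref(ref).tag == "latest"


def is_valid_ref(ref: str) -> bool:
    """Validation wrapper for callers that want a boolean instead of an exception."""
    try:
        parse_image_ref(ref)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for example in ("hub.docker.com/_/nginx:1.9", "nginx:1.9",
                    "phill/question:java-1.0", "localhost:5000/alpine"):
        print(example, "->", parse_image_ref(example), "floating" if is_floating(example) else "")
```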

Exercise 3 : Building Private Docker Registry

• Use the document to build a private Docker registry and push images to it

Docker Networking

[Diagram: Docker Container Network, divided into Default (Bridge, Host, None) and User-defined]

Docker Container Networks - Default

• Docker creates three networks by default, which can't be removed
• The none network is local to the container – it has localhost
• The host network gives the container the same network as the host
• The bridge network is the default
• A docker0 or bridge0 virtual interface is created on the host

$ docker network ls
NETWORK ID NAME DRIVER SCOPE
9d6a9ab487ba bridge bridge local
c7956146a031 host host local
115642b21a91 none null local

Default – Bridge Network

• The bridge network creates a subnet and a subnet mask.

$ docker network inspect bridge
[ {
  "Name": "bridge",
  "Id": "9d6a9ab487ba1d00715bfa60833a9cf5daa564d9a02918424ca3d38e26b2b5f8",
  "Scope": "local",
  "Driver": "bridge",
  "EnableIPv6": false,
  "IPAM": {
    "Driver": "default",
    "Options": null,
    "Config": [
      {
        "Subnet": "172.17.0.0/16",
        "Gateway": "172.17.0.1"
      }
    ]},

Default – Bridge Network

• The bridge network assigns MAC and IP addresses to each container

$ docker network inspect bridge
...
"Containers": {
  "eb6dc24ff73fff0da60e98b02aa28e76f92f316aeed73f774ef7b3b0220b5b69": {
    "Name": "centos",
    "EndpointID": "5b4437f5c54b0923f4558ecc01f9326fafa0fbb4d1f8564131d6dac9bd47e0de",
    "MacAddress": "02:42:ac:11:00:02",
    "IPv4Address": "172.17.0.2/16",
    "IPv6Address": ""
  }
},

Default – Bridge Network Hosts File

• The bridge network supplies a /etc/hosts file for each container

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 eb6dc24ff73f
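An added example, not part of the deck, that reads the `docker network inspect bridge` output shown on the last three slides (a trimmed, constructed copy is embedded) to list each container's short id, IP and MAC, rebuild the /etc/hosts entry Docker writes for it, and check that the addressing is consistent with the IPAM config. The MAC check assumes Docker's default derivation of 02:42 followed by the four IPv4 octets, which is what the slide's sample shows; a mismatch usually means a custom --mac-address.

```python
"""Read `docker network inspect bridge` output to check how containers were addressed."""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed sample: the fields these slides show for the default bridge network,
# trimmed to what the functions below read.
BRIDGE_INSPECT = json.dumps([{
    "Name": "bridge",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
    "Containers": {
        "eb6dc24ff73fff0da60e98b02aa28e76f92f316aeed73f774ef7b3b0220b5b69": {
            "Name": "centos",
            "MacAddress": "02:42:ac:11:00:02",
            "IPv4Address": "172.17.0.2/16",
        },
    },
}])

Endpoint = Tuple[str, str, str]  # (short container id, IPv4 address, MAC)


def container_endpoints(inspect_json: str) -> Dict[str, Endpoint]:
    """Map container name -> (short id, IPv4, MAC) from a `docker network inspect` document."""
    network = json.loads(inspect_json)[0]
    endpoints: Dict[str, Endpoint] = {}
    for full_id, ep in network.get("Containers", {}).items():
        ip = ep["IPv4Address"].split("/")[0]  # drop the /16 prefix length
        endpoints[ep["Name"]] = (full_id[:12], ip, ep["MacAddress"].lower())
    return endpoints


def check_addresses(inspect_json: str) -> List[str]:
    """Report endpoints whose IP lies outside every IPAM subnet, equals a gateway, or
    whose MAC is not Docker's default derivation (02:42 + IPv4 octets, as in
    02:42:ac:11:00:02 for 172.17.0.2). Assumption: default derivation in use."""
    network = json.loads(inspect_json)[0]
    subnets = [(ipaddress.ip_network(c["Subnet"]), ipaddress.ip_address(c["Gateway"]))
               for c in network["IPAM"]["Config"]]
    problems: List[str] = []
    for name, (_, ip, mac) in container_endpoints(inspect_json).items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in subnet for subnet, _ in subnets):
            problems.append(f"{name}: {ip} is outside every IPAM subnet")
        if any(addr == gateway for _, gateway in subnets):
            problems.append(f"{name}: {ip} collides with the gateway address")
        expected_mac = "02:42:" + ":".join(f"{octet:02x}" for octet in addr.packed)
        if mac != expected_mac:
            problems.append(f"{name}: MAC {mac} is not the derived {expected_mac}")
    return problems


def hosts_line(inspect_json: str, name: str) -> str:
    """Rebuild the `/etc/hosts` entry Docker writes into the container: '<ip> <short id>'."""
    short_id, ip, _ = container_endpoints(inspect_json)[name]
    return f"{ip} {short_id}"


if __name__ == "__main__":
    print(container_endpoints(BRIDGE_INSPECT))
    print(hosts_line(BRIDGE_INSPECT, "centos"))
    print(check_addresses(BRIDGE_INSPECT) or "addressing consistent")
```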

Default – Host Network

• A container attached to a host network has the same network as the host
• It has the same network configuration as the host
• It is not used much any more

Default – None Network

• A container attached to a none network has no network
• It has only a localhost interface
• It can't communicate with other networked containers
• It is not used much any more

Docker Container Network – User Defined Network

• User defined networks can be created
o Docker provides drivers including bridge
• Containers can only communicate with other containers on the same network
• Multiple networks can be created
• Containers can be connected to multiple networks
o Can communicate with any container on any connected network

Creating User Defined Network

• New networks can be created
• The default driver is the bridge network
• A new subnet is created unless addresses are specified

$ docker network create isolated_bridge
b58db4ec8887a9187151c46850d69b58276a95d780e7465a24aaffb014f6ad8

$ docker network ls
NETWORK ID NAME DRIVER SCOPE
9d6a9ab487ba bridge bridge local
c7956146a031 host host local
db58db4ec888 isolated_bridge bridge local
115642b21a91 none null local

Using networks

• Networks can be specified only when a container is run
• A network can be added to an existing container
o A new network interface is added
• A network can be disconnected from a container
• A user-defined network can be removed

docker run -it --network isolated_bridge --name java centos-java
docker network connect isolated_bridge centos
docker network disconnect isolated_bridge centos
docker network rm isolated_bridge

Exercise 4 : Docker networking

• Networking between containers on a Docker network

Docker Compose

• Docker Compose is a tool for running multi-container Docker applications
• A configuration file is used to define the services
• All of the services can be run using a single command
• Compose can manage the lifecycle of an application
o Start, stop, and rebuild services
o View the status of running services
o Get the log output of running services
o Run a command on a service

Installing Compose

• Run this command to download the latest version of Docker Compose:

cd ~
sudo curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

• Apply executable permissions to the binary:

sudo chmod +x /usr/local/bin/docker-compose

Compose

• Create a directory for Docker Compose
• Create a YAML file called docker-compose.yml
• The docker-compose command needs to be run from the directory containing the YAML file
• Any number of containers can be specified

version: "2"
services:
  sshd:
    build: sshd
    image: centos-sshd:latest
    ports:
      - "2222:22"

Compose

• First of all, create a directory with the name of the service, containing a Dockerfile, under the Docker Compose folder
• Docker Compose would use this to build the image

FROM centos:latest
RUN yum install -y openssh-server
RUN mkdir /var/run/sshd
RUN useradd -c "Student User" -m student
RUN echo "student:student" | chpasswd
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -q -N ""
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

Run Compose

• Docker Compose has an up option which runs all containers
• The -d option runs it in the background
• The down option terminates all managed containers

docker-compose up -d

ssh -p 2222 student@localhost

docker-compose down

Exercise 5 : Docker Compose

• Use Docker Compose to run containers

Run Command

• A single command can be executed on a container
• A new container is started from the image
• The --rm option removes the container after the command is run
• The --name option names the new container
• The -p option publishes container ports to the host
• A TTY is allocated unless the -T option is given

THANK YOU
