Sean

docker basic

01 August 2015

install docker on centos machine

  • install yum install -y docker

  • check docker status systemctl status docker.service

  • systemctl start docker.service

min kernel version: 3.10.0

basic commands

docker -v

docker version

docker info

update docker on ubuntu

  1. add gpg key
wget -qO- https://get.docker.com/gpg | apt-key add -
  1. add docker repository to sources.list
echo deb http://get.docker.com/ubuntu docker main > /etc/apt/sources.list.d/docker.list
  1. apt-get update
  2. apt-get install lxc-docker

run docker without roots

add users to Docker group to create namespace, cgroups and binds to /var/run/docker.sock

sudo gpasswd -a sean docker

cat /etc/group

config docker to communicate on network

docker default listen on a local unix socket, to config to run on tcp, we need:

  1. check netstat netstat -tlp

  2. stop docker service docker stop

  3. run docker with -H command docker -H 192.168.58.32:2375 -H unix:///var/run/docker.sock -d &

  4. let docker client to talk to docker server via tcp export DOCKER_HOST="tcp://192.168.58.32:2375"

some basic concept

image we are working in a large shipping company

Docker Engine

which is also called Docker demo is the Shipping Yard

Docker Images

is the manifests of the goods which to ship

docker containers

is the shipping containers

they all play good in there role

Where images are stored

on ubuntu it’s stored in /var/lib/docker/aufs/diff/xxxxxxxxx/

copy images to other hosts

  1. create a new image base on the current image
docker commit <image-hash> new-image-name
  1. save the image to tar file
docker save -o /tmp/imagename.tar  imagename

peek inside to tar ball

tar -tf /tmp/imagename.tar

docker load -i /tmp/imagename.tar
  1. commands for working with container
docker run --cpu-shares=256

docker run memory=1g

ctrl + p + q detaching from container

  1. use nsenter to access to a running container use docker inspect to get the pid of a running container docker inspect <container> | grep Pid nsenter -m -u -n -p -i -t <pid> /bin/bash

  2. get ternimal inside a container

docker exec -it <container> /bin/bash
  1. use docker to install software
docker run -v /usr/local/bin:/target  jpetazzo/nsenter

Installing nscenter to /target
Installing docker-enter to /target

use -v option to mount local directory to container, thus when container start, it will copy the file from container target directory to the local directory

build with Dockerfile

docker build -t hello .

docker will take current diretory as build context, that is said all the file in the current directory can be used to build the image

use private registry

docker tag <image-id> <dns-server of docker registry>:<port>/<image-name>
docker push <dns-server of docker registry>:<port>/<image-name>

eg:

docker tag 43df3123 registry.docker.com:5000/private-test
docker push registry.docker.com:5000/private-test

note

add DOCKER_OPTS="--insecure-registry registry.docker.com:5000" into docker config file at /etc/default/docker

for redhat system that use systemd

edit the systemd unit file for the docker service

/usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS --insecure-registry registry.docker.com:5000

reduce the number of Layers in images

each instruction will become a new layer, that add lots of unnessary layer, we can reduce the number of layers

RUN apt-get update && apt-get install -y \
	    apache2 \
		apache2-utils \
        vim \
		&& apt-get clean \
		&& rm -rf /var/lib/apt/lists/*
EXPOSE 80
CMD ["apache2ctl", "-D", "FIREGROUND"]

Dockerfile Instruction

CMD

only executes at runtime when lanuch the container

there can only be one CMD instruction per Dockerfile, and the cmd specified in docker run ... <command> will override the cmd instruction in Dockerfile

CMD echo "Hello world"

CMD ["echo", "hello world"]

ENTRYPOINT

can’t be overridden at run-time with normal commands docker run …

any command at run-time is used as an argument to ENTRYPOINT


ENTRYPOINT ["echo"]

docker run image Helloworld   //helloworld will be treated as argument

so using ENTRYPOINT like this are containers behave like a binary

when use CMD with ENTRYPOINT, things get interesting, as CMD can be override by the commandline, so we can use CMD as the default arguments of ENTRYPOINT

CMD ["hello world"]
ENTRYPOINT ["echo"]

docker run -it helloworld    //hello world
docker run -it hey there    //hey there

ENV

used to set the enviroment variable in the container ``` ENV var1=ping var2=8.8.8.8

CMD $var1 $var2 ```

Volumns

docker run -it -v /data --name=volumecontainer ubuntu

after the volumecontainer started, we can access the volume from another container by --volumnes-from=volumecontainer

docker run -it --volumes-from=volumecontainer ubuntu /bin/bash

we can also mount the directory from our host machine to the container

docker run -v /data:/data  //that will mount the /data directory from our local host to the /data in the container

VOLUMN instruction

VOLUME /data

if we want to remove the container with volume, we need to specify the -v option docker rm -v otherwise the volume will not be deleted

docker networking

docker0 bridge

inspect the network interface by ip a

there is an interface called docker0, when the docker daemon starts on our docker host, it creates this docker0 interface, it’s actually a bit more than just an interface, it actually a bridge creatd entirely in software inside the linux kernel, and docker0 is crucial to container networking, it passes or switches packets between two connected devices.

we can use bridge-utils package to see the details of the docker0 interface

brctl show docker0

docker inspect see NetworkSettings

when look inside the container file /var/lib/docker/containers//, you can see hosts resolv.conf

docker run --dns=8.8.4.4

this will use 8.8.4.4 as dns in the new container

if the network docker assign has confilcate with the current network that is said the range of the address has been used.

ip link del docker0    delete the docker0 link

edit the docker config file

vim /etc/default/docker

DOCKER_OPTS=--bip=150.150.0.1/24

–icc is short for inter-container communication, default to true, turning off this option will stop the container to communicate with each other. –iptables indicate if is allowed to modify iptable

be aware of this, if you found your container is not able to talk each other, chech these two option

private network ranges

10.0.0.0/255.0.0.0 10.0.0.0/8 // from 10.0.0.0 - 10.255.255.255 172.16.0.0/255.240.0.0 172.16.0.0/15 // from 172.16.0.0 - 172.31.255.255 192.168.0.0/255.255.0.0 192.168.0.0/16 // from 192.168.0.0 - 192.168.255.255

EXPOSE

EXPOSE 80 //expose 80 port to hostmachine

logging

docker -d -l debug & //start docker daemon with log level debug

/etc/default/docker

DOCKER_OPTS=”–log-level=fatal”

blog comments powered by Disqus