![docker run
docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
-d -> detached
-t -> allocate a pseudo-tty
-i -> keep STDIN open even if not attached
--name -> container name
--rm -> delete container when it exists
-P [--publish-all] -> publish exposed ports to random ports
-p [-publish] -> publish a container’s ports to the host](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-14-320.jpg)
![Docker pull / push
docker pull [OPTIONS] NAME[:TAG]
Pull an image or a repository from a registry (e.g. Docker Hub)
docker push [OPTIONS] NAME[:TAG]
Push an image or a repository from a registry (e.g. Docker Hub)](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-19-320.jpg)
![save / load / export / import
docker save [OPTIONS] IMAGE [IMAGE]
Save one or more images to a tar archive registry (e.g. Docker Hub)
docker load [OPTIONS] NAME[:TAG]
Load an image from a tar archive or STDIN
docker export [OPTIONS] CONTAINER
Export a container’s filesystem as a tar archive
docker import [OPTIONS]
Import the contents from a tarball to create a filesystem image](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-20-320.jpg)
![Docker commit
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
-m Commit message
-p Pause container during commit
-c Apply Dockerfile instruction to the created image
docker commit -m `message` <container-id> <container-name>:<version>](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-21-320.jpg)
![Volumes
docker volume ls
docker run –v
-v [--volume]
-m [--mount]](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-26-320.jpg)
![Docker – Environmental variables
ARG <key>[=<default value>]
Build time arguments ( --build-arg <key>=<value> )
ENV <key> <value>
ENV <key>=<value>
Environmental variables](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-43-320.jpg)
![Use Caching Effectively
FROM ubuntu
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk
COPY . /app
CMD [‘java’, ‘-jar’, ‘/app/target/app.jar’]](https://image.slidesharecdn.com/dockerfordeveloperszjava-190417185954/85/Docker-for-developers-z-java-65-320.jpg)
Docker for developers z java
- 1. Docker for Developers ANDRZEJ SYDOR
- 2. Agenda Docker introduction Containers: run, start, stop, rm, ps Images: pull, push, import, export, save, load Networking Volumes UI tools Dockerfile Docker Compose Best practices
- 3. Docker Docker is the leading software container platform Founded in 2013 as Linux developer tool Fundamentally solves the „works on my machine” problem Container industry inventor, leader and innovative Transform app and infrastructure security, portability, agility and efficiency
- 4. One Application on One Physical Server Limitations Slow development times Huge costs Wasted resources Difficult to scale Difficult to migrate Vendor lock in
- 5. Hypervisior – Based Virtualization Benefit: Better resource pooling One physical machine divided into multiple virtual machines Easier to scale VMs in the cloud Rapid elasticity Pay as you go model Limitations: Each VM stills requires: CPU limitations Storage RAM An entire guest operating system Full guest OS means wasted resources Application portability not guaranteed
- 6. Docker Standarized packaging for software and dependencies Isolate apps from each other Share the same OS kernel Works with all major Linux and Windows Server
- 8. Key Benefits of Docker Containers Speed No OS to boot – applications online in seconds Portability Less dependencies between proces layers = ability to move between infrastructure Efficiency Less OS overhead Improved resource efficiency
- 9. WORA / PODA / CaaS WORA = Write Once Run Anywhere {J,W,E}AR PODA = Package Once Deploy Anywhere CaaS = Container as a Service
- 10. Docker Image The basis of a Docker container Container The image when it is ‚running’ Registry Stores, distributes and manages Docker images Dockerfile Commands to assemble an image Docker Compose Define and share multi-container definitions
- 11. Docker Docker Engine The client-server application contains Docker daemon, REST API, CLI Docker Machine A tool to launch Docker hosts on multiple platforms Docker Client Command-line interface to interact with Docker daemons Docker Hub Repository for Docker Images Docker Store A storefront for official Docker images and plugins as well as licensed products
- 12. Docker Engine
- 14. docker run docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...] -d -> detached -t -> allocate a pseudo-tty -i -> keep STDIN open even if not attached --name -> container name --rm -> delete container when it exists -P [--publish-all] -> publish exposed ports to random ports -p [-publish] -> publish a container’s ports to the host
- 16. Docker Images Layers Layers are read only An image is a collection of files and some meta data Images are comprised of multiple layers A layer is also contains software you want to run Each image contains a base layer Docker uses a copy on write systems
- 17. Docker layers docker image history <container-id>
- 18. Docker Sharing Layers Images can share layers in order to speed up transfer times and optimize disk and memory usage Parent images that already exists on the host do not have to be downloaded
- 19. Docker pull / push docker pull [OPTIONS] NAME[:TAG] Pull an image or a repository from a registry (e.g. Docker Hub) docker push [OPTIONS] NAME[:TAG] Push an image or a repository from a registry (e.g. Docker Hub)
- 20. save / load / export / import docker save [OPTIONS] IMAGE [IMAGE] Save one or more images to a tar archive registry (e.g. Docker Hub) docker load [OPTIONS] NAME[:TAG] Load an image from a tar archive or STDIN docker export [OPTIONS] CONTAINER Export a container’s filesystem as a tar archive docker import [OPTIONS] Import the contents from a tarball to create a filesystem image
- 21. Docker commit docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]] -m Commit message -p Pause container during commit -c Apply Dockerfile instruction to the created image docker commit -m `message` <container-id> <container-name>:<version>
- 23. Docker flatten docker export <container> | docker import - <image> - Experiental flag --squash
- 24. Docker flatten
- 25. Docker Volumes
- 26. Volumes docker volume ls docker run –v -v [--volume] -m [--mount]
- 28. Networking IPAM (IP address management) Planning, tracking and managing IP addressess within the network IPAM has DNS and DHCP services docker inspect -f='{{json .Containers}}’ <network> docker inspect --format='{{.NetworkSettings.IPAddress}}’ <network>
- 29. Network drivers bridge Standalone containers that need to communicate none Disable all networking host Use the host’s networking directly (swarm services) overlay distributed network among multiple Docker daemon hosts Links Legacy container links
- 31. Portainer Docker UI „The easiest way to manage docker” https://www.portainer.io/
- 32. Portainer https://portainer.io/overview.html Detailed overview Containers (List, Details, Stats, Logs, Console, Creation) Images (List, Details) Network (List) Volumes (List) Container Templates Cluster overview Services Management Endpoint Management User Management and User Access Control
- 33. Portainer
- 34. Portainer docker volume create portainer_data docker run –name=portainer -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer
- 35. Kitematic Visual Docker Container Management on Mac & Windows Run containers through a simple, yet powerful graphical user interface. https://kitematic.com/
- 36. Kitematic Fast and Easy Setup Docker Hub Integration Seamless Experience Between CLI and GUI Advantaged Features Automatically map ports Configuring volumes Change environment variables Streamline logs CLI access to containers
- 37. Kitematic
- 38. Docker Desktop for Windows Docker Desktop for Windows is the best way to get started with Docker on Windows https://docs.docker.com/docker-for-windows/ Auto update capability No additional software required, e.g. Virtualbox Windows: Hyper-V VM Better networking and filesystem mounting/notification Requires Windows 10 64-bit (Yosemite 10.10+) Legacy desktop solution boundled with Docker Toolbox.
- 39. Docker for AWS/Azure Amazon Web Services Amazon CloudFormation templates Integrated with Autoscaling, ELB, EBS Azure Integrated with VM Scale Sets for autoscaling, Azure Load Balancer, Azure Storage
- 40. Dockerfile FROM – Docker base FROM alpine:latest LABEL – extra information LABEL maintainer = ‘”Andrzej Sydor” COPY/ADD COPY build/app.jar /etc/app.jar ADD http://resource/files/html.tar.gz /usr/share/nginx/ RUN – commands to install software and run scripts RUN mkdir –p /tmp/myapp/ EXPOSE – the port and the protocol exposed in runtime EXPOSE 80/tcp ENTRYPOINT/CMD USER / WORKDIR / ENV
- 41. Dockerfile FROM ubuntu:18.04 COPY . /app RUN make /app CMD python /app/app.py
- 42. Docker Build docker image build –file <Dockerfile> --tag <REPO>:<TAG> <REPO> - typically username on Docker Hub <TAG> - unique container value docker image build --tag local:dockerfile-example . .(dot) – current folder
- 43. Docker – Environmental variables ARG <key>[=<default value>] Build time arguments ( --build-arg <key>=<value> ) ENV <key> <value> ENV <key>=<value> Environmental variables
- 44. Dockerfile FROM alpine ARG var="Default Hello World!" ENV ENV1=$var RUN echo "Build value: $ENV1" ENTRYPOINT echo "Runtime value: $ENV1"
- 45. Docker env docker build -t env-image . docker run -d --name env-app env-image docker logs env-app docker run -d --name env-app2 -e ENV1=‘cmd env' env-image docker logs env-app2
- 47. Multi-stage Dockerfile # first stage FROM node:10 AS builder WORKDIR /app RUN npm install -g @angular/cli RUN ng new my-app --routing=true --style=css --skipGit=true --minimal=true WORKDIR /app/my-app RUN ng build --prod # second stage FROM nginx COPY --from=builder /app/my-app/dist/my-app/ /usr/share/nginx/html
- 49. Docker Compose Tool for defining and running multi-container Docker applications YAML configuration (docker-compose.yml) Features: Multiple isolated environments on a single host Preserve volume data when containers are created Only recreate containers that have changed Variables and moving a composition between environments
- 50. Docker Compose version: ‘3' services: web: build: . ports: - "5000:5000" volumes: - .:/code redis: image: redis
- 51. Docker Compose docker-compose up –d --build docker-compose stop docker-compose rm -f
- 52. Demo version: '3' services: web1: ... web2: ... networks: - net1 curl: ... networks: - net1 networks: net1: curl web1 web2
- 53. Storing images Docker Registry Docker Hub Docker Store
- 54. Docker Registry Service that storing your Docker images Open source – Apache license Tightly control where your images are being stored Fully own your images distribution pipeline Integrate image storage and distribution tightly into your in-house development Filesystem /var/lib/registry
- 55. Docker Registry docker run -d -p 5000:5000 --name registry registry:2 docker image tag alpine localhost:5000/myfirstimage docker push localhost:5000/myfirstimage docker pull localhost:5000/myfirstimage docker container stop registry && docker container rm -v registry
- 56. Docker Hub Docker Hub Free for public images Organizations Repository Automated build (GitHub, BitBucket)
- 57. Docker HUB docker login docker build --tag username/my-container:latest . docker image push username/my-container:latest
- 58. Docker Store Docker Store Docker images and plugins Docker Certified
- 59. Third-party registries Red Hat Container Catalog OpenShift Jfrog Quay.io Amazon EC2 Container Registry Others: Microbadger e.g. inspect image
- 60. Java Maven / Gradle plugins Maven plugin https://dmp.fabric8.io/ https://github.com/spotify/docker-maven-plugin Gradle plugin https://bmuschko.github.io/gradle-docker-plugin/
- 61. Docker – CPU/Memory By default, a container can consume all available resources on the host machine if it requires it Limit CPU usage -c / --cpu-shares=1024 --cpu-period=25000 (microseconds) --cpu-quota=25000 (microseconds) Limit memory usage --memory 1024M --memory-swap 1024M By default, when you set --memory, docker will set the --memory-swap size twice --kernel-swap 1024M Java 10
- 62. Docker – CPU/Memory - examples docker container inspect <container> | grep -i memory docker container run -d --name <container> --cpu-shares 512 --memory 128M <image> docker container update --cpu-shares 512 --memory 256M <image> docker container update --cpu-shares 512 --memory 128M --memory-swap 256M <image>
- 63. Docker - best practices One application per container Only install what you need Review who has access to your Docker hosts Use the latest version Use the resources Awesome docker https://awesome-docker.netlify.com/ https://github.com/veggiemonk/awesome-docker
- 64. Look for minimal images !? Image Size openjdk:8 625MB openjdk:8-jre 470MB openjdk:8-jre-slim 204MB openjdk:8-jre-alpine 85MB
- 65. Use Caching Effectively FROM ubuntu COPY . /app RUN apt-get update RUN apt-get -y install openjdk-8-jdk COPY . /app CMD [‘java’, ‘-jar’, ‘/app/target/app.jar’]
- 66. Single / Multi line variables FROM alpine ENV var1=abc ENV var2=def FROM alpine ENV var1=abc var2=def
- 67. Single / Multi line variables FROM ubuntu RUN wget tomcat.zip RUN unzip tomcat.zip RUN rm tomcat.zip FROM alpine RUN wget tomcat.zip unzip tomat.zip rm tomcat.zip 32 MB 21 MB
- 68. Tools cAdvisor https://github.com/google/cadvisor/ Analyzes resource usage and performance characteristics of running containers Node-exporter https://github.com/prometheus/node_exporter/ Exporter for machine metrics http://prometheus.io/ Prometheus https://prometheus.io/ Power your metrics and alerting with a leading open-source monitoring solution Grafana https://grafana.com/ The open platform for beautiful analytics and monitoring
- 69. To Be Continued … - Docker internals cgroups Limiting the resources that can be used by a processes namespaces Isolating filesystem resources unionFS Resource Management / Implicite sharing
- 70. To Be Continued … - Docker Security The Docker Bench Security is a script that checks for dozens of common best- practices around deploying Docker containers in production Docker Security Scanning
- 71. Q/A
Editor's Notes
- #4: Wynalazca branży kontenerowej, lider i innowator Przekształć bezpieczeństwo aplikacji i infrastruktury, przenośność, zwinność i wydajność
- #11: Przemyśleś Docker Swarm czy tutaj ma być?
- #13: https://docs.docker.com/engine/docker-overview/
- #14: https://docs.docker.com/engine/docker-overview/#docker-architecture
- #18: Obrazy składają się z wielu warstw
- #22: save/load -> images Export/import -> container https://tuhrig.de/difference-between-save-and-export-in-docker/ https://docs.docker.com/engine/reference/commandline/save/ https://docs.docker.com/engine/reference/commandline/load/
- #25: Flatten a Docker container So it is only possible to “flatten” a Docker container, not an image. So we need to start a container from an image first. Then we can export and import the container in one line: 1 docker export <CONTAINER ID> | docker import - some-image-name:latest
- #26: Flatten a Docker container So it is only possible to “flatten” a Docker container, not an image. So we need to start a container from an image first. Then we can export and import the container in one line: 1 docker export <CONTAINER ID> | docker import - some-image-name:latest
- #27: -volumes not being used by any container docker volume ls -f dangling=true docker volume prune -volumes-from <containerId> *removing docker rm -v <containerId> docker volume rm <volumeName> volume inspect <volumeName> docker volume create myVolume docker run -dit --name alpine1 -v myVolume:/volume alpine
- #30: docker network create my-network docker network ls docker network inspect mysql_default docker network prune Docker container run … --network my-network
- #31: https://docs.docker.com/network/ Podłączenie kontenera do sieci typu bridge spowoduję, że kontenery będące w tej samej sieci będą się mogły pingować a kontenery będące w innych sieciach już nie. Podłączenie kontenera do sieci none spowoduję, że kontener będzie miał tylko interfejs pętli zwrotnej loopback. Podłączenie kontenera do sieci host powoduję, że będzie on współdzielił porty i adresy IP hosta. https://docs.docker.com/network/bridge/
- #42: FROM <image>:<tag> MAINTAINER WORKDIR ADD <source path or URL> <destination path> (copy the files from the source into the containers) COPY <source path or URL> <destination path> (copy new files of directories> As you can see, the functionality of COPY is almost the same as the ADD instruction, with one difference. COPY supports only the basic copying of local files into the container. On the other hand, ADD gives some more features, such as archive extraction, downloading files through URL, and so on. Docker's best practices say that you should prefer COPY if you do not need those additional features of ADD. The Dockerfile will be cleaner and easier to understand thanks to the transparency of the COPY command. RUN CMD command parameter1 parameterN ENTRYPOINT EXPOSE VOLUME LABEL ENV USER ARG ONBUILD [144] Let's summarize what we have learned about the differences and their cooperation: A Dockerfile should specify at least one CMD or ENTRYPOINT instruction Only the last CMD and ENTRYPOINT in a Dockerfile will be used ENTRYPOINT should be defined when using the container as an executable You should use the CMD instruction as a way of defining default arguments for the command defined as ENTRYPOINT or for executing an ad-hoc command in a container CMD will be overridden when running the container with alternative arguments ENTRYPOINT sets the concrete default application that is used every time a container is created using the image If you couple ENTRYPOINT with CMD, you can remove an executable from CMD and just leave its arguments which will be passed to ENTRYPOINT The best use for ENTRYPOINT is to set the image's main command, allowing that image to be run as though it was that command (and then use CMD as the default flags)
- #43: FROM <image>:<tag> MAINTAINER WORKDIR ADD <source path or URL> <destination path> (copy the files from the source into the containers) COPY <source path or URL> <destination path> (copy new files of directories> As you can see, the functionality of COPY is almost the same as the ADD instruction, with one difference. COPY supports only the basic copying of local files into the container. On the other hand, ADD gives some more features, such as archive extraction, downloading files through URL, and so on. Docker's best practices say that you should prefer COPY if you do not need those additional features of ADD. The Dockerfile will be cleaner and easier to understand thanks to the transparency of the COPY command. RUN CMD command parameter1 parameterN ENTRYPOINT EXPOSE VOLUME LABEL ENV USER ARG ONBUILD [144] Let's summarize what we have learned about the differences and their cooperation: A Dockerfile should specify at least one CMD or ENTRYPOINT instruction Only the last CMD and ENTRYPOINT in a Dockerfile will be used ENTRYPOINT should be defined when using the container as an executable You should use the CMD instruction as a way of defining default arguments for the command defined as ENTRYPOINT or for executing an ad-hoc command in a container CMD will be overridden when running the container with alternative arguments ENTRYPOINT sets the concrete default application that is used every time a container is created using the image If you couple ENTRYPOINT with CMD, you can remove an executable from CMD and just leave its arguments which will be passed to ENTRYPOINT The best use for ENTRYPOINT is to set the image's main command, allowing that image to be run as though it was that command (and then use CMD as the default flags)