DCSF19 Tips and Tricks of the Docker Captains

Brandon Mitchell, BoxBoat

Docker Captain Brandon Mitchell will help you accelerate your adoption of Docker containers by delivering tips and tricks on getting the most out of Docker. Topics include managing disk usage, preventing subnet collisions, debugging container networking, understanding image layers, getting more value out of the default volume driver, and solving the UID/GID permission issues with volumes in a way that allows images to be portable from any developer laptop and to production.

Published in: Technology

  1. 5/6/2019 Tips and Tricks From A Docker Captain - Brandon Mitchell
      https://sudo-bmitch.github.io/presentations/dc2019/tips-and-tricks-of-the-captains.html#28

      Agenda
      - Pruning
      - Cleaning Logs
      - Network Address Pools
      - Netshoot
      - Layers
      - BuildKit
      - Local Volume Driver
      - Fixing Permissions

      Tips and Tricks of the Docker Captains - @sudo_bmitch
  2. Tips and Tricks Of The Docker Captains

      Brandon Mitchell
      Twitter: @sudo_bmitch
      GitHub: sudo-bmitch
  4. $ whoami

      Brandon Mitchell aka bmitch
      - Solutions Architect @ BoxBoat
      - Docker Captain
      - Frequenter of StackOverflow
  5. Who is a Developer?
  6. Disk Usage
  8. Prune

      ```
      $ docker system prune
      WARNING! This will remove:
        - all stopped containers
        - all networks not used by at least one container
        - all dangling images
        - all build cache
      ```

      What this doesn't clean by default:
      - Running containers (and their logs)
      - Tagged images
      - Volumes
  10. Prune - YOLO

      ```
      $ docker run -d --restart=unless-stopped --name cleanup \
          -v /var/run/docker.sock:/var/run/docker.sock \
          docker /bin/sh -c \
          "while true; do docker system prune -f; sleep 1h; done"

      $ docker service create --mode global --name cleanup \
          --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
          docker /bin/sh -c \
          "while true; do docker system prune -f; sleep 1h; done"
      ```
  11. Container Logs
  15. Clean Your Logs

      ```
      $ cat docker-compose.yml
      version: '3.7'
      services:
        app:
          image: sudobmitch/loggen
          command: [ "150", "180" ]
          logging:
            options:
              max-size: "10m"
              max-file: "3"
      ```
  16. Clean Your Logs

      ```
      version: '3.7'
      x-defaults:
        service: &default-svc
          image: sudobmitch/loggen
          logging: { options: { max-size: "10m", max-file: "3" } }
      services:
        cat:
          <<: *default-svc
          command: [ "300", "120" ]
          environment: { pet: "cat" }
        turtle:
          <<: *default-svc
          labels: { name: "gordon", levels: "all the way down" }
      ```
  17. Clean Your Logs

      Best option to prevent container logs from filling disk space

      ```
      $ cat /etc/docker/daemon.json
      {
        "log-driver": "local",
        "log-opts": {"max-size": "10m", "max-file": "3"}
      }
      $ systemctl reload docker
      ```
  20. Networking
  22. Subnet Collisions

      Docker networks sometimes conflict with other networks

      BIP, bridge network named "bridge"

      ```
      $ cat /etc/docker/daemon.json
      {
        "bip": "10.15.0.1/24"
      }
      ```
  23. Subnet Collisions

      Default address pool added in 18.06

      ```
      $ cat /etc/docker/daemon.json
      {
        "bip": "10.15.0.1/24",
        "default-address-pools": [
          {"base": "10.20.0.0/16", "size": 24},
          {"base": "10.40.0.0/16", "size": 24}
        ]
      }
      ```
  25. Subnet Collisions

      ```
      $ docker swarm init --help
      ...
            --default-addr-pool ipNetSlice
            --default-addr-pool-mask-length uint32

      $ docker swarm init \
          --default-addr-pool 10.20.0.0/16 \
          --default-addr-pool 10.40.0.0/16 \
          --default-addr-pool-mask-length 24
      ```
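
Added example, not part of the original slides: a check that the `bip` and `default-address-pools` values from the `daemon.json` above do not overlap networks the host already routes, and a count of the collision-free subnets left in each pool. The route list is a constructed, hypothetical sample; the function names are this example's own.

```python
import ipaddress
import json

# Constructed input: the daemon.json from the slide above.
DAEMON_JSON = """{
  "bip": "10.15.0.1/24",
  "default-address-pools": [
    {"base": "10.20.0.0/16", "size": 24},
    {"base": "10.40.0.0/16", "size": 24}
  ]
}"""

# Constructed input (hypothetical values): networks the host already routes,
# e.g. collected from `ip route` while the VPN is connected.
EXISTING_ROUTES = ["10.15.0.0/16", "10.40.8.0/21", "192.168.1.0/24"]


def docker_networks(config):
    """Return [(label, network, subnet_prefix)] for bip and each address pool."""
    nets = []
    if "bip" in config:
        # bip is the bridge IP plus prefix, so derive the enclosing subnet.
        net = ipaddress.ip_network(config["bip"], strict=False)
        nets.append(("bip", net, net.prefixlen))
    for pool in config.get("default-address-pools", []):
        base = ipaddress.ip_network(pool["base"])
        if not base.prefixlen <= pool["size"] <= base.max_prefixlen:
            raise ValueError(f"size {pool['size']} does not fit in {base}")
        nets.append(("pool", base, pool["size"]))
    return nets


def find_collisions(config, routes):
    """Return (label, docker_net, route) for every overlap with a host route."""
    routes = [ipaddress.ip_network(r) for r in routes]
    return [(label, str(net), str(route))
            for label, net, _ in docker_networks(config)
            for route in routes if net.overlaps(route)]


def free_subnets(config, routes):
    """Count the subnets in each pool that overlap none of the host routes."""
    routes = [ipaddress.ip_network(r) for r in routes]
    counts = {}
    for label, net, prefix in docker_networks(config):
        if label != "pool":
            continue
        counts[str(net)] = sum(
            1 for sub in net.subnets(new_prefix=prefix)
            if not any(sub.overlaps(r) for r in routes))
    return counts


if __name__ == "__main__":
    cfg = json.loads(DAEMON_JSON)
    for label, net, route in find_collisions(cfg, EXISTING_ROUTES):
        print(f"COLLISION {label} {net} overlaps host route {route}")
    for pool, free in free_subnets(cfg, EXISTING_ROUTES).items():
        print(f"{pool}: {free} collision-free subnets")
```
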
  27. Network Debugging

      - Debugging networks from the host doesn't see inside the container namespace
      - Debugging inside the container means installing tools inside that container
      - Sidecars aren't just for Kubernetes
  29. Network Debugging

      ```
      $ docker run --name web -p 9999:80 -d nginx
      $ docker run -it --rm --net container:web \
          nicolaka/netshoot ss -lnt
      State    Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
      LISTEN   0       128     *:80                *:*
      ```
  30. Layered Filesystem
  33. Understanding Layers

      ```
      $ docker image build --rm=false --no-cache .
      $ docker container diff ...
      ```
  35. Understanding Layers

      - Delete temporary files in the same step where they are created
      - Small changes to big files are big changes
      - Merge your RUN commands together
  36. From Bad ...

      ```
      FROM golang:1.11
      RUN adduser --disabled-password --gecos appuser appuser
      WORKDIR /src
      COPY . /src/
      RUN go build -o app .
      WORKDIR /
      RUN cp /src/app /app
      RUN chown appuser /app
      RUN chmod 755 /app
      RUN rm -r /src
      USER appuser
      CMD /app
      ```
  37. ... to Okay

      ```
      FROM golang:1.11
      RUN adduser --disabled-password --gecos appuser appuser
      COPY . /src/
      RUN cd /src \
       && go build -o app . \
       && cd / \
       && cp /src/app /app \
       && chown appuser /app \
       && chmod 755 /app \
       && rm -r /go/pkg /root/.cache/go-build /src
      USER appuser
      CMD /app
      ```
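
Added example, not part of the original slides: a scan of image layer tarballs for data that is still stored in a lower layer after a later layer deleted or replaced it, using the `.wh.` whiteout entries that layer archives use to record deletions. The layers are constructed in memory to mirror the "Bad" and "Okay" Dockerfiles above; file names, sizes and the `api.token` file are made-up sample data.

```python
import io
import tarfile

WHITEOUT = ".wh."         # layer marker: ".wh.<name>" deletes <name> from lower layers
OPAQUE = ".wh..wh..opq"   # hides everything lower layers put in that directory


def make_layer(files, deleted=()):
    """Build one layer tarball in memory (constructed test data, not a real image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for path in deleted:
            parent, _, name = path.rpartition("/")
            tar.addfile(tarfile.TarInfo(f"{parent}/{WHITEOUT}{name}".lstrip("/")))
    return buf.getvalue()


def hidden_entries(layers):
    """Return (path, added_in, hidden_in, reason, size) for stored but invisible data."""
    live, hidden = {}, []
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members = tar.getmembers()
        # Whiteouts only affect lower layers, so apply them before this layer's files.
        for m in members:
            parent, _, name = m.name.rpartition("/")
            if name == OPAQUE:
                gone = [p for p in live if p.startswith(parent + "/")]
            elif name.startswith(WHITEOUT):
                target = f"{parent}/{name[len(WHITEOUT):]}".lstrip("/")
                gone = [p for p in live if p == target or p.startswith(target + "/")]
            else:
                continue
            for path in sorted(gone):
                added, size = live.pop(path)
                hidden.append((path, added, idx, "deleted", size))
        for m in members:
            if not m.isfile() or m.name.rpartition("/")[2].startswith(WHITEOUT):
                continue
            if m.name in live:  # chown/chmod/edit: the whole file is stored again
                added, size = live.pop(m.name)
                hidden.append((m.name, added, idx, "replaced", size))
            live[m.name] = (idx, m.size)
    return hidden


def wasted_bytes(layers):
    """Total bytes shipped in the image that the final filesystem never shows."""
    return sum(entry[4] for entry in hidden_entries(layers))


BINARY = b"\x7fELF" + b"\0" * 996  # 1000-byte stand-in for the Go binary
SOURCE = {"src/main.go": b"p" * 40, "src/api.token": b"t" * 32}  # constructed

# "From Bad ...": one layer per instruction
BAD = [
    make_layer(SOURCE),                  # COPY . /src/
    make_layer({"src/app": BINARY}),     # RUN go build -o app .
    make_layer({"app": BINARY}),         # RUN cp /src/app /app
    make_layer({"app": BINARY}),         # RUN chown appuser /app
    make_layer({"app": BINARY}),         # RUN chmod 755 /app
    make_layer({}, deleted=["src"]),     # RUN rm -r /src
]
# "... to Okay": the COPY layer plus one merged RUN layer
OKAY = [
    make_layer(SOURCE),
    make_layer({"app": BINARY}, deleted=["src"]),
]

if __name__ == "__main__":
    for name, layers in (("bad", BAD), ("okay", OKAY)):
        print(name, wasted_bytes(layers), "hidden bytes")
        for entry in hidden_entries(layers):
            print("  ", entry)
```

In the constructed "okay" case the merged RUN no longer leaves extra copies of the binary, but the source tree, including the token file, is still stored in the COPY layer and can be read from the image.
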
  38. Multi-stage Builds

      - Everything we learned about making efficient images is now wrong
      - Build stage splits RUN lines to maximize caching
      - Only the released stage needs to be layer efficient
  39. ```
      FROM golang:1.11-alpine as build
      RUN apk add --no-cache git ca-certificates
      RUN adduser -D appuser
      WORKDIR /src
      COPY . /src/
      RUN CGO_ENABLED=0 go build -o app .

      FROM scratch as release
      COPY --from=build /etc/passwd /etc/group /etc/
      COPY --from=build /src/app /app
      USER appuser
      CMD [ "/app" ]

      FROM alpine as dev
      COPY --from=build /src/app /app
      CMD [ "/app" ]

      FROM release
      ```
  41. "Hold my beer." --BuildKit
  42. BuildKit Features For Everyone

      - GA in Docker 18.09
      - Context only pulls needed files
      - Multi-stage builds use a dependency graph
      - Cache from a remote registry
      - Pruning has options for cache age and size to keep
  44. BuildKit Cache Pruning

      ```
      $ docker builder prune --keep-storage=1GB --filter until=72h

      $ cat /etc/docker/daemon.json
      {
        "builder": {
          "gc": {
            "enabled": true,
            "policy": [
              {"keepStorage": "512MB", "filter": ["unused-for=168h"]},
              {"keepStorage": "30GB", "all": true}
            ]
          }
        }
      }
      ```
  45. BuildKit Experimental Features

      - Frontend parser can be changed
      - Bind Mounts, from build context or another image
      - Cache Mounts, similar to a named volume
      - Tmpfs Mounts
      - Build Secrets, file never written to image filesystem
      - SSH Agent, private Git repos
  46. ```
      # syntax=docker/dockerfile:experimental
      FROM golang:1.11-alpine as build
      RUN apk add --no-cache git ca-certificates tzdata
      RUN adduser -D appuser
      WORKDIR /src
      COPY . /src/
      RUN --mount=type=cache,id=gomod,target=/go/pkg/mod/cache \
          --mount=type=cache,id=goroot,target=/root/.cache/go-build \
          CGO_ENABLED=0 go build -o app .
      USER appuser
      CMD ./app
      ```
  49. Enable BuildKit

      ```
      $ export DOCKER_BUILDKIT=1
      $ docker build -t your_image .

      $ cat /etc/docker/daemon.json
      { "features": {"buildkit": true} }
      ```
  50. Volumes
  51. Local Volume Driver
  52. NFS Mounts

      ```
      $ docker volume create \
          --driver local \
          --opt type=nfs \
          --opt o=nfsvers=4,addr=nfs.example.com,rw \
          --opt device=:/path/on/server \
          foo
      ```
  53. NFS Mounts

      ```
      version: '3.7'
      volumes:
        nfs-data:
          driver: local
          driver_opts:
            type: nfs
            o: nfsvers=4,addr=nfs.example.com,rw
            device: ":/path/to/dir"
      services:
        app:
          volumes:
            - nfs-data:/data
          ...
      ```
  54. Other Filesystem Mounts

      ```
      version: '3.7'
      volumes:
        ext-data:
          driver: local
          driver_opts:
            type: ext4
            o: ro
            device: "/dev/sdb1"
      services:
        app:
          volumes:
            - ext-data:/data
          ...
      ```
  55. Overlay Filesystem as a Volume

      ```
      version: '3.7'
      volumes:
        overlay-data:
          driver: local
          driver_opts:
            type: overlay
            device: overlay
            o: lowerdir=${PWD}/data2:${PWD}/data1,upperdir=${PWD}/upper,workdir=${PWD}/workdir
      services:
        app:
          volumes:
            - overlay-data:/data
          ...
      ```
  56. Named Bind Mount

      ```
      version: '3.7'
      volumes:
        bind-vol:
          driver: local
          driver_opts:
            type: none
            o: bind
            device: /home/user/host-dir
      services:
        app:
          volumes:
            - "bind-vol:/container-dir"
            - "./code:/code"
          ...
      ```
  58. That's nice, but I just use:

      ```
      $(pwd)/code:/code
      "$(pwd)/code:/code"
      ```
  59. Dockerfile for Java

      ```
      FROM openjdk:jdk as build
      RUN apt-get update \
       && apt-get install -y maven \
       && useradd -m app
      COPY code /code
      RUN mvn build
      CMD ["java", "-jar", "/code/app.jar"]
      USER app

      FROM openjdk:jre as release
      RUN useradd -m app
      COPY --from=build /code/app.jar /app.jar
      CMD ["java", "-jar", "/app.jar"]
      USER app
      ```
  60. Developer Compose File

      ```
      version: '3.7'
      volumes:
        m2:
      services:
        app:
          build:
            context: .
            target: build
          image: registry:5000/app/app:dev
          command: "/bin/sh -c 'mvn build && java -jar /code/app.jar'"
          volumes:
            - m2:/home/app/.m2
            - ./code:/code
      ```
  63. Problem with the Developer Workflow

      - Error accessing /code: permission denied
      - UID for app inside the container doesn't match our UID on the host
      - Unless you're on MacOS or VirtualBox
  64. Fixing UID/GID

      Possible solutions:
      - Run everything as root
      - Change permissions to 777
      - Adjust each developer's uid/gid to match image
      - Adjust image uid/gid to match developers
      - Change the container uid/gid from run or compose
  66. Fixing UID/GID

      Possible bad solutions:
      - Run everything as root
      - Change permissions to 777
      - Adjust each developer's uid/gid to match image
      - Adjust image uid/gid to match developers
      - Change the container uid/gid from run or compose

      Another solution: "Use a shell script" - Some Ops Guy
  67. Disclaimer

      The following slide may not be suitable for all audiences
  68. Fixing UID/GID: fix-perms

      ```
      # update the uid
      if [ -n "$opt_u" ]; then
        OLD_UID=$(getent passwd "${opt_u}" | cut -f3 -d:)
        NEW_UID=$(stat -c "%u" "$1")
        if [ "$OLD_UID" != "$NEW_UID" ]; then
          echo "Changing UID of $opt_u from $OLD_UID to $NEW_UID"
          usermod -u "$NEW_UID" -o "$opt_u"
          if [ -n "$opt_r" ]; then
            find / -xdev -user "$OLD_UID" -exec chown -h "$opt_u" {} \;
          fi
        fi
      fi
      ```
  69. Fixing UID/GID: Dockerfile

      ```
      FROM openjdk:jdk as build
      COPY --from=sudobmitch/base:scratch / /
      RUN apt-get update \
       && apt-get install -y maven \
       && useradd -m app
      COPY code /code
      RUN mvn build
      COPY entrypoint.sh /usr/bin/
      ENTRYPOINT ["/usr/bin/entrypoint.sh"]
      CMD ["java", "-jar", "/code/app.jar"]
      USER app
      ```
  70. Fixing UID/GID: entrypoint.sh

      ```
      #!/bin/sh
      if [ "$(id -u)" = "0" ]; then
        # running on a developer laptop as root
        fix-perms -r -u app -g app /code
        exec gosu app "$@"
      else
        # running in production as a user
        exec "$@"
      fi
      ```
  71. Fixing UID/GID: Developer Compose File

      ```
      version: '3.7'
      volumes:
        m2:
      services:
        app:
          build:
            context: .
            target: build
          image: registry:5000/app/app:dev
          command: "/bin/sh -c 'mvn build && java -jar /code/app.jar'"
          user: "0:0"
          volumes:
            - m2:/home/app/.m2
            - ./code:/code
      ```
  72. Fixing UID/GID: Production Compose File

      ```
      version: '3.7'
      services:
        app:
          image: registry:5000/app/app:${build_num}
      ```
  73. Fixing UID/GID: Recap

      Developers:
      - Mount code from the host
      - Container starts entrypoint as root
      - Entrypoint changes uid of app user to match uid of /code
      - Entrypoint switches from root to app
      - Pid 1 is the app with a uid matching the host
      - Reads and writes to /code happen as the developer's uid

      Production:
      - Runs without root or a volume
      - Entrypoint skips fix-perms and gosu
  74. Thank You

      Brandon Mitchell
      Twitter: @sudo_bmitch
      GitHub: sudo-bmitch

      Rate this session in the DockerCon App

      github.com/sudo-bmitch/presentations
      github.com/sudo-bmitch/docker-base
