
Tips and tricks of the docker captains


Docker Captain Adrian Mouat will present a grab bag of tips and tricks for getting the most out of Docker. These tips are aimed at avoiding common pitfalls, addressing common misunderstandings and making common operations easier.

Topics covered will include:
- Build Processes
- Security
- Volumes
- Databases
- Orchestration
- Debugging and Maintenance
- Calling Docker from Docker

Whilst aimed primarily at new and intermediate users, even advanced users should pick up some new information. This talk will make your daily life with Docker easier!


  1. 1. Tips and Tricks of the Docker Captains
  2. 2. ● ● Tricks of the Captains
  3. 3. Daily Development
  4. 4. Configure docker ps Output
      docker ps
      docker container ls
      $ docker ps
      CONTAINER ID IMAGE COMMAND ...
      0f1f72c9aac0 nginx "nginx -g 'daemon ...
  5. 5. Configure docker ps Output: --format
      $ docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Status}}"
      NAMES IMAGE STATUS
      web nginx Up 25 minutes
  6. 6. Configure docker ps Output: config.json
      $ cat ~/.docker/config.json
      {... "psFormat": "table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}"}
  7. 7. Getting Started with kubectl
      $ kubectl completion --help
      $ source <(kubectl completion bash)
      $ kubectl g<TAB> de<TAB>
  8. 8. File Mounting Gotcha
      $ cat index.html
      Moby Rules!
      $ docker run -d -p 8000:80 -v $PWD/index.html:/usr/share/nginx/html/index.html nginx
      0cdacef2cbaea960f710d90900b23c57550aaf626ccd2752f3a9287b7e5
      $ curl localhost:8000
      Moby Rules!
  9. 9. File Mounting Gotcha
      $ vi index.html
      ...
      $ cat index.html
      Gordon the Turtle Rules!
      $ curl localhost:8000
      Moby Rules!
      ?
  10. 10. File Mounting Gotcha
      ● ○ -v $PWD:/usr/share/nginx/html
      ● ○ cp new.html index.html
      ● ○ echo "bla" > index.html
  11. 11. Cleaning Up
      <none>
      $ docker image prune
      WARNING! This will remove all dangling images.
      Are you sure you want to continue? [y/N] y
      Deleted Images:
      deleted: sha256:708624719836212ccb681d5898a64ebfcc4569f3746053766db6
      …
      Total reclaimed space: 3.677 GB
  12. 12. Cleaning Up
      $ docker container prune
      WARNING! This will remove all stopped containers.
      Are you sure you want to continue? [y/N] y
      Deleted Containers:
      6e5033be3e106d04912fb91b966abc693b77ae47d85946190bdbe73c4811
      …
      Total reclaimed space: 304.6 MB
  13. 13. Cleaning Up
      $ docker volume prune
      WARNING! This will remove all volumes not used by at least one container.
      …
      Total reclaimed space: 3.494 GB
      $ docker network prune
      WARNING! This will remove all networks not used by at least one container.
      Are you sure you want to continue? [y/N] y
      Deleted Networks:
      ...
  14. 14. Cleaning Up
      $ docker system prune
      WARNING! This will remove:
      - all stopped containers
      - all volumes not used by at least one container
      - all networks not used by at least one container
      - all dangling images
  15. 15. Building Images
  16. 16. The Build Context
      $ docker build -t myimage .
      ● ● ~/ Downloads ● .dockerignore
  17. 17. Don’t Bust the Build Cache
      ...
      COPY ./ /usr/src/
      RUN npm install
      ...

      ...
      COPY package.json /usr/src/
      RUN npm install
      COPY ./ /usr/src/
      ...
  18. 18. ● ○ ● ○ Minimal Images
  19. 19. ● ○ ○ ● ○ Minimal Images
  20. 20. Minimal Images
      FROM rust:1.20 as builder
      …
      RUN cargo build --release --target x86_64-unknown-linux-musl
      FROM scratch
      COPY --from=builder /.../release/mybin /mybin
      USER 65534
      CMD ["/mybin"]
  21. 21. Beware of “latest”
      ● ● ● docker push/pull/build myimage == docker push/pull/build myimage:latest
  22. 22. Use Meaningful Tags
      ● ○ docker build -t myimage:1.2.1 .
      ● ○ docker tag myimage:1.2.1 myimage:$(git rev-parse --short HEAD)
  23. 23. And Labels for the Rest
      $ docker build --label org.opencontainers.image.created="$(date --rfc-3339=s)" -t myimage .
      ...
      $ docker inspect -f "{{json .ContainerConfig.Labels}}" myimage
      {"org.opencontainers.image.created":"2017-10-05 16:21:00+01:00"}
  24. 24. Container Lifecycle
  25. 25. ● ● ○ ○ ● ○ Start Up Dependably
  26. 26. ● SIGTERM ● ● SIGKILL Shutdown Gracefully
  27. 27. SIGTERM ● ○ ○ ○ ● Shutdown Gracefully
  28. 28. ● ○ exec ● ○ ● ○ Shutdown Gracefully
  29. 29. ● ● ● ○ Use Healthchecks
  30. 30. Swarm Mode Healthchecks
      FROM nginx
      RUN apt-get update && apt-get install -y curl
      HEALTHCHECK --interval=10s --timeout=3s CMD curl -f http://localhost/ || exit 1
  31. 31. ● ○ ● ○ ○ ○ ● Swarm Mode Healthchecks
  32. 32. ● ○ ○ ○ ● ○ Kubernetes Healthchecks
  33. 33. Kubernetes Healthchecks
      ...
      containers:
      - name: example
        image: myapp
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
  34. 34. Security
  35. 35. Read Only Filesystem
      $ docker run -d --name n1 --read-only -p 8000:80 --tmpfs /var/run --tmpfs /var/cache/nginx nginx
      c1da395bec73ef7933fecb6d8d821140ce203c426c433e5102d25e46cdb66
      $ docker exec n1 /bin/bash -c 'echo "HACKED" > /usr/share/nginx/html/index.html'
      /bin/bash: /usr/share/nginx/html/index.html: Read-only file system
  36. 36. Don’t Run as Root
      USER
      FROM debian
      RUN groupadd -r mygroup && useradd -r -g mygroup myuser
      …
      USER myuser
      nobody
  37. 37. Don’t Run as Root
      $ docker run debian-with-sudo sudo -u nobody ps ax
      PID TTY STAT TIME COMMAND
      1 ? Rs 0:00 sudo -u nobody ps ax
      7 ? R 0:00 ps ax
  38. 38. Don’t Run as Root
      $ docker run debian-with-gosu gosu nobody ps ax
      PID TTY STAT TIME COMMAND
      1 ? Rs 0:00 ps ax
  39. 39. Other Stuff
  40. 40. ● ○ ● ○ ○ Docker in Docker
  41. 41. Docker in Docker
      $ docker run -v /var/run/docker.sock:/var/run/docker.sock docker docker ps
      CONTAINER ID IMAGE COMMAND ...
      8bdba5bc5c7a docker "docker-entrypoint.sh" ...
  42. 42. Docker in Docker
      $ docker run --privileged --name dind -d docker:dind
      4b78ae49d77dcf3c2e169c9e4440ace0813676f76e998f0aea2ef065a4b
      $ docker exec dind docker run -d nginx
      Unable to find image 'nginx:latest' locally
      latest: Pulling from library/nginx
      ...
      $ docker exec dind docker ps
      CONTAINER ID IMAGE COMMAND ...
      983cd6cb5a82 nginx "nginx -g 'daemon off" ...
  43. 43. Docker and GUIs
      $ docker run -d -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=unix$DISPLAY --device /dev/snd:/dev/snd --name spotify jess/spotify
  44. 44. Thanks For Listening! @adrianmouat
  45. 45. References
      Good Defaults for Node and Docker - Bret Fisher
      12 Fractured Apps - Kelsey Hightower
      Least Privilege Containers - Nathan McCauley and Diogo Monica
      Gosu - sudo for containers by Tianon Gravi
      tini - minimal init system for containers by Thomas Orozco
      Docker Containers on the Desktop - Jessie Frazelle
      Frequently Asked Queries from StackOverflow - Brandon Mitchell
  46. 46. References
      Docker Features for Handling Container Death and Resurrection by Sreenivas Makam
      Creating Effective Docker Images - Abby Fuller
      Multi-stage builds - Alex Ellis
      Do Not Use DinD For CI - Jérôme Petazzoni
      Docker Healthchecks - Elton Stoneman
      Annotations in the OCI image spec
      Thanks to all the captains for discussions!
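
The Security and Docker in Docker slides (35 to 42) as a configuration check, added here as an example that is not part of the talk: it reads `docker inspect` JSON and flags a writable root filesystem, a root user, `--privileged` and a mounted Docker socket. The sample data is constructed, and the `ci-agent` container name and the finding labels are assumptions.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/n1", "Config": {"User": ""}, "Mounts": [],
  "HostConfig": {"ReadonlyRootfs": true, "Privileged": false}},
 {"Name": "/dind", "Config": {"User": ""}, "Mounts": [],
  "HostConfig": {"ReadonlyRootfs": false, "Privileged": true}},
 {"Name": "/ci-agent", "Config": {"User": "65534"},
  "HostConfig": {"ReadonlyRootfs": true, "Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}
]""")

# An empty Config.User means no USER was set, so the process starts as root.
ROOT_USERS = {"", "0", "root"}


def runs_as_root(user):
    # Config.User may be "name", "uid", "name:group" or "uid:gid".
    return user.split(":", 1)[0] in ROOT_USERS


def audit(container):
    """Return the findings for one entry of `docker inspect` output."""
    host = container.get("HostConfig") or {}
    findings = []
    if not host.get("ReadonlyRootfs", False):
        findings.append("writable-rootfs")      # started without --read-only
    if runs_as_root((container.get("Config") or {}).get("User", "")):
        findings.append("runs-as-root")         # no USER in the image, no --user
    if host.get("Privileged", False):
        findings.append("privileged")           # --privileged, as on the dind slide
    if any(m.get("Source", "").endswith("/docker.sock")
           for m in container.get("Mounts") or []):
        findings.append("docker-socket-mounted")
    return findings


def audit_all(inspect_output):
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

To run it against live containers, pass the parsed output of `docker inspect $(docker ps -q)` to `audit_all`.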
