Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Adrian Mouat - Docker Tips and Tricks

51 views

Published on

A quickfire rundown of concise tips designed to make your daily life with Docker better! There will be something for Docker users of all experience levels.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Adrian Mouat - Docker Tips and Tricks

  1. 1. info@container-solutions.com www.container-solutions.com Tricks of the Captains IGNITE EDITION! @adrianmouat
  2. 2. www.container-solutions.com info@container-solutions.com $ docker ps CONTAINER ID IMAGE COMMAND ... 0f1f72c9aac0 nginx "nginx -g 'daemon ... Configure docker ps Output Default output of docker ps (or docker container ls) Annoyingly takes up far too much screen width, difficult to read.
  3. 3. www.container-solutions.com info@container-solutions.com $ docker ps --format "table {{.Names}}t{{.Image}}t{{.Status}}" NAMES IMAGE STATUS web nginx Up 25 minutes Solution is to use the --format argument https://docs.docker.com/engine/reference/commandline/ps/#formatting Configure docker ps Output
  4. 4. www.container-solutions.com info@container-solutions.com $ cat ~/.docker/config.json {... "psFormat": "table {{.ID}}t{{.Names}}t{{.Image}}t{{.Status}}"} Make it a permanent default by adding to config.json https://docs.docker.com/engine/reference/commandline/cli/#configuration-files Configure docker ps Output
  5. 5. www.container-solutions.com info@container-solutions.com The . in $ docker build -t myimage . ● Tarballed and sent to the Docker Daemon ● Don’t run a build from ~/ or Downloads! ● Use .dockerignore to exclude large directories The Build Context
  6. 6. www.container-solutions.com info@container-solutions.com ... COPY ./ /usr/src/ RUN npm install ... To keep builds fast, add dependencies before source code in Dockerfiles Don’t Bust the Build Cache ... COPY package.json /usr/src/ RUN npm install COPY ./ /usr/src/ ...
  7. 7. www.container-solutions.com info@container-solutions.com ● Good for security ○ Less software that can be exploited ● Good for distribution ○ Faster updates, less network costs Minimal Images
  8. 8. www.container-solutions.com info@container-solutions.com ● Alpine ○ Only ~ 5MB! ○ Uses musl, smaller package manager ● Debian Slim ○ Around 55MB Minimal Images
  9. 9. www.container-solutions.com info@container-solutions.com ● Scratch and static binaries FROM rust:1.20 as builder … RUN cargo build --release --target x86_64-unknown-linux-musl FROM scratch COPY --from=builder /.../release/mybin /mybin USER 65534 CMD ["/mybin"] Minimal Images
  10. 10. www.container-solutions.com info@container-solutions.com ● Nothing special about tag ● Not guaranteed to be “new” ● Not guaranteed to exist Default used when no tag specified docker push/pull/build myimage == docker push/pull/build myimage:latest Beware of “latest”
  11. 11. www.container-solutions.com info@container-solutions.com Delete “dangling” images (<none> images) $ docker image prune WARNING! This will remove all dangling images. Are you sure you want to continue? [y/N] y Deleted Images: deleted: sha256:708624719836212ccb681d5898a64ebfcc4569f37460537609f6db6… … Total reclaimed space: 3.677 GB Cleaning Up
  12. 12. www.container-solutions.com info@container-solutions.com $ docker container prune $ docker volume prune $ docker network prune $ docker system prune WARNING! This will remove: - all stopped containers - all volumes not used by at least one container - all networks not used by at least one container - all dangling images Cleaning Up
  13. 13. www.container-solutions.com info@container-solutions.com Do not require containers to start in sequence If a container depends on another service: • It should wait for that service • Do not crash - back off • Do this in application code ○ or start-up script if you can’t See 12 Fractured Apps by Kelsey Hightower Start-up Dependably
  14. 14. www.container-solutions.com info@container-solutions.com When Docker stops a container, it will • Send the container a SIGTERM signal • Wait 10s for the container to stop • Hard kill the container with a SIGKILL Shutdown Gracefully
  15. 15. www.container-solutions.com info@container-solutions.com Proper handling of SIGTERM will mean: • The application gets a chance to “tidy up” ○ close network connections, sockets, handles ○ write data to file or database ○ output to log • Faster shutdown of the container Shutdown Gracefully
  16. 16. www.container-solutions.com info@container-solutions.com To ensure your application receives signals either • Run it as PID 1 ○ Use exec in any start-up scripts • Or forward signals to it ○ tini can help https://github.com/krallin/tini • And prefer node to npm for starting node.js apps ○ see Bret Fisher’s “Node and Docker Good Defaults” Shutdown Gracefully
  17. 17. www.container-solutions.com info@container-solutions.com An easy way to improve security $ docker run -d --name n1 --read-only -p 8000:80 --tmpfs /var/run --tmpfs /var/cache/nginx nginx c1da395bec73ef7933fecb6d8d821140ce203c426c433e5102d25e46cdb66537 $ docker exec n1 /bin/bash -c 'echo "HACKED" > /usr/share/nginx/html/index.html' /bin/bash: /usr/share/nginx/html/index.html: Read-only file system Read-only FS
  18. 18. www.container-solutions.com info@container-solutions.com Set a USER in Dockerfiles e.g: FROM debian RUN groupadd -r mygroup && useradd -r -g mygroup myuser … USER myuser Or use the nobody user Don’t run as root
  19. 19. www.container-solutions.com info@container-solutions.com Sometimes need to change user at run-time sudo works, but has a drawback: $ docker run debian-with-sudo sudo -u nobody ps ax PID TTY STAT TIME COMMAND 1 ? Rs 0:00 sudo -u nobody ps ax 7 ? R 0:00 ps ax Don’t run as root
  20. 20. www.container-solutions.com info@container-solutions.com Instead use gosu by Tianon Gravi $ docker run debian-with-gosu gosu nobody ps ax PID TTY STAT TIME COMMAND 1 ? Rs 0:00 ps ax https://github.com/tianon/gosu THANKS FOR LISTENING! @adrianmouat Don’t run as root

×