3. WHAT IS DOCKER?
makes it easier to create, build and ship apps in containers
a single build contains only your application and its libs/dependencies
follows the Open Container Initiative (part of the Linux Foundation)
5. WHAT IS A CONTAINER?
It looks like a VM:
own process space
own network
can run things as root
can install packages
can play with system services
6. WHAT IS A CONTAINER?
But it's not a VM:
shares the host's kernel
can't boot a different OS
boots much faster
10. VIRTUALIZATION ON OSX AND WINDOWS
requires an additional Virtual Machine with a Linux kernel
Hyper-V on Windows 10
HyperKit on macOS since Yosemite
Docker-machine (based on VirtualBox) on earlier versions
11. KERNEL NAMESPACES - WHAT'S THE POINT?
Each process is associated with a namespace and can only see or use the resources associated with that namespace, and descendant namespaces where applicable.
18. WHAT IS NOT NAMESPACED?
time - try to change it inside the container
/ # whoami
root
/ # uname -a
Linux 51a456ca0479 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4
/ # date +%T -s "10:13:13"
date: can't set date: Operation not permitted
kernel keyring - syscalls are also blocked
things under /sys/
19. ONE SERVICE - ONE CONTAINER PHILOSOPHY
easier to scale
easier to maintain
doesn't face the first-process (PID 1) assassination issue
more effort needed to configure than in a VM-like approach
21. WHAT IS AN IMAGE?
overlays the kernel
can contain libraries/binaries
can define exposed ports and the workdir
defines the default process run in the container
22. WHAT'S INSIDE THE IMAGE?
Linux distro dependencies, like in the Ubuntu image
prebuilt dependencies for your app that are useful in containers
everything is packed up as layers
images are read-only
24. FOLLOW DOCKERFILE SYNTAX
FROM <image>[:<tag>] # base image
RUN <command> # runs command only once during build
CMD command param1 param2 # runs on container boot
EXPOSE <port> [<port>/<protocol>...]
ENV <key> <value> # only inside a container
ADD [--chown=<user>:<group>] <src>... <dest>
COPY <src>... <dest>
ENTRYPOINT command param1 param2 # container will run as an ex
VOLUME ["/data"]
USER <user>[:<group>] # who runs executables
WORKDIR /path # where executables run
HEALTHCHECK [OPTIONS] CMD command
25. $ docker build .
Sending build context to Docker daemon 15.36 kB
Step 1/4 : FROM alpine:3.2
---> 31f630c65071
Step 2/4 : MAINTAINER forest.gump@example.com
---> Using cache
---> 2a1c91448f5f
Step 3/4 : RUN apk update && apk add apache2 && rm -r /var/cac
---> Using cache
---> 21ed6e7fbb73
Step 4/4 : CMD apache2
---> Using cache
---> 7ea8aef582cc
Successfully built 7ea8aef582cc
29. BITBUCKET PIPELINES
similar syntax to docker-compose.yml
limit of only one container with mounted codebase
codebase can be mounted into different containers with steps
services are the only way of having multiple containers
services are reachable through the network only
32. GITLAB PIPELINES
limit of only one container with mounted codebase
codebase can be mounted into different containers with jobs
services are the only way of having multiple containers
services are reachable through the network only
34. SECURITY - GET RID OF ROOT PRIVILEGES
follow the principle of least privilege
Docker requires root privileges to run, containers themselves do not
a process running in a container is no different from any other process
many images just run as root and leave it up to you
35. $ docker run -v /root:/tmp/rootdir alpine:latest ls -la /tmp/r
drwxr-xr-x+ 126 root root 4032 Jun 21 13:43 .
drwxr-xr-x 7 root root 224 Jun 15 12:31 ..
-rw-r--r-- 1 root root 266 Nov 26 2017 secretFile
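The Dockerfile syntax from slide 24 and the least-privilege advice from slide 34 put together, as an added example that is not part of the deck: the usual "runs as root" image next to the same app built to run unprivileged. It assumes a hypothetical app.py that listens on port 8080 and answers GET /.

```dockerfile
# Added example, not from the deck. Assumes a hypothetical app.py serving HTTP on 8080.

# --- Weak: the typical image that "just runs as root and leaves it up to you" ---
# FROM alpine:3.18
# RUN apk add --no-cache python3
# COPY app.py /app/app.py
# CMD python3 /app/app.py      # shell form: PID 1 is a shell, and the app runs as root

# --- Hardened: same app, principle of least privilege applied ---
FROM alpine:3.18

# Install only what the app needs; --no-cache keeps the package index out of the layer
RUN apk add --no-cache python3

# Dedicated system user and group (BusyBox addgroup/adduser): no password, own home dir
RUN addgroup -S app \
    && adduser -S -G app -h /app app

WORKDIR /app

# Files arrive already owned by the unprivileged user, so no chown layer is needed
COPY --chown=app:app app.py .

ENV PORT=8080
EXPOSE 8080

# From here on, remaining build steps and the runtime process run as "app", not root
USER app

# Liveness probe executed inside the container (BusyBox wget ships with alpine)
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
    CMD wget -qO- http://127.0.0.1:8080/ || exit 1

# Exec form: python3 is PID 1 itself (no shell wrapper) and receives SIGTERM directly
ENTRYPOINT ["python3", "app.py"]
```

For an image you do not control, the run-time equivalent is `docker run --user <uid>:<gid> ...`, which overrides whatever USER the image set.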
38. ELASTIC CONTAINER SERVICE (ECS)
user manages clusters of containers
cluster defines the type of underlying EC2 instances
one underlying instance can run many containers
it's still up to the user to administer the instances
39. FARGATE
user doesn't have to manage the cluster and instances
user specifies only CPU/memory requirements
containers are created on AWS-managed instances
Kubernetes support coming in 2018