Docker Insight workshop @ IT Aveiro 19/11/14. Insight about docker technology with advanced concepts, scenarios (yeoman in docker, Netbeans in docker, Eclipse in docker).
7. What is Docker? Why bother?
● Containers are “lightweight VMs”
○ Own process space, network interface, /sbin/init
● Container = isolated process(es)
● Share kernel with host
● No device emulation
8. What is Docker? Why bother?
● Dev env (Linux, OS X, Windows)
○ boot2docker (OS X, Windows)
○ Natively (Linux)
● Linux Servers (Ubuntu, Debian, Fedora, Gentoo, Arch…)
○ Single binary install
○ Easy provisioning on Rackspace, Digital Ocean, EC2, GCE ...
11. Security
● Don’t run your containers as root.
● Don’t enable SSH unless it’s an SSH server.
● Configure TLS for API access.
● If possible, use SELinux / AppArmor / GRSEC, etc… !
● Make use of capabilities (CAP_CHOWN, CAP_MKNOD, CAP_NET_ADMIN …)
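The first three rules above can be checked after the fact from `docker inspect` output. The following audit script is an added example for this page, not code from the workshop: it reads a constructed JSON document in the shape `docker inspect` produces (the `Config.User`, `Config.ExposedPorts`, `HostConfig.Privileged` and `HostConfig.CapAdd` fields are real inspect fields; the container names and values are made up), and the list of capabilities it flags is this example's own choice. One container breaks the rules, the other follows them.

```python
import json

# Constructed sample in the shape of `docker inspect` output (a JSON list of
# containers). Names and values are invented for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/webapp-bad",
        "Config": {"User": "", "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}}},
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                       "CapDrop": None, "NetworkMode": "bridge"},
    },
    {
        "Name": "/webapp-good",
        "Config": {"User": "app", "ExposedPorts": {"8080/tcp": {}}},
        "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                       "CapDrop": ["ALL"], "NetworkMode": "bridge"},
    },
])

# Capabilities an audit should flag when granted explicitly. This list is a
# choice made for the example, not a Docker setting.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "NET_ADMIN"}


def norm_cap(name):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(container):
    """Return a list of findings (strings) for one container record."""
    findings = []
    name = container.get("Name", "?").lstrip("/")
    config = container.get("Config") or {}
    hc = container.get("HostConfig") or {}

    # Rule 1: don't run as root. Docker treats an empty User as uid 0.
    user = config.get("User") or ""
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append(f"{name}: runs as root (Config.User={user!r})")

    # Rule 2: no --privileged; grant single capabilities instead.
    if hc.get("Privileged"):
        findings.append(f"{name}: Privileged=true, use --cap-add/--cap-drop instead")
    for cap in hc.get("CapAdd") or []:
        if norm_cap(cap) in RISKY_CAPS:
            findings.append(f"{name}: CapAdd grants {norm_cap(cap)}")

    # Rule 3: no SSH unless the container is an SSH server.
    for port in config.get("ExposedPorts") or {}:
        if port.split("/")[0] == "22":
            findings.append(f"{name}: exposes {port} (sshd inside an app container?)")
    return findings


def audit_inspect(inspect_json):
    """Audit every container in a `docker inspect` JSON document."""
    findings = []
    for container in json.loads(inspect_json):
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    for line in audit_inspect(SAMPLE_INSPECT):
        print(line)
```

Run it against real data with `docker inspect $(docker ps -q)` piped into `audit_inspect`; the TLS rule is a daemon-side setting and is not visible in container records, so it is not checked here.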
12. Advanced Concepts
● Naming: each container should have a unique name.
● Links: connect containers.
● Volumes: separate code and data / share data between containers.
● Network: None, Bridge, Container, Host.
13. Advanced Concepts
● Logs
○ Create “data container” to hold logs
$ docker run --name logs -v /var/log busybox true
○ Start app container with shared volume
$ docker run --volumes-from logs app
○ Digging into logs
$ docker run -it --volumes-from logs -w /var/log ubuntu bash
14. Advanced Concepts
● Backups
○ Create “data container” to hold files to back up
$ docker run --name mysqldata -v /var/lib/mysql busybox true
○ Start app container with shared volume
$ docker run --volumes-from mysqldata mysql
○ Create a separate image with backup tools
- Dockerfile with “apt-get install rsync, s3cmd…”
15. Advanced Concepts
● Network debugging
○ Create an image with tcpdump, ngrep…
- Dockerfile with “apt-get install tcpdump ngrep”
○ Run it in the namespace of the app container
$ docker run -it --net container:<app_cid> netdebug bash
○ You can now run tcpdump, etc., or copy a dump to visualise with Wireshark.
$ docker run -it --net container:<app_cid> -v /tmp:/tmp netdebug tcpdump -s0 -peni eth0 -w /tmp/myapp.pcap
16. Advanced Concepts
● Capabilities: don’t use privileged! Instead use --cap-add / --cap-drop.
17. Advanced Concepts
● Capabilities
○ Change the status of the container’s interfaces.
$ docker run --cap-add=NET_ADMIN ubuntu sh -c "ip link set eth0 down"
○ Prevent any `chown` in the container.
$ docker run --cap-drop=CHOWN ubuntu ...
○ Allow all capabilities except `mknod`.
$ docker run --cap-add=ALL --cap-drop=MKNOD ubuntu ...
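To see what a given `--cap-add` / `--cap-drop` combination actually leaves a container with, and to verify it from inside the container, the following Python script is added as an example (it is not code from the workshop). The capability bit numbers are the ones from `<linux/capability.h>`, and `DOCKER_DEFAULT_CAPS` is the set Docker grants a non-privileged container by default; both are stated here from general knowledge, not from the slides. The `/proc/<pid>/status` text is a constructed sample of what `cat /proc/1/status` shows inside a default container.

```python
import re

# Linux capability bit positions from <linux/capability.h>, named without the
# CAP_ prefix, which is the form `docker run --cap-add/--cap-drop` accepts.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
}

# Capabilities Docker grants a non-privileged container when no flags are given.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})

# Constructed sample of /proc/1/status inside a default (non-privileged) container.
SAMPLE_STATUS = (
    "Name:\tsh\nPid:\t1\n"
    "CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)


def norm_cap(name):
    """Normalise 'cap_net_admin' / 'NET_ADMIN' to 'NET_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def mask_to_caps(hexmask):
    """Decode a CapEff/CapBnd hex mask as printed in /proc/<pid>/status."""
    mask = int(hexmask, 16)
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}


def caps_to_mask(caps):
    """Encode a set of capability names as the 16-digit hex mask the kernel prints."""
    return "%016x" % sum(1 << CAP_BITS[norm_cap(c)] for c in caps)


def capeff_from_status(status_text):
    """Pull the CapEff line out of /proc/<pid>/status text and decode it."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return mask_to_caps(m.group(1))


def effective_caps(cap_add=(), cap_drop=()):
    """Capabilities a container ends up with for given --cap-add / --cap-drop lists.

    Mirrors Docker's rules: ALL in cap_add means every capability minus the
    drops; ALL in cap_drop means start from nothing and add only cap_add;
    otherwise start from the default set, remove the drops, then add.
    """
    add = {norm_cap(c) for c in cap_add}
    drop = {norm_cap(c) for c in cap_drop}
    unknown = (add | drop) - set(CAP_BITS) - {"ALL"}
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    if "ALL" in add and "ALL" in drop:
        raise ValueError("cannot both add and drop ALL")
    if "ALL" in add:
        return set(CAP_BITS) - drop
    base = set() if "ALL" in drop else set(DOCKER_DEFAULT_CAPS) - drop
    return base | add


if __name__ == "__main__":
    print("default container:", sorted(capeff_from_status(SAMPLE_STATUS)))
    print("--cap-drop=CHOWN:", sorted(effective_caps(cap_drop=["CHOWN"])))
    print("--cap-add=ALL --cap-drop=MKNOD lacks MKNOD:",
          "MKNOD" not in effective_caps(["ALL"], ["MKNOD"]))
```

Inside a running container, `grep CapEff /proc/1/status` gives the mask to feed `mask_to_caps`; comparing that with `effective_caps(...)` for the flags you passed confirms the daemon applied them as intended. Note that the three slide examples in this script are predictions of the flag semantics; the `/proc` reading is the ground truth.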