Introduction to Containers
Shawfeng Dong
Principal Cyberinfrastructure Engineer
University of California, Santa Cruz
What are Containers?

Containerization, aka operating-system-level virtualization, refers to an operating system feature in which the kernel allows the existence of multiple isolated user-space instances. Such instances are called containers, partitions, or jails.

Implementations:
o chroot (1982)
o FreeBSD jail (2000)
o Solaris Zones (2004)
o OpenVZ (2005)
o Docker (2013)
Containers vs. VMs

https://docs.docker.com/get-started/
Docker

Docker is the most popular container system.
It uses Linux kernel features, such as cgroups and namespaces, as well as a union-capable file system such as OverlayFS.
It readily supports DevOps.
Benefits of Container-based Solutions

Flexible: Even the most complex applications can be containerized.
Lightweight: Containers leverage and share the host kernel.
Interchangeable: You can deploy updates and upgrades on-the-fly.
Portable: You can build locally, deploy to the cloud, and run anywhere.
Scalable: You can increase and automatically distribute container replicas.
Stackable: You can stack services vertically and on-the-fly.

https://docs.docker.com/get-started/
Installing Docker

You can install Docker Community Edition (CE) by following the installation instructions.

Supported platforms:
o Linux: Docker's native platform
o Docker for Mac (macOS): runs a custom minimal Linux distro in HyperKit
o Docker for Windows (Microsoft Windows 10): runs a custom minimal Linux distro in Hyper-V
Post-installation steps for Linux

To allow non-root users to run the docker command, create a Unix group called docker and add users to it:

    # create the docker group
    sudo groupadd docker
    # add your user to the docker group (-a append, -G supplementary group)
    sudo usermod -aG docker $USER
    # log out and log back in so that your group membership is re-evaluated

Warning: The docker group grants privileges equivalent to the root user! See Docker security.

https://docs.docker.com/install/linux/linux-postinstall/
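Because docker group membership is root-equivalent, the membership list is worth auditing regularly. The following is an added example (not from the slides or from Docker): it parses /etc/group-formatted text, returns the docker group's members, and reports any member outside an allow-list. The sample group file and the user names in it are constructed; a real audit would read /etc/group.

```python
"""Audit docker group membership (root-equivalent on a Docker host).

Added example, not from the slides. Parses text in /etc/group format:
    name:password:gid:member1,member2,...
"""


def group_members(group_text, group="docker"):
    """Return the supplementary-member list of `group`; [] if the group is absent.

    Caveat: users whose *primary* group (the gid field in /etc/passwd) is
    `group` do not appear here; check /etc/passwd separately for those.
    """
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return [member for member in fields[3].split(",") if member]
    return []


def unexpected_members(group_text, allowed, group="docker"):
    """Return members of `group` that are not in the `allowed` set, sorted."""
    return sorted(set(group_members(group_text, group)) - set(allowed))


# Constructed sample in /etc/group format (not a real host's file).
SAMPLE_GROUP = """root:x:0:
sudo:x:27:dong
docker:x:999:dong,ci
"""

if __name__ == "__main__":
    # On a real host: with open("/etc/group") as f: SAMPLE_GROUP = f.read()
    print("docker group members:", group_members(SAMPLE_GROUP))
    print("not on the allow-list:", unexpected_members(SAMPLE_GROUP, {"dong"}))
```

Run it against the real file on a host and treat every name in the output as an account that can become root through the Docker daemon.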
Test Docker version

1. Run docker --version:

    [dong@hydra ~]$ docker --version
    Docker version 18.06.0-ce, build 0ffa825

2. Run docker info:

    [dong@hydra ~]$ docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 0
    Server Version: 18.06.0-ce
    Storage Driver: overlay
Containers and Images

Container: a running instance that encapsulates required software. Containers are always created from images.

Image: an executable package that includes everything needed to run an application: the code, a runtime, libraries, environment variables, and configuration files.
Basic docker commands

Run the simple Docker image hello-world:

    docker run hello-world

Run the more ambitious Docker image ubuntu:

    docker run -it --rm ubuntu bash

List the images:

    docker image ls

List the containers (including stopped ones):

    docker container ls --all
    docker ps -a
Docker Networking

Docker's networking subsystem is pluggable, using drivers:

bridge: The default network driver.
host: For standalone containers, remove network isolation between the container and the Docker host, and use the host's networking directly.
overlay: Overlay networks connect multiple Docker daemons together and enable swarm services to communicate with each other.
macvlan: Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network.
none: For this container, disable all networking.

https://docs.docker.com/network/
Docker Networking examples (bridge)

List networks:

    docker network ls

Run the Docker image nginx in detached mode:

    docker run --name nginx1 -p 8080:80 -d nginx

Load http://localhost:8080/ in your browser.

Inspect the bridge network:

    docker network inspect bridge

Inspect the container:

    docker container inspect nginx1
Docker Networking examples (host)

List networks:

    docker network ls

Run the Docker image nginx in detached mode, on the host network:

    docker run --network host --name nginx2 -d nginx

Load http://localhost:80/ in your browser.

Inspect the host network:

    docker network inspect host

Inspect the container:

    docker container inspect nginx2
Docker Storage

By default all files created inside a container are stored on a writable container layer. Docker has options for containers to store files in the host machine, so that the files are persisted even after the container stops:
o volumes
o bind mounts
o tmpfs mounts

https://docs.docker.com/storage/
Choose the right type of mount

Volumes are stored in a part of the host filesystem which is managed by Docker (/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this part of the filesystem. Volumes are the best way to persist data in Docker.

Bind mounts may be stored anywhere on the host system. They may even be important system files or directories! Non-Docker processes on the Docker host or a Docker container can modify them at any time.

tmpfs mounts are stored in the host system's memory only, and are never written to the host system's filesystem.

https://docs.docker.com/storage/
Docker Storage examples

Start an nginx container with a read-only bind mount:

    docker run --rm --name nginx3 -p 8080:80 \
      -v /home/dong/html:/usr/share/nginx/html:ro -d nginx

    ## or
    docker run --rm --name nginx3 -p 8080:80 \
      --mount type=bind,source=/home/dong/html,target=/usr/share/nginx/html,readonly \
      -d nginx

Load http://localhost:8080/ in your browser.

Enter the container:

    docker exec -it nginx3 bash

Inspect the container's mounts (the Go template must reference the .Mounts field):

    docker container inspect -f '{{json .Mounts}}' nginx3
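The host-network example (nginx2) and the bind-mount example (nginx3) above both show up in `docker container inspect` output, which makes that output a good place to check what isolation a running container has actually given up. The following is an added example, not from the slides or from Docker: it reads the JSON that `docker container inspect <names...>` prints (a list of container objects) and flags containers that use host networking, bind mounts that expose system directories, and bind mounts that are writable. The sample JSON is constructed and trimmed to the fields used, modelled on nginx1, nginx2 and nginx3 plus one deliberately risky container; the list of "system" path prefixes is an assumed policy for this example, not a Docker setting.

```python
"""Audit `docker inspect` output for settings that weaken container isolation.

Added example, not from the slides. Usage on a real host:
    docker container inspect nginx1 nginx2 nginx3 > inspect.json
    python3 audit_inspect.py inspect.json
"""
import json
import sys

# Host directories a container normally has no business bind-mounting.
# Assumed policy list for this example; adjust to your environment.
SYSTEM_PREFIXES = ("/etc", "/usr", "/bin", "/sbin", "/boot", "/var/lib/docker")


def audit_container(container):
    """Return a list of findings (strings) for one object from `docker inspect`."""
    findings = []
    name = container.get("Name", "?").lstrip("/")
    host_config = container.get("HostConfig", {})

    # `--network host` is recorded as NetworkMode "host": the container shares
    # the host's network namespace, i.e. no network isolation at all.
    if host_config.get("NetworkMode") == "host":
        findings.append(f"{name}: host networking (no network isolation from the Docker host)")

    for mount in container.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # volumes live under /var/lib/docker/volumes and are Docker-managed
        src = mount.get("Source", "")
        dst = mount.get("Destination", "")
        if src == "/" or src.startswith(SYSTEM_PREFIXES):
            findings.append(f"{name}: bind mount exposes system path {src} at {dst}")
        if mount.get("RW", True):  # RW is False for ':ro' / 'readonly' mounts
            findings.append(f"{name}: writable bind mount {src} at {dst} (consider :ro / readonly)")
    return findings


def audit(inspect_output):
    """Run audit_container over every container in a `docker inspect` JSON document."""
    findings = []
    for container in json.loads(inspect_output):
        findings.extend(audit_container(container))
    return findings


# Constructed sample (not real `docker inspect` output) with only the fields used above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nginx1",
     "HostConfig": {"NetworkMode": "default",
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
     "Mounts": []},
    {"Name": "/nginx2", "HostConfig": {"NetworkMode": "host"}, "Mounts": []},
    {"Name": "/nginx3", "HostConfig": {"NetworkMode": "default"},
     "Mounts": [{"Type": "bind", "Source": "/home/dong/html",
                 "Destination": "/usr/share/nginx/html", "Mode": "ro", "RW": False}]},
    {"Name": "/nginx-risky", "HostConfig": {"NetworkMode": "default"},
     "Mounts": [{"Type": "bind", "Source": "/etc",
                 "Destination": "/host-etc", "Mode": "", "RW": True}]},
])

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for finding in audit(data):
        print(finding)
```

With the constructed sample, nginx1 and nginx3 produce no findings (bridge networking; read-only bind mount of a home directory), nginx2 is flagged for host networking, and nginx-risky is flagged twice, once for the system path and once for being writable.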
Develop with Docker

You can create a new Docker image from a container's file changes. Generally, it is better to use Dockerfiles to manage your images in a documented and maintainable way.

A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image.
Nginx Dockerfile

    # Pull base image.
    FROM dockerfile/ubuntu

    # Install Nginx.
    RUN add-apt-repository -y ppa:nginx/stable && apt-get update && apt-get install -y nginx && \
        rm -rf /var/lib/apt/lists/* && echo "\ndaemon off;" >> /etc/nginx/nginx.conf && \
        chown -R www-data:www-data /var/lib/nginx

    # Define mountable directories.
    VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]

    # Define working directory.
    WORKDIR /etc/nginx

    # Define default command.
    CMD ["nginx"]

    # Expose ports.
    EXPOSE 80
    EXPOSE 443
A very simple Dockerfile

    # Pull base image.
    FROM nginx

    # Copy static content.
    COPY html /usr/share/nginx/html
Build an Image from a Dockerfile

Build an image from the Dockerfile in the current directory (note the trailing "." build context):

    docker build -t static-nginx .

List images:

    docker images

Run the new Docker image static-nginx:

    docker run --rm --name nginx4 -p 8080:80 -d static-nginx

Load http://localhost:8080/ in your browser.

Enter the container:

    docker exec -it nginx4 bash
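Both Dockerfiles above start with an unpinned base image (FROM dockerfile/ubuntu, FROM nginx), so the image that `docker build` produces depends on whatever the registry serves as :latest on the day of the build, and neither declares a USER, so the process inside runs as root. The following is an added example, not from the slides or from Docker: a minimal Dockerfile parser that handles comments and backslash continuations, plus a lint that reports those two conditions. The two Dockerfiles from the slides are embedded as test input; the pinned "nginx:1.25" reference in the third sample is a constructed tag used only to show a clean result.

```python
"""Lint a Dockerfile before `docker build`.

Added example, not from the slides. Two checks:
  1. FROM without a tag or digest resolves to :latest, so the base image can
     change between builds;
  2. no USER instruction means the container's process runs as root.
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments), ...], joining backslash continuations and dropping comments."""
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Docker ignores blank and comment lines, also inside a continuation
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        parts = pending.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        pending = ""
    return instructions


def base_image_pinned(image_ref):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@" in image_ref:
        return True  # e.g. nginx@sha256:<digest>, the strongest pin
    last = image_ref.rsplit("/", 1)[-1]  # a registry host:port prefix also contains ':'
    return ":" in last and not last.endswith(":latest")


def lint_dockerfile(text):
    """Return a list of findings (strings); empty list means both checks pass."""
    instructions = parse_dockerfile(text)
    findings = []
    for inst, args in instructions:
        if inst == "FROM":
            # skip flags such as --platform=..., take the image reference itself
            image = next(tok for tok in args.split() if not tok.startswith("--"))
            if not base_image_pinned(image):
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
    if not any(inst == "USER" for inst, _ in instructions):
        findings.append("no USER instruction: the container runs as root by default")
    return findings


# The "A very simple Dockerfile" from the slides.
SIMPLE_DOCKERFILE = """\
# Pull base image.
FROM nginx

# Copy static content.
COPY html /usr/share/nginx/html
"""

# The "Nginx Dockerfile" from the slides (raw string so the "\\n" and "\\" survive).
NGINX_DOCKERFILE = r"""
# Pull base image.
FROM dockerfile/ubuntu

# Install Nginx.
RUN add-apt-repository -y ppa:nginx/stable && apt-get update && apt-get install -y nginx && \
    rm -rf /var/lib/apt/lists/* && echo "\ndaemon off;" >> /etc/nginx/nginx.conf && \
    chown -R www-data:www-data /var/lib/nginx

# Define mountable directories.
VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]

# Define working directory.
WORKDIR /etc/nginx

# Define default command.
CMD ["nginx"]

# Expose ports.
EXPOSE 80
EXPOSE 443
"""

# Constructed: same content as the simple Dockerfile with a pinned tag and a USER.
PINNED_DOCKERFILE = """\
FROM nginx:1.25
COPY html /usr/share/nginx/html
USER nginx
"""

if __name__ == "__main__":
    for label, df in (("simple", SIMPLE_DOCKERFILE), ("nginx", NGINX_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        print(label, lint_dockerfile(df) or ["ok"])
```

Pinning by digest (`FROM nginx@sha256:...`) is the strictest option because a tag can be moved to a different image later, while a digest names exactly one image.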
Manage Docker Images

What good is your Docker image if nobody else can use it? There are several ways to get your images out to the world.

Docker in Action, by Jeff Nickoloff