Tricks of the Captains. Adrian Mouat. Chief Scientist Container Solutions

Similar documents
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

Best Practices for Developing & Deploying Java Applications with Docker

Arup Nanda VP, Data Services Priceline.com

Introduction to Containers

Follow me!

Network softwarization Lab session 2: OS Virtualization Networking

Red Hat Containers Cheat Sheet

Docker Cheat Sheet. Introduction

Docker & why we should use it

An introduction to Docker

Dockerfile & docker CLI Cheat Sheet

Technical Manual. Software Quality Analysis as a Service (SQUAAD) Team No.1. Implementers: Aleksandr Chernousov Chris Harman Supicha Phadungslip

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

How to run NoMachine server inside Docker

Linux Kung Fu. Ross Ventresca UBNetDef, Fall 2017

OPERATING SYSTEMS LINUX

A Hands on Introduction to Docker

Containers. Pablo F. Ordóñez. October 18, 2018

More Raspian. An editor Configuration files Shell scripts Shell variables System admin

/ Cloud Computing. Recitation 5 September 27 th, 2016

Be smart. Think open source.

Dockerfile Best Practices

Linux Kung Fu. Stephen James UBNetDef, Spring 2017

Introduction. What is Linux? What is the difference between a client and a server?

/ Cloud Computing. Recitation 5 September 26 th, 2017

Formatting 1. Commands starting with $ are Linux console commands on the host PC:

Lab 8: Building Microservices on Oracle Autonomous Transaction Processing Service

Singularity: container formats

The Galaxy Docker Project. our hands-on tutorial

/ Cloud Computing. Recitation 5 February 14th, 2017

Linux Essentials Objectives Topics:

Travis Cardwell Technical Meeting

Docker Security. Mika Vatanen

It s probably the most popular containerization technology on Linux these days

Linux Command Line Interface. December 27, 2017

Course 144 Supplementary Materials. UNIX Fundamentals

Docker Cheat Sheet. Table of Contents. Why Docker

Unix Processes. What is a Process?

Contents. Note: pay attention to where you are. Note: Plaintext version. Note: pay attention to where you are... 1 Note: Plaintext version...

Install the Marionnet network simulator on Kali Linux Light vbox-i686

DGX-1 DOCKER USER GUIDE Josh Park Senior Solutions Architect Contents created by Jack Han Solutions Architect

The kernel is the low-level software that manages hardware, multitasks programs, etc.

Linux Kung-Fu. James Droste UBNetDef Fall 2016

Introduction to the shell Part II

ENGR 3950U / CSCI 3020U Midterm Exam SOLUTIONS, Fall 2012 SOLUTIONS

EKI-1500 Trouble Shooting when using Linux VCOM driver

FUJITSU Cloud Service S5 Installation and Configuration of MySQL on a CentOS VM

Seccomp, network and namespaces. Francesco Tornieri <francesco.tornieri AT kiratech.it>

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

Platform Migrator Technical Report TR

Linux crash lecture by Andrey Lukyanenko

The Unix Shell & Shell Scripts

INTRODUCTION TO LINUX

Investigating Containers for Future Services and User Application Support

Lab 2: Linux/Unix shell

Open up a terminal, make sure you are in your home directory, and run the command.

SUDO(8) System Manager s Manual SUDO(8)

Operating Systems Lab 1 (Users, Groups, and Security)

SUDO(8) System Manager s Manual SUDO(8)

LAB #7 Linux Tutorial

Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via

Shell and Utility Commands

How to Implement a Web-based Terminal with Docker

Support for Vanilla Universe Checkpointing. Thomas Downes University of Wisconsin-Milwaukee (LIGO)

Who is Docker and how he can help us? Heino Talvik

Installing Open Project on Ubuntu AWS with Apache and Postgesql

Introduction to Linux

Optimizing Docker Images

Shell. SSE2034: System Software Experiment 3, Fall 2018, Jinkyu Jeong

Programs. Program: Set of commands stored in a file Stored on disk Starting a program creates a process static Process: Program loaded in RAM dynamic

Manual Shell Script Linux If File Exists And

Unix/Linux Basics. Cpt S 223, Fall 2007 Copyright: Washington State University

Linux. An introduction. Aurélien Villani 01/2018

Please choose the best answer. More than one answer might be true, but choose the one that is best.

Roll No. :... Invigilator's Signature : UNIX AND SHELL PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70

The Wonderful World of Services VINCE

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

Rootless Containers with runc. Aleksa Sarai Software Engineer

Process Management forks, bombs, zombies, and daemons! Lecture 5, Hands-On Unix System Administration DeCal

Filesystem and common commands

Network Monitoring & Management. A few Linux basics

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

Managing Processes Process: A running program

MODULE 5. PROCESS AND SYSTEM ADMINISTRATION

bash Args, Signals, Functions Administrative Shell Scripting COMP2101 Fall 2017

CS 0449 Project 4: /dev/rps Due: Friday, December 8, 2017, at 11:59pm

Connecting to a Tactical Subject Using The F-Response Accelerator on Linux

Docker task in HPC Pack

Infrastructure Security 2.0

Dockerize Your IT! Centrale Nantes Information Technology Department Yoann Juet Dec, 2018

APPLIED INFORMATICS Processes. Bash characteristics. Command type. Aliases.

Recap From Last Time:

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

If you had a freshly generated image from an LCI instructor, make sure to set the hostnames again:

Docker und IBM Digital Experience in Docker Container

Online Backup Client User Manual

BGGN 213 Working with UNIX Barry Grant

Unix Basics. Systems Programming Concepts

Self-test Linux/UNIX fundamentals

Configuring and Running CD Tools

Transcription:

Tricks of the Captains Adrian Mouat Chief Scientist Container Solutions

Tricks of the Captains A hodgepodge of tips for Docker nirvana compiled from the brains in the Docker Captains program. And me.

Who am I? Chief Scientist @ Container Solutions Author of Using Docker published by O Reilly @adrianmouat

Daily Development

Configure docker ps output Default output of docker ps (or docker container ls) $ docker ps CONTAINER ID IMAGE COMMAND... 0f1f72c9aac0 nginx "nginx -g 'daemon... Annoyingly takes up far too much screen width, difficult to read.

Configure docker ps output Solution is to use the --format argument $ docker ps --format \ "table {{.Names}}\\t{{.Image}}\\t{{.Status}}" NAMES IMAGE STATUS web nginx Up 25 minutes https://docs.docker.com/engine/reference/commandline/ps/#formatting

Configure docker ps output Make it a permanent default by adding to config.json $ cat ~/.docker/config.json {... "psformat": "table {{.ID}}\\t{{.Names}}\\t{{.Image}}\\t{{.Status}}"} https://docs.docker.com/engine/reference/commandline/cli/#configuration-files

Don t bust the build cache To keep builds fast, add dependencies before source code in Dockerfiles... COPY./ /usr/src/ RUN npm install...... COPY package.json /usr/src/ RUN npm install COPY./ /usr/src/...

File mounting gotcha Mounting a file as volume might not work as expected $ cat index.html Moby Rules! $ docker run -d -p 8000:80 \ -v $PWD/index.html:/usr/share/nginx/html/index.html nginx 0cdacef2cbaea960f710d90900b23c57550aaf626ccd2752f3a9287b7e51022b $ curl localhost:8000 Moby Rules! $ vi index.html $ cat index.html Gordon Rules! $ curl localhost:8000 Moby Rules!

File mounting gotcha Volumes are mounted at the inode level Text editors save to a new inode Solutions: mount parent directory (-v $PWD:/usr/share/nginx/html) copy modified file (cp new.html index.html) overwrite with > (echo bla > index.html)

Cleaning Up Delete dangling images (<none> images) $ docker image prune WARNING! This will remove all dangling images. Are you sure you want to continue? [y/n] y Deleted Images: deleted: sha256:708624719836212ccb681d5898a64ebfcc4569f37460537609f6db6 Total reclaimed space: 3.677 GB

Cleaning Up Delete stopped containers $ docker container prune WARNING! This will remove all stopped containers. Are you sure you want to continue? [y/n] y Deleted Containers: 6e5033be3e106d04912fb91b966abc693b77ae47d85946190bdbe73c48112959 Total reclaimed space: 304.6 MB

Cleaning Up $ docker volume prune WARNING! This will remove all volumes not used by at least one container. Total reclaimed space: 3.494 GB $ docker system prune WARNING! This will remove: - all stopped containers - all volumes not used by at least one container - all networks not used by at least one container - all dangling images

Container Lifecycle

Start-up Dependably Do not require containers to start in sequence If a container depends on another service: It should wait for that service Do not crash - back off Do this in application code or start-up script if you can t See 12 Fractured Apps by Kelsey Hightower

Shutdown Gracefully When Docker stops a container, it will Send the container a SIGTERM signal Wait 10s for the container to stop Hard kill the container with a SIGKILL

Shutdown Gracefully Proper handling of SIGTERM will mean: The application gets a chance to tidy up close network connections, sockets, handles write data to file or database output to log Faster shutdown of the container

Shutdown Gracefully To ensure your application receives signals either Run it as PID 1 Use exec in any start-up scripts Or forward signals to it tini can help https://github.com/krallin/tini And prefer node to npm for starting node.js apps see Bret Fisher s Node and Docker Good Defaults

Use Healthchecks Used by Docker to determine health of container FROM nginx RUN apt-get update && apt-get install -y curl HEALTHCHECK --interval=10s --timeout=3s \ CMD curl -f http://localhost/ exit 1

Use Healthchecks Used by Docker to determine health of container $ docker ps CONTAINER ID... STATUS 79616fdd4308 Up 3 seconds (health: starting) $ docker ps CONTAINER ID... STATUS 79616fdd4308 Up 16 seconds (healthy)

Security

Read-only FS An easy way to improve security $ docker run -d --name n1 --read-only -p 8000:80 \ --tmpfs /var/run --tmpfs /var/cache/nginx nginx c1da395bec73ef7933fecb6d8d821140ce203c426c433e5102d25e46cdb66537 $ docker exec n1 /bin/bash -c \ 'echo "HACKED" > /usr/share/nginx/html/index.html' /bin/bash: /usr/share/nginx/html/index.html: Read-only file system

Don t run as root Set a USER in Dockerfiles e.g: FROM debian RUN groupadd -r mygroup && useradd -r -g mygroup myuser USER myuser Or use the nobody user

Don t run as root Sometimes need to change user at run-time sudo works, but has a drawback: $ docker run debian-with-sudo sudo -u nobody ps ax PID TTY STAT TIME COMMAND 1? Rs 0:00 sudo -u nobody ps ax 7? R 0:00 ps ax

Don t run as root Instead use gosu by Tianon Gravi $ docker run debian-with-gosu gosu nobody ps ax PID TTY STAT TIME COMMAND 1? Rs 0:00 ps ax https://github.com/tianon/gosu

Thanks for Listening! @docker #dockercon

References Good Defaults for Node and Docker - Bret Fisher https://github.com/bretfisher/node-docker-good-defaults 12 Fractured Apps - Kelsey Hightower https://medium.com/@kelseyhightower/12-fractured-apps-1080c73d481c Least Privilege Containers - Nathan McCauley and Diogo Monica gosu - https://github.com/tianon/gosu tini - https://github.com/krallin/tini Thanks to the captains for discussion, particularly Bret, Laura, Marcos and Antonis

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback