Dockerfile Best Practices

Similar documents
Be smart. Think open source.

Docker & why we should use it

Containers. Pablo F. Ordóñez. October 18, 2018

How to run NoMachine server inside Docker

GitLab-CI and Docker Registry

Singularity: container formats

Dockerfile Documentation

Dockerfile Documentation

Think Small to Scale Big

Network softwarization Lab session 2: OS Virtualization Networking

Optimizing Docker Images

Arup Nanda VP, Data Services Priceline.com

Investigating Containers for Future Services and User Application Support

An introduction to Docker

Who is Docker and how he can help us? Heino Talvik

Running Splunk Enterprise within Docker

Containers: Exploits, Surprises, And Security

Index. Bessel function, 51 Big data, 1. Cloud-based version-control system, 226 Containerization, 30 application, 32 virtualize processes, 30 31

OpenShift Online 3 Creating Images

Getting Started With Containers

I hate money. Release 1.0

Follow me!

Red Hat Containers Cheat Sheet

Linux Essentials Objectives Topics:

Linux Kung Fu. Stephen James UBNetDef, Spring 2017

Midterm Presentation Schedule

Docker und IBM Digital Experience in Docker Container

docker & HEP: containerization of applications for development, distribution and preservation

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

Infoblox Kubernetes1.0.0 IPAM Plugin

USING DOCKER FOR MXCUBE DEVELOPMENT AT MAX IV

Introduction. What is Linux? What is the difference between a client and a server?

Application Management

Travis Cardwell Technical Meeting

Engineering Robust Server Software

Dockerfile & docker CLI Cheat Sheet

Deploying Rails with Kubernetes

Container-based virtualization: Docker

It s probably the most popular containerization technology on Linux these days

The instructions in this document are applicable to personal computers running the following Operating Systems:

Docker Cheat Sheet. Introduction

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

Introduction to remote command line Linux. Research Computing Team University of Birmingham

GNU/Linux: An Essential Guide for Students Undertaking BLOSSOM

Run containerized applications from pre-existing images stored in a centralized registry

Introduction to Containers

"Charting the Course... MOC B: Linux System Administration. Course Summary

INFRASTRUCTURE AS CODE

Red Hat Quay 2.9 Deploy Red Hat Quay - Basic

Welcome to getting started with Ubuntu Server. This System Administrator Manual. guide to be simple to follow, with step by step instructions

Commands are in black

How Docker Compose Changed My Life

swiftenv Documentation

CS197U: A Hands on Introduction to Unix

Course 55187B Linux System Administration

TangeloHub Documentation

Technical Manual. Software Quality Analysis as a Service (SQUAAD) Team No.1. Implementers: Aleksandr Chernousov Chris Harman Supicha Phadungslip

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

DGX-1 DOCKER USER GUIDE Josh Park Senior Solutions Architect Contents created by Jack Han Solutions Architect

Administration Dashboard Installation Guide SQream Technologies

Singularity CRI User Documentation

A Brief Introduction to Unix

Centreon SSH Connector Documentation

Tricks of the Captains. Adrian Mouat. Chief Scientist Container Solutions

How to Restrict a Login Shell Using Linux Namespaces

Drupal Command Line Instructions Windows 7 List All Files >>>CLICK HERE<<<

3 Installation from sources

Linux Administration

Stephan Hochdörfer //

Introduction to Linux (Part I) BUPT/QMUL 2018/03/14

Developing and Testing Java Microservices on Docker. Todd Fasullo Dir. Engineering

Nexus Application Development - SDK

Build, test and release your python packages

If you re the administrator on any network,

Working with Ubuntu Linux. Track 2 Workshop June 2010 Pago Pago, American Samoa

FEniCS Containers Documentation

Bitnami Pimcore for Huawei Enterprise Cloud

Best Practices for Developing & Deploying Java Applications with Docker

containerization: more than the new virtualization

diskimage-builder: Building Linux Images for Cloud / Virtualization / Container

3 Installation from sources

Ubuntu LTS Install Guide

Integration of UNICORE Components into Linux Systems

Red Hat OpenShift Application Runtimes 1

Scratchbox Remote Shell

APEX Installation Guide. Sven van der Meer, Liam Fallon, John Keeney. Version SNAPSHOT, T16:01:13Z

BEST PRACTICES FOR DOCKER

Software Development I

SAP Business One Components High Availability Guide, Version for SAP HANA

Architecture. Steven M. Bellovin October 31,

CS197U: A Hands on Introduction to Unix

BEST PRACTICES FOR DOCKER

Installing SmartSense on HDP

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

Docker Swarm installation Guide

NetBackup Deployment Template User Guide for Chef

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

The Galaxy Docker Project. our hands-on tutorial

Bitnami Ruby for Huawei Enterprise Cloud

Docker. Master the execution environment of your applications. Aurélien Dumez. Inria Bordeaux - Sud-Ouest. Tuesday, March 24th 2015

Transcription:

Dockerfile Best Practices OpenRheinRuhr 2015 November 07th, 2015 1

Dockerfile Best Practices Outline About Dockerfile Best Practices Building Images This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/. 2

Dockerfile Best Practices: About About 3

Dockerfile Best Practices: About About me masters student in Information Engineering at University of Konstanz working as e-mail / groupware administrator strong believe in free software self hosting services since years running everything in Docker containers 4

Dockerfile Best Practices: About About this talk This is no introduction to Docker, but gives useful hints for deploying applications with Docker. Goals We want Docker images providing isolation in-between services, maintainability for developers and administrators, small size 5

Dockerfile Best Practices: About Docker Figure 1:Containers on base system 1 1 From: https://www.docker.com/what-docker 6

Dockerfile Best Practices: Dockerfile Best Practices Dockerfile Best Practices 7

Dockerfile Best Practices: Dockerfile Best Practices Sources Dockerfile reference https://docs.docker.com/reference/builder/ Dockerfile best practices https: //docs.docker.com/articles/dockerfile_best-practices/ Guidelines for Creating Official Repositories https://docs.docker.com/articles/dockerfile_ best-practices/#examples-for-official-repositories Docker newsletter 8

Building Images 9

FROM debian:8 Distribution Size alpine 5,028,556 centos 215,676,104 debian 114,995,306 fedora 241,316,031 opensuse 256,224,454 oraclelinux 198,964,416 ubuntu 188,268,233 ubuntu-debootstrap 87,019,347 10

FROM debian:8 Figure 2:Debian Swirl small image stable commonly used minimal set of necessary components Docker-recommended lots of official PPAs/repositories for Ubuntu! 11

FROM php,... base images for most important software stacks mostly Debian-based don t reinvent the wheel Figure 3:Official base images 12

FROM php,... COPY into image: sources base configuration add documentation (required database links, setup,... ) Dockerfile directly in your source repository?.dockerignore (don t need git history in containers) 13

RUN each RUN statement adds another layer image grows overhead (container startup/image creation) keep number of RUN statements minimal by grouping them clean up after large operations (software installation,... ) 14

RUN Figure 4:layers of docker container 15

RUN apt-get (update upgrade install) Preparing base images bring sources.list, but no packages, thus RUN apt-get update before installing packages don t apt-get upgrade, instead docker pull new image rely on vendor packages if available 16

RUN apt-get (update upgrade install) Install software unattended installation: apt-get install -y foo keep things minimal: --no-install-recommends no useful admin tools: text editors, ping, rsync,... bloats size & possible attack vector keep image minimal install in container if really required 17

RUN apt-get (update upgrade install) Fixed versions Fix main product version to be installed, cache buster ENV NGINX_VERSION 1.9.0-1~ jessie RUN apt - get update && \ apt - get install -y ca - certificates nginx =${ NGINX_VERSION } DEBIAN_FRONTEND=noninteractive Prevents interactive sessions (database configuration,... ). Now included in base image! 18

RUN apt-get (update upgrade install) Clean up Remove package lists (outdated anyway). temporary files RUN apt - get clean && rm - rf \ / var / lib / apt / lists /* \ / tmp /* \ / var / tmp /* 19

apt-get example: nginx RUN apt - key adv -- keyserver hkp :// pgp. mit. edu :80 --recv - keys 573 BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 RUN echo " deb http :// nginx. org / packages / mainline / debian / jessie nginx " >> / etc / apt / sources. list ENV NGINX_VERSION 1.9.0-1~ jessie RUN apt - get update && \ apt - get install -y ca - certificates nginx =${ NGINX_VERSION } && \ rm -rf / var / lib / apt / lists /* 20

apt-get example: prosody ENV PROSODY_VERSION 0.9.8-1~ jessie2 RUN apt - key adv -- keyserver pool.sks - keyservers. net --recv - keys 107 D65A0A148C237FDF00AB47393D7E674D9DBB5 && \ echo deb http :// packages. prosody. im/ debian jessie main >>/ etc / apt / sources. list && \ apt - get update && \ apt - get install -y --no - install - recommends \ lua -dbi - mysql \ lua -dbi - postgresql \ lua -dbi - sqlite3 \ lua - event \ lua - sec \ lua - zlib \ prosody =${ PROSODY_VERSION } && \ apt - get clean && rm -rf \ / var / lib / apt / lists /* \ / tmp /* \ / var / tmp /* 21

Installing from sources, binaries verify signatures/hashes reference specific versions, not latest.tgz (cache buster!) clean up after installing/compiling uninstall build chain when finished or use language base image 22

Build example: redis https://github.com/docker-library/redis Fetch and verify ENV REDIS_VERSION 3.0.0 ENV REDIS_DOWNLOAD_URL http :// download. redis. io/ releases / redis -3.0.0. tar. gz ENV REDIS_DOWNLOAD_SHA1 c75fd32900187a7c9f9d07c412ea3b3315691c65 RUN builddeps =' gcc libc6 - dev make '; \ set -x \ && apt - get update && apt - get install -y $builddeps --no - install - recommends \ && rm -rf / var / lib / apt / lists /* \ && mkdir -p / usr / src / redis \ && curl - ssl " $REDIS_DOWNLOAD_URL " -o redis. tar. gz \ && echo " $REDIS_DOWNLOAD_SHA1 * redis. tar. gz" sha1sum -c - \ 23

Build example: redis Build and install && tar -xzf redis. tar.gz -C / usr / src / redis --strip - components =1 \ && make -C / usr / src / redis \ && make -C / usr / src / redis install \ Cleanup && rm redis. tar.gz \ && rm -r / usr / src / redis \ && apt - get purge -y -- auto - remove $builddeps 24

ADD vs COPY COPY just copies ADD can perform some fetch- and unarchive-magic don t use unless you definitely need it (untar) use curl for remote files, ADDed files are in their own layer (cannot be deleted) 25

ENV, VOLUME, EXPOSE pull together lines (reduce layers) don t: ENV foo bar ENV BATZ 42 EXPOSE 80 EXPOSE 443 EXPOSE 8080 do: ENV foo = bar batz =42 EXPOSE 80 443 8080 26

ENTRYPOINT vs CMD ENTRYPOINT is the binary executed default /bin/sh -c CMD is passed as argument default empty overridden at container startup, eg. docker run - ti debian bash Docker runs $ENTRYPOINT $CMD at startup 27

Startup scripts Do you really need one? write script that starts daemon terminate execution, if any command fails set - euf -o pipefail exec into main process (keep PID, receive signals) Docker recommends gosu for switching users Really need multiple processes? Use supervisord. Consider again if you really need it. Twice. Watch for dumping logfiles to container stdout! Don t apply too much magic. KISS! 28

Startup scripts Do you really need one? write script that starts daemon terminate execution, if any command fails set - euf -o pipefail exec into main process (keep PID, receive signals) Docker recommends gosu for switching users Really need multiple processes? Use supervisord. Consider again if you really need it. Twice. Watch for dumping logfiles to container stdout! Don t apply too much magic. KISS! 28

Startup scripts Do you really need one? write script that starts daemon terminate execution, if any command fails set - euf -o pipefail exec into main process (keep PID, receive signals) Docker recommends gosu for switching users Really need multiple processes? Use supervisord. Consider again if you really need it. Twice. Watch for dumping logfiles to container stdout! Don t apply too much magic. KISS! 28

Startup scripts Do you really need one? write script that starts daemon terminate execution, if any command fails set - euf -o pipefail exec into main process (keep PID, receive signals) Docker recommends gosu for switching users Really need multiple processes? Use supervisord. Consider again if you really need it. Twice. Watch for dumping logfiles to container stdout! Don t apply too much magic. KISS! 28

Persisting data VOLUMEs are mounted overlay directories empty at container creation (no defaults!) can be overridden by --volume and --volumes-from don t install database systems in container all relevant DBMS available as images link against them including memcached et al. lets administrator decide where to put it 29

Persisting data build images to be ephemeral no state in containers no data in containers throw away container, create new one add documentation what to persist! 30

Logs no syslogd, no logrotate inside containers Docker expectations: log to stdout/stderr Docker daemon takes care of output have a look at debug-flags single process, no need for several log files per container Docker 1.6+ can log to host syslogd 31

Logs What if application strictly writes to a file? 2 tail -F monitors for file to be created tail --pid makes tail terminate if process is terminated #! / usr / bin / env bash set - euf -o pipefail rm -rf / var / log /my - application. log tail --pid $$ -F / var / log /my - application. log & exec / path /to/my - application 2 As proposed in http://serverfault.com/a/599209/98727 32

System users don t run daemons as root 3 fixed user ID (reduces permission issues) adduser -- system -- home / srv -- disabled - password -- disabled - login -- uid 1984 basex set user in Dockerfile using USER basex consider unsuiding binaries to reduce possible attack vector RUN for i in `find / - perm +6000 - type f `; do chmod a- s $i; done 3 unless you can argue why / would do so on the host system 33

Documentation Don t just dump a Dockerfile! describe what s... 1. inside the image 2. needed for setup, especially database container links what folders to persist what s listening on which port configuration hickups (logfiles, non-daemonized execution,... ) reverse proxy configuration hints cronjobs (docker exec) 3. required action during upgrades (database maintenance?) explain general hickups for public images/dockerfiles: license of product and Dockerfile YAML file for docker-compose 34

Debugging help don t clean up during development (makes installing vim easier) docker exec -ti [container] /bin/bash start with individual RUN lines, merge later (keep expensive download-operations in cache) Check permissions. Again. Ubuntu-based systems: stuck in app-armor? check host syslog for denied operations inside containers (missing privileges?) UDP ports must be exposed separately trailing / after directories 35

Docker registry If you want to share Docker images, let Docker build ( Trusted Builds ), do not upload images add hook to base image (for automated rebuild) link to GitHub repository directly use official base images instead of intermediate ones 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback