Hussein Galal
• Senior Software Engineer / Rancher Labs
• Remote worker
• @galal-hussein on github
Day 1
Content
● Why Containers?
● Containers Under the hood
○ Process Groups
○ Sessions
○ Cgroups
○ Namespaces
● Getting started with Docker
● LAB #1
Why Containers?
- Let’s Install Wordpress →
https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lamp-on-ubuntu-18-04
- Alternative:
- Run Anywhere
- Isolation
- Low overhead
- Namespaces
- Union Filesystems
- Container Format
Process Group
(diagram: a signal is delivered to a group of processes p1, p2, p3, p4; a new session is created with setsid())
Cgroups
Control groups (cgroups) are a Linux kernel feature that limits or allocates the resources of the controlling host (CPU, memory, disk I/O, etc.) to process groups.
fork() vs clone()
(diagram: fork() vs clone(); clone() is the call that can place the child in new namespaces)
The isolation namespaces include the PID, IPC, mount, UTS and network namespaces.
Namespaces
Demo: UTS namespace
OCI
● OCI (Open Container Initiative) is an industry standard set of specifications for creating containers in the cloud:
○ Runtime-spec
○ Image-spec
● Each container engine runs containers and builds images according to the OCI standards
Container Engines
● A container engine is a piece of software that accepts user requests, including
command line options, pulls images, and from the end user’s perspective runs the
container
● Major Players:
○ Docker
○ LXD
○ RKT
○ CRI-O
● Going one layer deeper, most container engines don’t actually run the containers themselves;
they rely on an OCI-compliant runtime such as runc
Enter Docker
Solomon Hykes
- Founder and CTO of Docker
Docker
● open source project to pack, ship and run any application as a
lightweight container
● You might create your own images or you might only use those created
by others and published in a registry.
● To build your own image, you create a Dockerfile with a simple syntax
for defining the steps needed to create the image and run it.
Docker - Images
(diagram: read-only image layers with a writable container layer on top; copy-on-write (COW) storage under /var/lib/docker)
Docker - Images
Sharing Images
Docker - Containers
● You can create, start, stop, move, or delete a container using the Docker
API or CLI
….
c57b6bcc83e3: Pull complete
8978f6879e2f: Pull complete
8eed3712d2cf: Pull complete
Digest: sha256:178598e51a26abbc958b8a2e48825c90bc22e641de3d31e18aaf55f3258ba93b
Status: Downloaded newer image for docker/whalesay:latest
 ______________
< ITI_SYSADMIN >
 --------------
    \
     \
      \
                    ##        .
              ## ## ##       ==
           ## ## ## ##      ===
       /""""""""""""""""___/ ===
  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
       \______ o          __/
        \    \        __/
          \____\______/
LAB #1
● Download and install Docker on your machine
● Pull the nginx:alpine image on your machine
● Explore the “docker run” command and run the nginx:alpine image on your machine in the
background, naming the container name-ITI-<NO>
● After creating the container, make sure to get the path of the cgroups created for this
container
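One way to do the last lab step programmatically, as an added example that is not part of the original deck: parse /proc/<pid>/cgroup (the format in which the kernel lists a process's cgroups) and turn each entry into its directory under /sys/fs/cgroup, which is where the limits Docker applies to the container are enforced. The sample lines, the container id and the function names are constructed for the example; the v1 and v2 layouts are both handled.

```python
from pathlib import Path
from typing import Dict, Optional

CGROUP_ROOT = Path("/sys/fs/cgroup")
# Constructed container id (64 hex chars, the form Docker uses in cgroup paths).
CID = "0123456789abcdef" * 4
# Constructed /proc/<pid>/cgroup content for a container on a cgroup v1 host;
# each line is hierarchy-id:controller-list:cgroup-path.
SAMPLE_V1 = (
    f"12:memory:/docker/{CID}\n"
    f"4:cpu,cpuacct:/docker/{CID}\n"
    f"1:name=systemd:/docker/{CID}\n"
)
# On a cgroup v2 (unified) host there is one entry with an empty controller list.
SAMPLE_V2 = f"0::/system.slice/docker-{CID}.scope\n"


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Map each controller ('unified' on cgroup v2) to the container's cgroup path."""
    paths: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        if controllers == "":               # cgroup v2: one unified hierarchy
            paths["unified"] = path
            continue
        for ctrl in controllers.split(","):
            if ctrl.startswith("name="):    # named hierarchy such as name=systemd
                ctrl = ctrl[len("name="):]
            paths[ctrl] = path
    return paths


def cgroup_dirs(paths: Dict[str, str]) -> Dict[str, Path]:
    """Resolve each cgroup path to the directory the kernel exposes under /sys/fs/cgroup."""
    dirs: Dict[str, Path] = {}
    for ctrl, path in paths.items():
        rel = path.lstrip("/")
        dirs[ctrl] = CGROUP_ROOT / rel if ctrl == "unified" else CGROUP_ROOT / ctrl / rel
    return dirs


def memory_limit(dirs: Dict[str, Path]) -> Optional[str]:
    """Read the container's memory limit file (set by --memory), if the cgroup exists."""
    for ctrl, fname in (("memory", "memory.limit_in_bytes"), ("unified", "memory.max")):
        if ctrl in dirs and (dirs[ctrl] / fname).is_file():
            return (dirs[ctrl] / fname).read_text().strip()
    return None
```

On a real host, replace SAMPLE_V1 with the contents of /proc/<pid>/cgroup, taking the pid from docker inspect --format '{{.State.Pid}}' name-ITI-<NO>.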
Day 2
Docker - Images
Dockerfile
(slide residue: Dockerfile instructions LABEL and SHELL)
Docker - Images
Docker HUB
Docker Hub is a cloud-based registry service which lets you link to code
repositories, build and test your images, store manually pushed
images, and link to Docker Cloud so you can deploy images to your hosts.
Docker - Images
Docker HUB
- Create Account
- Build your Image
- Push Image
Docker - Networking
● Docker’s networking subsystem is pluggable, using drivers. Several
drivers exist by default, and provide core networking functionality:
○ bridge: The default network driver. If you don’t specify a driver, this is the type of network you are creating. Bridge
networks are usually used when your applications run in standalone containers that need to communicate.
○ host: For standalone containers, remove network isolation between the container and the Docker host, and use the
host’s networking directly.
○ overlay: Overlay networks connect multiple Docker daemons together and enable swarm services to communicate
with each other.
○ none: For this container, disable all networking. Usually used in conjunction with a custom network driver.
Docker - Networking
● Users can define their own networks
$ docker network ls
● Publishing a port with -p creates a firewall rule which maps a container port to a port on the Docker host:
-p 8080:80
-p 192.168.1.100:8080:80
-p 8080:80/udp
-p 8080:80/tcp -p 8080:80/udp
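The -p forms above, parsed and checked as an added example that is not from the original deck: a small parser that fills in Docker's defaults (all interfaces, TCP) and flags the mappings that are reachable on every host address, which is the case a defender wants to spot. It assumes plain port numbers only (no port ranges or bracketed IPv6 addresses), and all names are constructed.

```python
from dataclasses import dataclass
from typing import List
ALL_INTERFACES = ("0.0.0.0", "::")


@dataclass(frozen=True)
class PortMapping:
    host_ip: str
    host_port: int          # 0 means "let Docker pick an ephemeral port"
    container_port: int
    proto: str

    def binds_all_interfaces(self) -> bool:
        """True when the port is reachable on every host address, not just one."""
        return self.host_ip in ALL_INTERFACES


def parse_publish(spec: str) -> PortMapping:
    """Parse one -p value of the form [host_ip:][host_port:]container_port[/proto]."""
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"                 # Docker defaults to TCP when no protocol is given
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol {proto!r} in {spec!r}")
    parts = ports.split(":")
    if len(parts) == 1:                    # -p 80        -> ephemeral host port, all interfaces
        host_ip, host_port, container_port = ALL_INTERFACES[0], "0", parts[0]
    elif len(parts) == 2:                  # -p 8080:80   -> fixed host port, all interfaces
        host_ip, host_port, container_port = ALL_INTERFACES[0], parts[0], parts[1]
    elif len(parts) == 3:                  # -p 192.168.1.100:8080:80 -> one host address only
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"cannot parse port spec {spec!r}")
    return PortMapping(host_ip, int(host_port), int(container_port), proto)


def parse_publish_args(argv: List[str]) -> List[PortMapping]:
    """Collect every -p/--publish value from a docker run argument list."""
    mappings = []
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-p", "--publish"):
            mappings.append(parse_publish(argv[i + 1]))
    return mappings


def wide_open(mappings: List[PortMapping]) -> List[PortMapping]:
    """Mappings whose firewall rule accepts any source address. Docker puts these
    rules in its own iptables chains on the FORWARD path, ahead of host rule sets
    such as ufw, so host-level INPUT filtering does not protect them."""
    return [m for m in mappings if m.binds_all_interfaces()]
```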
Docker - Volumes
● Docker has two options for containers to store files on the host machine: volumes and
bind mounts
● Volumes are stored in a part of the host filesystem which is managed by Docker
(/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this
part of the filesystem. Volumes are the best way to persist data in Docker.
● Bind mounts may be stored anywhere on the host system. They may even be
important system files or directories.
● tmpfs mounts are stored in the host system’s memory only, and are never written to
the host system’s filesystem.
Docker - Volumes
$ docker volume create my-vol
$ docker volume ls
PART - 2
● Files written to the container’s writable layer won’t be persisted after the container is deleted, and both read and write speeds
are lower than native filesystem performance.
● Copy-on-write is a strategy of sharing and copying files for maximum efficiency. If a file or
directory exists in a lower layer within the image and the container needs to modify it, the storage driver will:
○ Search through the image layers for the file to update. The process starts at the
newest layer and works down to the base layer one layer at a time. When results are
found, they are added to a cache to speed future operations.
○ Perform a copy_up operation on the first copy of the file that is found, to copy the file
to the container’s writable layer.
○ Make any modifications to this copy of the file; the container cannot see the
read-only copy of the file that exists in the lower layer.
Docker - Compose
● Compose is a tool for defining and running multi-container Docker applications
● With Compose, you use a YAML file to configure your application’s services. Then, with a
single command, you create and start all the services from your configuration
● Example docker-compose.yml
version: '3'
services:
  web:
    build: .
    ports:
      - "5000:5000"
    volumes:
      - .:/code
      - logvolume01:/var/log
    links:
      - redis
  redis:
    image: redis
volumes:
  logvolume01: {}
Docker - Compose
● YAML Reference Version (3):
○ build
○ command
○ configs
○ container_name
○ depends_on
○ entrypoint
○ env_file
○ environment
○ ports
○ image
○ volumes
Docker - Registries
● The Registry is a stateless, highly scalable server side application that stores and lets you
distribute Docker images.
● The simplest way to achieve access restriction is through basic authentication (this is very
similar to other web servers’ basic authentication mechanism).
Containerd
● containerd is an industry-standard core container runtime with an emphasis on simplicity,
robustness and portability.
● containerd can manage the complete container lifecycle of its host system: image transfer
and storage, container execution and supervision, low-level storage and network
attachments.