Agenda
Troubleshooting Containers
Overview of Security Practices
Private Registry
Intro to Docker Machine
Intro to Docker Swarm
Intro to Docker Compose
Building micro service applications with Docker

Container logging
View the output of the containers PID 1 process: docker logs <container name>
View and follow the output: docker logs -f <container name>
Limit the output: docker logs -f —tail 5 <container name>

Container application logs
Typically, apps have a well defined log location
Map a host folder to the application’s application log folder in the container
In this way, you can view the log generated in the container from your host folder
Run a container using nginx image and mount a volume to map the /nginxlogs folder in the host to the /var/log/nginx folder in the container: docker run -d -P -v /nginxlogs:/var/log/nginx nginx

Check container logs
Run a new container using the tomcat image: docker run -d -P tomcat
View the container log: docker logs <container id>
On your host machine, create a folder /container/logs/nginx
Run a new container using the NGINX image and mount the /container/logs/nginx folder into /var/log/nginx: docker run -d -P -v /container/logs/nginx:/var/log/nginx nginx
Look inside your /container/logs/nginx folder and notice the new log files from the container

Inspecting a container
docker inspect command displays all the details about a container
Outputs details in JSON array
Use grep to find a specific property
Display all details of the specified container: docker inspect <container name>
Display the IP address of the specified container: docker inspect <container name> | grep IPAddress
Format: docker inspect —format [{.NetworkSettings.IPAddress}] <container name>

Starting and Stoping Decker daemon
If you started Docker as a service, use service command to stop, start and restart the Docker daemon
sudo service docker stop
sudo service docker start
sudo service docker restart
If not running as a service, run Docker executable in daemon mode to start the daemon: sudo docker -d &
If not running as a service, send a SIGTERM to the Docker process to stop it
Run ‘pidof docker’ to find the Docker process PID
sudo kill $(pid of docker)

Docker daemon upstart configuration file
Located in /etc/default/docker
Use DOCKER_OPTS to control the startup options for the daemon when running as a service
Restart the service for changes to take effect: sudo service docker restart
Start daemon with log level of debug and allow connections to an insecure registry at the domain of my_server.org : DOCKER_OPTS=“—log-level debug —insecure-registry my_server.org:5000”

Docker daemon logging
Start the docker daemon with —log-level parameter and specify the logging level
Levels are (in order from most verbose to least):
Debug
Info
Warn
Error
Fatal
Run docker daemon with debug log level (log written on terminal): sudo docker -d —log-level=debug
Configuring in DOCKER_OPS (log output will be written to /var/log/upstart/docker.log): DOCKER_OPTS=“—log-level debug”

Linux containers and security
Docker helps make applications safer as it provides a reduced set of default privileges and capabilities
Namespaces provide an isolated view of the system. Each container has its own
IPC, network stack, root file system etc…
Processes running in one container cannot see and effect processes in another container
Control groups (Cgroups) isolate resource usage per container
Ensures that a compromised container won’t bring down the entire host by exhausting resources

Quick security considerations
Docker daemon needs to run as root
Only ensure that trusted users can control the Docker daemon
Watch who you add to docker group
If binding the daemon to a TCP socket, secure it with TLS
Use Linux hardening solution
Apparmor
SELinux
GRSEC

Private Registry
Allows you to run your own registry instead of using Docker Hub
Multiple options
Run registry server using container
Docker Hub Enterprise
Two versions:
Registry v1.0 for Docker 1.5 and below
Registry v2.0 for Docker 1.6

Setting up a private registry
Run the registry server inside a container
Use the registry image at https://registry.hub.docker.com/u/library/registry
Image contains a preconfigured version of registry v2.0
Run a new container using the registry image: docker run -d -p 5000:5000 registry:2.0

Push and pull from private registry
First tag the image with host IP or domain of the registry server, then run docker push
Tag image and specify the registry host: docker tag <image id> my_server.net:5000/my-app:1.0
Push image to registry: docker push my_server.net:5000/my-app:1.0
Pull image from registry: docker pull my_server.net:5000/my-app:1.0
List tags: curl -v -X GET http://localhost:5000/v2/mynginx/tags/list

Docker machine overview
Docker machine is a tool that automatically provisions Docker hosts and installs the Docker Engine on them
Create additional hosts on your own computer
Create hosts on cloud providers(e.g. Amazon AWS, DigitalOcean etc…)
Machine creates the server, installs Docker and configures the Docker client

Installing Machine
Download the binary for the operating system at https://github.com/docker/machine/releases/tag/v0.2.0
Place the binary into a folder of your choice
Add the folder to your system environment PATH

Creating a host
Use 'docker-machine create’ command and specify the driver to use
Use virtual box driver if creating hosts on a Windows or Mac
Need to have Virtual Box installed (https://www.virtualbox.org/)
Create a host named “testiest” on the current machine, using Virtual Box: docker-machine create —driver virtual box testhost

Provisioning hosts in the cloud
Each cloud provider has different options on the docker-machine create command
See https://docs.docker.com/machine/#drivers as reference
Example with DigitalOcean
docker-machine create —driver digitalocean —digitalocean-access-token <your access token> —digitalocean-size 2gb testhost
List machines: docker-machine ls

Docker machine SSH
Allows us to connect to a provisioned host using SSH
Logs in using the SSH key that is created when creating the machine
Connect to host3 using SSH: docker-machine ssh host3

What is Docker Swarm
Docker Swarm is a tool that clusters Docker hosts and schedules containers
Turns a pool of host machines into a single virtual host
Ships with simple scheduling backend
Supports many discovery backends
Hosted discovery
etcd
Consul
ZooKeeper
Static files
https://docs.docker.com/swarm/discovery

Setup process (using hosted discovery)
On the machine that you will use as the Swarm master, run a command to create the cluster
Start Swarm master
For each node with Docker installed, run a command to start the Swarm agent
Note: Agents can be started before or after the master

Installing and running Swarm
Most convenient option is to use the Swarm image on Docker Hub https://registry.hub.docker.com/u/library/swarm/
Swarm container is a convenient packaging mechanism for the Swarm binary
Swarm containers can be run from the image to do the following
Create a cluster
Start the Swarm manager
Join nodes to the cluster
List nodes on a cluster

Create the Swarm cluster
'swarm create’ command will output the cluster token
Token is an alphanumeric sequence of characters that identifies the cluster when using the hosted discovery protocol
Copy this number somewhere

Run a container using the swarm image. We run the create command of the Swarm application inside and get the output on our terminal. —rm means to remove the container once it has finished running.
docker run —rm swarm create

Start the Swarm manager
Run a container that run the ‘swarm manager’
Make sure to map the swarm port in the container to a port on the host: docker run -d -P swarm manage token://<cluster token>

Connect a node to the cluster
Run a container that funs the ‘swarm join’ command
Specify the IP address of the node and the port the Docker daemon is listening on
Note: Your Docker daemon on the machine must be configured to listen on a TCP port instead of just on the unix socket.
docker run -d swarm join —addr=<node ip>:<daemon port> token://<cluster token>

sudo service docker stop
sudo vim /etc/default/docker
sudo service docker start

DOCKER_HOST=localhost:2375
export DOCKER_HOST

Connect the Docker client to Swarm
Point your Docker client to the Swarm manager container
Two methods:
Configuring the DOCKER_HOST variable with the Swarm IP and port
Run docker with -H and specify the Swarm IP and port
Look at the container port mapping to find the Swarm port

Configure the DOCKER_HOST variable
export DOCKER_HOST=127.0.0.1:<swarm port>
Run docker client and specify the daemon to connect to
docker -H tcp://127.0.0.1:<swarm port>

Checking your connected nodes
Run ‘docker info’
Since client is connected to Swarm, it will show the nodes

Run a container in the cluster
Standard ‘docker run’ command
Swarm master decides which node to run the container on based on your scheduling strategy
https://docs.docker.com/swarm/scheduler/strategy
Running ‘docker ps’ will sow which node a container is on

What is Compose
Docker Compose is a tool for creating and managing multi container applications
Containers are all defined in a single file called ‘docker-compose.ml'
Each container runs a particular component / service of your application.
For example:
Web front end
User authentication
Payments
Database
Container links are defined
Compose will spin up all your containers in a single command

Configuring the Compose yml file
Defines the services that make up your application
Each service contains instructions for building and running a container
Example
javaclient:
    build: . (building using Dockerfile in current directory)
    command: java HelloWorld
    links:
        -redis
redis:
    image: redis (Use the latest redis Image from Docker Hub)

Build and image instruction
‘build' defines the path to Dockerfile that will be used to build the image
Container will be run using the image build
‘image’ defines the image that will be used to run the container
All services must have either a build or image instruction

Running your application
Use ‘docker-compose up’
Up command will
Build the image for each service
Create and start the containers

Install docker-compose
https://docs.docker.com/compose/install/
curl -L https://github.com/docker/compose/releases/download/1.2.0/docker-compose- uname -s - uname -m > /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Self-Paced Training (3) - Docker Operations的更多相关文章

  1. Self-Paced Training (2) - Docker Fundamentals

    Agenda- Building Images Dockerfile Managing Images and Containers Distributing Images on Docker Hub ...

  2. 在Docker中运行web应用

    启动一个简单的web 应用 使用社区提供的模板,启动一个简单的web应用,熟悉下各种Docker命令的使用: # docker run -d -P training/webapp python app ...

  3. 在生产环境使用Docker部署应用

    导读 Docker现在越来越流行,但是真正在生产环境部署Docker还是个比较新的概念,还没有一个标准的流程.作者是ROR的程序员,作者结合平时的部署经验,联系Docker的特点,向大家分享了其在生产 ...

  4. Docker快速入门

    Docker已经火了很长一段时间,最近打算在阿里云上好好熟悉一下Docker的相关应用,为今后的工作做准备. 基本概念 Docker是基于Go语言实现的云开源项目,诞生于2013年初,最初发起者是do ...

  5. Docker系统七:Docker数据管理

    Docker的数据管理 I. 基本概念 Docker容器一旦删除,其相关的rootf文件系统就会被删除,其容器内的数据将一并删除,为了保存相关数据,Docker提出了数据卷的概念. II. 数据卷 D ...

  6. Podman and Buildah for Docker users

    转自:https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/ I was asked re ...

  7. Docker:Deploy your app

    Prerequisites Install Docker. Get Docker Compose as described in Part 3 prerequisites. Get Docker Ma ...

  8. Docker技术入门与实战 第二版-学习笔记-7-数据管理(volume)

    Docker 数据管理 为什么要进行数据管理呢?因为当我们在使用container时,可能会在里面创建一些数据或文件,但是当我们停掉或删除这个容器时,这些数据或文件也会同样被删除,这是我们并不想看见的 ...

  9. learning docker steps(8) ----- docker network 初次体验

    参考: docker network 主要是介绍了docker 容器之间的组网模式, 一般来说实像组网主要是依赖于bridge iptalbes vlan来实现,但是附带的如端口转发会降低效率. 新型 ...

随机推荐

  1. Ios8新特性-应用程序扩展

    一.什么是应用程序扩展? 应用程序扩展不是一个应用,它是主体应用程序(containing app)中一个单独的包,并能生成单独的二进制文件供其他应用调用. 个人感觉,类似于WP中的启动器,把系统当个 ...

  2. Spring3+hibernate4+struts2整合的 过程中发生如下错误

    严重: Error configuring application listener of class org.springframework.web.context.ContextLoaderLis ...

  3. JQuery绑定和注销事件

    $('#action_list > li').each(function(){ $(this).unbind('click') .bind('click', function(){ /** so ...

  4. 如果使用得当,MySQL 也可以化身 NoSQL

    [编者按]随着互联网和移动互联网的发展,各个机构都需要支撑远超过以往的数据.而在这个需求的刺激下,IT 领域出现了大量数据处理技术,其中之一就是 NoSQL .灵活的数据类型,高效的处理能力,让 No ...

  5. ZOJ 3778 Talented Chef(找规律,模拟计算,11届ACM省赛,简单)

    题目链接 2014年浙江省赛C题,当时觉得难,现在想想这题真水.. 找规律: 若   最大的那个步骤数*m-总和>=0,那么答案就是 最大的那个步骤数 . 否则  就要另加上不够的数量,具体看代 ...

  6. hdu 4599 Dice 概率DP

    思路: 1.求f[n];dp[i]表示i个连续相同时的期望 则 dp[0]=1+dp[1]     dp[1]=1+(5dp[1]+dp[2])/6     ……     dp[i]=1+(5dp[1 ...

  7. Struts2 SSH整合框架返回json时,要注意懒加载问题

    返回的这个json对象,要保证它里面的所有属性都已经取出来了(即不是proxy或者是懒加载),否则当struts框架将该对象转化成json数据时,会报出一个no session的错误. 因此你要将该懒 ...

  8. 解决NTFS分区上的代码在linux上编译后没有权限执行

    win7下的cpp代码,在ubuntu下编译后,可执行文件不能执行,root也不行. 将代码拷贝到ubuntu上,再编译生成的可执行文件则可以执行.或者将win7分区上的可执行文件拷贝出来,然后chm ...

  9. LintCode 字符串比较

    比较两个字符串A和B,确定A中是否包含B中所有的字符.字符串A和B中的字符都是大写字母: 给出 A = "ABCD" B = "AABC", 返回 false ...

  10. 李洪强漫谈iOS开发[C语言-039]-剪刀石头布

     李洪强漫谈iOS开发[C语言-039]-剪刀石头布