Overview of how containers are implemented with cgroups, namespaces and UnionFS, how images are created, how images and containers are related to one another, and how to build effective images
2. OVERVIEW
● What is Docker?
● What are … ?
○ Images
○ Layers
○ Dockerfiles
○ Containers
○ Registries
● How do I build effective images?
● How do I deploy containers?
3. WHAT IS DOCKER
“an open platform for developing, shipping and running applications”
7. Dockerfile // Part 1
list of directives that provide instructions on how to build an image;
each directive creates a unionFS layer
https://docs.docker.com/engine/reference/builder/
8. Dockerfile // Part 2
● FROM
● RUN
● EXPOSE
● ADD or COPY
● VOLUME
● WORKDIR
● LABEL
● CMD
● ENV
● ENTRYPOINT
● USER
● ONBUILD
20. Dockerfile // Part 2
● Order matters
○ Every diff is unique
● Size matters
○ large docker images == bad docker images
● Put least likely to change directives at top of file
● Clean up after commands
○ e.g., `rm -rf /var/lib/apt/lists/*`
● Combine similar commands
○ e.g., `RUN yum install epel; RUN yum install docker -> RUN yum install epel docker`
● Layer “state” resets at each new layer (e.g., a `cd` inside one RUN does not carry into the next directive; use WORKDIR instead)
● Use least privilege
○ Root by default
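Added example, not from the slides: a Dockerfile for the `docker-demo-app` that the `docker run` slide publishes on port 3000, applying the Part 2 guidance above. The Node base image, the `node` user it ships with, the file names and the start command are assumptions.

```dockerfile
# Added example (not from the original slides). Assumed: a Node.js app whose
# entry point is server.js, built on the official node image, which ships a
# non-root user named "node".
FROM node:20-bookworm-slim

# Least likely to change goes first: OS packages. One RUN directive, so the
# apt cache removal lands in the same layer as the install. A separate
# `RUN rm -rf /var/lib/apt/lists/*` would leave the cache in the earlier layer
# and the image would not get any smaller.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

ENV NODE_ENV=production

# Layer "state" resets between directives: a `cd /app` inside a RUN does not
# persist, so WORKDIR sets the directory for every directive that follows.
WORKDIR /app

# Dependency manifest before source: the manifest changes rarely, so the
# npm install layer stays cached and only the layers below rebuild on edits.
COPY --chown=node:node package.json package-lock.json ./
RUN npm ci --omit=dev

# Application source changes most often, so it goes last.
COPY --chown=node:node . .

# Least privilege: processes run as root unless USER says otherwise.
USER node

EXPOSE 3000
CMD ["node", "server.js"]
```

Build it with `docker build -t docker-demo-app .` and start it with the `docker run` line from the slide; `docker history docker-demo-app` shows the per-directive layers and their sizes.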
30. Containers
“runnable instance of an image”
or, programmatically created isolated environments that allow you to easily create
and reproduce the same functionality across multiple systems and platforms
32. docker run
`docker run --name docker-demo-app -d -p 127.0.0.1:3000:3000 docker-demo-app`
33. Layers
● Each layer is an instruction in a Dockerfile
● Each layer is only a diff of the layer before it
● All layers except last are read-only
○ Last layer is copy on write
36. Layers
“When you create a new container, you add a new writable
layer on top of the underlying layers. ... All changes made to the
running container, such as writing new files, modifying existing
files, and deleting files, are written to this thin writable container
layer”
39. Containers
● “runnable instance of an image”
○ or, programmatically created isolated environments that allow you to easily
create and reproduce the same functionality across multiple systems and
platforms
● 3 main components
○ Namespaces
○ Control groups
○ Union filesystems
40. Containers - UnionFS
“a union mount for other file systems [that] allows files and directories of
separate file systems, known as branches, to be transparently overlaid, forming
a single coherent file system”
42. Containers - namespaces
“wraps a global system resource in an abstraction that makes it appear to the
processes within the namespace that they have their own isolated instance of
the global resource”
46. Containers - cgroups
“a Linux kernel feature that allows processes to be organized into hierarchical
groups whose usage of various types of resources can then be limited and
monitored”