Published on

Docker

Authors
  • Name
    Jackson Chen

Reference

https://docs.ansible.com/ansible/latest/

https://docs.ansible.com/ansible/2.9/modules/docker_container_module.html

https://docs.docker.com/

https://docs.docker.com/config/containers/logging/

https://docs.docker.com/engine/reference/builder/


#****************** Docker Container - Ansible ***************
https://docs.ansible.com/ansible/latest/

https://docs.ansible.com/ansible/2.9/modules/docker_container_module.html



#********************* Docker ****************
https://docs.docker.com/


#*** Docker Container Logs
https://docs.docker.com/config/containers/logging/

# command shows information logged by a running container
docker logs
docker service logs


#***************** Docker build *****************
# **** Dockerfile Reference  <---------------------------- Important Read
https://docs.docker.com/engine/reference/builder/


The tag or digest values are optional. If you omit either of them, the builder assumes a latest tag by default. 
The builder returns an error if it cannot find the tag value.


# **** Docker Shell
/bin/sh -c  # default shell form


# ******* RUN
Run has 2 forms:
. RUN <command>     # shell form
. RUN ["executable", "param1", "param2"     # exec form


The default shell for the "shell" form can be changed using the SHELL command

Note:
The "exec form" is parsed as a JSON array, which means that you must use double qoutes ("), around word not singe quote (')


#*** RUN --mount
RUN --mount  # Allows you to create filesystem mounts that the build can access. This can be used to:
. create bind mount to the host filesystem or other build stages
. Access build secret or ssh-agent sockets
. use a persistent package management cache to speed up the build

Syntax:  --mount=[type=<TYPE>][,option=<value>[,option=<value>...]

Mount types
---------------------------------------
  Type        Description
---------------------------------------
  bind (default)  bind-mount context directories (read-only)
  cache           mount a temporary directory to cache directories for compilers and package managers
  secret          all the build container to access secure files such as private keys without baking them into the image
  ssh             all the build container to access SSH keys via SSH agents, with support for passphrases


#********** RUN --network
RUN --network allow control over which network environment the command is run in

symtax:  --network=<TYPE>

Network Type:
-------------------------------------------
  Type                Description
-------------------------------------------
  default (default)   run in the default network
  none                run with no network access
  host                run in the host's network environment

RUN --network=default   # run in the default network for the build
RUN --network=none      # with no network access (lo is still availble, but is isolated to this process)
RUN --network=host      # run in the host's network environment, but on a per-instruction basis


#*********** RUN --security
RUN --security=insurre

With --security=insure, builder runs the command without sandbox in inscure mode, 
which allows to run flows requiring elevated privilges
Equilavent to running "docker run --privileged"

RUN --security=sandbox  # run in sandbox


# ********* CMD
The CMD instruction has three forms
. CMD ["executable", "param1","param2"]     # exec form, the is the preferred form
. CMD ["param1","param2"]                       # as default parameters to ENTRYPOINT
. CMD command param1 param2                     # shell form

Important:
There can only be one CMD instruction in a Dockerfile.
If you have more than one CMD then only the last CMD will take effect.

-------------- Important ----------------
Do not confuse RUN with CMD.
RUN actually runs a commnd and commits the result;
CMD does not execute anything at build time, but specifies the intended command for the image.


#******** LABEL
LABEL <key>=<value> <key>=<value> ...

The LABLE instruction adds metadata to an image. A LABEL is a key-value pair.

To view the image's label, use "docker image inspect" command
docker image inspect --format='{{json .Config.Labels }}'  <image-name>


#********* EXPOSE
EXPOSE <port> [<port>/<protocol>.....]

The EXPOSE instruction informs Docker that the container listens on specified network ports at runtime, default is tcp.

Note:
The EXPOSE instruction does NOT actually publish the port. 
It functions as a type of documentation between the person who builds the image, and the person who runs the container.

To actually publish the port when running the container, use "-p" flag on "docker run"
"-P" publish all exposed ports and map them to high-order ports.

docker run -p 80:80/tcp -p 80:80/udp    # docker run to actually publish the ports

-P  # uppercase "P", publish all exposed ports to the host interfaces
-p=[]   # publish a container's port or a range of ports to the host
        # format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort
          -p 1234-1236:1234-1236/tcp        # hostport in range, and container port in range
          -p 1234-1236:1234/tcp             # hostport in range, container port is a single port

--link=""   # Add link to another container
 

#*********** ENV (Environment variables)
Docker automaticall set some environment variables when creating a Linux container.

Note: Docker does NOT set any envionment variables when creating a Windows container.


Variable            Value
-------------------------------------------------
 Home           set based on the value of USER
 HOSTNAME       The hostname associate with the container 
 PATH           Includes popular directories, such as /usr/local/sbin:/usr/local/bin;/usr/sbin;/usr/bin;/bin
 TERM           xterm  if the container is allocated a pseudo-TTY

Note: The operator can set any environment variable in the container by using one or more "-e" flags, 
even overriding those mentioned above,
or already defined by the developer with a Dockerfile ENV.

#**** HOSTNAME (Linux) or COMPUTERNAME (Windows)  -h
The operator can set the HOSTNAME (Linux) or COMPUTERNAME (Windows) with "-h"


#*************** HEALTHCHECK
--health-cmd        # command to run to check health
--health-interval   # time between running the check
--health-retries    # consecutive failures needed to report unhealthy
--health-timeout    # maximum time to allow one check to run
--health-start-period   # Started period for container to initialized before starting
--no-healthcheck    # disable any container-specified HEALTHCHECK



(% raw %)
$ docker run --name=test -d \
    --health-cmd='stat /etc/passwd || exit 1'  \
    --health-interval=2s


#************** TMPFS  (mount tmpfs)
--tmpfs=[]: Create a tmpfs mount with: 
             container-dir[:<options>]
             where the options are identical to the Linux 'mount -t tmpfs -o'  command

docker run -d --tmpfs /run:rw,noexec,noexec,nosuid,size=655366k  <test-image>


# ************* VOLUME (shared filesystems)
-v,  --volume=[host-src:]container-dest[:<option>]

The comma-delimited 'options' are [rw|ro], [z|Z]

Note: 
The 'host-src' is an absolute path or a name value.

--volumes-from=" ":   # mount all volums from the given continer(s)


***************** USER
root (id=0) is the default user within a container. The developer can create additonal users.
Those users are accessbile by name.

The developer can set a default user to run the first process with the Dockerfile "USER" instruction.
When starting a container, the operator can override the USER instruction by passing the "-u" option.

The following examples are all valid
--user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]

Note:
If you pass a numeric uid, it must be in the range of  0-2147483647. 
If you pass a usename, the user must exist in the container


#*********** WORKDIR
The default working directory for running binaries within a container is the root directory "/".
It is possible to set a different directory with the Dockerfile WORKDIR command.

The operator can override this with:
-w="",  --workdir=""            # Working directory inside the container


#***************** Network Settings
https://docs.docker.com/engine/reference/run/#network-settings

--dns=[]    # set custom dns servers for the container
--network="bridge"  'bridge' 'non' 'container' 'host'
--network-alias=[]     # Add network-scoped alias for the container
--add-host=""          # add a line to /etec/hosts (host:IP)
--mac-address=""       # set the conainter's Ethernet device's MAC address
--ip=""                # set the container's Ethernet device's IPv4 address
--ipv4=""              # set the container's Ethernet device's IPv6 address
--link-local-ip=[]     # Sets one or more container's Ethernet device's link local IPv4 address

docker service

docker service run <container-id>

General docker tips and tricks

https://www.advantch.com/docs/docker-tips-and-tricks/

Designate your Docker Development Server IP

When  DEBUG  is set to  True  , the host is validated against  ['localhost', '127.0.0.1', '[::1]']  . This is adequate for most cases..

For Docker, in the  config.settings.local  , add your host development server IP to  INTERNAL_IPS  or  ALLOWED_HOSTS  if the variable exists.

Activate a Docker Machine

This tells our computer that all future commands are specifically for the dev1 machine. Using the eval command we can switch machines as needed.

eval "$(docker-machine env dev1)"

Debugging

ipdb

# If you are using the following within your code to debug
  import ipdb; ipdb.set_trace()

Then you may need to run the following for it to work as desired

docker-compose -f local.yml run --rm --service-ports django

docker logs

The container_name from the yml file can be used to check on containers with docker commands

docker logs worker
docker top worker
Discuss on TwitterView on GitHub