Creating & Using Containers

skang6283 · January 22, 2021

Series: Docker (3/6)

This post was written while studying the Udemy course Docker Mastery: with Kubernetes + Swarm from a Docker Captain.


Image vs. Container

  • An Image is the application we want to run
  • A Container is an instance of that image running as a process

VM vs. Container

  • Containers are just processes
  • Limited to what resources they can access
  • Exit when process stops

Commands

docker version shows the CLI version and verifies that the CLI can talk to the engine
docker info shows most configuration values of the engine

Docker CLI structure

  • old : docker <command> (options)
  • new : docker <command> <sub-command> (options)

docker container run --publish 80:80 --detach (or -d) nginx
Runs the container in the background instead of the foreground and returns a unique container ID; Docker also assigns a unique random name (generated from notable open-source hackers and scientists, LOL).

What happens in docker container run in the background

  1. Looks for that image locally in image cache, doesn't find anything
  2. Then looks in remote image repo (defaults to Docker Hub)
  3. Downloads the latest version unless specified
  4. Creates new container based on that image and prepares to start
  5. Gives it a virtual IP on a private network inside docker engine
  6. Opens up port 80 on host and forwards to port 80 in container if 80:80 was specified. Won't open up any ports if --publish is not specified.
  7. Starts the container by running the CMD from the image's Dockerfile


docker container +

ls shows running containers
stop stops a container by id
start starts an existing stopped container
logs shows the logs of a container
top shows the processes running within a container
rm deletes the specified stopped container(s)
inspect shows the details (metadata) of one container's config
--format a common option for formatting command output using Go templates
Ex. docker container inspect --format '{{ .NetworkSettings.IPAddress }}' <container-name> prints that container's IP address

stats shows live performance stats for all containers
exec runs an additional process in a running container
port shows which host ports forward traffic to the container

run starts a new container
-i keeps the session open to receive terminal input
-t simulates a real terminal, like what SSH does
run -it starts a new container interactively
-p (--publish) HOST:CONTAINER format
--rm cleans up (removes) the container upon exit
--network sets the network
--network-alias=[] adds a network-scoped alias for the container
exec -it runs an additional command in an existing container

Add --help to see more options


Alpine Linux

A small, security-focused Linux distribution, only a few megabytes in size.


Docker Networks Defaults

  • Each container connected to a private virtual network bridge

  • Each virtual network routes through NAT firewall on host IP

  • All containers on a virtual network can talk to each other without -p if they share a bridge.

  • Best practice is to create a new virtual network bridge for each app:
    - network "my_web_app" for my sql and php/apache containers
    - network "my_api" for mongo and nodejs containers

  • Batteries Included, But Removable
    - Defaults work well in many cases, but easy to swap out parts to customize it.

  • Make new virtual networks

  • Attach containers to more than one virtual network (or none)

  • Skip virtual networks and use the host IP (--net=host)

  • Use different Docker network drivers to gain new abilities

Traffic Flow and Firewalls

How Docker networks move packets in & out


I'm really bad at drawing, aren't I...?


docker network +
ls lists networks
inspect inspects a network
create spawns a new virtual network for you to attach containers to
connect attaches a network to a container; dynamically creates a NIC in the container on an existing virtual network
disconnect detaches a network from a container; dynamically removes a NIC from the container on a specific virtual network

--network bridge the default Docker virtual network, which is NAT'ed behind the host IP

--network host gains performance by skipping virtual networks but sacrifices the security of the container model

--network none removes eth0 and leaves you with only the localhost interface in the container

network driver built-in or 3rd-party extensions that give you virtual network features. Default is --network bridge


Docker Networks: Default Security

  • Create your apps so the frontend and backend (FE/BE) sit on the same Docker network
  • Their inter-communication never leaves the host
  • All externally exposed ports are closed by default
  • You must manually expose them via -p, which is better default security!
  • This gets even better later with Swarm and Overlay networks

Docker Networks: DNS

Forget IPs: static IPs and using IPs for talking to containers is an anti-pattern. Do your best to avoid it!!

Docker DNS the Docker daemon has a built-in DNS server that containers use by default
DNS Default Names Docker defaults the hostname to the container's name, but you can also set aliases

Always create a custom network :)
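As an added example (not the post's or the course's code), a POSIX shell script that checks the default-security and DNS claims above: a container on a custom network is reachable by name through Docker DNS, the same name does not resolve on the default bridge, and nothing is forwarded from the host when -p is omitted. The network name my_web_app and container name web are assumptions; the live part runs only when a Docker daemon is reachable.

```shell
#!/bin/sh
# Added example, not the post's or the course's code. The network name
# my_web_app and container name web are assumptions for this demo.
set -eu

# Validate a -p/--publish spec (HOST:CONTAINER, both ports 1-65535) before
# handing it to docker. Returns 0 if valid, 1 otherwise.
check_publish_spec() {
  case $1 in *:*) ;; *) return 1 ;; esac
  for p in "${1%%:*}" "${1#*:}"; do
    case $p in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric part
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
  done
  return 0
}

# Live check of the defaults described above; runs only if a daemon is reachable.
network_demo() {
  if ! docker info >/dev/null 2>&1; then
    echo "no reachable Docker daemon; live demo skipped"; return 0
  fi
  trap 'docker container rm -f web >/dev/null 2>&1 || true; docker network rm my_web_app >/dev/null 2>&1 || true' EXIT
  docker network create my_web_app >/dev/null
  # No --publish: nothing is forwarded from the host to this container.
  docker container run -d --name web --network my_web_app nginx:alpine >/dev/null
  # Same custom network: the name "web" resolves via Docker's built-in DNS.
  if docker container run --rm --network my_web_app alpine \
       wget -qO- -T 5 http://web >/dev/null; then
    echo "client on my_web_app -> http://web: OK (Docker DNS)"
  fi
  # Default bridge: container names are not resolved, so the same request fails.
  if ! docker container run --rm alpine wget -qO- -T 5 http://web >/dev/null 2>&1; then
    echo "client on default bridge -> http://web: fails (use a custom network)"
  fi
  # 'docker container port' prints nothing because no port was published.
  if [ -z "$(docker container port web)" ]; then
    echo "docker container port web: nothing published (closed by default)"
  fi
}

check_publish_spec 80:80 || { echo "bad publish spec"; exit 1; }
network_demo
```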
