Notes on docker deep dive (1)



Installation under Linux system

wget -qO- | sh

To manage Docker as a non-root user (best practice), add the user to the docker group:

sudo usermod -aG docker your-user
#To view user groups:
# cat /etc/group | grep docker

After adding the user, log out and log back in for the change to take effect.

  • View version information: docker --version
  • Upgrade Docker Engine (on Ubuntu)
    #1. Stop docker daemon and update the installation package list
    apt-get update 
    #2. Uninstall docker (docker may have different names, list possible names as far as possible)
    apt-get remove docker docker-engine docker-ce -y
    #3. Install the new version
    wget -qO- | sh 
    #4. Set the auto start mode
    systemctl enable docker 
    #5. Check the docker status
    systemctl is-enabled docker 
    #6. Ensure that the container and service have been restarted
    docker container ls
    docker service ls
  • Docker and storage drivers
    There are four kinds of Docker storage drivers on Linux systems
    • aufs (the original and oldest)
    • overlay2 (probably the best choice for the future)
    • devicemapper
    • btrfs
    • zfs
    # Note: on Windows only the windowsfilter driver is supported

    A Docker host can have only one storage driver (not one per container). Use docker info to view the current storage driver.

Installation under Windows 10

  • Under Settings > Programs and Features > Turn Windows features on or off, enable Containers and Hyper-V
  • Go to … and download Docker for Windows to install it
  • Note that after installation you are asked to choose between native Windows containers and Linux containers, that is, the host environment the containers run in. Generally you choose Linux containers (you can switch freely). Linux containers run on Windows through Hyper-V virtualization. (There are no native Mac containers yet.)
  • Docker for Windows includes: Docker Engine (client and daemon), Docker
    Compose, Docker Machine and the Docker Notary command line


If an image is compared to a class in a programming language, a container is the equivalent of an instance of that class.

  • Basic image operations
    • Pull: docker image pull <repository>/<name>:<tag>. The default tag is latest; adding the -a option pulls all tags of the image. For official images there is no need to specify the repository
    • List: docker image ls; add --digests to output image digests, and --filter to filter the results
    • Show details: docker image inspect xxx
    • Delete: docker image rm xxx
    • Delete all: docker image rm $(docker image ls -q) -f, where image ls -q returns all image IDs
    • Search: docker search xxx
  • An image is composed of a set of loosely connected read-only layers. Upper layers can override lower layers, and multiple images can share a layer


  • Multi-architecture images: an image may need to support multiple architectures, such as Windows and ARM. In this case you can use a multi-architecture image, which records the supported architectures in a manifest list.


A container is a runtime instance of an image.


  • Docker version information: docker version. If the user account does not have permission, remember to add it to the docker group
  • Check Docker status: service docker status or systemctl is-active docker
  • Basic container operations
    • Start a container: docker container run
      • -it: attaches the current terminal to the container's shell. For example, docker container run -it ubuntu /bin/bash starts an Ubuntu container and then runs its bash shell. Windows container example: docker container run -it microsoft/powershell:nanoserver pwsh.exe
      • After starting and attaching to bash, you can run ps -elf to view process details. Type exit to leave bash. A container cannot run without a process; if no process is left in the container, it exits automatically
      • Press Ctrl+PQ to leave bash without terminating the container.
      • --name: sets the container name. If it is not specified, a name is generated automatically
    • List: docker container ls; add -a to list all containers
    • After leaving with Ctrl+PQ, return to the container's bash: docker container exec -it 3027eb644874 bash, where the container ID can be obtained from docker container ls
    • Stop: docker container stop xxx
    • Restart: docker container start xxx
    • Delete: docker container rm xxx
  • Delete a container gracefully: stop it first, then delete it
  • Container restart policies
    • always: always restarts a stopped container unless the container was explicitly stopped (for example, by docker container stop). Example: docker container run --name neversaydie -it --restart always alpine sh
    • unless-stopped: a container that was explicitly stopped is not restarted when the Docker service restarts
    • on-failure: restarts the container when it exits with a non-zero exit code, or when the Docker service is restarted
  • Specify the restart policy in docker compose or docker stacks, for example:
    version: "3"
    condition: always | unless-stopped | on-failure
  • Web server example
    • Run: docker container run -d --name webserver -p 80:8080 nigelpoulton/pluralsight-docker-ci
      • -d runs the container in the background; to run in the foreground (entering the container's interactive environment) use -it
      • -p 80:8080 maps host port 80 to container port 8080
    • The web page can then be opened in a browser at the host IP, or fetched with curl
    • View image details: docker image inspect nigelpoulton/pluralsight-docker-ci
  • Remove all containers: docker container rm $(docker container ls -aq) -f

Containerization application

Containerization of a single container application

  • Download the application code: git clone
  • Check the Dockerfile. The code and comments are as follows:
    #  All Dockerfiles start with the FROM instruction. This will be the base layer of the image
    FROM alpine
    #Metadata, not layer
    LABEL maintainer="[email protected]"
    # Alpine apk package manager to install nodejs and nodejs-npm into the image.
    RUN apk add --update nodejs nodejs-npm
    # copies in the app files from the build context 
    COPY . /src
    #Metadata, not layer
    WORKDIR /src
    RUN npm install
    # exposes a web service on TCP port 8080
    #Metadata, not layer
    EXPOSE 8080
    # set the main application that the image(container) should run
    ENTRYPOINT ["node", "./app.js"]

    The Dockerfile above generates the image shown in this diagram: [image diagram]

  • Build the image: docker image build -t web:latest . (the trailing . means the build context is the current directory)
  • List it: docker image ls
  • Push to Docker Hub
    • Sign in: docker login (you need to register an account first)
    • Tag the image: docker image tag web:latest nigelpoulton/web:latest. The arguments are <current-tag> <new-tag>
    • Push: docker image push nigelpoulton/web:latest
  • Run the application:
    docker container run -d --name c1 \
    -p 80:8080 \
  • View the application: docker container ls
  • Test the application: access the corresponding address
  • View the build history of the image: docker image history web:latest

Deploy to production using multi-stage builds

The build is split into multiple stages, each producing its own image, and a later stage copies only the files it needs from an earlier one, which keeps the final image from growing too large.
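The pull rule noted earlier (no tag means latest) also applies to every FROM line, including each stage of a multi-stage build, so an unpinned base can change between builds. The following is an added example, not part of the original notes: it lists FROM lines whose base image has no tag or uses latest and carries no digest. The function name and the sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Print "<line>: <image>" for every FROM whose base image has no explicit
# tag (or uses latest) and no @sha256 digest. References to earlier build
# stages, scratch, and ARG-substituted names are skipped.
unpinned_bases() {
    awk '
        toupper($1) != "FROM" { next }
        {
            i = 2
            while (i <= NF && $i ~ /^--/) i++      # skip flags such as --platform=
            img = $i
            is_stage = (tolower(img) in stage)     # name of an earlier stage
            if (toupper($(i + 1)) == "AS") stage[tolower($(i + 2))] = 1
            if (img == "" || is_stage || img == "scratch" || img ~ /\$/) next
            if (img ~ /@sha256:/) next             # pinned by digest
            n = split(img, part, "/")              # a tag sits in the last path component
            if (part[n] !~ /:/ || part[n] ~ /:latest$/) print NR ": " img
        }
    ' "$1"
}

# Constructed sample: a multi-stage Dockerfile with pinned and unpinned bases.
sample_dockerfile=$(mktemp)
cat > "$sample_dockerfile" <<'EOF'
FROM node:latest AS build
WORKDIR /src
COPY . /src
RUN npm install
FROM --platform=linux/amd64 registry.example:5000/base/node:20-alpine AS deps
FROM alpine
COPY --from=build /src /src
FROM build AS test
FROM alpine@sha256:<constructed-digest>
EOF
unpinned_bases "$sample_dockerfile"
```

An explicit tag can still be moved by the publisher; only the digest form names one exact image.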


Compose is used to deploy and manage multi container applications in single engine mode (single node).

  • Installation under Linux system: Reference
  • View version: docker-compose --version
  • Compose uses a YAML configuration file. The default file name is docker-compose.yml; -f specifies a custom file
  • Configuration file example
    # Compose file format version
    version: "3.5"
    # Services (containers): web-fe and redis
    services:
      web-fe:
        # Build the image from the Dockerfile in the current directory
        build: .
        # Command run when the container starts (can be omitted because the Dockerfile already defines it)
        command: python
        # Map port 5000 in the container to port 5000 on the host
        ports:
          - target: 5000
            published: 5000
        # Networks the service is attached to
        networks:
          - counter-net
        # Mount the volume counter-vol at /code in the container
        volumes:
          - type: volume
            source: counter-vol
            target: /code
      redis:
        # Start the service from the redis:alpine image
        image: "redis:alpine"
    networks:
      counter-net:
    volumes:
      counter-vol:

    The above configuration can be divided into four parts: version, services, networks and volumes

  • Deploy with Compose
    • Download the code: git clone…
    • Switch to the counter app directory and start the application: docker-compose up & (with & appended, the log is still output)
      • The default name of the Compose configuration file is docker-compose.yml or docker-compose.yaml
      • If the file has a different name, specify it with -f
      • -d runs in the background
  • Managing containers with Compose
    • View services (containers): docker-compose ps
    • List the processes of each service: docker-compose top
    • Stop the application: docker-compose stop
    • Stop and delete: docker-compose down
    • Restart: docker-compose restart
    • Delete: docker-compose rm

Docker Swarm

It consists of two parts

  • Secure cluster: organizes Docker nodes into a cluster
  • Orchestration engine: the API for deployment and management

Composition diagram: [composition diagram]

Create a secure swarm cluster


  • Open port
    • 2377/tcp: for secure client-to-swarm communication
    • 7946/tcp and 7946/udp: for control plane gossip
    • 4789/udp: for VXLAN-based overlay networks
  • Swarm mode and single engine mode


  • Running docker swarm init on a Docker host in single-engine mode switches the node to swarm mode and creates a new swarm, with that node as its first manager
  • Other nodes can join as workers or managers
  • Example (create a swarm, manager: mgr1-mgr3, worker: wrk1-wrk3)

    • Log in to the mgr1 host and initialize a swarm:

      docker swarm init \
      --advertise-addr \
      --listen-addr

      --advertise-addr is the IP and port that other nodes use to connect to this manager node; --listen-addr is the IP and port to listen on, generally the same as above
    • View nodes: docker node ls

    • On mgr1, run docker swarm join-token manager to generate the command for adding a manager node (including the token)
      The output is like this:

      To add a manager to this swarm, run the following command:
      docker swarm join \
      --token SWMTKN-1-0uahebax...ue4hv6ps3p \

      Similarly, replace manager with worker to generate the command for adding a worker node

    • Add a worker node: log in to wrk1 and run:

      docker swarm join \
      --token SWMTKN-1-0uahebax...c87tu8dx2c \ \
      --advertise-addr \

      This node will be added to swarm as a worker

    • Similarly, wrk2 and wrk3 nodes can be added

    • Add a manager node: log in to mgr2 and run:

      docker swarm join \
      --token SWMTKN-1-0uahebax...ue4hv6ps3p \ \
      --advertise-addr \

      Similarly, mgr3 management node can be added

    • Check the nodes again:

      0g4rl...babl8 * mgr2 Ready Active Reachable
      2xlti...l0nyp mgr3 Ready Active Reachable
      8yv0b...wmr67 wrk1 Ready Active
      9mzwf...e4m4n wrk3 Ready Active
      d21ly...9qzkx mgr1 Ready Active Leader
      e62gf...l5wt6 wrk2 Ready Active
      • The (*) represents the node where the command is currently running

Swarm manager high availability

  • Swarm managers natively support high availability
  • The manager in the active state is called the leader, which is responsible for distributing tasks and forwarding tasks of other managers

  • The Raft consensus algorithm is used for coordination among the manager nodes, which ensures the high availability (HA) of the managers
  • Best practices:
    • Deploy odd number of managers (reduce split brain)
    • Don’t deploy too many managers (3-5 is better)
  • Built-in security protection of Swarm: CA settings, join tokens, mutual TLS, encrypted cluster store, encrypted networks, cryptographic node IDs, etc.
  • Lock swarm
    • Restarting an old manager, restoring an old backup and similar operations can cause security problems or wipe the current configuration
    • Add --autolock=true at initialization
    • Or update an existing swarm: docker swarm update --autolock=true. Be sure to save the generated key; it is needed to unlock the manager when it restarts
    • Restart one of the Docker nodes with service docker restart to see whether it rejoins the cluster automatically
    • View the nodes in the cluster: docker node ls (this returns an error and a prompt to unlock)
    • Run docker swarm unlock and enter the key to unlock
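Join tokens admit a node to the swarm and the autolock key unlocks a restarted manager, and both tend to end up in saved terminal output, scripts and tickets. The following is an added example, not part of the original notes: it reports where such values occur in files and produces a redacted copy. The function names and sample values are constructed, and the match pattern is a deliberately loose assumption built on the SWMTKN-1- and SWMKEY-1- prefixes.

```shell
#!/bin/sh
# Report "<file>:<line>: <kind>" for each Swarm join token (SWMTKN-1-...) or
# autolock unlock key (SWMKEY-1-...) in the given files. The value itself is
# never printed. Returns 1 when at least one secret is found, 0 otherwise.
find_swarm_secrets() {
    awk '
        {
            rest = $0
            while (match(rest, "SWM(TKN|KEY)-1-[A-Za-z0-9+/=-]+")) {
                kind = (substr(rest, RSTART, 6) == "SWMTKN") ? "join token" : "unlock key"
                printf "%s:%d: %s\n", FILENAME, FNR, kind
                found = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Copy stdin to stdout with everything after the prefix replaced.
redact_swarm_secrets() {
    sed -E 's#(SWM(TKN|KEY)-1-)[A-Za-z0-9+/=-]+#\1[REDACTED]#g'
}

# Constructed sample: a saved terminal session; both values are made up.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
$ docker swarm join-token manager
    docker swarm join --token SWMTKN-1-constructeddigest000-constructedsecret00 \
$ docker swarm update --autolock=true
    SWMKEY-1-Constructed+Unlock/Key000
EOF
find_swarm_secrets "$sample_log" || echo "secrets found, redacted copy follows:"
redact_swarm_secrets < "$sample_log"
```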

Swarm services

  • Create, for example: docker service create --name web-fe -p 8080:8080 --replicas 5 nigelpoulton/pluralsight-docker-ci
    • Declares a service named web-fe
    • Port 8080 on every swarm node is mapped to port 8080 of the service replicas
    • --replicas 5 creates five service replicas
    • After you press Enter, the manager acting as leader instantiates five replicas, and each manager and worker pulls the image and starts a container running on port 8080. The leader also ensures that the desired state of the service is stored in the cluster and replicated to every manager in the swarm.
    • All services are monitored by swarm. If a service does not match the desired state, swarm takes action to restore it.
    • For example, if a replica fails, Docker starts a new replica to return the service to the desired state
  • View services: docker service ls (if you list services immediately after creating one, it may not show up yet; wait until the deployment has completed)
  • View the list of service replicas: docker service ps <service-name or serviceid>
  • Details: docker service inspect xxx
  • There are two service modes
    • Replicated (default): specifies the number of replicas and distributes them as evenly as possible across the cluster
    • Global: starts one replica on each eligible node; add --mode global when creating the service
  • Scaling a service
    • For example, if traffic increases sharply and you need more replicas, docker service scale web-fe=10 scales the service up to 10 replicas
    • docker service ls shows the services; docker service ps shows all replicas
    • docker service scale web-fe=5 changes the number of replicas back to 5
  • Remove a service: docker service rm web-fe
  • Rolling update
    • Suppose that the image needs to be updated from v1 to v2
      # --update-parallelism 2: update two replicas at a time
      # --update-delay 20s: 20s delay
      docker service update \
      --image nigelpoulton/tu-demo:v2 \
      --update-parallelism 2 \
      --update-delay 20s uber-svc
  • Troubleshooting
    • View swarm service logs: docker service logs <service-name>. The default log driver is json-file; both json-file and journald support this command
This work is licensed under a CC agreement. Reprints must indicate the author and the link of this article.
