Systematization of docker knowledge points

Time:2020-10-27

1. Introduction to docker

1.1 what is docker

Docker is an open source application container engine, which allows developers to package their applications and dependency packages into a portable container, and then publish them to other machines. A container can be simply understood as a modified runtime environment that isolates all resources (unless explicitly allowed). UNIX has been using containers to isolate resources for a long time, but it is difficult to use containers directly, configuration is complex and error prone. Docker uses the existing container technology and provides consistent docker construction scheme according to the best practices, so that we can easily use the container to isolate resources and provide stronger security. At present, docker can run on Linux natively, and can also run through a separate virtual machine in OS X and windows environments.

1.2 running software in isolated containers

The container structure of docker running on Linux is shown in the following figure:

  Systematization of docker knowledge points

Command line tools or cli run in memory called user space, just like other programs running on the operating system. The docker cli is running in the space of docker, and the other is the docker. The above figure also shows three running containers, each running as a child process of the docker daemons and encapsulated in the container. Programs running in a container can only access the memory space and resources inside the container (unless it is specified that it can access resources outside the container).

1.3 distribution containers

   docker can execute, copy and easily distribute containers. Docker completes the encapsulation of traditional containers through a package and distribution software. This component used to act as the container distribution role is calledImageThe relationship between image and container is similar to the relationship between class and instance. Multiple instances can be created based on a class, and each instance has its own resources. However, multiple containers can be created based on one image, and each container does not interfere with each other (if special cases such as container connection are not considered)

2. Docker image

2.1 introduction to docker image

   docker image is an entity existing on the system. Inside the image, there is a simplified operating system, files and all dependencies required by the operation of the application(The image does not contain the kernel, and the container is the kernel shared by the docker host)。 Image repository is a named image bucket, which is used to store images. The centralized storage of images is to facilitate people to obtain the required images. The image warehouse is managed by an image registry. The image warehouse service of the docker client is configurable, and the default is docker hub. In each image warehouse, label is the only important way to specify the image, and it is also a traversal method to create useful aliases. A label can only be applied to a single image in a warehouse, but one image can have multiple labels. The following figure shows the relationship among the image warehouse service, the image warehouse, and the images: the image warehouse service manages multiple image warehouses, and each image warehouse can contain multiple images.

      Systematization of docker knowledge points

2.2 common operations of docker image

2.2.1 search pull image

   docker image is stored in the image warehouse, from which you can search and pull the image.
   the following is an example of a search image, and its parameters are described:

  • Name: the name of the mirror warehouse source
  • Description: the description of the image
  • Official: is it officially released by docker
  • Stars: similar to star in GitHub, which means like and like.
  • Automated: automatic build.
$ docker search ubuntu
NAME                                                      DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
ubuntu                                                    Ubuntu is a Debian-based Linux operating sys…   10873               [OK]                
dorowu/ubuntu-desktop-lxde-vnc                            Docker image to provide HTML5 VNC interface …   422                                     [OK]
rastasheep/ubuntu-sshd                                    Dockerized SSH service, built on top of offi…   244                                     [OK]
consol/ubuntu-xfce-vnc                                    Ubuntu container with "headless" VNC session…   217                                     [OK]
ubuntu-upstart                                            Upstart is an event-based replacement for th…   108                 [OK]                
...

Pull the image. You can specify the label to pull. If you do not specify the image label, the image with the last label will be pulled by default

$ docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
d51af753c3d3: Downloading [========================================>          ]  23.13MB/28.56MB
fc878cd0a91c: Download complete 
6154df8ff988: Download complete 
fee5db0ff82f: Waiting 
latest: Pulling from library/ubuntu
d51af753c3d3: Pull complete 
fc878cd0a91c: Pull complete 
6154df8ff988: Pull complete 
fee5db0ff82f: Pull complete 
Digest: sha256:747d2dbbaaee995098c9792d99bd333c6783ce56150d1b11e333bbceed5c54d7
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest

Specify label pull image:

$ docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
23884877105a: Pull complete 
bc38caa0f5b9: Pull complete 
2910811b6c42: Pull complete 
36505266dcc6: Pull complete 
Digest: sha256:3235326357dfb65f1781dbc4df3b834546d8bf914e82cce58e6e6b676e23ce8f
Status: Downloaded newer image for ubuntu:18.04
docker.io/library/ubuntu:18.04

2.2.2 view image

To see which images are available:

$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB
ubuntu              18.04               c3c304cb4f22        2 weeks ago         64.2MB

To view image details:

$ docker inspect ubuntu:18.04
[
    {
        "Id": "sha256:c3c304cb4f22ceb8a6fcc29a0cd6d3e4383ba9eb9b5fb552f87de7c0ba99edac",
        "RepoTags": [
            "ubuntu:18.04"
        ],
        "RepoDigests": [
            "[email protected]:3235326357dfb65f1781dbc4df3b834546d8bf914e82cce58e6e6b676e23ce8f"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2020-04-24T01:07:05.743682549Z",
        "Container": "f607979929fd999f71996754275dc5058e7345748f52d58ba72b6baf449c1fb2",
        The content is long, which is omitted here
    }
]

2.2.3 making images

There are two ways to create an image: one is to generate an image from a local container and the other is to use dockerfile to generate an image. See section 6 for details.

2.2.4 mirror label

#Here you are ubuntu:18.04 Add a new tag ubuntu:v18
$ docker tag ubuntu:18.04 ubuntu:v18

#View the image and find the new label ubuntu:v18 and ubuntu:18.04 In fact, the docker tag just creates a label, which points to the same image as the original tag.
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB
ubuntu              18.04               c3c304cb4f22        2 weeks ago         64.2MB
ubuntu              v18                 c3c304cb4f22        2 weeks ago         64.2MB

2.2.5 delete image

To delete an image, it should be noted that the image cannot be deleted until all containers started based on the image are stopped.

#To delete an image, specify a label. Otherwise, the image with the label of latest will be deleted by default. You can specify the image ID to delete.
$ docker image rm ubuntu:18.04
Untagged: ubuntu:18.04

#The view image is indeed deleted
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB
ubuntu              v18                 c3c304cb4f22        2 weeks ago         64.2MB

2.3 image distribution

2.3.1 distribution through mirror warehouse

Upload the image to the image warehouse, and the user pulls the image from the image warehouse.

Usage:    docker push [OPTIONS] NAME[:TAG]

Push an image or a repository to a registry

Options:
      --disable-content-trust   Skip image signing (default true)

2.3.2 manual distribution

An image is an entity that can be stored on a disk and transmitted through a USB flash disk.

$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB

#Will be mirrored ubuntu:latest Save as ubuntu.tar 。 So you can pass it on ubuntu.tar To distribute the images.
$ docker save -o ubuntu.tar ubuntu:latest

#Delete mirror image ubuntu:lastest
$ docker image rm ubuntu:latest
Untagged: ubuntu:latest
Untagged: [email protected]:747d2dbbaaee995098c9792d99bd333c6783ce56150d1b11e333bbceed5c54d7
Deleted: sha256:1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01
Deleted: sha256:279e836b58d9996b5715e82a97b024563f2b175e86a53176846684f0717661c3
Deleted: sha256:39865913f677c50ea236b68d81560d8fefe491661ce6e668fd331b4b680b1d47
Deleted: sha256:cac81188485e011e56459f1d9fc9936625a1b62cacdb4fcd3526e5f32e280387
Deleted: sha256:7789f1a3d4e9258fbe5469a8d657deb6aba168d86967063e9b80ac3e1154333f
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

#From ubuntu.tar Load image
$ docker load -i ubuntu.tar
7789f1a3d4e9: Loading layer [==================================================>]  75.22MB/75.22MB
9e53fd489559: Loading layer [==================================================>]  1.011MB/1.011MB
2a19bd70fcd4: Loading layer [==================================================>]  15.36kB/15.36kB
8891751e0a17: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: ubuntu:latest
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB

2.4 image layering

   docker image is composed of some loosely coupled read-only image layers. Docker is responsible for stacking these image layers and representing them as a single unified object. All docker images start from a basic image layer. When modifying or adding new content, a new image layer will be created on top of the current image layer. When additional mirror layers are added, the mirror always remains the combination of all the current mirror layers. For example, if an image consists of two layers, the first layer contains files 1, 2, 3, and the second layer contains files 4, 5, and 6, then from a system perspective, this image contains six files 1, 2, 3, 4, 5, and 6. The figure below shows a slightly more complex three-tier image, where file 7 is an updated version of file 5. In this case, the files in the upper mirror layer cover the files in the lower mirror layer. In this way, the updated version of the file is added to the image as a new mirror layer(I feel that the bottom layer of the image layer is a basic layer, and then each layer above is like a step. Each step is executed from bottom to top, and the final result is the information displayed by the whole image)。

        Systematization of docker knowledge points

      Systematization of docker knowledge points

Always remember that the mirror layer is read-only. In this way, the image layer can be shared among multiple mirrors, which can save space and improve performance. The most intuitive is that when pulling an image, if some image layers contained in the image already exist, they will not be pulled again.
   the image itself is a configuration object, which contains the list of image layers and some metadata information. The image layer is the place where the actual data is stored (for example, files, etc., the image layers are completely independent, and there is no concept of belonging to a certain image collection). The unique identity of the mirror is an encrypted ID, which is a hash value of the configuration object itself. Each mirror layer also has an encryption ID distinction, whose value is a hash value of the content of the mirror layer itself. This means that modifying the contents of the mirror or any of its mirror layers will result in changes in the encrypted hash value. Therefore, the image and its mirror layer are immutable, and any changes can be easily identified (this is called content hashing).

2.5 multi architecture image

The purpose of multi architecture image is to solve the problem that image supports different architectures (Linux, windows, arm, etc.). To implement this feature, the mirror repository service API supports two important structures: manifest list and manifest. Manifest list refers to the list of architectures supported by a certain image tag. Each architecture it supports has its own manifest definition, which lists the composition of the image. As shown in the figure below, on the left is a list of manifest, which contains each architecture supported by the image. Each item in the manifest list has an arrow pointing to the specific manifest, which contains the image configuration and image layer data.

      Systematization of docker knowledge points

Multi architecture image principle: when pulling the image, the docker client will call the API of the docker image warehouse service to complete the pull. If the image has a manifest list, the docker client will find the manifest corresponding to the current host architecture, resolve the encryption ID of the image layer that constitutes the image, and then pull each image layer from the image warehouse. Some software can’t cross platform (maybe others don’t need it), so the manifest list is optional. If there is no manifest list, the image warehouse service will return a normal manifest.

3. Docker container

3.1 introduction to docker container

   a container is a runtime instance of a mirror, and you can start one or more containers from a single mirror. Compared with virtual machines, containers are lightweight and start up very fast — compared with virtual machines running on a complete operating system,The container shares the operating system / kernel of its host(a very simple method is to check the process inside the container. The process running inside the container can also be found on the operating system of the host where the container is located (because the container has an isolated PID, the process number will be different, but the process is the same). When creating containers, docker will assign a unique identifier to each container, as well as a personalized name (if the user does not specify a name). The docker container has four states: up, suspended, exited, and restarting. The state transition diagram is as follows:
      Systematization of docker knowledge points

3.2 common operations of docker container

3.2.1 start and stop docker container

   introduction to common options when starting a container:-i: keep standard input on;-t: assign a TTY terminal;-d: background running container;-e MYENV=123: inject environment variables;-p 9000:80: requests published to port 9000 of the host will be mapped to port 80 of the container;-v /opt/soft:/soft: mount the host’s / opt / soft directory to the / soft directory of the container file system (detailed in Section 5).Here’s a tip: if it’s a foreground started container, pressing the ctrl-pq key combination will exit the container, but not terminate the container.

#Docker container running, stop / start, pause / restart
docker container run
docker container stop
docker container start
docker container pause
docker container restart

3.2.2 view docker container

#List running containers
docker container ls
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
b601d970cd1d        web:v1              "node app.js"       4 seconds ago       Up 2 seconds                            zealous_leakey

#List all containers
$ docker container ls -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                        PORTS               NAMES
b601d970cd1d        web:v1              "node app.js"            27 seconds ago      Up 26 seconds                                     zealous_leakey
9e3328fa1308        ubuntu:latest       "/bin/bash"              16 minutes ago      Exited (0) 16 minutes ago                         silly_nash
3e45ce78a31d        ubuntu:latest       "/bin/bash"              17 minutes ago      Exited (130) 16 minutes ago                       beautiful_easle

#View container configuration details and runtime information
docker inspect zealous_leakey
[
    {
        "Id": "b601d970cd1d051df92f8dcb2f8b9acd39d0a1e9a0138db6e597b690f134b57b",
        "Created": "2020-05-11T03:01:21.064780355Z",
        "Path": "node",
        "Args": [
            "app.js"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 23692,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2020-05-11T03:01:22.4655386Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:84f04d8b5d32a6d5b6dee7a67d2b25dcf9e12a5c6e36039353baf75d551c4dd1",
        ...
    }
]

3.2.3 shell connected to container

   docker container exec allows the user to start a new process in a running container. This command is useful when connecting the docker host shell to a running container terminal.docker container exec -it <container-name or container-id> bashThe command starts a bash shell process inside the container and connects to the shell. For this command to work, the image used to create the container must contain a bash shell.

$ docker container ls
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
b601d970cd1d        web:v1              "node app.js"       2 minutes ago       Up 2 minutes                            zealous_leakey
$ docker container exec -it zealous_leakey bash
[email protected]:/# 

3.2.4 deleting containers

#The container needs to be stopped before it can be deleted
docker rm 
#If you add - F to kill the container and delete it
docker rm -f

3.3 restart strategy of docker container

3.3.1 automatic restart strategy of docker container

   it is generally recommended that you configure the restart policy when you run the container. This is a self-healing capability of the container, which can be restarted after a specified event or error to complete self-healing. The restart policy applies to each container and is passed in when the container is started--Restart < restart policy >That’s fine. There are three common container restart strategies:alwaysunless-stoppedon-failure。 The always policy is a simple way to always try to restart the container in the stopped state unless the container is explicitly stopped (for example, through the docker container stop command). When using the always policy, it should be noted that when the docker daemon is restarted, the stopped container will also be restarted. The biggest difference between always and unless stopped is that containers that use the unless stopped policy and are in the exited state will not be restarted when the docker daemon is restarted. The on failure policy will restart the container when it exits the container and the return value is not 0. Even if the container is in the exited state, the container will be restarted when the docker daemon restarts.

3.3.2 use init / systemctl and supervisor to monitor the process in the container

Use the daemons (service, systemctl, etc.) or the third-party process monitoring software (supervisor) to monitor the process in the container. When creating the image, configure these services. When starting the container, you only need to start the monitoring program, which is responsible for starting the application.

4. Docker network

4.1 introduction to docker network container model (CNM)

   docker has four network container models: closed container, bridged container (default), joined container and open container. All docker containers must conform to one of the four models. These models define how a container communicates with other local containers and host networks. The following figure vividly depicts each model, with the strongest (most isolated) on the far left and the most vulnerable on the far right:
   Systematization of docker knowledge points

4.2 closed container

   add when starting container--network noneA closed container is created. The closed container does not allow any network traffic, and processes running in this container can only access the local loopback interface.

#As you can see, the closed container has only one loopback interface
$ docker run --name closed-container --network none node:7 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

4.3 bridged container

   bridged container is the default network container model when docker runs the container. It can also be added when the container is started--network bridgeExplicitly create a closed container. The bridged container has two interfaces, one is the local loopback interface, and the other is connected to the host network through the bridge. The bridged container can access any external network that any host network can access through the host network.

#A local loopback interface, a bridge to the host network interface
$ docker run --network bridge node:7 ip addr; ping -c 2 www.baidu.com
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
255: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
PING www.a.shifen.com (180.101.49.12) 56(84) bytes of data.
64 bytes from 180.101.49.12 (180.101.49.12): icmp_seq=1 ttl=50 time=29.0 ms
64 bytes from 180.101.49.12 (180.101.49.12): icmp_seq=2 ttl=50 time=28.4 ms

--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 28.441/28.761/29.082/0.362 ms

4.4 joined container

   add when starting container--Network container: < containers that need to share networks >A joined container is created.Notice here--networkYou need to add one after the optioncontainer:Represents the creation of a joined container from an existing container, if not addedcontainer:Then the docker daemons think that thenetworkCreating containers, aboutnetworkAt present, it is not used much, and will not be introduced here。 In this case, none of the network containers are shared between these containers. The joined container is built by providing access to one container interface to another new container.

#Create a closed container and look at its internal network status. You can see that the container is listening to port 39439
$ docker run --name join-base-container --network none -d alpine:latest nc -l 8000
e2907c7a889d209734f63309a5351687ac2761489e129cd6a7d6a392234a3cde
$ docker exec join-base-container netstat -al
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:39439           0.0.0.0:*               LISTEN      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path

#Create a joined container based on the above container and find that it shares the network in the closed container above
$ docker run --network container:join-base-container alpine:latest netstat -al
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:39439           0.0.0.0:*               LISTEN      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path

4.5 open container

   add when starting container--network hostAn open container is created. The open container has no network container, shares the host network, and has full access to the host network. As follows, start an open container, in which you can see all the network interfaces of the host.

#Let's first see what network interfaces the host has
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8c:ec:4b:ab:6d:38 brd ff:ff:ff:ff:ff:ff
    inet 10.55.2.40/24 brd 10.55.2.255 scope global dynamic noprefixroute eno1
       valid_lft 522699sec preferred_lft 522699sec
    inet6 fe80::7b57:66c8:6d06:833d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:cc:a9:3a:68 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea9:3a68/64 scope link 
       valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 brd 192.168.99.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever

#It is found that all network interfaces of the host can be accessed in the open container
$ docker run --network host node:7 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8c:ec:4b:ab:6d:38 brd ff:ff:ff:ff:ff:ff
    inet 10.55.2.40/24 brd 10.55.2.255 scope global noprefixroute dynamic eno1
       valid_lft 522693sec preferred_lft 522693sec
    inet6 fe80::7b57:66c8:6d06:833d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:cc:a9:3a:68 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea9:3a68/64 scope link 
       valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 brd 192.168.99.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever

5. Volume and persistent data

5.1 introduction to storage volume

    a directory tree for a host or container is created by a set of mount points that describe how one or more file systems can be built. Storage volume is the mount point on the container directory tree. Storage volume provides container independent data management mode.The explanation of terms in the book is vague. I understand it as follows: mount a directory of the host disk to the file system of the container (the directory on the host is called the storage volume), then the operation on the mount point in the container is actually the operation on that directory on the host. For example, if the host directory / opt / soft is mounted to the / soft directory of the container, all operations on / soft in the container are actually operations on the host directory / opt / soft.

5.2 storage volume type

   there are two types of storage volumes: bound mounted storage volumes and managed storage volumes. The binding mount storage volume uses the host directory or file provided by the user, and the option needs to be added when starting the container-V < host location >: < container mount point >。 The management storage volume uses the location controlled by the docker daemons, which is called the docker management space. Commands need to be added when starting the container-V < container mount point >The docker daemon will automatically create a directory in the host file system to mount to the mount drop point specified in the container. The storage volume types are as follows:
  Systematization of docker knowledge points

5.3 shared storage volume

   there are two ways for multiple containers to share the same storage volume. The first method is to mount to the same host directory when the container is started. The second way to start a new container is the join option--Volume from < other container name or ID >The following is a demonstration of this method:

$ docker run --name fowler -v ~/example-books:/library/PoEAA -v /library/DSL alpine:latest echo "OK"
OK
$ docker run --name knuth -v /library/test1 -v /library/test2 -v /library/test3 alpine:latest echo "OK"
OK

#Next, use -- volumes from to create a new container based on container Fowler and container Knuth. You can access the storage volume inside the container Fowler and container Knuth
$ docker run --volumes-from fowler --volumes-from knuth alpine:latest  ls -l /library
total 20
drwxr-xr-x    2 root     root          4096 May 11 03:41 DSL
drwxr-xr-x    2 root     root          4096 May  7 02:18 PoEAA
drwxr-xr-x    2 root     root          4096 May 11 03:43 test1
drwxr-xr-x    2 root     root          4096 May 11 03:43 test2
drwxr-xr-x    2 root     root          4096 May 11 03:43 test3

5.4 managing volume deletion

   add when deleting a container-vOption to delete the management volume.The bound storage volume cannot be deleted by using the docker command, because the bound storage volume is not under the management of the docker daemons.

6. Containerization of application

6.1 creating images from local containers

   creating images from local containers is relatively simple, using the command directlyDocker commit < container name or ID > < name of generated image >。 But be careful,The command that comes with starting the original container is committed to the new imageThis sentence will be explained below. First, we pull the image of Ubuntu, and then execute thedocker run -it --name git-container ubuntu:latest /bin/bashRun the container, install git in the container, exit the container, and then execute image generation.

$ docker commit git-container ubuntu-git:v1
sha256:c1f13209eb865c7b726a80cc570e13cf1ad2e37b6d614b54b21017ecb3881920
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu-git          v1                  c1f13209eb86        14 seconds ago      197MB

Then we ran the container with the new image of Ubuntu GIT and found that nothing seemed to have happened.

$ docker run --rm ubuntu-git:v1
$ 

The above phenomenon occurs because the command attached when starting the original container will be submitted to the new image, while the command attached when starting the container to create the new image is / bin / bash. So when you start a container from a new image using this default command, it starts a shell and stops it immediately.
   we can set the entry point when creating a new image. To set the entry point, we need to use the--Entrypoint < entry point command >Create a new container and rerun from the new container.

#Based on Ubuntu- git:v1 Mirror starts a container with an entry point
$ docker run --name base-entrypoint --entrypoint git ubuntu-git:v1
usage: git [--version] [--help] [-C <path>] [-c <name>=<value>]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p | --paginate | -P | --no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]
           ...

#Create the image based on the container with the storage point, and keep the image name unchanged
$ docker commit base-entrypoint ubuntu-git:v1
sha256:7ab43fc4a1c911f4f2eeeb62f5a946f2b687303a423ae64451a7a846db7cf036

#Clear the container
$ docker rm base-entrypoint
base-entrypoint

#Starting the container from the new image, you can see that it has its own entry point
$ docker run --rm ubuntu-git:v1 version
git version 2.25.1

6.2 create image by dockerfile

6.2.1 usage of dockerfile

   let’s first introduce how to use dockerfile to create git images created from local containers in the previous section. Create aDockerfileCopy the following code to the file to save:

FROM ubuntu:latest
RUN apt-get update \
    && apt-get install -y git
ENTRYPOINT ["git"]

Execute the orderdocker build -t ubuntu-git:auto .Create a new image, and thendocker image lsYou can see the image you just created. Start the container to verify the new mirror:

$ docker build  -t ubuntu-git:auto .
Sending build context to Docker daemon  2.048kB
Step 1/3 : FROM ubuntu:latest
 ---> 1d622ef86b13
Step 2/3 : RUN apt-get update     && apt-get install -y git
 ---> Running in 24ca27336db7
Removing intermediate container 24ca27336db7
 ---> 6e0f2d7b38e1
Step 3/3 : ENTRYPOINT ["git"]
 ---> Running in bd1435f0e46d
Removing intermediate container bd1435f0e46d
 ---> 88475690ecbc
Successfully built 88475690ecbc
Successfully tagged ubuntu-git:auto

$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu-git          auto                88475690ecbc        3 minutes ago       197MB
ubuntu              latest              1d622ef86b13        2 weeks ago         73.9MB

$ docker run --rm ubuntu-git:auto version
git version 2.25.1

6.2.2 common dockerfile instructions

   note when using dockerfile:Each dockerfile instruction causes a new mirror layer to be created, so instructions should be merged as much as possible. The creation of the image is done by the docker daemons, not by the docker client. The docker client will send the context to the docker daemon, which is responsible for creating the image. Therefore, do not add irrelevant data to the image when writing the dockerfile.
Some instructions such as run, entrypoint and CMD have two formats: shell format and exec format. The shell format is similar to a shell command, for example, the entry point is set toENTRYPOINT pyhon /app/run.py, where the parameters are separated by spaces. The exec format is an array of strings, where the first value is the command to execute, and the rest are parameters. The command specified in the shell format will be executed as an argument to the default shell. Specifically, the specified command will run with the/bin/sh -c "python /app/run.py"In the form of execution. Most importantly, if entrypoint uses the shell format, all parameters provided by the CMD instruction and additional parameters specified when running the container are ignored. It is a best practice to use the exec format whenever possible.

  • FROM

The   from instruction specifies the underlying mirror layer.
   format:FROM [--platform=<platform>] <image>[:<tag>] [AS <name>]
   example:FROM ubuntu:latest

  • RUN

    creates a new mirror layer above the current mirror layer and executes commands in the new layer.
   format:RUN <command>orRUN ["executable", "param1", "param2"]
   example:RUN apt-get update && install -y git

  • CMD

    provides default parameters when running the container.
   format:CMD ["param1","param2"]orCMD command param1 param2
   example:CMD ["/usr/bin/wc","--help"]

  • LABEL

    is used to define key value pairs, which are recorded as metadata of mirror or container. This is the same function as the — label option when starting the container.
   formatLABEL <key>=<value> <key>=<value> <key>=<value> ...
   example:LABEL multi.label1="value1" multi.label2="value2" other="value3"

  • Maintainer (not recommended)

   maintainer information.
   format:MAINTAINER <name>
   example:LABEL maintainer="[email protected]"

  • EXPOSE

    notifies the docker container to listen on the specified network port when it starts. You can use the-pOption to override the setting.
   format:EXPOSE <port> [<port>/<protocol>...]
   example:EXPOSE 80/udp

  • ENV

    sets the environment variable for the mirror, similar to the – E (- – Env) option when starting the container.
   format:ENV <key> <value>orENV <key>=<value> ...
   example:ENV myName="John Doe" myDog=Rex\ The\ Dog myCat=fluffy

  • ADD

    copies the file to the image.
   format:ADD [--chown=<user>:<group>] <src>... <dest>orADD [--chown=<user>:<group>] ["<src>",... "<dest>"]
   example:ADD test.txt relativeDir/

  • COPY

    copies the file to the image.
   format:COPY [--chown=<user>:<group>] <src>... <dest>orCOPY [--chown=<user>:<group>] ["<src>",... "<dest>"]
   example:COPY test.txt relativeDir/

  • ENTRYPOINT

    sets the entry point and specifies the executable program to be run when the container starts.
   format:ENTRYPOINT ["executable", "param1", "param2"]
   example:ENTRYPOINT ["top", "-b"]

  • VOLUME

    create a docker management volume.
   format:VOLUME ["/data"]
   example:VOLUME ["/data"]

  • USER

    specifies the user when the container is started.
   format:USER <user>[:<group>]
   example:USER patrick

  • WORKDIR

    specifies the default working directory, which is created if the specified directory does not exist.
   format:WORKDIR /app
   example:WORKDIR /app

6.2.3. Introduction to dockerignore

Before the docker client sends the context to the docker daemon, it looks for a file named. Dockerignore in the root directory of the context. If this file exists, the client modifies the context to exclude files and directories that match the patterns in it. This helps to avoid sending unnecessary large files or sensitive files and directories to daemons, and to avoid adding them to the image using add or copy. The pattern matching behavior of. Dockerignore is as follows:

rule behavior
#comment Comments, ignored
* Matches any number of non separators, such as/tempIndicates that the directory or file starting with temp in the first level subdirectory is excluded,//Temp * means excluding directories or files that start with temp in secondary subdirectories
? Matches any single non separator
! A line beginning with an exclamation point! Indicates that the line is not controlled by the. Dockeignore pattern matching and can be added to the image by add

For example, we only add the necessary files to the image. The following example shows that only the app (whether it is a file or a directory) will be added to the image app.py , requirements.txt Add to image

#Exclude everything first
*

#Add the required file or directory
!app
!app.py
!requirements.txt

7. Docker others

   docker can limit the access of CPU, memory and device used by container when running container, and can also run privileged container(docker container run --privileged)。In the process of using docker, you can use theDocker help < command >perhapsDocker < command > -- helpTo see help

docker run --help

Usage:    docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

Run a command in a new container

Options:
      --add-host list                  Add a custom host-to-IP mapping
                                       (host:ip)
  -a, --attach list                    Attach to STDIN, STDOUT or STDERR
  ...

8. References

  1. Docker in simple language
  2. Docker practice
  3. https://docs.docker.com/engin…