Docker Myths and Recipes

Everyone around me is constantly talking about Docker. I know what you will answer: "It is something about containers, virtualization, clouds", "Everything works fine for us as it is", "It is all just toys", "It will not start on our old Linux kernel", "You prepare an image for the cloud the same way and run it", "You can just configure LXC, chroot or AppArmor". You know you do not need it. Another fashionable thing. In the end, you are simply too lazy to figure it out. But curious! Then read on. This is a series of six notes.

If you have not heard about containers in Linux, here is a list of pages you need to read to understand what this is all about:


Install Docker, it is small. On Windows and Mac you can simply install the Toolbox: www.docker.com/toolbox . It is better to create the virtual machine and configure it from the command line rather than through the graphical wrapper. Work through a few lessons from the manual. Here I write about what is not in the documentation.

Docker is not virtualization.


Here is my Linux:

Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)
Last login: Tue Aug 18 00:43:50 2015 from 192.168.48.1
gri@ubuntu:~$ uname -a
Linux ubuntu 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
gri@ubuntu:~$ free -h
             total       used       free     shared    buffers     cached
Mem:          976M       866M       109M        11M       110M       514M
-/+ buffers/cache:       241M       735M
Swap:         1.0G       1.0M       1.0G

I launch CentOS:

gri@ubuntu:~$ docker run -ti centos
[root@301fc721eeb9 /]# uname -a
Linux 301fc721eeb9 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@301fc721eeb9 /]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[root@301fc721eeb9 /]# free -h
              total        used        free      shared  buff/cache   available
Mem:           976M         85M        100M         12M        790M        677M
Swap:          1.0G        1.0M        1.0G

Docker is not a chroot, although their functionality partly overlaps. It is not a security system like AppArmor. Docker uses the same kernel containers as LXC, but it is not the containers that make it interesting. Docker is nothing like what I imagined before I read the documentation.

The kernel and the memory are the same, and the container's files live on the host's file system; the distribution, libraries, and users are different. Note that free inside the container reports the host's memory (976M above, the same as on the host), even when the container has been given a memory limit with -m: /proc/meminfo is not namespaced, so a program that sizes its caches from it will see the whole machine, not its limit.

Docker is an Object Oriented Design Tool


The question regularly comes up whether the nginx configuration is part of the web application. System administrators argue with developers about it. But recently devops appeared in the world, and instead of the sequential, procedural invocation of commands from bash they wanted to think in the familiar terms of OOP. Docker provides encapsulation, inheritance, and polymorphism for system components such as a database and its data. This means you can decompose the entire information system, separate the application, web server, database, system libraries, and working data into independent components, inject dependencies from configs, and make it all work as one group, identically on different computers.

This approach can be used to cut the working time that expensive front-end developers lose configuring the database and Nginx. To get away from vendor lock-in. To avoid getting stuck when the openssl on the server does not support the cipher used by a government agency's API. To make the application work regardless of the version of PHP or Python on the customer's server. To publish open source not only as code, but also as a configured bundle of packages from several applications written in different languages and working on different OSI layers.

Start


So, I opened docs.docker.com/mac/started , installed Docker, did several exercises, and felt I was being taken for a fool who is afraid of being overloaded with information. The first question is: where the hell was Docker installed, where are its files, in what format, how is it all arranged? The answers are here: blog.thoward37.me/articles/where-are-docker-images-stored

In short, Docker uses one of several storage drivers to work with the file system, usually AUFS, and all container files are in /var/lib/docker/aufs/diff/. In /var/lib/docker/containers/ there is service information, not the container files themselves.

Images are like classes in code. Containers are like objects created from classes. The main difference is that you can take a container and make an image out of it. Images consist of so-called layers; layers are folders in /var/lib/docker/aufs/diff/. Typically, application images inherit from some ready-made official system image. When Docker downloads an image, it only fetches the layers it does not already have.

For example, I download the official nginx image: hub.docker.com/r/library/nginx/tags

docker@dev:~$ docker pull nginx
latest: Pulling from nginx
aface2a79f55: Pull complete
72b67c8ad0ca: Downloading [=============>                                     ] 883.6 kB/3.386 MB
9108e25be489: Download complete
902b87aaaec9: Already exists
9a61b6b1315e: Already exists


They write that the nginx 1.9.4 image is 52 MB, but in fact I download only 3 MB. This is because nginx is built on the debian:jessie image, which for me "Already exists". Many images are based on Ubuntu. Naturally, it is worth assembling your system from images with one common ancestor.
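The layer model just described, as an added example that is not part of the original post: a Dockerfile that inherits from a pinned nginx tag, the commands that show the resulting layers and turn a container back into an image, and a small function that tallies a `docker pull` transcript into reused and fetched layers. The image names web-demo and centos-marked, the container name marker-src, and the transcript embedded in the script are assumptions chosen here; the functions that call docker need docker 1.8 or newer on the PATH, while pull_summary is pure and runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post.  Image inheritance and the
# "only missing layers are fetched" behaviour.  Assumes docker 1.8+ on PATH
# for the functions that call it; pull_summary is pure and works offline.

# Tally a `docker pull` transcript read on stdin.  Layer lines look like
# "<12 hex chars>: <status>"; "Already exists" means the layer was reused
# from a parent image already on disk, anything else had to be fetched.
# Prints "<reused> <fetched>".
pull_summary() {
    awk '
        /^[0-9a-f][0-9a-f]*: Already exists$/ { reused++ ; next }
        /^[0-9a-f][0-9a-f]*: /                { fetched++ }
        END { printf "%d %d\n", reused + 0, fetched + 0 }
    '
}

# Build a child image on top of a pinned parent.  Pin the tag: nginx:latest
# moves, so two hosts building "the same" image can end up with different
# parents and different layer sets.  "web-demo" is a name chosen here.
build_child_image() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile" <<'EOF'
FROM nginx:1.9.4
RUN echo 'served from the child layer' > /usr/share/nginx/html/index.html
EOF
    docker build -t web-demo "$dir"
    rm -rf "$dir"
    # The history is the class hierarchy: one new layer on top of every layer
    # that nginx:1.9.4 and debian:jessie already contributed.
    docker history web-demo
}

# A container can be turned back into an image, the "object becomes a class"
# case mentioned in the text.  "marker-src" and "centos-marked" are names
# chosen here.
commit_container() {
    docker run --name marker-src centos touch /marker
    docker commit marker-src centos-marked
    docker rm marker-src
    docker history centos-marked
}

# Constructed transcript, in the shape of the pull output shown in the post.
SAMPLE_PULL='aface2a79f55: Pull complete
72b67c8ad0ca: Downloading [=============>          ] 883.6 kB/3.386 MB
9108e25be489: Download complete
902b87aaaec9: Already exists
9a61b6b1315e: Already exists'

printf '%s\n' "$SAMPLE_PULL" | pull_summary          # 2 3

case "${1:-}" in
    build)  build_child_image ;;
    commit) commit_container ;;
esac
```

Run it with no argument to see the tally for the embedded transcript, with `build` to build the child image and print its layer history, or with `commit` to demonstrate turning a container into an image. Two of the five layers in the transcript are reused from debian:jessie, which is exactly why the download was 3 MB rather than 52.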

Docker does not execute containers, it manages them


Containers are run by the kernel itself: namespaces isolate what a container can see, and cgroups limit what it can use. The docker service starts a container on a command received from a client application (for example, the docker command-line tool) and considers it stopped as soon as the container's main process exits. That is why the Nginx configuration notes for Docker say:

Be sure to include daemon off; in your custom configuration to ensure that Nginx stays in the foreground so that Docker can track the process properly (otherwise your container will stop immediately after starting)!

When a container finishes, it is not deleted unless you explicitly ask for that. Every start with docker run image_name without the --rm option creates a new container with a unique identifier that stays in the system until it is deleted, and without --name it also gets a random name, so nothing stops dozens of them from piling up. So Docker is a system prone to litter. Container names are unique within the system. I recommend giving a name to every permanent container you create, and creating containers in which you do not need to keep data with the --rm option. Containers are created with the docker run and docker create commands. You can list all containers in the system, including stopped ones, with docker ps -a.
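The lifecycle rules above (a foreground main process, --name for what you keep, --rm for what you do not, and docker ps -a to find the litter), as an added example that is not part of the original post. The container names job and web, the published port 8080, and the listing embedded in the script are assumptions chosen here; the functions that call docker need docker 1.8 or newer (for docker ps --format) on the PATH, while exited_containers is pure and runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: the lifecycle rules above
# plus a garbage collector for the containers that docker run leaves behind.
# Assumes docker 1.8+ on PATH for the functions that call it;
# exited_containers is pure and works offline.

# Read "ID<TAB>STATUS<TAB>NAME" lines on stdin, the shape produced by
# `docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Names}}'`, and print the
# IDs of containers whose main process has exited.  Running ("Up ...") and
# created-but-never-started ("Created") containers are left alone.
exited_containers() {
    awk -F'\t' '$2 ~ /^Exited/ { print $1 }'
}

list_containers() {
    docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Names}}'
}

# Remove every exited container.  docker rm discards the container's writable
# layer, so anything written inside it and neither committed nor kept in a
# volume is gone; that is the reason to name the containers you mean to keep
# and to run throwaway ones with --rm in the first place.
docker_gc() {
    ids=$(list_containers | exited_containers)
    if [ -n "$ids" ]; then
        echo "$ids" | xargs docker rm
    fi
}

# One-off job: foreground and self-cleaning, leaves nothing in docker ps -a.
# The 1.x daemons of this era reject --rm together with -d, so a detached
# container cannot clean up after itself.
run_once() {
    docker run --rm --name "$1" nginx nginx -v
}

# Long-lived service: named and detached.  Options go before the image name;
# everything after the image is the command run inside the container, and
# that command must stay in the foreground, which is what -g 'daemon off;'
# does.  `docker create nginx --name web` would hand --name to nginx instead.
run_web() {
    docker run -d --name "$1" -p 8080:80 nginx nginx -g 'daemon off;'
}

# Constructed listing in the list_containers shape (tabs between fields).
SAMPLE_PS=$(printf '301fc721eeb9\tExited (0) 5 minutes ago\tweb1\nb1d2c3d4e5f6\tUp 3 minutes\tweb2\n0a1b2c3d4e5f\tCreated\tstaging\n9f8e7d6c5b4a\tExited (137) 2 hours ago\tbatch\n')

printf '%s\n' "$SAMPLE_PS" | exited_containers     # 301fc721eeb9 and 9f8e7d6c5b4a

case "${1:-}" in
    gc)   docker_gc ;;
    once) run_once "${2:-job}" ;;
    web)  run_web "${2:-web}" ;;
esac
```

With no argument the script only runs the pure filter over the embedded listing; `gc` removes exited containers on a real daemon, `once` and `web` show the two ways of starting a container that the text recommends. On a daemon that supports it, `docker ps -aq -f status=exited` gives the same ID list as the awk filter.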

Docker is a client-server system service


Accordingly, Docker may hang. If you gave the command to download an image, the only way to interrupt the download is to restart the service. The authors have been discussing what to do about it for a long time, but things are still where they were.

For example, version 1.8.1 has a reproducible problem:

docker@dev:~$ docker pull debian
Using default tag: latest
latest: Pulling from library/debian
2c49f83e0b13: Downloading [===================>                               ] 19.89 MB/51.37 MB

I press Ctrl-C, then immediately start the download again.

docker@dev:~$ docker pull debian
Using default tag: latest

Repin's painting "Priplyli" ("We Have Arrived"). In other words, it hung. You have to restart the daemon.

docker@dev:~$ sudo /etc/init.d/docker restart
Need TLS certs for dev,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
docker@dev:~$ sudo /etc/init.d/docker status
Docker daemon is running
docker@dev:~$ docker pull debian
Using default tag: latest
latest: Pulling from library/debian
...
Status: Downloaded newer image for debian:latest


It happens that the docker daemon does not want to die on its own and does not release the port, and the init script does not yet handle these edge cases. So do not forget to check sudo /etc/init.d/docker status and sudo netstat -ntpl , then get out the tambourine and dance.
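The checks just mentioned, as an added example that is not part of the original post: what the init script believes, whether the daemon actually answers, and who holds the API port. It assumes the daemon listens on TCP 2376 (the TLS port implied by the "Need TLS certs" line in the restart output above) and the usual /var/run/docker.sock; the netstat listing embedded in the script is constructed, and port_holder is pure and runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: the checks the text says not
# to forget after a hung daemon.  Assumes TCP 2376 and /var/run/docker.sock;
# port_holder is pure and works offline.

# Read `netstat -ntpl` output on stdin and print the PID/program that owns
# the LISTEN socket on the given port, or nothing if the port is free.
port_holder() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7 }
    '
}

# Three checks, in the order a practitioner runs them:
# 1. what the init script believes,
# 2. whether the daemon actually answers (a hung daemon still holds its
#    socket, so only a bounded API call tells the truth),
# 3. who holds the port, so a stale daemon can be killed before restarting.
docker_daemon_check() {
    port=${1:-2376}
    sudo /etc/init.d/docker status
    if timeout 5 docker version >/dev/null 2>&1; then
        echo "daemon answers"
    else
        echo "daemon does not answer within 5s"
    fi
    if [ -S /var/run/docker.sock ]; then
        echo "unix socket present"
    fi
    holder=$(sudo netstat -ntpl | port_holder "$port")
    echo "port $port held by: ${holder:-nobody}"
    # 2375 is the plaintext API port; anyone who can reach it is root on the
    # host, so it should never show up here on a non-loopback address.
    plain=$(sudo netstat -ntpl | port_holder 2375)
    if [ -n "$plain" ]; then
        echo "WARNING: plaintext API on 2375 held by $plain"
    fi
}

# Constructed netstat listing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp6       0      0 :::2376                 :::*                    LISTEN      1187/docker
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd'

printf '%s\n' "$SAMPLE_NETSTAT" | port_holder 2376      # 1187/docker

if [ "${1:-}" = check ]; then
    docker_daemon_check "${2:-2376}"
fi
```

Run it with `check` (optionally followed by a port) on the host to perform the live checks; if the port is held but the bounded docker version call times out, the process printed by port_holder is the stale daemon to kill before running the init script again.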

You also need to remember that argument order matters for the docker command. If you write docker create nginx --name=nginx , then --name=nginx is taken as the command to run inside the container, not as the container's name: options belong before the image name, and everything after the image is the container's command.

Now it will be easier for you to deal with the official documentation.

Continued in: habrahabr.ru/post/267451 and habrahabr.ru/post/267455
