Docker: What Is It?

Tom Most

NBLUG 2019-02-12

Agenda

What is a container? ∙ Docker basics ∙ Use cases

What is a container?

Two Linux features:

namespaces	+	control groups
isolation		resource limits
hostname		CPU
network		memory
processes		I/O
filesystem		…
…

Usually also paired with virtual network devices

LXC: Linux Containers

Containers that resemble a virtual machine

Has a normal init process
Runs system services: cron, gettys, etc.
Linux kernel is shared with the host
Sometimes called “lightweight virtualization” or “OS-level virtualization”
Flexible, low-level tool

Introducing Docker

$ docker run -it ubuntu:xenial bash
Unable to find image 'ubuntu:xenial' locally
xenial: Pulling from library/ubuntu
✂
7ea47a67709e: Pull complete
Digest: sha256:e4a134999bea4abb4a27bc437e6118fdddfb172e1b9d683129b74d254af51675
Status: Downloaded newer image for ubuntu:xenial
root@ef57b341461f:/# hostname
ef57b341461f
root@ef57b341461f:/# ps fax
  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 bash
   17 pts/0    R+     0:00 ps fax

What is a Docker container?

Docker Engine adds some opinions:

Ideally there is only run process inside the container
- No system services like init or cron
Immutability — the software and resources within don’t change at runtime
- Ship an archive of the root filesystem (the “image”)
- No package upgrades — deploy a new image instead
- Store any persistent state in a volume
Configuration comes from environment variables, volumes, or network services

What is Docker Engine?

Docker daemon
- Roughly, it’s like LXC with an API
- HTTP and JSON, of course
- Over /var/lib/docker.sock UNIX socket, accessible to the docker group
- Wraps lower-level tools (once LXC, now containerd/runc)
docker CLI tool
- Build or download images
- Run and monitor containers
Open core licensing: “community” and “enterprise” editions

Docker Basics

Building and running containers

A Simple Dockerfile

FROM ubuntu:bionic

RUN apt-get update -qqq && apt-get install memcached -yqq

EXPOSE 11211/tcp
USER memcache:memcache
CMD ["memcached", "-p", "11211", "--memory-limit", "128"]

Build with docker build

First build

$ docker build -t memcache .
Sending build context to Docker daemon  2.048kB
Step 1/5 : FROM ubuntu:bionic
 ---> 47b19964fb50
Step 2/5 : RUN apt-get update -qqq && apt-get install memcached -yqq
 ---> Running in 9a1269bf9bbf
✂
Unpacking memcached (1.5.6-0ubuntu1) ...
✂
Removing intermediate container 9a1269bf9bbf
 ---> 1ef9a4caf1c1
Step 3/5 : EXPOSE 11211/tcp
 ---> Running in 2070f6abcada
Removing intermediate container 2070f6abcada
 ---> ccc1d5c153a6
Step 4/5 : USER memcache:memcache
 ---> Running in 485ab2cd2c0a
Removing intermediate container 485ab2cd2c0a
 ---> 88bafee3e318
Step 5/5 : CMD ["memcached", "-p", "11211", "--memory-limit", "128"]
 ---> Running in 4e68567f195e
Removing intermediate container 4e68567f195e
 ---> a107a3c11dc3
Successfully built a107a3c11dc3
Successfully tagged memcache:latest

Second build

Caching!

$ docker build -t memcache .
Sending build context to Docker daemon  2.048kB
Step 1/5 : FROM ubuntu:bionic
 ---> 47b19964fb50
Step 2/5 : RUN apt-get update -qqq && apt-get install memcached -yqq
 ---> Using cache
 ---> 1ef9a4caf1c1
Step 3/5 : EXPOSE 11211/tcp
 ---> Using cache
 ---> ccc1d5c153a6
Step 4/5 : USER memcache:memcache
 ---> Using cache
 ---> 88bafee3e318
Step 5/5 : CMD ["memcached", "-p", "11211", "--memory-limit", "128"]
 ---> Using cache
 ---> a107a3c11dc3
Successfully built a107a3c11dc3
Successfully tagged memcache:latest

Run it

$ docker run --publish 11211:11211 --detach memcache:latest
967cfd35f00e3ec2ce42d3d701a6bf08a3886a82ac310c310bb4446ab7fb3cc2

--publish forwards ports from the host

--detach runs in the background

$ docker ps
CONTAINER ID  IMAGE            COMMAND             ✂ NAMES
967cfd35f00e  memcache:latest  "memcached -p 112…" ✂ romantic_jepsen

$ docker exec -it romantic_jepsen bash
memcache@967cfd35f00e:/$ ps fax
  PID TTY      STAT   TIME COMMAND
   18 pts/0    Ss     0:00 bash
   27 pts/0    R+     0:00  \_ ps fax
    1 ?        Ssl    0:00 memcached -p 11211 --memory-limit 128

Dockerfile: Build-Time Commands

FROM ubuntu:bionic

RUN apt-get update -qqq && apt-get install memcached -yqq

EXPOSE 11211/tcp
USER memcache:memcache
CMD ["memcached", "-p", "11211", "--memory-limit", "128"]

FROM — base image
COPY and ADD — add files
RUN — run a command
WORKDIR, ENV, ARG, and SHELL

Dockerfile: Runtime Metadata

FROM ubuntu:bionic

RUN apt-get update -qqq && apt-get install memcached -yqq

EXPOSE 11211/tcp
USER memcache:memcache
CMD ["memcached", "-p", "11211", "--memory-limit", "128"]

CMD and ENTRYPOINT — command to run
USER — user/group when container is run
EXPOSE — port numbers
LABEL — key/value metadata
VOLUME, STOPSIGNAL, HEALTHCHECK

Container Use Cases

Running Picky Software ∙ Building ∙ Testing ∙ Distribution ∙ Deployment

Running Picky Software

Like a VM, you can use a container to run software that is particular about its environment
- Use old libraries without holding back everything else
Unlike a VM the container uses the host’s kernel
- So you aren’t running an unsafe old kernel (but you’re still running unsafe everything else)
- This works because the Linux kernel is strict about backwards compatibility

Building software

Buiding in a container can improve repeatability of builds

No accidental dependencies
Easy to switch between environments
Can use weird environments
- Python manylinux1 wheels: CentOS 5
Great for continuous integration

Testing software

Similar benefits to building:

A clean environment, every run
- Can run services (databases, etc.)
- Faster to start than VMs
Everyone has an identical environment
Tests can’t pollute your desktop

Distributing Software

You can distribute software as a Docker image

Resource bundling solves the dependency compatibility problem!
- …but creates size and license compliance problems
Mostly see this used for Go apps
- Grafana
Docker Hub — hub.docker.com — a public registry

Similar to systemd’s portable services concept

Deploying Software?

Reduced delta between development and production
Pairs well with:
- Stateless services
- Continuous deployment
- Microservice architecture*
Danger zones:
- Security updates
- Stateful services — databases
- Networking
- Ecosystem churn (e.g., Docker Swarm vs. Kubernetes)

* Normal microservice caveats apply

So What Is Docker?

namespaces + control groups
+ layered filesystem
+ HTTP API
+ CLI tool
+ Dockerfiles
+ image registry

Docker Disambiguation

Docker Engine and docker CLI tool — the software we’re discussing.

Moby — open source project, basis of the above. Formerly called “Docker”.

Docker, Inc. — a San Francisco startup, owner of docker.com and the Docker trademarks. Formerly called dotCloud.

Docker Hub — hub.docker.com, a software repository run by Docker, Inc.

Docker Swarm, Docker Enterprise, Docker Desktop — other Docker, Inc. products, not discussed here.