
Docker for DevOps

References
● Docker Documentation https://docs.docker.com/
● Mastering Docker Second Edition - Russ
McKendrick, Scott Gallagher – Packt Publishing –
July 2017
Containers & VMs
Containers
“a lightweight, stand-alone, executable package of a
piece of software that includes everything needed to
run it: code, runtime, system tools, system libraries,
settings.”
Why Containers? Lightweight
● Containers running on a single machine share
that machine's operating system kernel; they
start instantly and use less compute and RAM.
● Images are constructed from filesystem layers
and share common files. This minimizes disk
usage and image downloads are much faster.
Why Containers? Standard
● Containers are based on open standards and run
on all major Linux distributions, Microsoft
Windows, and on any infrastructure including
VMs, bare-metal and in the cloud.
Why Containers? Secure
● Docker containers isolate applications from one
another and from the underlying infrastructure.
Docker provides the strongest default isolation to
limit app issues to a single container instead of
the entire machine.
Comparing Containers & VMs (1)
Comparing Containers & VMs (2)
● Containers are an abstraction at the app layer that
packages code and dependencies together. Multiple
containers can run on the same machine and share
the OS kernel with other containers, each running as
isolated processes in user space. Containers take up
less space than VMs (container images are typically
tens of MBs in size), and start almost instantly.
● Virtual machines (VMs) are an abstraction of physical
hardware turning one server into many servers. The
hypervisor allows multiple VMs to run on a single
machine. Each VM includes a full copy of an
operating system, one or more apps, necessary
binaries and libraries - taking up tens of GBs. VMs
can also be slow to boot.
Containers & VMs Together
Install Docker
Docker Release Schedule
Starting with Docker 17.03, Docker uses a time-based
release schedule.
● Docker CE Stable releases generally happen
quarterly, with patch releases as needed.
● Docker EE releases generally happen twice per
year, with patch releases as needed.
Updates, and patches
● A given Docker EE release receives patches and
updates for at least one year after it is released.
● A given Docker CE Stable release receives patches
and updates for one month after the next Docker
CE Stable release.
Docker OS
Install Docker
● CentOS
yum -y install docker
● Ubuntu
apt -y install docker.io
First Docker Commands
Images
Dockerfile
A Dockerfile is a text document that contains all the
commands a user could call on the command line to
assemble an image. Using docker build users can
create an automated build that executes several
command-line instructions in succession.
Dockerfile instructions (1)
● FROM, initializes a new build stage and sets the
Base Image for subsequent instructions.
● RUN, execute any commands in a new layer on
top of the current image and commit the results.
● CMD, provide defaults for an executing container.
● LABEL, adds metadata to an image.
● EXPOSE, informs Docker that the container
listens on the specified network ports at runtime.
● ENV, sets the environment variable <key> to the
value <value>.
Dockerfile instructions (2)
● ADD, copies new files, directories or remote file
URLs from <src> and adds them to the filesystem
of the image at the path <dest>.
● COPY, copies new files or directories from <src>
and adds them to the filesystem of the container
at the path <dest>.
● ENTRYPOINT, configure a container that will run
as an executable.
● VOLUME, creates a mount point with the
specified name and marks it as holding externally
mounted volumes from native host or other
containers.
Dockerfile instructions (3)
● USER, sets the user name (or UID) and optionally
the user group (or GID) to use when running the
image and for any RUN, CMD and ENTRYPOINT
instructions that follow it in the Dockerfile.
● WORKDIR, sets the working directory for any
RUN, CMD, ENTRYPOINT, COPY and ADD
instructions that follow it in the Dockerfile.
● ARG, defines a variable that users can pass at
build-time to the builder with the docker build
command using the --build-arg
<varname>=<value> flag.
● ONBUILD, adds to the image a trigger instruction
to be executed at a later time, when the image is
used as the base for another build.
Dockerfile instructions (4)
● STOPSIGNAL, sets the system call signal that will
be sent to the container to exit.
● HEALTHCHECK, tells Docker how to test a
container to check that it is still working.
● SHELL, allows the default shell used for the shell
form of commands to be overridden.
Dockerfile Example
Docker Hub
Image Repositories
Docker Continuous Integration (CI)
CI Using Docker
Docker Hub Automated Build
Build images automatically from a build context
stored in a repository. A build context is a Dockerfile
and any files at a specific location.
Automated Builds have several advantages:
● Images built in this way are built exactly as
specified.
● The Dockerfile is available to anyone with access
to your Docker Hub repository.
● Your repository is kept up-to-date with code
changes automatically.
Automated Builds are supported for both public and
private repositories on both GitHub and Bitbucket.
Build Statuses
● Queued: in line for image to be built.
● Building: The image is building.
● Success: The image has been built with no issues.
● Error: There was an issue with your image.
Volumes
Bind Mounts & Volumes
Share Data Among Machines
Networking
Network Drivers
● Bridge, uses a software bridge which allows
containers connected to the same bridge
network to communicate.
● Host, use the host’s networking directly.
● Overlay, creates a distributed network among
multiple Docker daemon hosts.
● Macvlan, assign a MAC address to a container,
making it appear as a physical device on your
network.
● Network Plugins, third-party network plugins
with Docker.
Bridge Network
Overlay Network
Compose
Compose
“Compose is a tool for defining and running multi-
container Docker applications. With Compose, you
use a YAML file to configure your application’s
services. Then, with a single command, you create
and start all the services from your configuration.”
File Format Compatibility
docker-compose.yml
Swarm
Swarm
“The cluster management and orchestration
features embedded in the Docker Engine are built
using swarmkit. Swarmkit is a separate project
which implements Docker’s orchestration layer and
is used directly within Docker.”
Swarm Features
● Cluster management integrated with Docker Engine
● Decentralized design
● Declarative service model
● Scaling
● Desired state reconciliation
● Multi-host networking
● Service discovery
● Load balancing
● Secure by default
● Rolling updates
Swarm Architecture
Services and Tasks
● Service, definition of the tasks to execute on the
manager or worker nodes.
● Replicated services, the swarm manager distributes
a specific number of replica tasks among the nodes
based upon the scale you set in the desired state.
● Global services, the swarm runs one task for the
service on every available node in the cluster.
● Task, carries a Docker container and the commands
to run inside the container.
Load Balancing
● Ingress load balancing is used by swarm manager
to expose the services you want to make available
externally to the swarm.
● PublishedPort, service port assigned automatically
by swarm manager (port 30000-32767) or
assigned manually.
● Internal load balancing is used by swarm manager
to distribute requests among services within the
cluster based upon the DNS name of the service.
PublishedPort
docker service create --name my-web --publish published=8080,target=80 --replicas 2 nginx
ELB With Routing Mesh (1)
ELB With Routing Mesh (2)
Secrets
Secret
“A secret is a blob of data that should not be
transmitted over a network or stored unencrypted in
a Dockerfile or in your application’s source code.”
Data such as:
● Usernames and passwords
● TLS certificates and keys
● SSH keys
● Other important data such as the name of a
database or internal server
● Generic strings or binary content (up to 500 kb in
size)
Secret in Compose
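A Compose file that passes credentials as secrets instead of plain environment values, as an added example that is not part of the original slides. The service names, secret names, the file path and the commented-out password are constructed for illustration; the MYSQL_ROOT_PASSWORD_FILE variable is the official mysql image's way of reading the password from a file.

```yaml
version: "3.1"   # secrets need Compose file format 3.1 or later

services:
  db:
    image: mysql:5.7
    environment:
      # Weak setting: the value is stored in this file and is visible
      # to anyone who can run `docker inspect` on the container.
      # MYSQL_ROOT_PASSWORD: "constructed-example-password"
      #
      # Corrected setting: the image reads the password from the secret,
      # which Docker mounts as a file under /run/secrets/<name>.
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets:
      - db_root_password          # short syntax: mounted at /run/secrets/db_root_password

  web:
    image: nginx
    ports:
      - "8080:80"
    secrets:
      - source: site_tls_key      # long syntax: choose file name and permissions
        target: site.key          # mounted at /run/secrets/site.key
        mode: 0400                # readable by the owner only

secrets:
  db_root_password:
    file: ./db_root_password.txt  # constructed path; keep this file out of version control
  site_tls_key:
    external: true                # created beforehand with `docker secret create`
```

Only the services that list a secret under their own `secrets:` key get it mounted, so the web service cannot read the database password and the db service cannot read the TLS key.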
