Docker Learning Notes: Basic Usage


I have been studying Elasticsearch recently, and later colleagues in my department ran into an unauthorized access vulnerability in a Docker cluster, so I took a brief look at Docker as a basic primer. This article is a detailed record of my process of learning Docker. It walks through the most important command categories so that security practitioners who don't know Docker can get a quick introduction.

The difference between Docker and KVM

  For the difference between KVM and Docker, I will borrow a picture. Because I do not work at an Internet company, I do not understand well which production environments KVM and Docker are each suited to; if I get the chance to work in the Internet industry in the future, I will fill in this part.

From the architecture we can clearly see that KVM's isolation is much better than Docker's, because KVM has a hypervisor and isolates at the hardware level far more than Docker does. On top of the hypervisor we can install a variety of operating systems, and the files in each system are isolated along with its environment. Docker is different: much of the underlying layer and build environment is shared between applications. This is Docker and KVM as I understand them, but it is not the focus of this article; if there are errors here, I hope the experts will correct me.

Access to Docker public images

In Docker we can find a public image using the following command:

docker search nginx   # search for public nginx images

  

To obtain a public image, use the docker pull command:

docker pull nginx   # get the image named nginx

Analysis of start, stop, create and other common container commands

This group of commands is very easy to confuse, and I had a lot of questions while studying it. If there is a start command, why is there also a run command? Why can some parameters only follow run and not start? There are also some common tricks.

docker images   # list the images on the local machine

An image is only an image, though; it has to run in a container, so we need to turn the image into a container. To create a new container we typically use the following combined command:

docker run -idt --name newcentos centos haha.sh

Parameter explanation:
-it: usually appear together (attach standard input to the container and produce an interactive shell)
-d: run in the background
--name: give the container a name for easy management (otherwise you have to manage it by container ID, which will drive you crazy)
/bin/bash: the command to execute after the container is created

Put together, this means:

Create a new container from the centos image; the container is named newcentos.
After the creation is complete, execute the haha.sh script and manage the container through bash.
Do not enter the container after the creation is complete (because of the -d parameter).

To manage Docker containers I mainly use the following commands:

docker ps -a   # show all Docker containers

We can use the attach command to enter a container for interactive shell management:

docker start newcentos    # the container must be started before we can attach
docker attach newcentos   # we named the container newcentos above; otherwise we would have to use the container ID

We can start and stop a container with the start and stop commands. The important point, which I did not understand at first, is that docker run covers two stages: docker create and docker start. So when a new image is loaded into a container, we use docker run to handle both stages at once.

Deleting a container takes two stages, stop and then delete:

docker stop newcentos   # stop the running container
docker rm newcentos     # delete the container

   Docker Port Mapping

  When we run an Apache image, we often want requests to port 80 or 443 on the host address to reach the Apache process running in the container. To do that we need to map the host's ports 80 and 443 to ports 80 and 443 in the container, usually using the following command.

docker run -idt --name apache -p 80:80 httpd

Parameter explanation:

As a security practitioner I rarely use the -p parameter; it mainly maps a random port on the host to a specific port in the container.

Docker Disk Mounting

The classic Docker Remote API unauthorized access vulnerability generally requires mounting the host root directory to obtain permissions for a reverse shell; it is not detailed here. In ordinary use, we can mount the host's nginx configuration file into the container, achieving an effect similar to /mnt on a Linux system.

docker run -p 80:80 --name mynginx -v /www:/www -v /etc/conf/nginx.conf:/etc/nginx/nginx.conf -d nginx

Parameter explanation:
-v host file or directory:container directory

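A defender's check for the -p and -v options described above, as an added example that is not part of the original article: it reads `docker inspect` output and flags host paths whose mounting hands the container control of the host, and ports published on every interface. The sample data, the `rootmount` container name and the list of sensitive paths are constructed assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/mynginx",
   "HostConfig": {
     "Binds": ["/www:/www", "/etc/conf/nginx.conf:/etc/nginx/nginx.conf"],
     "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
  {"Name": "/rootmount",
   "HostConfig": {
     "Binds": ["/:/mnt", "/var/run/docker.sock:/var/run/docker.sock:ro"],
     "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}}
]
""")

# Assumed policy: host paths that must never be bind-mounted (exact match only).
SENSITIVE_SOURCES = {"/", "/etc", "/root", "/var/run/docker.sock"}


def audit_container(info):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    host_cfg = info.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        # Bind syntax is host_path:container_path[:options]
        parts = bind.split(":")
        if len(parts) < 2:
            continue  # not a host bind mount
        source = parts[0].rstrip("/") or "/"
        mode = parts[2] if len(parts) > 2 else "rw"
        if source in SENSITIVE_SOURCES:
            findings.append(f"sensitive host path {source} mounted ({mode})")
    for port, bindings in (host_cfg.get("PortBindings") or {}).items():
        for b in bindings or []:
            # An empty HostIp means the port is published on all interfaces.
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces as {b.get('HostPort')}")
    return findings


def audit(inspect_output):
    """Map container name -> findings, skipping containers with none."""
    report = {}
    for info in inspect_output:
        found = audit_container(info)
        if found:
            report[info.get("Name", "?").lstrip("/")] = found
    return report
```

On a real host the input would come from `docker inspect $(docker ps -aq)` parsed with `json.loads`.
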
Docker Image Creation (commit and Dockerfile)

  We may have deployed various environments such as nginx and redis in a CentOS container, and now want to package this customized CentOS container into a new image. There are two ways to do this: commit and Dockerfile.

docker commit -m "Centos-redis" -a "Legwindy" abe40a097f26 legwindy/centos-redis:v1

Parameter explanation:
-m: a record (the commit message)
-a: author name
abe40a097f26: ID of the container being packaged; for example, I have installed a lot of things in a CentOS container, and its container ID is abe40a097f26
legwindy/centos-redis:v1: the image name after packaging, with the tag value v1

Building with a Dockerfile is more complex. I found an example on the Internet; there is a lot of syntax to know, but the core idea is to write each of the steps above into a file and have docker build execute them in order. The following is a copied Dockerfile example:

Several key fields:

FROM (image name)
RUN (execute command)
EXPOSE (the port to be opened by the container)
ENTRYPOINT (hard to understand): lets a container be packaged as an application
CMD (hard to understand): the command to execute

The harder part is the difference between ENTRYPOINT and CMD. ENTRYPOINT lets the container be packaged as an application: for example, if ENTRYPOINT is followed by the parameter /usr/local/nginx, then after we attach to the container the effect is the same as what running the nginx command directly on Linux returns. CMD can be understood as the parameters that follow ENTRYPOINT. When we write a parameter such as --entrypoint /usr/local/bin/nginx, we can use the command docker run --entrypoint /usr/local/bin/nginx XXXX help, which is equivalent to running the nginx help command on a physical machine.
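The ENTRYPOINT/CMD rules described above, written out as an added example that is not part of the original article: a small model of how Docker combines the Dockerfile's ENTRYPOINT and CMD with the arguments and --entrypoint option given to docker run. The function and parameter names are hypothetical; the nginx path and the help argument are the ones used in the text.

```python
def as_argv(value):
    """Normalize a Dockerfile instruction value.

    A list is exec form and is used as-is; a string is shell form, which
    Docker wraps as /bin/sh -c "<string>". None means the instruction is unset.
    Returns (argv, is_shell_form).
    """
    if value is None:
        return [], False
    if isinstance(value, str):
        return ["/bin/sh", "-c", value], True
    return list(value), False


def effective_command(entrypoint=None, cmd=None, run_args=None, run_entrypoint=None):
    """Return the command that effectively runs as the container's main process.

    entrypoint / cmd: values from the Dockerfile (list = exec form, str = shell form)
    run_args:         arguments placed after the image name in `docker run`
    run_entrypoint:   value of `docker run --entrypoint`
    """
    if run_entrypoint is not None:
        # --entrypoint replaces ENTRYPOINT and discards the image's default CMD.
        return [run_entrypoint] + list(run_args or [])
    ep, ep_shell = as_argv(entrypoint)
    if ep_shell:
        # Shell-form ENTRYPOINT prevents CMD and docker run arguments from being used.
        return ep
    if run_args:
        # Arguments after the image name replace CMD.
        return ep + list(run_args)
    default, _ = as_argv(cmd)
    return ep + default
```

For an image with `ENTRYPOINT ["/usr/local/bin/nginx"]`, `effective_command(entrypoint=["/usr/local/bin/nginx"], run_args=["help"])` gives the same `nginx help` invocation the text describes.
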

My use of Docker is still fairly shallow, only at the application level, and it is not very relevant to my current work. When I have the chance, I will introduce the causes of the Docker Remote API unauthorized access vulnerability and how to prevent it.

  

  
