Docker Learning Tutorial Notes integration (complete)

Docker Learning Tutorial Notes integration (complete)

This article is mainly to organize the Dockerone organization translation Flux7 Docker Introductory tutorial, through Markdown Records, convenient offline learning. The original address, http://dockone.io/article/101.

Some of the links may be redirected to foreign sites, if there is no plugin or open a VPN friend, you can try to modify the Hosts file, how to modify the Hosts file. or using the Xxnet plugin, how to use Xxnet

Introduced

Docker is a new containerized technology, it is lightweight and portable, known as "build once, configure once and run Anywhere" (Translator Note: This is not translated, the taste is not translated) ". This article is the first part of the FLUX7 Docker series tutorial. Learn and understand the advantages of Docker with this tutorial, and how to use it better.

Let's study Docker together.

This article focuses on the basics of Docker: Docker features, ideas, and how to install and use Docker.

Docker features

Docker has a lot of interesting features that you will be able to understand better through this tutorial.

The features of Docker mainly include the following points:

• Fast and elegant isolation frame
• Cheap
• cpu/low consumption of memory
• Quick turn on/off
• Cross-Cloud infrastructure

Docker Components and elements

Docker has three components and three basic elements, and the reader can quickly navigate through the following video to see what these builds and elements are and how they relate to each other.
Each of the three components is:

* Docker Client是用户界面，它支持用户与Docker Daemon之间通信。* Docker Daemon运行于主机上，处理服务请求。* Docker Index是中央registry，支持拥有公有与私有访问权限的Docker容器镜像的备份。

The three basic elements are:

• Docker Containers is responsible for the operation of the application, including the operating system, user-added files, and meta-data.
• Docker images is a read-only template used to run Docker containers.
• Dockerfile is a file instruction set that shows how to create a docker image automatically.

Before discussing how Docker components interact with basic features, let's talk about the pillars of Docker. Docker uses the following operating system features to improve container technology efficiency:

• Namespaces acts as the first level of isolation. Ensure that a process is running in one container and cannot see or affect other processes outside the container.

• Control groups is an important part of LXC and has the key function of resource accounting and limitation.

• UnionFS (file system) as a building block for a container. To support the lightweight and fast nature of Docker, it creates a user layer.

How to put them together

There are two basic steps required to run any application:

1.构建一个镜像。2.运行容器。

These steps start with the Docker client command. The Docker client uses a Docker binary file. At the base level, the Docker client tells the Docker daemon which image to create and which commands to run within the container. When the daemon receives a signal to create the image, the following actions are performed:

1th Step: Build the image

As mentioned earlier, Docker image is a read-only template for a build container that contains all the information needed to start a container, including running programs and configuration data.
Each image originates from a basic image and then creates a template based on the instructions in Dockerfile. For each instruction, create a new layer on the mirror.

Once the mirrors have been created, they can be pushed to the central Registry:docker Index for others to use. However, Docker index provides two levels of access to mirroring: Public access and private access. You can store the images in a private warehouse, and the Docker website has a private warehouse package for you to choose from. In summary, public warehouses are searchable and reusable, and private warehouses can only be used by members with access rights. The Docker client can be used for mirror searches within Docker index.

2nd step: Run the container

The run container originates from the image we created in the first step. When the container is started, a read-write layer is added to the top layer of the mirror. When the appropriate network and IP addresses are assigned, the required applications can be run in the container.

If you still do not understand, do not worry, in the next content we will share with you a lot of practical cases.

So far, we've introduced the basic concept of Docker, and next, let's install Docker together.

Docker Installation Tutorials

Command

Detailed links

We will learn 15 Docker commands and learn how it works through practice.

First, let's check to see if Docker is installed correctly with the following command:

*docker Info

If this command is not found, the Docker installation is incorrect. If the installation is correct, it will output something like the following:

There is no mirror or container in the Docker at this stage. So let's create one by using a pre-built image of the command:

• sudo docker pull BusyBox

BusyBox is a minimal Linux system that provides the main features of the system and does not include some GNU-related features and options.

Next we will run a "Hello World" example, let's call it "Hello Docker".

• Docker Run Busybox/bin/echo Hello Docker
  

Now let's run the Hello Docker as a background process

• sample_job=$ (Docker run-d busybox/bin/sh-c "while true; do Echo Docker; Sleep 1; Done
  

The sample_job command prints Docker every second, using Docker logs to see the results of the output. If you do not name the job, the job will be assigned an ID, and later use of commands such as Docker logs to view the log will become more cumbersome.

Run the Docker logs command to see the current status of the job:

• Docker logs $sample _job

All Docker commands can be viewed with the following commands:

• Docker Help

A container named Sample_job, you can use the following command to stop:

• Docker Stop $sample _job

Use the following command to restart the container:

• Docker Restart $sample _job

If you want to completely remove a container, you need to stop the container before removing it. Like this:

• Docker Stop $sample _job
• Docker RM $sample _job

To save the state of the container as a mirror, use the following command:

• Docker commit $sample _job job1

Note that the image name can only take characters [A-z] and number [0-9].

Now you can use the following command to view a list of all mirrors:

• Docker images

In our previous Docker tutorial, we learned that mirroring is stored in Docker registry. The image in registry can be found by using the following command:

• Docker Search (Image-name)

To view the historical version of the image, you can execute the following command:

• Docker history (Image_name)

Finally, push the image to registry using the following command:

• Docker push (Image_name)

It is very important that you have to know that the repository is not the root repository and that it should use this format (user)/(repo_name).

These are some very basic Docker commands. In the sixth chapter of our Docker Tutorial series, we will discuss how to use Docker to run Python's web application, as well as some advanced Docker commands.

Dockerfile

Above, we introduced 15 Docker commands, you should have a general understanding of Docker. The 15 commands are used when creating images manually, and they cover the creation, submission, search, pull, and push functions of the mirror.

Now that's the problem, since Docker can create mirrors automatically, why choose a time-consuming and tedious way to create mirrors?

Docker provides us with the dockerfile to solve automation problems. In this article, we will discuss what is dockerfile, what it can do, and some of the basic syntax of Dockerfile.

Easy to automate commands

The dockerfile contains all the instructions needed to create the image. Based on the instructions in Dockerfile, we can use the Docker build command to create a mirror. Simplifies deployment by reducing the creation process of mirrors and containers.

The syntax commands supported by Dockerfile support are as follows:

• Instruction argument

Directives are case-insensitive. However, the naming convention is all uppercase.

All Dockerfile must start with the FROM command. The FROM command specifies which base image the image is based on, and the next command is based on the underlying image (the translator notes: Some commands for CentOS and Ubuntu are different). The FROM command can be used multiple times, indicating that multiple mirrors are created. The specific syntax is as follows:

• From

For example:

• From Ubuntu.

The above designation tells us that the new image will be built based on the Ubuntu image

Following the FROM command, Dockeffile also provides some additional commands for automation. The order of these commands in a text file or in a Dockerfile file is the order in which they are executed.

Let's take a look at these interesting dockerfile commands.

2. Maintainer: Sets the author of the image. The syntax is as follows:

   • Maintainer

4. Run: a command executed in the shell or exec environment. The Run command adds a new dimension to the newly created image, and the result of the submission is then used in the next instruction in Dockerfile. The syntax is as follows:

   • RUN "Command"

6. ADD: Copy file directive, it has two parameters source and destination. Destination is the path within the container. Source can be a URL or a file in the context of a startup configuration. The syntax is as follows:

   • ADD "src" "Destination"

8. CMD: Provides the container's default execution command. The Dockerfile only allows the use of a cmd command once. Using multiple cmd offsets all previous instructions, and only the last command takes effect. There are three forms of cmd:

   • CMD ["Executable", "param1", "param2"]
   • CMD ["param1", "param2"]
   • CMD command param1 param2

10. EXPOSE: Specifies the port on which the container listens at run time. The syntax is as follows:

    • EXPOSE;

12. EntryPoint: Configures an executable command for the container, which means that a specific application can be set as the default program each time the container is created with the image. It also means that the image can only run the specified application each time it is called. Similar to Cmd,docker allows only one entrypoint, multiple entrypoint will cancel out all previous instructions and only perform the final entrypoint instruction. The syntax is as follows:

    • entrypoint ["Executable", "param1", "param2"]
    • entrypoint command param1 param2

14. Workdir: Specifies the working directory of the Run, CMD, and entrypoint commands. The syntax is as follows:

    • Workdir/path/to/workdir

16. ENV: Set environment variables. They use key-value pairs to increase the flexibility of running the program. The syntax is as follows:

    • Env

18. USER: A UID is set when mirroring is running. The syntax is as follows:

    • USER

20. VOLUME: Authorizes access to directories from within the container to the host. The syntax is as follows:

    • VOLUME ["/data"]

Dockerfile Best Practices
As with any other application that you use, there are always best practices to follow. You can read more about Dockerfile's best practices.

The following are the basic dockerfile best practices that we have listed:

* 保持常见的指令像MAINTAINER以及从上至下更新Dockerfile命令;* 当构建镜像时使用可理解的标签，以便更好地管理镜像;* 避免在Dockerfile中映射公有端口;* CMD与ENTRYPOINT命令请使用数组语法。

Docker Registry

Above, we discussed the importance of Dockerfile and provided a series of DOCKERFILE commands to make it easier to build images automatically. In this article, we'll cover an important component of Docker: Docker Registry. It is the central registry of all warehouses (both shared and private) as well as workflows. Before going into Docker registry, let's take a look at some common terminology and warehouse-related concepts.

1.Repositories (warehouses) can be labeled like or tagged like bookmarks.
2. Users can comment under the warehouse.
3. A private warehouse is similar to a shared warehouse, except that the former does not appear in the search results and does not have permission to access it. Only users who are set up as collaborators can access the private warehouse.
4. Configure webhooks after successful push.

The Docker Registry has three roles, the index, the registry, and the registry client, respectively.

Character 1–index

Index is responsible for and maintains information about user accounts, mirrored checksums, and public namespaces. It maintains this information using the following components:

Web UI元数据存储认证服务符号化

This also breaks down the longer URLs to facilitate the use and validation of the user repository.

Character 2–registry

Registry is the repository for mirrors and graphs. However, it does not have a local database and does not provide user authentication, which is supported by S3, cloud files, and local file systems. In addition, the identity is authenticated through the token method of the index Auth service. Registries can have different types. Now let's analyze several of these types:

Sponsor Registry：第三方的registry，供客户和Docker社区使用。Mirror Registry：第三方的registry，只让客户使用。Vendor Registry：由发布Docker镜像的供应商提供的registry。Private Registry：通过设有防火墙和额外的安全层的私有实体提供的registry。

Role 3–registry Client

Docker acts as a registry client for the task of maintaining push and pull, as well as the authorization of the client.

Docker Registry Workflow Detailed

Now let's talk about five scenarios to get a better understanding of Docker Registry.

Scenario A: The user wants to get and download the image. The steps involved are as follows:

1. The user sends the request to index to download the image.

2.index responds and returns three related pieces of information:

• The image is located in the registry
• This image includes a checksum for all layers
• Token for authorization > Note: Tokens are returned when a x-docker-token is requested in the header. Private warehouses require Basic authentication, which is not mandatory for public warehouses.

3. The user communicates with the token and registry returned after the response, Registry is solely responsible for mirroring, which is used to store basic images and inherited layers.

4.registry will now confirm with index that the token is authorized.

5.index sends "true" or "false" to registry, thus determining whether the user is allowed to download the required image.

Scenario B: The user wants to push the image to registry. The steps involved are as follows:

1.用户发送附带证书的请求到index要求分配库名。2.在认证成功，命名空间可用之后，库名也被分配。index发出响应返回临时的token。3.镜像连带token，一起被推送到registry中。4.registry与index证实token被授权，然后在index验证之后开始读取推送流。5.该index由Docker校验的镜像更新。

Scenario C: The user wants to remove the image from index or registry:

1.index接收来自Docker一个删除库的信号。2.如果index对库验证成功，它将删除该库，并返回一个临时的token。3.registry现在接收到带有该token的删除信号。4.registry与index核实该token，然后删除库以及所有与其相关的信息。5.Docker现在通知有关删除的index，然后index移除库的所有记录。

Scenario D: The user wants to use registry in standalone mode without index.
Using registry without index, which is completely controlled by Docker, is best suited for storing images in a private network. The registry is running in a special mode that restricts the communication between registry and Docker index. All information about security and authentication requires the user's own attention.

Scenario E: The user wants to use Registry in standalone mode with index.
In this case, a custom index is created in the private network to store and access the mirror's problem. However, it is time-consuming to notify Docker about the custom index. Docker provides an interesting concept chaining registries, which allows for load balancing and registry allocations specified for specific requests. In the next series of Docker tutorials, we'll discuss how to use the Docker Registry API in each of these scenarios, and get an insight into Docker Security.

Docker Security

We must attach great importance to the security of open source software, and when developers are using Docker, there is no difference in how they build applications from the local to the production environment (note: The author's implication is that more attention should be paid to Docker's security issues). When Docker is used by more and more platforms, we need to strictly guarantee the security of Docker as a project or platform.

Therefore, we decided to discuss the issues related to Docker security and why they affect the overall security of Docker in the fifth chapter of the Docker series. Because Docker is an extension of LXC, it is also easy to use the security features of LXC.

In the first article in this series, we know that the Docker Run command can be used to run the container. What specific work does Docker do after running this command? Specific as follows:

1.docker run命令初始化。2.Docker 运行 lxc-start 来执行run命令。3.lxc-start 在容器中创建了一组namespace和Control Groups。

For those of you who do not know the concept of namespace and control groups, let me explain to them here: namespace is the first level of isolation, the containers are isolated from each other, A container is a process that cannot be seen running inside other containers (Translator Note: namespace series tutorials can read the series of tutorials on Dockerone). Each container is assigned a separate network stack, so a container cannot access the sockets of another container. In order to support IP communication between containers, you must specify the public IP port of the container.

Control groups is a very important component that has the following features:

1.负责资源核算和限制。2.提供CPU、内存、I/O和网络相关的指标。3.避免某种DoS攻击。4.支持多租户平台。

The attack surface of Docker daemon
Docker daemon runs as root, which means there are some issues that require extra care.
Here are some things to keep in mind:

1 当Docker允许与访客容器目录共享而不限制其访问权限时，Docker Daemon的控制权应该只给授权用户。2 REST API支持Unix sockets，从而防止了cross-site-scripting攻击。3 REST API的HTTP接口应该在可信网络或者VPN下使用。4 在服务器上单独运行Docker时，需要与其它服务隔离。

Some of the key Docker security features include:

1 容器以非特权用户运行。2 Apparmor、SELinux、GRSEC解决方案，可用于额外的安全层。3 可以使用其它容器系统的安全功能。

Docker.io API

For managing several processes related to authorization and security, Docker provides rest APIs. The following table lists some of the commands that this API uses to maintain related security features.

The other 15 Docker commands

In the previous article, we introduced 15 Docker commands and shared their hands-on experience. In this article, we will learn about the other 15 Docker commands. Each of them is:

Daemon:

Docker Daemon is a background process for managing containers. In general, the daemon is a long-running process service to process requests. The-d parameter is used to run the background process.

Build:

As discussed earlier, you can use Dockerfile to build the image. The simple build command is as follows:
Docker build [options] PATH | Url
There are additional options provided by Docker, such as:
–rm=true indicates that all intermediate containers are removed after a successful build
–no-cache=false means that the cache is not used during the build process

The following is a table using the Docker build command.

Attach:

Docker allows you to interact with a running container using the Attach command, and you can observe the health of the process inside the container at any time. Exiting a container can be done in two ways:

1 Ctrl+C 直接退出2 Ctrl-\ 退出并显示堆栈信息（stack trace）

The syntax of the Attach command is:

• Docker Attach Container

The following is a display of the Execute attach command.

diff:

Docker provides a very powerful command diff that lists the files and directories that have changed within the container. These changes include add (a-add), delete (D-delete), modify (C-change). This command facilitates debug and enables fast sharing of the environment.

The syntax is:

• Docker diff container

Displays the execution of the diff.

vents:
Prints real-time system events for containers within a specified time.

Import:
Docker can import remote files, local files, and directories. The URL to use HTTP is imported from a remote location, and the import of a local file or directory requires the-parameter. The syntax for importing from a remote location is:

• Docker Import Http://example.com/example.tar

Represents a local file:

Export:

Similar to the Import,export command is used to package a container's system files into a tar file.

Describes the process of its execution:

CP:

The command is to copy files from within the container to the specified path. The syntax is as follows:

• Docker CP Container:path Hostpath.

Shows the execution of the CP command.

Login:

This command is used to log on to the Docker Registry server with the following syntax:

• Docker login [Options] [Server]

To log in to your host's registry, use:

Docker Login localhost:8080

Inspect:
The Docker Inspect command collects the underlying information about containers and mirrors. This information includes:

容器实例的IP地址端口绑定列表特定端口映射的搜索收集配置的详细信息

The syntax for this command is:

• Docker Inspect Container/image

Kill:

Sends a sigkill signal to stop the main process of the container. The syntax is:

• Docker kill [Options] Container

RMI:

The command can remove one or more mirrors with the following syntax:

• Docker RMI Image

A mirror can have multiple tabs linked to it. When you delete a mirror, you should be sure to remove all relevant tags to avoid errors. Shows an example of the command.

wait:

Blocks other calling methods on the specified container until the container stops and exits blocking.

load:

This command loads the photographed image or warehouse to stdin from the tar file.

Show loading App_box.tar to stdin:

Save:

Similar to load, the command saves the image as a tar file and sends it to STDOUT. The syntax is as follows:

• Docker Save Image

A simple example is as follows:

Docker Learning Tutorial Notes integration (complete)