SlideShare une entreprise Scribd logo

DCEU 18: Tips and Tricks of the Docker Captains

Docker, Inc.
Docker, Inc.

Brandon Mitchell - Solutions Architect, BoxBoat Docker Captain Brandon Mitchell will help you accelerate your adoption of Docker containers by delivering tips and tricks on getting the most out of Docker. Topics include managing disk usage, preventing subnet collisions, debugging container networking, understanding image layers, getting more value out of the default volume driver, and solving the UID/GID permission issues with volumes in a way that allows images to be portable from any developer laptop and to production.

Technologie
1  sur  63
Télécharger pour lire hors ligne
Pruning Cleaning Logs + YAML Network Address Pools Netshoot Layers Buildkit Local Volume Driver Fixing Permissions Agenda 1 / 63
Brandon Mitchell Twitter: @sudo_bmitch GitHub: sudo-bmitch Tips and Tricks From A Docker Captain 2 / 63
$ whoami - Solutions Architect @ BoxBoat - Docker Captain - Frequenter of StackOverflow 3 / 63
Who is a Developer? 4 / 63
Ops 101 - Full Harddrive 5 / 63
Prune $ docker system prune WARNING! This will remove: - all stopped containers - all networks not used by at least one container - all dangling images - all build cache 6 / 63
Prune $ docker system prune WARNING! This will remove: - all stopped containers - all networks not used by at least one container - all dangling images - all build cache What this doesn't clean by default: Running containers (and their logs) Tagged images Volumes 7 / 63
Prune - YOLO $ docker run -d --restart=unless-stopped --name cleanup -v /var/run/docker.sock:/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" 8 / 63
Prune - YOLO $ docker run -d --restart=unless-stopped --name cleanup -v /var/run/docker.sock:/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" $ docker service create --mode global --name cleanup --mount type=bind,src=/var/run/docker.sock, dst=/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" 9 / 63
Clean Your Logs Docker logs to per container json files by default, without any limits Rotating yourself could break that json formatting Luckily "without any limits" is just the default... we can change that 10 / 63
Clean Your Logs $ docker container run --log-opt max-size=10m --log-opt max-file=3 ... 11 / 63
Clean Your Logs $ docker container run --log-opt max-size=10m --log-opt max-file=3 ... $ cat docker-compose.yml version: '3.7' services: app: image: your_app logging: options: max-size: "10m" max-file: "3" 12 / 63
Clean Your Logs version: '3.7' x-default-opts: &default-opts logging: options: max-size: "10m" max-file: "3" services: app_a: <<: *default-opts image: your_app_a app_b: <<: *default-opts image: your_app_b 13 / 63
Clean Your Logs $ cat /etc/docker/daemon.json { "log-opts": {"max-size": "10m", "max-file": "3"} } $ systemctl reload docker 14 / 63
15 / 63
16 / 63
Networking 17 / 63
Subnet Collisions Docker networks sometimes conflict with other networks 18 / 63
Subnet Collisions Docker networks sometimes conflict with other networks Originally we had the BIP setting $ cat /etc/docker/daemon.json { "bip": "10.15.0.0/24" } 19 / 63
Subnet Collisions Default address poll added in 18.06 $ cat /etc/docker/daemon.json { "bip": "10.15.0.0/24", "default-address-pools": [ {"base": "10.20.0.0/16", "size": 24}, {"base": "10.40.0.0/16", "size": 24} ] } 20 / 63
Subnet Collisions $ docker swarm init --help ... --default-addr-pool ipNetSlice --default-addr-pool-mask-length uint32 21 / 63
Subnet Collisions $ docker swarm init --help ... --default-addr-pool ipNetSlice --default-addr-pool-mask-length uint32 $ docker swarm init --default-addr-pool 10.20.0.0/16 --default-addr-pool 10.40.0.0/16 --default-addr-pool-mask-length 24 22 / 63
Network Debugging Networks in docker come in a few flavors: bridge, overlay, host, none You can also configure the network namespace to be another container 23 / 63
Network Debugging Networks in docker come in a few flavors: bridge, overlay, host, none You can also configure the network namespace to be another container $ docker run --name web-app -p 9080:80 -d nginx $ docker run -it --rm --net container:web-app nicolaka/netshoot ss -lnt State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* 24 / 63
Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 25 / 63
Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes $ curl localhost:9080 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> ... 26 / 63
Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 14:08:58.878822 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [S],... 14:08:58.878848 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [S.],.. 14:08:58.878872 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879089 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [P.],.. 14:08:58.879110 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [.],... 14:08:58.879208 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [P.],.. 14:08:58.879238 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879267 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [P.],.. 14:08:58.879285 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879695 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [F.],.. 14:08:58.879739 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [F.],.. 14:08:58.879776 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 27 / 63
Layers and Volumes 28 / 63
Understanding Layers $ docker image inspect localhost:5000/jenkins-docker:latest --format '{{json .RootFS.Layers}}' | jq . [ "sha256:b28ef0b6fef80faa25436bec0a1375214d9a23a91e9b75975bb...", ... "sha256:08794ff8753b0fbca869a7ece2dff463cdb7cffd5d7ce792ec0...", "sha256:37986c5c5dff18257b9a12a19801828a80aea036992b34d35a3...", "sha256:34bb0412a3f6c0f3684e05fcd0a301dc999510511c3206d8cd3...", "sha256:696245ae585527c34e2cbc0d01d333aa104693e12e0b79cf193...", "sha256:91b63ceb91a75edb481c1ef8b005f9a55aa39d57ac6cc6ef490...", "sha256:afddea070d31e748730901215d11b546f4f212114e38e685465...", "sha256:0c05256b3bb44190557669126bf69897c7faf7628ff1ed2e2d4...", "sha256:0c05256b3bb44190557669126bf69897c7faf7628ff1ed2e2d4..." ] 29 / 63
Understanding Layers $ docker image inspect jenkins/jenkins:lts --format '{{json .RootFS.Layers}}' | jq . [ "sha256:b28ef0b6fef80faa25436bec0a1375214d9a23a91e9b75975bb...", ... "sha256:08794ff8753b0fbca869a7ece2dff463cdb7cffd5d7ce792ec0...", "sha256:37986c5c5dff18257b9a12a19801828a80aea036992b34d35a3...", "sha256:34bb0412a3f6c0f3684e05fcd0a301dc999510511c3206d8cd3..." ] 30 / 63
Understanding Layers $ docker image history localhost:5000/jenkins-docker:latest IMAGE CREATED CREATED BY SIZE COMMENT 6ca185e69f2e 292 years ago LABEL org.label-schema 0B buildkit <missing> 292 years ago HEALTHCHECK &{["CMD-SH 0B buildkit <missing> 292 years ago ENTRYPOINT ["/entrypoi 0B buildkit <missing> 3 weeks ago COPY entrypoint.sh /en 1.08kB buildkit <missing> 3 weeks ago RUN |2 GOSU_VERSION=1. 203MB buildkit <missing> 3 weeks ago RUN /bin/sh -c apt-get 83.6MB buildkit <missing> 292 years ago USER root 0B buildkit <missing> 6 weeks ago /bin/sh -c #(nop) COPY 6.11kB <missing> 6 weeks ago /bin/sh -c #(nop) USER 0B <missing> 6 weeks ago /bin/sh -c #(nop) EXPO 0B <missing> 7 weeks ago /bin/sh -c apt-get upd 2.21MB <missing> 7 weeks ago /bin/sh -c #(nop) ADD 101MB 31 / 63
Understanding Layers $ DOCKER_BUILDKIT=0 docker build --no-cache --rm=false . Sending build context to Docker daemon 146.4kB ... Step 5/17 : RUN apt-get update && DEBIAN_FRONTEND=noninteracti... ---> Running in 1fc215ebb603 ... ---> d6dff86e8b89 Step 9/17 : RUN curl -fsSL https://download.docker.com/linux/de... ---> Running in a7a3a942a617 ... ---> a241c22525d8 ... Successfully built b01e4c46a2bf 32 / 63
Understanding Layers $ docker container diff 1fc215ebb603 C /etc A /etc/python3.5 A /etc/python3.5/sitecustomize.py ... C /usr/bin A /usr/bin/pygettext3 A /usr/bin/helpztags A /usr/bin/python3 A /usr/bin/rvim A /usr/bin/view A /usr/bin/python3.5 ... 33 / 63
Understanding Layers If you create a temporary file in a step, delete it in that same step Look for unexpected changes that trigger a copy-on-write, e.g. timestamps Do your dirty work in early stages of a multi-stage build 34 / 63
Merge RUN Commands RUN apt-get update RUN apt-get install -y curl RUN rm -rf /var/lib/apt/lists/* 35 / 63
Merge RUN Commands RUN apt-get update RUN apt-get install -y curl RUN rm -rf /var/lib/apt/lists/* RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* 36 / 63
Use Multi-Stage FROM openjdk:jdk as build RUN apt-get update && apt-get install -y maven COPY code /code RUN mvn build FROM openjdk:jre as final COPY --from build /code/app.jar /app.jar ENTRYPOINT ["java", "-jar", "/app.jar"] 37 / 63
"Hold my beer." --BuildKit 38 / 63
BuildKit is Awesome # syntax = tonistiigi/dockerfile:runmount20180607 FROM openjdk:jdk as build RUN apt-get update && apt-get install -y maven RUN --mount=type=bind,target=/code,source=code --mount=type=cache,target=/root/.m2 mvn build FROM openjdk:jre as final COPY --from build /output/app.jar /app.jar ENTRYPOINT ["java", "-jar", "/app.jar"] 39 / 63
BuildKit is Awesome # syntax = docker/dockerfile:experimental FROM python:3 RUN pip install awscli RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 cp s3://... ... $ docker build --secret id=aws,src=$HOME/.aws/credentials -t s3-app . 40 / 63
BuildKit is Awesome $ export DOCKER_BUILDKIT=1 $ docker build -t your_image . 41 / 63
BuildKit is Awesome $ export DOCKER_BUILDKIT=1 $ docker build -t your_image . $ cat /etc/docker/daemon.json { "features": {"buildkit": true} } 42 / 63
Volumes 43 / 63
Local Volume Driver 44 / 63
NFS Mounts version: '3.7' volumes: nfs-data: driver: local driver_opts: type: nfs o: nfsvers=4,addr=nfs.example.com,rw device: ":/path/to/dir" services: app: volumes: - nfs-data:/data ... 45 / 63
Other Filesystem Mounts version: '3.7' volumes: ext-data: driver: local driver_opts: type: ext4 o: ro device: "/dev/sdb1" services: app: volumes: - ext-data:/data ... 46 / 63
Overlay Filesystem as a Volume version: '3.7' volumes: overlay-data: driver: local driver_opts: type: overlay device: overlay o: lowerdir=${PWD}/data2:${PWD}/data1, upperdir=${PWD}/upper,workdir=${PWD}/workdir services: app: volumes: - overlay-data:/data ... 47 / 63
Named Bind Mount version: '3.7' volumes: bind-test: driver: local driver_opts: type: none o: bind device: /home/user/test services: app: volumes: - "bind-test:/test" ... 48 / 63
That's nice, but I just use: $(pwd)/code:/code 49 / 63
That's nice, but I just use: $(pwd)/code:/code "$(pwd)/code:/code" 50 / 63
Fixing UID/GID FROM openjdk:jdk as build RUN useradd -m app USER app COPY code /home/app/code RUN --mount=target=/home/app/.m2,type=cache mvn build CMD ["java", "-jar", "/home/app/app.jar"] 51 / 63
Fixing UID/GID version: '3.7' volumes: m2: services: app: build: context: . target: build image: registry:5000/app/app:dev command: "/bin/sh -c 'mvn build && java -jar /home/app/app.jar' volumes: - ./code:/home/app/code - m2:/home/app/.m2 52 / 63
Fixing UID/GID Error accessing /home/app/code: permission denied 53 / 63
Fixing UID/GID Error accessing /home/app/code: permission denied UID of app inside the container doesn't match developer's UID on the host 54 / 63
Fixing UID/GID Possible solutions: Run everything as root Change permissions to 777 Adjust each developers uid/gid to match image Adjust image uid/gid to match developers Change the container uid/gid from run or compose 55 / 63
Fixing UID/GID Possible solutions: Run everything as root Change permissions to 777 Adjust each developers uid/gid to match image Adjust image uid/gid to match developers Change the container uid/gid from run or compose "... or we could use a shell script" - Some Ops Guy 56 / 63
Disclaimer The following slide may not be suitable for all audiences 57 / 63
Fixing UID/GID # update the uid if [ -n "$opt_u" ]; then OLD_UID=$(getent passwd "${opt_u}" | cut -f3 -d:) NEW_UID=$(ls -nd "$1" | awk '{print $3}') if [ "$OLD_UID" != "$NEW_UID" ]; then echo "Changing UID of $opt_u from $OLD_UID to $NEW_UID" usermod -u "$NEW_UID" -o "$opt_u" if [ -n "$opt_r" ]; then find / -xdev -user "$OLD_UID" -exec chown -h "$opt_u" {} ; fi fi fi 58 / 63
Fixing UID/GID FROM openjdk:jdk as build COPY --from=sudobmitch/base:scratch / / COPY entrypoint.sh /usr/bin/ ENTRYPOINT ["/usr/bin/entrypointd.sh"] RUN useradd -m app USER app COPY code /home/app/code RUN --mount=target=/home/app/.m2,type=cache mvn build CMD ["java", "-jar", "/home/app/app.jar"] 59 / 63
Fixing UID/GID #!/bin/sh if [ "$(id -u)" = "0" ]; then fix-perms -r -u app -g app /code exec gosu app "$@" else exec "$@" fi 60 / 63
Fixing UID/GID version: '3.7' volumes: m2: services: app: build: context: . target: build image: registry:5000/app/app:dev command: "/bin/sh -c 'mvn build && java -jar /home/app/app.jar' user: "0.0" volumes: - ./code:/home/app/code - m2:/home/app/.m2 61 / 63
Fixing UID/GID Developers can run the same image and compose file on multiple systems App runs with the developers individual uid/gid Changes to ./code are owned by the developer Same image in prod can run without ever needing root 62 / 63
Brandon Mitchell Twitter: @sudo_bmitch GitHub: sudo-bmitch Thank You github.com/sudo-bmitch/presentations github.com/sudo-bmitch/docker-base 63 / 63

Recommandé

DCEU 18: Dockerfile Best Practices
DCEU 18: Dockerfile Best PracticesDCEU 18: Dockerfile Best Practices
DCEU 18: Dockerfile Best Practices
Docker, Inc.
 
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
Docker, Inc.
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
Docker, Inc.
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOps
andersjanmyr
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
Docker, Inc.
 
What’s New in Docker - Victor Vieux, Docker
What’s New in Docker - Victor Vieux, DockerWhat’s New in Docker - Victor Vieux, Docker
What’s New in Docker - Victor Vieux, Docker
Docker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
Docker, Inc.
 

Recommandé

DCEU 18: Dockerfile Best Practices
DCEU 18: Dockerfile Best PracticesDCEU 18: Dockerfile Best Practices
DCEU 18: Dockerfile Best Practices
Docker, Inc.
 
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
Docker, Inc.
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
Docker, Inc.
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOps
andersjanmyr
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
Docker, Inc.
 
What’s New in Docker - Victor Vieux, Docker
What’s New in Docker - Victor Vieux, DockerWhat’s New in Docker - Victor Vieux, Docker
What’s New in Docker - Victor Vieux, Docker
Docker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
Docker, Inc.
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discovery
Docker, Inc.
 
TIAD 2016 : Migrating 100% of your production services to containers
TIAD 2016 : Migrating 100% of your production services to containersTIAD 2016 : Migrating 100% of your production services to containers
TIAD 2016 : Migrating 100% of your production services to containers
The Incredible Automation Day
 
Docker to the Rescue of an Ops Team
Docker to the Rescue of an Ops TeamDocker to the Rescue of an Ops Team
Docker to the Rescue of an Ops Team
Rachid Zarouali
 
DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains
Docker, Inc.
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
Docker Container As A Service - JAX 2016
Docker Container As A Service - JAX 2016Docker Container As A Service - JAX 2016
Docker Container As A Service - JAX 2016
Patrick Chanezon
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...
Docker, Inc.
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
William Stewart
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Nati Shalom
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
Arun prasath
 
Deployment Automation with Docker
Deployment Automation with DockerDeployment Automation with Docker
Deployment Automation with Docker
Egor Pushkin
 
Docker Basics & Alfresco Content Services
Docker Basics & Alfresco Content ServicesDocker Basics & Alfresco Content Services
Docker Basics & Alfresco Content Services
Sujay Pillai
 
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Patrick Chanezon
 
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeCon EU 2016: Kubernetes and the Potential for Higher Level InterfacesKubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeAcademy
 
Docker Container As A Service - March 2016
Docker Container As A Service - March 2016Docker Container As A Service - March 2016
Docker Container As A Service - March 2016
Patrick Chanezon
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David Gageot
Docker, Inc.
 
Building kubectl plugins with Quarkus | DevNation Tech Talk
Building kubectl plugins with Quarkus | DevNation Tech TalkBuilding kubectl plugins with Quarkus | DevNation Tech Talk
Building kubectl plugins with Quarkus | DevNation Tech Talk
Red Hat Developers
 
Using Docker in the Real World
Using Docker in the Real WorldUsing Docker in the Real World
Using Docker in the Real World
Tim Haak
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
Araf Karsh Hamid
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Docker, Inc.
 
Docker practice
Docker practiceDocker practice
Docker practice
wonyong hwang
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
Michelle Holley
 

Contenu connexe

Tendances

[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Nati Shalom
 

Tendances (20)

Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discovery
 
TIAD 2016 : Migrating 100% of your production services to containers
TIAD 2016 : Migrating 100% of your production services to containersTIAD 2016 : Migrating 100% of your production services to containers
TIAD 2016 : Migrating 100% of your production services to containers
 
Docker to the Rescue of an Ops Team
Docker to the Rescue of an Ops TeamDocker to the Rescue of an Ops Team
Docker to the Rescue of an Ops Team
 
DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
 
Docker Container As A Service - JAX 2016
Docker Container As A Service - JAX 2016Docker Container As A Service - JAX 2016
Docker Container As A Service - JAX 2016
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
Deployment Automation with Docker
Deployment Automation with DockerDeployment Automation with Docker
Deployment Automation with Docker
 
Docker Basics & Alfresco Content Services
Docker Basics & Alfresco Content ServicesDocker Basics & Alfresco Content Services
Docker Basics & Alfresco Content Services
 
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
 
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeCon EU 2016: Kubernetes and the Potential for Higher Level InterfacesKubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
 
Docker Container As A Service - March 2016
Docker Container As A Service - March 2016Docker Container As A Service - March 2016
Docker Container As A Service - March 2016
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David Gageot
 
Building kubectl plugins with Quarkus | DevNation Tech Talk
Building kubectl plugins with Quarkus | DevNation Tech TalkBuilding kubectl plugins with Quarkus | DevNation Tech Talk
Building kubectl plugins with Quarkus | DevNation Tech Talk
 
Using Docker in the Real World
Using Docker in the Real WorldUsing Docker in the Real World
Using Docker in the Real World
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
 

Similaire à DCEU 18: Tips and Tricks of the Docker Captains

Painless Perl Ports with cpan2port
Painless Perl Ports with cpan2portPainless Perl Ports with cpan2port
Painless Perl Ports with cpan2port
Benny Siegert
 

Similaire à DCEU 18: Tips and Tricks of the Docker Captains (20)

Docker practice
Docker practiceDocker practice
Docker practice
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
 
Check the version with fixes. Link in description
Check the version with fixes. Link in descriptionCheck the version with fixes. Link in description
Check the version with fixes. Link in description
 
Docker as an every day work tool
Docker as an every day work toolDocker as an every day work tool
Docker as an every day work tool
 
AtlasCamp 2015 Docker continuous integration training
AtlasCamp 2015 Docker continuous integration trainingAtlasCamp 2015 Docker continuous integration training
AtlasCamp 2015 Docker continuous integration training
 
DeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerDeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to Docker
 
Docker command
Docker commandDocker command
Docker command
 
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
 
Challenges of container configuration
Challenges of container configurationChallenges of container configuration
Challenges of container configuration
 
Docker perl build
Docker perl buildDocker perl build
Docker perl build
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
 
Docker container management
Docker container managementDocker container management
Docker container management
 
Using Nix and Docker as automated deployment solutions
Using Nix and Docker as automated deployment solutionsUsing Nix and Docker as automated deployment solutions
Using Nix and Docker as automated deployment solutions
 
Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks
 
Pursue container architecture with mincs
Pursue container architecture with mincsPursue container architecture with mincs
Pursue container architecture with mincs
 
Painless Perl Ports with cpan2port
Painless Perl Ports with cpan2portPainless Perl Ports with cpan2port
Painless Perl Ports with cpan2port
 
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiWhat's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
 

Plus de Docker, Inc.

Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
Docker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
Docker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
Docker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
Docker, Inc.
 
Sharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at ConferencesSharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at Conferences
Docker, Inc.
 

Plus de Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 
Sharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at ConferencesSharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at Conferences
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

DCEU 18: Tips and Tricks of the Docker Captains

  • 1. Pruning Cleaning Logs + YAML Network Address Pools Netshoot Layers Buildkit Local Volume Driver Fixing Permissions Agenda 1 / 63
  • 2. Brandon Mitchell Twitter: @sudo_bmitch GitHub: sudo-bmitch Tips and Tricks From A Docker Captain 2 / 63
  • 3. $ whoami - Solutions Architect @ BoxBoat - Docker Captain - Frequenter of StackOverflow 3 / 63
  • 4. Who is a Developer? 4 / 63
  • 5. Ops 101 - Full Harddrive 5 / 63
  • 6. Prune $ docker system prune WARNING! This will remove: - all stopped containers - all networks not used by at least one container - all dangling images - all build cache 6 / 63
  • 7. Prune $ docker system prune WARNING! This will remove: - all stopped containers - all networks not used by at least one container - all dangling images - all build cache What this doesn't clean by default: Running containers (and their logs) Tagged images Volumes 7 / 63
  • 8. Prune - YOLO $ docker run -d --restart=unless-stopped --name cleanup -v /var/run/docker.sock:/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" 8 / 63
  • 9. Prune - YOLO $ docker run -d --restart=unless-stopped --name cleanup -v /var/run/docker.sock:/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" $ docker service create --mode global --name cleanup --mount type=bind,src=/var/run/docker.sock, dst=/var/run/docker.sock docker /bin/sh -c "while true; do docker system prune -f; sleep 1h; done" 9 / 63
  • 10. Clean Your Logs Docker logs to per container json files by default, without any limits Rotating yourself could break that json formatting Luckily "without any limits" is just the default... we can change that 10 / 63
  • 11. Clean Your Logs $ docker container run --log-opt max-size=10m --log-opt max-file=3 ... 11 / 63
  • 12. Clean Your Logs $ docker container run --log-opt max-size=10m --log-opt max-file=3 ... $ cat docker-compose.yml version: '3.7' services: app: image: your_app logging: options: max-size: "10m" max-file: "3" 12 / 63
  • 13. Clean Your Logs version: '3.7' x-default-opts: &default-opts logging: options: max-size: "10m" max-file: "3" services: app_a: <<: *default-opts image: your_app_a app_b: <<: *default-opts image: your_app_b 13 / 63
  • 14. Clean Your Logs $ cat /etc/docker/daemon.json { "log-opts": {"max-size": "10m", "max-file": "3"} } $ systemctl reload docker 14 / 63
  • 18. Subnet Collisions Docker networks sometimes conflict with other networks 18 / 63
  • 19. Subnet Collisions Docker networks sometimes conflict with other networks Originally we had the BIP setting $ cat /etc/docker/daemon.json { "bip": "10.15.0.0/24" } 19 / 63
  • 20. Subnet Collisions Default address poll added in 18.06 $ cat /etc/docker/daemon.json { "bip": "10.15.0.0/24", "default-address-pools": [ {"base": "10.20.0.0/16", "size": 24}, {"base": "10.40.0.0/16", "size": 24} ] } 20 / 63
  • 21. Subnet Collisions $ docker swarm init --help ... --default-addr-pool ipNetSlice --default-addr-pool-mask-length uint32 21 / 63
  • 22. Subnet Collisions $ docker swarm init --help ... --default-addr-pool ipNetSlice --default-addr-pool-mask-length uint32 $ docker swarm init --default-addr-pool 10.20.0.0/16 --default-addr-pool 10.40.0.0/16 --default-addr-pool-mask-length 24 22 / 63
  • 23. Network Debugging Networks in docker come in a few flavors: bridge, overlay, host, none You can also configure the network namespace to be another container 23 / 63
  • 24. Network Debugging Networks in docker come in a few flavors: bridge, overlay, host, none You can also configure the network namespace to be another container $ docker run --name web-app -p 9080:80 -d nginx $ docker run -it --rm --net container:web-app nicolaka/netshoot ss -lnt State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* 24 / 63
  • 25. Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 25 / 63
  • 26. Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes $ curl localhost:9080 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> ... 26 / 63
  • 27. Network Debugging $ docker run -it --rm --net container:web-app nicolaka/netshoot tcpdump -n port 80 14:08:58.878822 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [S],... 14:08:58.878848 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [S.],.. 14:08:58.878872 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879089 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [P.],.. 14:08:58.879110 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [.],... 14:08:58.879208 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [P.],.. 14:08:58.879238 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879267 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [P.],.. 14:08:58.879285 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 14:08:58.879695 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [F.],.. 14:08:58.879739 IP 172.17.0.2.80 > 172.17.0.1.55194: Flags [F.],.. 14:08:58.879776 IP 172.17.0.1.55194 > 172.17.0.2.80: Flags [.],... 27 / 63
  • 29. Understanding Layers $ docker image inspect localhost:5000/jenkins-docker:latest --format '{{json .RootFS.Layers}}' | jq . [ "sha256:b28ef0b6fef80faa25436bec0a1375214d9a23a91e9b75975bb...", ... "sha256:08794ff8753b0fbca869a7ece2dff463cdb7cffd5d7ce792ec0...", "sha256:37986c5c5dff18257b9a12a19801828a80aea036992b34d35a3...", "sha256:34bb0412a3f6c0f3684e05fcd0a301dc999510511c3206d8cd3...", "sha256:696245ae585527c34e2cbc0d01d333aa104693e12e0b79cf193...", "sha256:91b63ceb91a75edb481c1ef8b005f9a55aa39d57ac6cc6ef490...", "sha256:afddea070d31e748730901215d11b546f4f212114e38e685465...", "sha256:0c05256b3bb44190557669126bf69897c7faf7628ff1ed2e2d4...", "sha256:0c05256b3bb44190557669126bf69897c7faf7628ff1ed2e2d4..." ] 29 / 63
  • 30. Understanding Layers $ docker image inspect jenkins/jenkins:lts --format '{{json .RootFS.Layers}}' | jq . [ "sha256:b28ef0b6fef80faa25436bec0a1375214d9a23a91e9b75975bb...", ... "sha256:08794ff8753b0fbca869a7ece2dff463cdb7cffd5d7ce792ec0...", "sha256:37986c5c5dff18257b9a12a19801828a80aea036992b34d35a3...", "sha256:34bb0412a3f6c0f3684e05fcd0a301dc999510511c3206d8cd3..." ] 30 / 63
  • 31. Understanding Layers $ docker image history localhost:5000/jenkins-docker:latest IMAGE CREATED CREATED BY SIZE COMMENT 6ca185e69f2e 292 years ago LABEL org.label-schema 0B buildkit <missing> 292 years ago HEALTHCHECK &{["CMD-SH 0B buildkit <missing> 292 years ago ENTRYPOINT ["/entrypoi 0B buildkit <missing> 3 weeks ago COPY entrypoint.sh /en 1.08kB buildkit <missing> 3 weeks ago RUN |2 GOSU_VERSION=1. 203MB buildkit <missing> 3 weeks ago RUN /bin/sh -c apt-get 83.6MB buildkit <missing> 292 years ago USER root 0B buildkit <missing> 6 weeks ago /bin/sh -c #(nop) COPY 6.11kB <missing> 6 weeks ago /bin/sh -c #(nop) USER 0B <missing> 6 weeks ago /bin/sh -c #(nop) EXPO 0B <missing> 7 weeks ago /bin/sh -c apt-get upd 2.21MB <missing> 7 weeks ago /bin/sh -c #(nop) ADD 101MB 31 / 63
  • 32. Understanding Layers $ DOCKER_BUILDKIT=0 docker build --no-cache --rm=false . Sending build context to Docker daemon 146.4kB ... Step 5/17 : RUN apt-get update && DEBIAN_FRONTEND=noninteracti... ---> Running in 1fc215ebb603 ... ---> d6dff86e8b89 Step 9/17 : RUN curl -fsSL https://download.docker.com/linux/de... ---> Running in a7a3a942a617 ... ---> a241c22525d8 ... Successfully built b01e4c46a2bf 32 / 63
  • 33. Understanding Layers $ docker container diff 1fc215ebb603 C /etc A /etc/python3.5 A /etc/python3.5/sitecustomize.py ... C /usr/bin A /usr/bin/pygettext3 A /usr/bin/helpztags A /usr/bin/python3 A /usr/bin/rvim A /usr/bin/view A /usr/bin/python3.5 ... 33 / 63
  • 34. Understanding Layers If you create a temporary file in a step, delete it in that same step Look for unexpected changes that trigger a copy-on-write, e.g. timestamps Do your dirty work in early stages of a multi-stage build 34 / 63
  • 35. Merge RUN Commands RUN apt-get update RUN apt-get install -y curl RUN rm -rf /var/lib/apt/lists/* 35 / 63
  • 36. Merge RUN Commands RUN apt-get update RUN apt-get install -y curl RUN rm -rf /var/lib/apt/lists/* RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* 36 / 63
  • 37. Use Multi-Stage FROM openjdk:jdk as build RUN apt-get update && apt-get install -y maven COPY code /code RUN mvn build FROM openjdk:jre as final COPY --from build /code/app.jar /app.jar ENTRYPOINT ["java", "-jar", "/app.jar"] 37 / 63
  • 39. BuildKit is Awesome # syntax = tonistiigi/dockerfile:runmount20180607 FROM openjdk:jdk as build RUN apt-get update && apt-get install -y maven RUN --mount=type=bind,target=/code,source=code --mount=type=cache,target=/root/.m2 mvn build FROM openjdk:jre as final COPY --from build /output/app.jar /app.jar ENTRYPOINT ["java", "-jar", "/app.jar"] 39 / 63
  • 40. BuildKit is Awesome # syntax = docker/dockerfile:experimental FROM python:3 RUN pip install awscli RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 cp s3://... ... $ docker build --secret id=aws,src=$HOME/.aws/credentials -t s3-app . 40 / 63
  • 41. BuildKit is Awesome $ export DOCKER_BUILDKIT=1 $ docker build -t your_image . 41 / 63
  • 42. BuildKit is Awesome $ export DOCKER_BUILDKIT=1 $ docker build -t your_image . $ cat /etc/docker/daemon.json { "features": {"buildkit": true} } 42 / 63
  • 45. NFS Mounts version: '3.7' volumes: nfs-data: driver: local driver_opts: type: nfs o: nfsvers=4,addr=nfs.example.com,rw device: ":/path/to/dir" services: app: volumes: - nfs-data:/data ... 45 / 63
  • 46. Other Filesystem Mounts version: '3.7' volumes: ext-data: driver: local driver_opts: type: ext4 o: ro device: "/dev/sdb1" services: app: volumes: - ext-data:/data ... 46 / 63
  • 47. Overlay Filesystem as a Volume version: '3.7' volumes: overlay-data: driver: local driver_opts: type: overlay device: overlay o: lowerdir=${PWD}/data2:${PWD}/data1, upperdir=${PWD}/upper,workdir=${PWD}/workdir services: app: volumes: - overlay-data:/data ... 47 / 63
  • 48. Named Bind Mount version: '3.7' volumes: bind-test: driver: local driver_opts: type: none o: bind device: /home/user/test services: app: volumes: - "bind-test:/test" ... 48 / 63
  • 49. That's nice, but I just use: $(pwd)/code:/code 49 / 63
  • 50. That's nice, but I just use: $(pwd)/code:/code "$(pwd)/code:/code" 50 / 63
  • 51. Fixing UID/GID FROM openjdk:jdk as build RUN useradd -m app USER app COPY code /home/app/code RUN --mount=target=/home/app/.m2,type=cache mvn build CMD ["java", "-jar", "/home/app/app.jar"] 51 / 63
  • 52. Fixing UID/GID version: '3.7' volumes: m2: services: app: build: context: . target: build image: registry:5000/app/app:dev command: "/bin/sh -c 'mvn build && java -jar /home/app/app.jar' volumes: - ./code:/home/app/code - m2:/home/app/.m2 52 / 63
  • 53. Fixing UID/GID Error accessing /home/app/code: permission denied 53 / 63
  • 54. Fixing UID/GID Error accessing /home/app/code: permission denied UID of app inside the container doesn't match developer's UID on the host 54 / 63
  • 55. Fixing UID/GID Possible solutions: Run everything as root Change permissions to 777 Adjust each developers uid/gid to match image Adjust image uid/gid to match developers Change the container uid/gid from run or compose 55 / 63
  • 56. Fixing UID/GID Possible solutions: Run everything as root Change permissions to 777 Adjust each developers uid/gid to match image Adjust image uid/gid to match developers Change the container uid/gid from run or compose "... or we could use a shell script" - Some Ops Guy 56 / 63
  • 57. Disclaimer The following slide may not be suitable for all audiences 57 / 63
  • 58. Fixing UID/GID # update the uid if [ -n "$opt_u" ]; then OLD_UID=$(getent passwd "${opt_u}" | cut -f3 -d:) NEW_UID=$(ls -nd "$1" | awk '{print $3}') if [ "$OLD_UID" != "$NEW_UID" ]; then echo "Changing UID of $opt_u from $OLD_UID to $NEW_UID" usermod -u "$NEW_UID" -o "$opt_u" if [ -n "$opt_r" ]; then find / -xdev -user "$OLD_UID" -exec chown -h "$opt_u" {} ; fi fi fi 58 / 63
  • 59. Fixing UID/GID FROM openjdk:jdk as build COPY --from=sudobmitch/base:scratch / / COPY entrypoint.sh /usr/bin/ ENTRYPOINT ["/usr/bin/entrypointd.sh"] RUN useradd -m app USER app COPY code /home/app/code RUN --mount=target=/home/app/.m2,type=cache mvn build CMD ["java", "-jar", "/home/app/app.jar"] 59 / 63
  • 60. Fixing UID/GID #!/bin/sh if [ "$(id -u)" = "0" ]; then fix-perms -r -u app -g app /code exec gosu app "$@" else exec "$@" fi 60 / 63
  • 61. Fixing UID/GID version: '3.7' volumes: m2: services: app: build: context: . target: build image: registry:5000/app/app:dev command: "/bin/sh -c 'mvn build && java -jar /home/app/app.jar' user: "0.0" volumes: - ./code:/home/app/code - m2:/home/app/.m2 61 / 63
  • 62. Fixing UID/GID Developers can run the same image and compose file on multiple systems App runs with the developers individual uid/gid Changes to ./code are owned by the developer Same image in prod can run without ever needing root 62 / 63
  • 63. Brandon Mitchell Twitter: @sudo_bmitch GitHub: sudo-bmitch Thank You github.com/sudo-bmitch/presentations github.com/sudo-bmitch/docker-base 63 / 63