Docker cheasheet
ubuntu bin/bash docker
docker run -it ubuntu /bin/bash
docker run
argument to docker run such as /bin/bash overrides and CMD command we wrote in Dockerfile
ENTRYPOINT cannot be overriden at run time with normal commands docker run <command> what we do specify at the end of docker run <command> is provided as arguments to the ENTRYPOINT in this way a container is as a binary as ls.
so CMD can act as default parameters to ENTRYPINT and then we can override the CMD args from <command>.
ENTRYPOINT can be overriden with --entrypoint
ENV
ENV key=value key2=value
CMD $key $key2
docker info
docker info: shows summary of how many containers we have how many images.
$ docker info
Containers: 74
Running: 0
Paused: 0
Stopped: 74
Images: 31
docker insepct
shows lot of info about the container you can view them directly at:
ls -l /var/lib/docker/containers/3487jhf.../ config.json shows the inspect value.
on mac there is a vm image: ls -lh ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/
docker attach
attaches to PID1 of the container so if PID1 is not ssh, here is what we do:
docker exec -it 87sdfhsjh /bin/bash
docker top
shows all process inside the docker container but it shows the PID from outside the container.
show last container which was run
docker ps -l
Show docker containers including exited
docker ps -a
Show how a docker image was created (the commnands)
docker history imagename
docker stop
it sends a SIGTERM to the container PID1 and the container terminates when PID1 terminates
sending other sigterms
docker kill -s <SIGNAL> which goes to PID1
what does docker run command does
reads the images and stacks them one on another and adds a new writable top layer.
check if docker installed only on ubuntu
service docker.io status
docker.io because on linux there was already some old service docker (so to install sudo apt-get install docker)
docker mount volume
when deleting a container without -v the volumes are not deleted so delete with
docker rm -v <container>
security docker group
sudo gpasswd -a yourusername docker
instead of using root to communicate (run docker commands) with docker socket you can add users to the docker unix group
docker run -v /some/local/dir:dirindocker redis
docker daemon to listen on network and not local socket file
docker -H 192.168.56.50:2375 -d &
export DOCKER_HOST="tcp://192.168.56.50:2375
# client connects to docker daemon
docker info
what happens to data when you stop a docker container
if you edited a file inside the consitner and you stop and start your container file still exists, it exists on the actual disk under the host instance id so when you start its still there unless you remove the conatiner with docker rm. This data is not in the docker image unless you commit it, it was just set on the currently running docker instance.
take volume mounted on r1 container and mount to ubuntu
docker run --volumes-from r1 -it ubuntu ls /data
(motivation: no need to mount same volume twice code duplication)
mount /docker/redis-data as read only volume
docker run -v /docker/redis-data:/data:ro -it ubuntu rm -rf /data
logs
docker logs redis-server
docker logs -f redis-server # like tail -f
note your possibilities with logs are to stdout/stderr or you can redirect to syslog this can be useful if you already have systems which take syslog and manage it.
auto restart
docker run -d --name restart-3 --restart=on-failure:3 scrapbook/docker-restart-example
auto restart on exitcode !== 0 up to 3 times.
restart-always: will restart it indefinitely.
images
multiple containers using the same lower level containers won’t need to transfer those images if already exist they share those images.
Image layering
If an upper image has the same file as lower level image then the higher level image wins. This using the union mounts feature.
The top layer is the only writable layer. When the container boots there is another layer! below the OS layer bootfs layer which gets gone after the container has booted.
show images layering
docker images --tree
on ubuntu you would see all local image layers directly at
ls -l /var/lib/docker/aufs/layers
if you cat the top layer it would just print to console the uuids of the below layers.
to look at the difference which a layer adds type (on ubuntu)
ls -l /var/lib/docker/aufs/diff/87384728.../ and you would see the file diff of this layers from below!
export docker image
docker save -o /tmp/imagename.tar imagename
examine the tar
tar -tf /tmp/imagename.tar
docker load -i /tmp/imagename.tar
upload image to repo
first tag
docker tag 2347823hfj tomerbregistry/helloworldrepo:1.0
docker push tomerbregistry/helloworldrepo:1.0
networking
docker0: a bridge
install bridge-utils to see details on it.
brctl show docker0
when you ping or do any networking operation from within docker0 the packets go through the docker0 bridge. you can see it with traceroute google.com
in Dockerfile: EXPOSE 80: Makes it possible to expose port 80, we still need to run -p 5020:80 localhost 5020 forwarded to 80 on container.
docker port yourcontainer: view exposed port.
by default ports are tcp if you want udp add it:
docker run -d -p 5002:80/udp --name=yourcontainer apache
attach a port to a different ip existing in host (for example if host has eth0 and eth1 each with its own ip):
docker run -d -p 192.168.56.50:5003:80 --name=web3 apache-img
P: capital p will automatically map the exposed ports from Dockerfile into random ports on host.
assign different address to docker0 it has a specific network address it tries in case all are captured:
service docker stop
ip a
ip link del docker0
vi /etc/default/docker
DOCKER_OPTS=--bip=150.150.0.1./24 # bip = bridge ip.
service docker start
any new container or old container that restarts will get an ip from the new range.
linking containers
safer because ports are not exposed. we have a src and rcvr container the src when linked initially communicates with the receiver container and tells it what’s its EXPOSE ports from the Dockerfile in this way the receiver container can communicate to these ports. When linking containers the --name is important so that we link to this name.
docker run --name=receiver --link=src:alias-src -it ubuntu:15.04 /bin/bash you need to alias the src
what docker did is that in the receiver container docker updated the hosts file and env variables with the src container ip and port the apps that uses the other container need to use these environemnt variables in order to use the other container.
troubleshooting containers
service docker stop
docker -d -l debug &
or edit the docker config file at /etc/default/docker add to that file DOCKER_OPTS=--log-level=debug
- Start docker
daemonin debug mode.
When Dockerfile build fails
docker images
you will see the latest successful image created, run it with docker run -it 7e8yfushfjh /bin/bash and try that command and troubleshoot why Dockerfile failed.