Quartz 4

Docker

5 min read

Docker is a leading containerization platform that simplifies the process of creating, deploying, and running applications in containers. Released in 2013, Docker revolutionized application deployment by making container technology accessible and standardized.

Core Concepts

Docker Architecture

Docker uses a client-server architecture consisting of:

  1. Docker Client: The primary user interface to Docker
  2. Docker Daemon (dockerd): A persistent process that manages Docker containers
  3. Docker Registry: A repository for Docker images (e.g., Docker Hub)

Docker Components

Docker Engine

The Docker Engine is the core of Docker, comprising:

  • Docker daemon: Runs in the background and handles container operations
  • REST API: Provides an interface for the client to communicate with the daemon
  • Command-line interface (CLI): The user interface for Docker commands

Docker Images

A Docker image is a read-only template containing a set of instructions for creating a Docker container:

  • Built in layers, with each layer representing a set of filesystem changes
  • Defined in a Dockerfile
  • Stored in a registry (e.g., Docker Hub or private registry)
  • Immutable: once built, the image doesn’t change

Docker Containers

A container is a runnable instance of an image:

  • Isolated environment for running applications
  • Contains everything needed to run the application (code, runtime, libraries, etc.)
  • Shares the host OS kernel but is isolated at the process level

Docker Image Format

Docker images use a layered architecture that provides several benefits:

  • Efficient storage: Layers are cached and reused across images
  • Faster transfers: Only new or modified layers need to be transferred
  • Version control: Each layer represents a change, enabling versioning

Image Layers

An image consists of multiple read-only layers, each representing a set of filesystem changes:

  1. Base layer: Usually a minimal OS distribution
  2. Additional layers: Each layer adds, modifies, or removes files from the previous layer
  3. Container layer: When a container runs, a writable layer is added on top

Content Addressable Storage

Docker uses content-addressable storage for images:

  • Each layer is identified by a hash of its contents
  • Ensures image integrity and enables deduplication
  • Allows deterministic builds and reproducibility

Dockerfiles

A Dockerfile is a text file containing instructions for building a Docker image:

# Example Dockerfile
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y nginx
COPY ./my-nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Common Dockerfile Instructions

  • FROM: Specifies the base image
  • RUN: Executes commands in a new layer
  • COPY/ADD: Copies files from the build context into the image
  • WORKDIR: Sets the working directory
  • ENV: Sets environment variables
  • EXPOSE: Documents the ports the container will listen on
  • VOLUME: Creates a mount point for external volumes
  • ENTRYPOINT: Configures the executable to run when the container starts
  • CMD: Provides default arguments for the ENTRYPOINT

Docker Commands

Basic Commands

# Build an image
docker build -t myapp:1.0 .
 
# Run a container
docker run -d -p 8080:80 myapp:1.0
 
# List running containers
docker ps
 
# Stop a container
docker stop container_id
 
# Remove a container
docker rm container_id
 
# List images
docker images
 
# Remove an image
docker rmi image_id

Advanced Commands

# Inspect a container
docker inspect container_id
 
# View container logs
docker logs container_id
 
# Execute a command in a running container
docker exec -it container_id bash
 
# Create a new image from a container
docker commit container_id new_image_name:tag
 
# Push an image to a registry
docker push username/repository:tag

Docker Compose

Docker Compose is a tool for defining and running multi-container Docker applications:

  • Uses a YAML file to configure application services
  • Enables managing multiple containers as a single application
  • Simplifies development and testing workflows

Example docker-compose.yml

version: '3'
services:
  web:
    build: ./web
    ports:
      - "8080:80"
    depends_on:
      - db
  db:
    image: postgres:13
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: example
      POSTGRES_USER: user
      POSTGRES_DB: mydb
volumes:
  postgres_data:

Docker Networking

Docker provides several network drivers for container communication:

  • bridge: Default network driver, allows containers on the same host to communicate
  • host: Removes network isolation, container uses host’s network
  • overlay: Connects multiple Docker daemons together
  • macvlan: Assigns a MAC address to containers, making them appear as physical devices
  • none: Disables all networking

Docker Volumes

Volumes provide persistent storage for containers:

  • Bind mounts: Map a host directory to a container directory
  • Named volumes: Managed by Docker, more portable
  • tmpfs mounts: Stored in host memory, temporary storage

Docker Security Considerations

Docker containers provide some isolation, but security requires attention:

  • Running containers as non-root users
  • Using security profiles (e.g., seccomp, AppArmor)
  • Regularly updating base images
  • Using Docker Content Trust for image signing
  • Minimizing container capabilities
  • Scanning images for vulnerabilities

Advantages of Docker

  • Consistency: Same environment from development to production
  • Isolation: Applications run in isolated environments
  • Portability: Run anywhere Docker is installed
  • Efficiency: Lightweight compared to VMs
  • Version Control: Image layers enable tracking changes
  • Scalability: Easy to scale containers horizontally

Limitations of Docker

  • Stateless by design: Requires extra consideration for stateful applications
  • Kernel sharing: All containers share the host kernel
  • Security concerns: Container isolation is not as strong as VM isolation
  • Complexity: Container orchestration adds complexity

Graph View

Backlinks