And add the following config to /etc/default/grub:
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
Now we need to reinstall GRUB for the last change to take effect (replace sdX with wherever you want GRUB to go):
update-grub
grub-install /dev/sdX
From http://www.boronine.com/2013/12/30/Installing-Docker-on-Debian-Jessie/
list all containers
docker ps -aq
stop all running containers
docker stop $(docker ps -aq)
remove all containers
docker rm $(docker ps -aq)
remove all images
docker rmi $(docker images -q)
remove all dangling (<none>) images
docker rmi $(docker images -f "dangling=true" -q)
print version of client and server
docker version
print drivers (storage, logging, cgroup), kernel, OS, arch, root dir, num of images and containers
docker info
Run a command in a new container
docker run options:
--interactive, -i Keep STDIN open even if not attached
--publish, -p Publish a container's port(s) to the host; the default is a TCP mapping, for UDP use [IP]:HPORT:CPORT/udp
--tty, -t Allocate a pseudo-TTY
--name Assign a name to the container
--link Add link to another container
--detach, -d Run container in background and print container ID
--env, -e Set environment variables
-P, --publish-all=true|false Publish all exposed ports to random ports on the host interfaces. The default is false
Remove one or more containers
docker rm options:
-f, --force Force the removal of a running container (uses SIGKILL)
--help Print usage
-l, --link Remove the specified link
-v, --volumes Remove the volumes associated with the container
Remove one or more images
docker rmi [OPTIONS] IMAGE [IMAGE...]
-f, --force Force removal of the image
Return low-level information on Docker objects. The output shows the specification of the inspected resource, including its previous and current spec definitions.
docker inspect [CONTAINER_ID|NAMES|SERVICE_CONTAINER_ID]
Version.Index can be used to check which service was updated last.
"ID": "wa48r1e3mgnw45y5tytjuups4", "Version": { "Index": 477 },
print the folder where the changes made in the container on top of the original image are stored
docker inspect --format='{{json .GraphDriver.Data.UpperDir}}' centko
"/var/lib/docker/overlay2/e656ef81f0a8b8346c2380432b09a2a17d34a2e25d07eba739d072987ee83fa6/diff"
Attach local standard input, output, and error streams to a running container. Exiting will halt the container unless one uses CTRL+P+Q (this shortcut also works in a container started with docker run -it IMAGE CMD). The alternative is to use
docker exec -it CONTAINER /bin/bash
or
docker attach CONTAINER
Run a command in a running container
docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
-d, --detach Detached mode: run command in the background
--detach-keys string Override the key sequence for detaching a container
-e, --env list Set environment variables
--help Print usage
-i, --interactive Keep STDIN open even if not attached
--privileged Give extended privileges to the command
-t, --tty Allocate a pseudo-TTY
-u, --user string Username or UID (format: <name|uid>[:<group|gid>])
Create a new image from a container’s changes
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
-a, --author string Author (e.g., "John Hannibal Smith <[email protected]>")
-c, --change list Apply Dockerfile instruction to the created image
--help Print usage
-m, --message string Commit message
-p, --pause Pause container during commit (default true)
Save one or more images to a tar archive (streamed to STDOUT by default)
docker save -o /tmp/image.tar IMAGE [IMAGE...]
Load an image from a tar archive or STDIN
docker load -i /tmp/image.tar
Display the running processes of a container
docker top CONTAINER [ps OPTIONS]
start and stop containers
https://www.ctl.io/developers/blog/post/gracefully-stopping-docker-containers/
create network with specific ip address
docker network create -o "com.docker.network.bridge.host_binding_ipv4"="172.19.0.1" simple-network
| Key | Option | Description |
|---|---|---|
| com.docker.network.bridge.name | - | bridge name to be used when creating the Linux bridge |
| com.docker.network.bridge.enable_ip_masquerade | --ip-masq | Enable IP masquerading |
| com.docker.network.bridge.enable_icc | --icc | Enable or Disable Inter Container Connectivity |
| com.docker.network.bridge.host_binding_ipv4 | --ip | Default IP when binding container ports |
| com.docker.network.driver.mtu | --mtu | Set the containers network MTU |
create network with specific CIDR range
docker network create --subnet=172.18.0.0/16 puppet
run container with specific ip address where docker network must exist
docker run --name puppetclient -h client --net puppet --ip 172.18.0.100 --rm -it puppetclient
http://blog.nigelpoulton.com/demystifying-docker-overlay-networking/
Docker is using IPVS (IP virtual server) technology in swarm mode networking for load balancing.
docker run -d -p 5000:5000 --name registry registry:2
update /etc/docker/daemon.json
{
"insecure-registries" : ["myregistrydomain.com:5000"]
}
From https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
on centos
ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS --insecure-registry myregistrydomain.com:5000
create network and service automatically
docker stack deploy -c apis.yml apis
apis.yml is the stack definition (services, ports, etc.)
vagrant@m1:~/services$ cat apis.yml
version: '3.1'
services:
  customer:
    image: swarmgs/customer
    deploy:
      replicas: 5
      resources:
        limits:
          cpus: '0.02'
          memory: 200M
        reservations:
          cpus: '0.005'
          memory: 80M
  balance:
    image: swarmgs/balance
    deploy:
      replicas: 2
    environment:
      MYWEB_CUSTOMER_API: "customer:3000"
    ports:
      - "5000:3000"
Healthcheck - Configure a check that’s run to determine whether or not containers for this service are healthy.
vagrant@m1:~/services$ cat calc.yml
version: '3.1'
services:
  calc:
    image: swarmgs/calc
    healthcheck:
      test: ["CMD-SHELL", "curl -f -s -S http://localhost/calc/iseverythingok || exit 1"]
      # or
      #test: curl -f -s -S http://localhost/calc/iseverythingok || exit 1
      interval: 15s
      timeout: 5s
      retries: 3
    ports:
      - "7000:80"
    deploy:
      placement:
        constraints:
          - node.role==manager
Secrets - Create a secret from a file or from STDIN. Secrets passed to containers/services are readable inside the running container under the folder /run/secrets/.
vagrant@m1:~/services$ cat mysql.yml
version: '3.1'
services:
  mysql:
    image: mysql
    environment:
      MYSQL_USER: wordpress
      MYSQL_DATABASE: wordpress
      #MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysql_root_pass"
    secrets:
      #- mysql_root_pass
      - source: mysql_root_pass_v2
        target: mysql_root_pass
    deploy:
      placement:
        constraints:
          - node.role==manager
secrets:
  mysql_root_pass_v2:
    external: true
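The stack above hands the password to the container as a file path (MYSQL_ROOT_PASSWORD_FILE) instead of a value. The following is an added example, not code from the page or from any image's entrypoint, showing how an entrypoint script of your own image could honour the same NAME / NAME_FILE convention. The function name read_secret_env and its exit codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: resolve a setting from $NAME or from the file named by
# $NAME_FILE (for instance a swarm secret mounted under /run/secrets/).
# Exit status: 0 ok, 1 both or neither set, 2 bad name or unreadable file.
read_secret_env() (
    name=$1
    # Accept only a plain identifier before handing it to eval.
    case $name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; exit 2 ;;
    esac
    eval "direct=\${$name-}"
    eval "file=\${${name}_FILE-}"
    # Two sources for one secret is a configuration error, not a fallback.
    if [ -n "$direct" ] && [ -n "$file" ]; then
        echo "$name and ${name}_FILE are both set; use only one" >&2
        exit 1
    fi
    if [ -n "$file" ]; then
        [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
        printf '%s\n' "$(cat "$file")"
        exit 0
    fi
    [ -n "$direct" ] || { echo "neither $name nor ${name}_FILE is set" >&2; exit 1; }
    printf '%s\n' "$direct"
)

# Demo with constructed values; a temp dir stands in for /run/secrets.
(
    dir=$(mktemp -d)
    printf 'constructed-root-pass\n' > "$dir/mysql_root_pass"
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE=$dir/mysql_root_pass
    read_secret_env MYSQL_ROOT_PASSWORD >/dev/null && echo "secret loaded from file"
    rm -rf "$dir"
)
```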
initialize the docker swarm mode - cluster
docker swarm init
root@jmaster:~/net# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
77c2e174d768 edesibe/friendlyhello:latest "python app.py" 35 minutes ago Up 35 minutes 80/tcp getstartedlab_web.2.alq0i8o1b27rzrgokuluf3cau
048e963c9308 edesibe/friendlyhello:latest "python app.py" 35 minutes ago Up 35 minutes 80/tcp getstartedlab_web.4.5dr32oa802ssovxjjusu6zm7u
872e101de1db edesibe/friendlyhello:latest "python app.py" 35 minutes ago Up 35 minutes 80/tcp getstartedlab_web.3.vfqq3hezb08x7b9p474bowdno
9b041eea490b edesibe/friendlyhello:latest "python app.py" 35 minutes ago Up 35 minutes 80/tcp getstartedlab_web.5.5icn909ep36rk34pfh2tkbwvo
127213a3d4d1 edesibe/friendlyhello:latest "python app.py" 35 minutes ago Up 35 minutes 80/tcp getstartedlab_web.1.3wjwf00gxnpz2pxn5693ezsxx
root@jmaster:~/net# docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
Mu2g2daarbfc getstartedlab_web replicated 5/5 edesibe/friendlyhello:latest *:80->80/tcp
root@jmaster:~/net# docker service ps getstartedlab_web
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
3wjwf00gxnpz getstartedlab_web.1 edesibe/friendlyhello:latest jmaster Running Running 34 minutes ago
Alq0i8o1b27r getstartedlab_web.2 edesibe/friendlyhello:latest jmaster Running Running 34 minutes ago
Vfqq3hezb08x getstartedlab_web.3 edesibe/friendlyhello:latest jmaster Running Running 34 minutes ago
5dr32oa802ss getstartedlab_web.4 edesibe/friendlyhello:latest jmaster Running Running 34 minutes ago
5icn909ep36r getstartedlab_web.5 edesibe/friendlyhello:latest jmaster Running Running 34 minutes ago
root@jmaster:~/net# docker network ls
NETWORK ID NAME DRIVER SCOPE
9e4d307392a0 bridge bridge local
F679cea60caa docker_gwbridge bridge local
Nibqxhu3ofzn getstartedlab_webnet overlay swarm
1b10c2947ba8 host host local
V0fz3jv7gs00 ingress overlay swarm
2f0c2a9472dc none null local
docker service is the new docker run
reserve 200M and 1 cpu
docker service create --name my-web --publish 8080:80 --replicas 2 --detach=false --reserve-cpu 1 --reserve-memory 200M nginx
add a label to a node (it can then be matched with ‘node.labels.servis==web’ during ‘docker service create’)
docker node update --label-add 'servis=web' jslave2
remove label from node
docker node update --label-rm 'servis' jslave2
create a web service with label ‘servis=web’ and 4 replicas, but run it only on nodes which have the node label ‘servis==web’; if no node has it, the tasks will not be run
docker service create --name web --hostname web --replicas 4 --label 'servis=web' --constraint 'node.labels.servis==web' nginx
create a redis service with 3 replicas on nodes which have the datacenter key (with any value) as a label
docker service create --replicas 3 --name redis --placement-pref 'spread=node.labels.datacenter' redis:3.0.6
create a service which uses nodes that have engine labels (node.labels can only be applied via the ‘docker node update --label-add’ cmd). engine labels are the ones configured in DOCKER_OPTS with --label options
docker service create --name web --constraint 'engine.labels.stage==dev' nginx
create a service whose publish mode is host (not ingress), so one must point to the target hosts and the published ports in order to connect to the service
docker service create \
--mode global \
--publish mode=host,target=80,published=8080 \
--name=nginx \
nginx:latest
add published port 9092 for inner target port 8080 with mode ingress
docker service update --publish-add mode=ingress,published=9092,target=8080 cadvisor
Update the pay service to version 2 of its image. During the update, the new image stays in the Ready state until the previously running one goes to the Shutdown state.
docker service update --image swarmgs/payroll:2 pay
Before the update, the new image is in the Ready state while the current machine is running (in total, one machine is running).
Every 0.5s: docker service ps delaystop Mon Oct 2 09:16:36 2017
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
xa3agv7hq76v delaystop.1 swarmgs/delaystop:2 m2 Ready Ready 1 second ago
otm8j762ntm9 \_ delaystop.1 swarmgs/delaystop:1 m2 Shutdown Running 1 second ago
After the update, the old container is halted and the new one is up
Every 0.5s: docker service ps delaystop Mon Oct 2 09:17:05 2017
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
xa3agv7hq76v delaystop.1 swarmgs/delaystop:2 m2 Running Running 19 seconds ago
otm8j762ntm9 \_ delaystop.1 swarmgs/delaystop:1 m2 Shutdown Shutdown 19 seconds ago
docker pull chenzj/dfimage
alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm chenzj/dfimage"
dfimage image_id
.env as args file during build
docker build $(while read -r line; do printf -- '--build-arg %s ' "$line"; done < .env) -t ${DOCKER_IMAGE}:${DOCKER_TAG} .
google/cadvisor - monitoring container
dockersamples/visualizer - dashboard container
mailhog/mailhog - Web and API based SMTP testing
from https://github.com/dockersamples/docker-swarm-visualizer
$ docker service create \
--name=viz \
--publish=8080:8080/tcp \
--constraint=node.role==manager \
--mount=type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
dockersamples/visualizer
edesibe/tor_proxy - tor in docker
Dockerfile
FROM alpine:latest
RUN apk update && apk add \
tor \
--update-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
&& rm -rf /var/cache/apk/*
EXPOSE 9050
COPY torrc.default /etc/tor/torrc.default
RUN chown -R tor /etc/tor
USER tor
ENTRYPOINT [ "tor" ]
CMD [ "-f", "/etc/tor/torrc.default" ]
torrc.default
SocksPort 0.0.0.0:9050
building the docker image
▶ tree
.
├── Dockerfile
└── torrc.default
docker build -t edesibe/tor_proxy .
add envs during build
docker build $(while read -r line; do printf -- '--build-arg %s ' "$line"; done < .env) -t ${IMAGE}:${TAG} .
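Both .env one-liners on this page pass every line of the file to the build, and build-arg values are visible to anyone who can run docker history on the resulting image. The following is an added example, not part of the original notes, that validates the file first; the function name env_build_args, its exit codes and the secret-name heuristic are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: turn a .env file into --build-arg options, with checks.
# Usage: docker build $(env_build_args .env) -t IMAGE:TAG .
# Exit status: 0 ok, 2 unreadable file or malformed line, 3 secret-looking key.
env_build_args() (
    file=$1
    tab=$(printf '\t')
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            *=*) ;;
            *) echo "not KEY=VALUE: $line" >&2; exit 2 ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case $key in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad key: $key" >&2; exit 2 ;;
        esac
        # The unquoted $(...) in the usage line would split such a value.
        case $val in
            *" "*|*"$tab"*) echo "$key: whitespace in value" >&2; exit 2 ;;
        esac
        # Build args end up in image metadata: refuse likely secrets (heuristic).
        upper=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $upper in
            *PASS*|*SECRET*|*TOKEN*|*KEY*) echo "$key looks like a secret" >&2; exit 3 ;;
        esac
        out="${out}--build-arg $key=$val "
    done < "$file"
    printf '%s\n' "${out% }"
)

# Demo on a constructed .env file.
(
    f=$(mktemp)
    printf '# constructed sample\nAPP_VERSION=1.2.3\n\nBASE_IMAGE=alpine:3.19\n' > "$f"
    env_build_args "$f"
    rm -f "$f"
)
```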
run the container
docker run -d --restart always -p 9050:9050 --name torproxy edesibe/tor_proxy
For this to work, one must set the SOCKS5 proxy to localhost:9050 in the web browser.
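The run command above publishes with -p 9050:9050, which has no host IP, so the SOCKS port listens on every host interface even though the browser only needs localhost; -p 127.0.0.1:9050:9050 keeps it local. The following is an added example, not part of the original notes, that parses the [IP:]HPORT:CPORT[/proto] form and lists the publish options of a docker run command line that bind to all interfaces. The function names are assumptions, and 0.0.0.0 stands for the daemon default, which the host_binding_ipv4 / --ip setting from the table above can change.

```shell
#!/bin/sh
# Added example. publish_host_ip SPEC prints the host address that a
# -p/--publish value of the form [IP:]HPORT:CPORT[/proto] binds to.
publish_host_ip() (
    spec=${1%/*}                                   # drop a trailing /tcp or /udp
    case $spec in
        \[*\]:*) ip=${spec%%\]*}                   # [IPv6]:HPORT:CPORT
                 printf '%s\n' "${ip#\[}" ;;
        *:*:*)   printf '%s\n' "${spec%%:*}" ;;    # IP:HPORT:CPORT
        *)       printf '%s\n' "0.0.0.0" ;;        # no IP: default, all interfaces
    esac
)

# exposed_publishes ARGS... scans docker run/create arguments and prints each
# publish spec that is reachable on all host interfaces, one per line.
exposed_publishes() (
    while [ $# -gt 0 ]; do
        spec=
        case $1 in
            -p|--publish) [ $# -ge 2 ] && spec=$2 ;;   # value is the next argument
            --publish=*)  spec=${1#--publish=} ;;
            -p?*)         spec=${1#-p} ;;              # attached form, e.g. -p80:80
        esac
        shift
        [ -n "$spec" ] || continue
        [ "$(publish_host_ip "$spec")" = "0.0.0.0" ] && printf '%s\n' "$spec"
    done
    exit 0
)

# Demo: the page's own run command, then the localhost-only variant.
exposed_publishes run -d --restart always -p 9050:9050 --name torproxy edesibe/tor_proxy
exposed_publishes run -d --restart always -p 127.0.0.1:9050:9050 --name torproxy edesibe/tor_proxy
```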