docker

Run a container

# daemon mode
$ docker run -d -p 80:80 --name webserver nginx

# interactive
$ docker run -t --rm <image_id> sh

Attach to running container

$ docker exec -it <image_id> sh

Attach a volume

$ docker run \
  -v /home/<user>/.ssh:/root/.ssh \
  -e BUILDKITE_AGENT_TOKEN="<token>" \
  buildkite/agent

• https://docs.docker.com/v1.8/userguide/dockervolumes/
• https://github.com/buildkite/docker-ssh-env-config/blob/master/ssh-env-config.sh

Docker in Docker

To run Docker, it must have access to /var/run/docker.sock. This provides API access to stuff. To run docker inside of docker, just mount the socket as a volume inside the container, and it can instrument containers on the root machine as expected (and have full access to the API).

$ docker run -v /var/run/docker.sock:/var/run/docker.sock buildkite/agent

Labels

In order to determine where containers come from, strong labels are necessary. After all: without technical controls you only have social guarantees. Label standards should be decided upon and enforced.

LABEL com.example.git.repository="https://github.com/my-org/my-repo"
      com.example.git.sha="7ed5fd94fa9e3b244c8fce56c7b721037e127829"
      com.example.build.time="2016-04-24T15:43:05+00:00"
      com.example.docs="https://github.com/my-org/my-repo/docs"
      com.example.dockerfile="/Dockerfile"
      com.example.api.packages="apk info -vv"

In addition to strong labels, it's also recommended to embed Dockerfiles in images.

Image management

$ docker rmi <image_name>
$ docker ps -a  # see all created containers
$ docker rm $(docker ps -aq)  # remove all existing containers

Example node app

FROM mhart/alpine-node:6

# Create app directory
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

# Install app dependencies
COPY package.json /usr/src/app/
RUN npm install

# Bundle app source
COPY . /usr/src/app

EXPOSE 8080
CMD [ "npm", "start" ]

Docker ADD vs COPY

• ADD performs tar auto extraction, and can target URLs
• COPY is less fancy therefore more safe
• http://stackoverflow.com/questions/24958140/docker-copy-vs-add

Inspect docker properties

Stuff like labels don't show up in $ docker images:

$ docker inspect <image_name>

Remove all stopped containers

$ docker rm "$(docker ps -a -q)"

Remove all untagged images

$ docker rmi "$(docker images | grep "^<none>" | awk '{ print $3 }')"

Iterate over all docker images

$ docker images -q  # images

Stop all docker images

$ docker stop "$(docker ps -q)"

Pass env vars to docker

$ docker run <image_name> -e FOO=bar

See if logged in

$ sudo docker info | grep Username

Tiny containers

Pruning containers is something you probably want to do. This can be done by converting a container to a tarball, removing unneeded stuff and then creating a new container. It's pretty cool.

• https://github.com/jwilder/docker-squash

Push container to registry

$ docker push user/image-name

See Also

• the challenges of container configuration
• https://github.com/wsargent/docker-cheat-sheet