0% found this document useful (0 votes)

231 views109 pages

Docker Tutorial: Containers & Images

1. The document provides an introduction and overview of Docker, including what Docker is, how it works using containers and images, and how Docker helps with development and deployment workflows. 2. It then covers managing Docker containers through commands like create, run, start, stop, kill to control the lifecycle of containers. 3. Finally, it discusses installing Docker and provisioning Docker nodes on local VMs or remote cloud servers.

Uploaded by

Nguyen Anh Duc

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

231 views109 pages

Docker Tutorial: Containers & Images

Uploaded by

Nguyen Anh Duc

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 109

Intro Containers I/O Images Builder Security Ecosystem Future

Docker Tutorial
Anthony Baire

Université de Rennes 1 / UMR IRISA

March 2, 2020

This tutorial is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 France License

1 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Summary

1. Introduction

2. Managing docker containers

3. Inputs/Outputs

4. Managing docker images

5. Building docker images

6. Security considerations

7. The ecosystem & the future

2 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Part 1.
Introduction

3 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

What is Docker (1/3)

“Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications.

Consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service

for sharing applications and automating workflows, Docker enables apps to be quickly assembled from components

and eliminates the friction between development, QA, and production environments. As a result, IT can ship faster

and run the same app, unchanged, on laptops, data center VMs, and any cloud.”

source: https://www.docker.com/whatisdocker/

4 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

What is Docker (2/3)

• a container manager
• lightweight virtualisation
(host and guest systems share the same kernel)
• based on linux namespaces and cgroups

• massively copy-on-write
• immutable images
• instant deployment
• suitable for micro-services (one process, one container)

→ immutable architecture

5 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

What is Docker (3/3)

• a build system
• images may be build from sources
• using a simple DSL (Dockerfile)

• a set of REST APIs

• Engine API (control the docker engine)
• Plugin API (extend the engine → network, storage,
authorisation)
• Registry API (publish/download images)
• Swarm API (manage a clusted of docker machines)

6 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

How Docker helps?

• normalisation: same environment (container image) for

• development
• jobs on the computing grid
• continuous integration
• peer review
• demonstrations, tutorials
• technology transfer

• archival (ever tried to reuse old codes)

• source → Dockerfile = recipe to rebuild the env from scratch
• binary → docker image = immutable snapshot of the software
with its runtime environment
→ can be rerun it at any time later

7 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

In practice
A docker image is an immutable snapshot of the filesystem
A docker container is
• a temporary file system
• layered over an immutable fs (docker image)
• fully writable (copy-on-write1 )
• dropped at container’s end of life (unless a commit is made)

• a network stack
• with its own private address (by defaut in 172.17.x.x)

• a process group
• one main process launched inside the container
• all sub-process SIGKILLed when the main process exits

1
several possible methods: overlayfs (default), btrfs, lvm, zfs, aufs
8 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Installation
https://docs.docker.com/engine/installation/

Native installation:

• requires linux kernel >3.8

Docker Machine:
• a command for provisionning an managing docker nodes
deployed:
• in a local VM (virtualbox)
• remotely (many cloud API supported)

9 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Part 2.
Managing containers
• create/start/stop/remove containers
• inspect containers
• interact, commit new images

10 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Lifecycle of a docker container

11 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Container management commands

command description
docker create image [ command ] create the container
docker run image [ command ] = create + start
docker rename container new name rename the container
docker update container update the container config
docker start container. . . start the container
docker stop container. . . graceful2 stop
docker kill container. . . kill (SIGKILL) the container
docker restart container. . . = stop + start
docker pause container. . . suspend the container
docker unpause container. . . resume the container
docker rm [ -f3 ] container. . . destroy the container

2
send SIGTERM to the main process + SIGKILL 10 seconds later
3
-f allows removing running containers (= docker kill + docker rm)
12 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Notes about the container lifecycle

• the container filesystem is created in docker create and

dropped in docker rm
• it is persistent across stop/start

• the container configuration is mostly static

• config is set in create/run
• docker update may change only a few parameters
(eg: cpu/ram/blkio allocations)
• changing other parameters require destroying and re-creating
the container

• other commands are rather basic

13 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Usage: docker create [OPTIONS] IMAGE [COMMAND] [ARG...] Usage: docker start [OPTIONS] CONTAINER [CONTAINER...]

Create a new container Start one or more stopped containers

-a, --attach=[] Attach to STDIN, STDOUT or STDERR -a, --attach=false Attach STDOUT/STDERR and forward signals
--add-host=[] Add a custom host-to-IP mapping (host:ip) --help=false Print usage
--blkio-weight=0 Block IO (relative weight), between 10 and 1000 -i, --interactive=false Attach container's STDIN
--cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent= Optional parent cgroup for the container
--cidfile= Write the container ID to the file Usage: docker stop [OPTIONS] CONTAINER [CONTAINER...]
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota Stop a running container.
--cpuset-cpus= CPUs in which to allow execution (0-3, 0,1) Sending SIGTERM and then SIGKILL after a grace period
--cpuset-mems= MEMs in which to allow execution (0-3, 0,1)
--device=[] Add a host device to the container --help=false Print usage
--disable-content-trust=true Skip image verification -t, --time=10 Seconds to wait for stop before killing it
--dns=[] Set custom DNS servers
--dns-opt=[] Set DNS options
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint= Overwrite the default ENTRYPOINT of the image Usage: docker restart [OPTIONS] CONTAINER [CONTAINER...]
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports Restart a container
--group-add=[] Add additional groups to join
-h, --hostname= Container host name --help=false Print usage
--help=false Print usage -t, --time=10 Seconds to wait for stop before killing the container
-i, --interactive=false Keep STDIN open even if not attached
--ipc= IPC namespace to use
--kernel-memory= Kernel memory limit
-l, --label=[] Set meta data on a container
--label-file=[] Read in a line delimited file of labels Usage: docker kill [OPTIONS] CONTAINER [CONTAINER...]
--link=[] Add link to another container
--log-driver= Logging driver for container Kill a running container
--log-opt=[] Log driver options
--lxc-conf=[] Add custom lxc options --help=false Print usage
-m, --memory= Memory limit -s, --signal=KILL Signal to send to the container
--mac-address= Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-reservation= Memory soft limit
--memory-swap= Total memory (memory + swap), '-1' to disable swap
--memory-swappiness=-1 Tuning container memory swappiness (0 to 100)
--name= Assign a name to the container Usage: docker rm [OPTIONS] CONTAINER [CONTAINER...]
--net=default Set the Network for the container
--oom-kill-disable=false Disable OOM Killer Remove one or more containers
-P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host -f, --force=false Force the removal of a running container (uses SIGKILL)
--pid= PID namespace to use --help=false Print usage
--privileged=false Give extended privileges to this container -l, --link=false Remove the specified link
--read-only=false Mount the container's root filesystem as read only -v, --volumes=false Remove the volumes associated with the container
--restart=no Restart policy to apply when a container exits
--security-opt=[] Security Options
--stop-signal=SIGTERM Signal to stop a container, SIGTERM by default
-t, --tty=false Allocate a pseudo-TTY
-u, --user= Username or UID (format: <name|uid>[:<group|gid>]) Usage: docker pause [OPTIONS] CONTAINER [CONTAINER...]
--ulimit=[] Ulimit options
--uts= UTS namespace to use Pause all processes within a container
-v, --volume=[] Bind mount a volume
--volume-driver= Optional volume driver for the container --help=false Print usage
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir= Working directory inside the container 14 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — Run a container

https://docs.docker.com/reference/run/

docker run [ options ] image [ arg0 arg1...]

→ create a container and start it

• the container filesystem is initialised from image image

• arg0..argN is the command run inside the container (as PID 1)

$ docker run debian /bin/hostname
f0d0720bd373
$ docker run debian date +%H:%M:%S
17:10:13
$ docker run debian true ; echo $?
0
$ docker run debian false ; echo $?
1

15 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — Foreground mode vs. Detached mode

• Foreground mode is the default

• stdout and stderr are redirected to the terminal
• docker run propagates the exit code of the main process

• With -d, the container is run in detached mode:

• displays the ID of the container
• returns immediately

$ docker run debian date
Tue Jan 20 17:32:07 UTC 2015
$ docker run -d debian date
4cbdefb3d3e1331ccf7783b32b47774fefca426e03a2005d69549f3ff06b9306
$ docker logs 4cbdef
Tue Jan 20 17:32:16 UTC 2015

16 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — TTY allocation

Use -t to allocate a pseudo-terminal for the container
→ without a tty

$ docker run debian ls
bin
boot
dev
...
$ docker run debian bash
$

→ with a tty (-t)

$ docker run -t debian ls
bin dev home lib64 mnt proc run selinux sys usr
boot etc lib media opt root sbin srv tmp var
$ docker run -t debian bash
root@10d90c09d9ac:/#

17 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — interactive mode

• By default containers are non-interactive
• stdin is closed immediately
• terminal signals are not forwarded4

$ docker run -t debian bash
root@6fecc2e8ab22:/# date
ˆC
$

• With -i the container runs interactively
• stdin is usable
• terminal signals are forwarded to the container

$ docker run -t -i debian bash
root@78ff08f46cdb:/# date
Tue Jan 20 17:52:01 UTC 2015
root@78ff08f46cdb:/# ˆC
root@78ff08f46cdb:/#

4
ˆC only detaches the terminal, the container keeps running in background
18 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — override defaults (1/2)

user (-u)

$ docker run debian whoami
root
$ docker run -u nobody debian whoami
nobody

working directory (-w)

$ docker run debian pwd
/
$ docker run -w /opt debian pwd
/opt

19 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — override defaults (2/2)

environment variables (-e)

$ docker run debian sh -c 'echo $FOO $BAR'

$ docker run -e FOO=foo -e BAR=bar debian sh -c 'echo $FOO $BAR'

foo bar

hostname (-h)

$ docker run debian hostname
830e47237187
$ docker run -h my-nice-container debian hostname
my-nice-hostname

20 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — set the container name

--name assigns a name for the container
(by default a random name is generated)

$ docker run -d -t debian
da005df0d3aca345323e373e1239216434c05d01699b048c5ff277dd691ad535
$ docker run -d -t --name blahblah debian
0bd3cb464ff68eaf9fc43f0241911eb207fefd9c1341a0850e8804b7445ccd21
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED .. NAMES
0bd3cb464ff6 debian:7.5 "/bin/bash" 6 seconds ago blahblah
da005df0d3ac debian:7.5 "/bin/bash" About a minute ago drunk_darwin
$ docker stop blahblah drunk_darwin

Note: Names must be unique

$ docker run --name blahblah debian true
2015/01/20 19:31:21 Error response from daemon: Conflict, The name blahblah is already assigned
to 0bd3cb464ff6. You have to delete (or rename) that container to be able to assign blahblah to a
container again.

21 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — autoremove

By default the container still exists after command exit

$ docker run --name date-ctr debian date
Tue Jan 20 18:38:21 UTC 2015
$ docker start date-ctr
date-ctr
$ docker logs date-ctr
Tue Jan 20 18:38:21 UTC 2015
Tue Jan 20 18:38:29 UTC 2015
$ docker rm date-ctr
date-ctr
$ docker start date-ctr
Error response from daemon: No such container: date-ctr
2015/01/20 19:39:27 Error: failed to start one or more containers

With --rm the container is automatically removed after exit

$ docker run --rm --name date-ctr debian date
Tue Jan 20 18:41:49 UTC 2015
$ docker rm date-ctr
Error response from daemon: No such container: date-ctr
2015/01/20 19:41:53 Error: failed to remove one or more containers

22 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Common rm idioms
Launch an throwaway container for debugging/testing purpose

$ docker run --rm -t -i debian
root@4b71c9a39326:/#

Remove all zombie containers

$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS
2b291251a415 debian:7.5 "hostname" About a minute ago Exited (0) About a mi
6d36a2f07e18 debian:7.5 "false" 2 minutes ago Exited (1) 2 minutes
0f563f110328 debian:7.5 "true" 2 minutes ago Exited (0) 2 minutes
4b57d0327a20 debian:7.5 "uname -a" 5 minutes ago Exited (0) 5 minutes
$ docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Deleted Containers:
2b291251a415
6d36a2f07e18
0f563f110328
4b57d0327a20

23 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Inspecting the container

command description
docker ps list running containers
docker ps -a list all containers
docker logs [ -f5 ] container show the container output
(stdout+stderr)
docker top container [ ps options ] list the processes running
inside the containers6
docker stats [ container ] display live usage statistics7
docker diff container show the differences with
the image (modified files)
docker port container list port mappings
docker inspect container. . . show low-level infos
(in json format)
5
with -f, docker logs follows the output (à la tail -f)
6
docker top is the equivalent of the ps command in unix
7
docker stats is the equivalent of the top command in unix
24 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Interacting with the container

command description
docker attach container attach to a running container
(stdin/stdout/stderr)
docker cp container:path hostpath|- copy files from the container
docker cp hostpath|- container:path copy files into the container
docker export container export the content of
the container (tar archive)
docker exec container args. . . run a command in an existing
container (useful for debugging)
docker wait container wait until the container terminates
and return the exit code
docker commit container image commit a new docker image
(snapshot of the container)

25 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker commit example

$ docker run --name my-container -t -i debian
root@3b397d383faf:/# cat >> /etc/bash.bashrc <<EOF
> echo 'hello!'
> EOF
root@3b397d383faf:/# exit
$ docker start --attach my-container
my-container
hello!
root@3b397d383faf:/# exit
$ docker diff my-container
C /etc
C /etc/bash.bashrc
A /.bash_history
C /tmp
$ docker commit my-container hello
a57e91bc3b0f5f72641f19cab85a7f3f860a1e5e9629439007c39fd76f37c5dd
$ docker rm my-container
my-container
$ docker run --rm -t -i hello
hello!
root@386ed3934b44:/# exit
$ docker images -t
511136ea3c5a Virtual Size: 0 B
af6bdc397692 Virtual Size: 115 MB
667250f9a437 Virtual Size: 115 MB Tags: debian:wheezy, debian:latest
a57e91bc3b0f Virtual Size: 115 MB Tags: hello:latest

26 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Part 3.
Inputs/Outputs
• Data volumes (persistent data)
• mounted from the host filesystem
• named volumes (interal + volume plugins)
• Devices
• Links
• Publishing ports (NAT)

27 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — mount external volumes

docker run -v /hostpath:/ctrpath[:ro] ...
docker run
--mount type=bind,src=/hostpath,dst=/ctrpath[,ro] ...

mounts the location /hostpath from the host filesystem at the

location /ctrpath inside the container
With the “ro” option, the mount is read-only
Purposes:

• store persistent data outside the container

• provide inputs: data, config files, . . . (read-only mode)
• inter-process communication (unix sockets, named pipes)

Note: -v creates /ctrpath automatically, --mount does not

28 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

mount examples (1/2)

Persistent data

$ docker run --rm -t -i -v /tmp/persistent:/persistent debian
root@0aeedfeb7bf9:/# echo "blahblah" >/persistent/foo
root@0aeedfeb7bf9:/# exit
$ cat /tmp/persistent/foo
blahblah
$ docker run --rm -t -i -v /tmp/persistent:/persistent debian
root@6c8ed008c041:/# cat /persistent/foo
blahblah

Inputs (read-only volume)

$ mkdir /tmp/inputs
$ echo hello > /tmp/inputs/bar
$ docker run --rm -t -i -v /tmp/inputs:/inputs:ro debian
root@05168a0eb322:/# cat /inputs/bar
hello
root@05168a0eb322:/# touch /inputs/foo
touch: cannot touch `/inputs/foo': Read-only file system

29 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

mount examples (2/2)

Named pipe

$ mkfifo /tmp/fifo
$ docker run -d -v /tmp/fifo:/fifo debian sh -c 'echo blah blah> /fifo'
ff0e44c25e10d516ce947eae9168060ee25c2a906f62d63d9c26a154b6415939
$ cat /tmp/fifo
blah blah

Unix socket

$ docker run --rm -t -i -v /dev/log:/dev/log debian
root@56ec518d3d4e:/# logger blah blah blah
root@56ec518d3d4e:/# exit
$ sudo tail /var/log/messages | grep logger
Jan 21 08:07:59 halfoat logger: blah blah blah

30 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — named volumes

Named volumes

• stored inside /var/lib/docker

• lifecycle managed with the docker volume command
• plugin API to provide shared storage over a cluster/cloud8

$ docker volume create my-volume
my-volume
$ docker volume ls
DRIVER VOLUME NAME
local my-volume
$ docker run --rm -t -i -v my-volume:/vol busybox
/ # echo foo > /vol/bar
/ # ˆD
$ docker volume inspect my-volume|grep Mountpoint
"Mountpoint": "/var/lib/docker/volumes/my-volume/_data",
$ docker run --rm -t -i -v my-volume:/vol busybox cat /vol/bar
foo
$ docker volume rm my-volume
my-volume

8
https://docs.docker.com/engine/tutorials/dockervolumes/
31 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

initialisation: bind volumes vs named volumes

• bind volumes are created empty

• named volumes are created with a copy of the image content

at the same mount point

$ docker run --rm -t alpine ls /etc/apk
arch keys protected_paths.d repositories world

$ docker run --rm -t -v /tmp/dummy:/etc/apk alpine ls /etc/apk

$ ls /tmp/dummy/
$

$ docker run --rm -t -v dummy:/etc/apk alpine ls /etc/apk

arch keys protected_paths.d repositories world
$ ls /var/lib/docker/volumes/dummy/_data
arch keys protected_paths.d repositories world

32 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — grant access to a device

By default devices are not usable inside the container

$ docker run --rm debian fdisk -l /dev/sda
root@dcba37b0c0bd:/# fdisk -l /dev/sda
fdisk: cannot open /dev/sda: No such file or directory

$ docker run --rm debian sh -c 'mknod /dev/sda b 8 0 && fdisk -l /dev/sda'

fdisk: cannot open /dev/sda: Operation not permitted

$ docker run --rm -v /dev/sda:/dev/sda debian fdisk -l /dev/sda

fdisk: cannot open /dev/sda: Operation not permitted

They can be whitelisted with --device

docker run --device /hostpath[:/containerpath ] ...

$ docker run --rm --device /dev/sda debian fdisk -l /dev/sda
Disk /dev/sda: 250.1 GB, 250059350016 bytes
...

33 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — inter-container links (legacy links9 )

Containers cannot be assigned a static IP address (by design)

→ service discovery is a must
Docker “links” are the most basic way to discover a service
docker run --link ctr:alias . . .

→ container ctr will be known as alias inside the new container

$ docker run --name my-server debian sh -c 'hostname -i && sleep 500' &
172.17.0.4

$ docker run --rm -t -i --link my-server:srv debian

root@d752180421cc:/# ping srv
PING srv (172.17.0.4): 56 data bytes
64 bytes from 172.17.0.4: icmp_seq=0 ttl=64 time=0.195 ms

9
since v1.9.0, links are superseded by user-defined networks
34 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Legacy links
deprecated feature

35 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks (since v1.9.0)

• by default new containers are connected to the main network
(named “bridge”, 172.17.0.0/16)

• the user can create additional networks:

docker network create NETWORK

• newly created containers are connected to one network:

docker run --net=NETWORK

• container may be dynamically attached/detached to any

network:
docker network connect NETWORK CONTAINER
docker network disconnect NETWORK CONTAINER

• networks are isolated from each other, communications is

possible by attaching a container to multiple networks
36 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

User-defined networks example

37 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

docker run — publish a TCP port

Containers are deployed in a private network, they are not

reachable from the outside (unless a redirection is set up)

docker run -p [ipaddr:]hostport:containerport

→ redirect incoming connections to the TCP port hostport of the

host to the TCP port containerport of the container
The listening socket binds to 0.0.0.0 (all interfaces) by default or
to ipaddr if given

38 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

publish example

39 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

publish example
bind to all host addresses

$ docker run -d -p 80:80 nginx
52c9105e1520980d49ed00ecf5f0ca694d177d77ac9d003b9c0b840db9a70d62

$ wget -nv http://localhost/

2016-01-12 18:32:52 URL:http://localhost/ [612/612] -> "index.html" [1]
$ wget -nv http://172.17.42.1/
2016-01-12 18:33:14 URL:http://172.17.42.1/ [612/612] -> "index.html" [1]

bind to 127.0.0.1

$ docker run -d -p 127.0.0.1:80:80 nginx
4541b43313b51d50c4dc2722e741df6364c5ff50ab81b828456ca55c829e732c

$ wget -nv http://localhost/

2016-01-12 18:37:10 URL:http://localhost/ [612/612] -> "index.html.1" [1]
$ wget http://172.17.42.1/
--2016-01-12 18:38:32-- http://172.17.42.1/
Connecting to 172.17.42.1:80... failed: Connection refused.

40 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

The whole picture

41 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

The whole picture

41 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Part 4.
Managing docker images

42 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Docker images
A docker image is a snapshot of the filesystem + some metadata

• immutable

• copy-on-write storage
• for instantiating containers
• for creating new versions of the image (multiple layers)

• identified by a unique hex IDs

• Image ID: randomly genreated
• Digest: hashed from the content

• may be tagged10 with a human-friendly name

eg: debian:wheezy debian:jessie debian:latest

10
possibly multiple times
43 / 84
Intro Containers I/O Images Builder Security Ecosystem Future

Image management commands

command description
docker images list all local images
docker history image show the image history
(list of ancestors)
docker inspect image. . . show low-level infos
(in json format)
docker tag image tag tag an image
docker commit container image create an image
(from a container)
docker import url|- [tag] create an image
(from a tarball)
docker rmi image. . . delete images

44 / 84
Intro Containers I/O Images Builder Security Ecosystem Future