Table of Contents

Preface xiii

Acknowledgments xv

About this book xvi

About the cover illustration xix

Part 1 Docker Fundamentals 1

1 Discovering Docker 3

1.1 The what and why of Docker 4

What is Docker? 5

What is Docker good for? 7

Key concepts 8

1.2 Building a Docker application 10

Ways to create a new Docker image 11

Writing a Dockerfile 12

Building a Docker image 13

Running a Docker container 14

Docker layering 16

2 Understanding Docker: Inside the engine room 19

2.1 Docker's architecture 20

2.2 The Docker daemon 21

Technique 1 Open your Docker daemon to the world 22

Technique 2 Running containers as daemons 24

Technique 3 Moving Docker to a different partition 27

2.3 The Docker client 28

Technique 4 Using socat to monitor Docker API traffic 28

Technique 5 Using Docker in your browser 32

Technique 6 Using ports to connect to containers 34

Technique 7 Allowing container communication 35

Technique 8 Linking containers for port isolation 37

2.4 Docker registries 39

Technique 9 Setting up a local Docker registry 40

2.5 The Docker Hub 41

Technique 10 Finding and running a Docker image 42

Part 2 Docker and Development 45

3 Using Docker as a lightweight virtual machine 47

3.1 From VM to container 48

Technique 11 Converting your VM to a container 48

Technique 12 A host-like container 51

Technique 13 Splitting a system into microservice containers 54

Technique 14 Managing the startup of your container's services 57

3.2 Saving and restoring your work 59

Technique 15 The "save game" approach: Cheap source control 60

Technique 16 Docker tagging 62

Technique 17 Sharing images on the Docker Hub 65

Technique 18 Referring to a specific image in builds 67

3.3 Environments as processes 68

Technique 19 The "save game" approach: Winning at 2048 68

4 Building images 71

4.1 Building images 71

Technique 20 Injecting files into your image using ADD 72

Technique 21 Rebuilding without the cache 75

Technique 22 Busting the cache 76

Technique 23 Intelligent cache-busting using build-args 78

Technique 24 Intelligent cache-busting using the ADD directive 81

Technique 25 Setting the right time zone in your containers 84

Technique 26 Locale management 86

Technique 27 Stepping through layers with the image-stepper 90

Technique 28 Onbuild and golang 94

5 Running containers 97

5.1 Running containers 97

Technique 29 Running GUIs within Docker 98

Technique 30 Inspecting containers 100

Technique 31 Cleanly killing containers 101

Technique 32 Using Docker Machine to provision Docker hosts 103

Technique 33 Wildcard DNS 107

5.2 Volumes-a persistent problem 108

Technique 34 Docker volumes: Problems of persistence 108

Technique 35 Distributed volumes with Resilio Sync 110

Technique 36 Retaining your container's bash history 112

Technique 37 Data containers 114

Technique 38 Remote volume mounting using SSHFS 116

Technique 39 Sharing data over NFS 119

Technique 40 Dev tools container 121

6 Day-to-day Docker 124

6.1 Staying ship-shape 124

Technique 41 Running Docker without sudo 125

Technique 42 Housekeeping containers 125

Technique 43 Housekeeping volumes 127

Technique 44 Detaching containers without stopping them 129

Technique 45 Using Portainer to manage your Docker daemon 130

Technique 46 Generating a dependency graph of your Docker images 131

Technique 47 Direct action: Executing commands on your container 133

Technique 48 Are you in a Docker container? 134

7 Configuration management: Getting your house in order 137

7.1 Configuration management and Dockerfiles 138

Technique 49 Creating reliable bespoke tools with ENTRYPOINT 138

Technique 50 Avoiding package drift by specifying versions 140

Technique 51 Replacing text with perl -p -i -e 142

Technique 52 Flattening images 143

Technique 53 Managing foreign packages with Alien 145

7.2 Traditional configuration management tools with Docker 148

Technique 54 Traditional: Using make with Docker 148

Technique 55 Building images with Chef Solo 151

7.3 Small is beautiful 155

Technique 56 Tricks for making an image smaller 155

Technique 57 Tiny Docker images with BusyBox and Alpine 157

Technique 58 The Go model of minimal containers 159

Technique 59 Using inotifywait to slim containers 162

Technique 60 Big can be beautiful 164

Part 3 Docker and DevOps 167

8 Continuous integration: Speeding up your development pipeline 169

8.1 Docker Hub automated builds 170

Technique 61 Using the Docker Hub workflow 170

8.2 More efficient builds 173

Technique 62 Speeding up I/O-intensive builds with eatmydata 173

Technique 63 Setting up a package cache for faster builds 175

Technique 64 Headless Chrome in a container 178

Technique 65 Running Selenium tests inside Docker 180

8.3 Containerizing your CI process 185

Technique 66 Running the Jenkins master within a Docker container 185

Technique 67 Containing a complex development environment 188

Technique 68 Scaling your CI with Jenkins' Swarm plugin 192

Technique 69 Upgrading your containerized Jenkins server safely 195

9 Continuous delivery: A perfect fit for Docker principles 200

9.1 Interacting with other teams in the CD pipeline 201

Technique 70 The Docker contract: Reducing friction 201

9.2 Facilitating deployment of Docker images 204

Technique 71 Manually mirroring registry images 204

Technique 72 Delivering images over constrained connections 206

Technique 73 Sharing Docker objects as TAR files 208

9.3 Configuring your images for environments 210

Technique 74 Informing your containers with etcd 210

9.4 Upgrading running containers 214

Technique 75 Using confd to enable zero-downtime switchovers 214

10 Network simulation: Realistic environment testing without the pain 220

10.1 Container communication: Beyond manual linking 221

Technique 76 A simple Docker Compose cluster 221

Technique 77 A SQLite server using Docker Compose 225

10.2 Using Docker to simulate real-world networking 229

Technique 78 Simulating troublesome networks with Comcast 230

Technique 79 Simulating troublesome networks with Blockade 233

10.3 Docker and virtual networks 237

Technique 80 Creating another Docker virtual network 238

Technique 81 Setting up a substrate network with Weave 241

Part 4 Orchestration from a Single Machine to the Cloud 247

11 A primer on container orchestration 249

11.1 Simple single-host Docker 251

Technique 82 Managing your host's containers with systemd 251

Technique 83 Orchestrating the startup of your host's containers 254

11.2 Manual multi-host Docker 257

Technique 84 Manual multi-host Docker with Helios 257

11.3 Service discovery: What have we here? 263

Technique 85 Using Consul to discover services 264

Technique 86 Automatic service registration with Registrator 271

12 The data center as an OS with Docker 275

12.1 Multi-host Docker 276

Technique 87 A seamless Docker cluster with swarm mode 276

Technique 88 Using a Kubernetes cluster 280

Technique 89 Accessing the Kubernetes API from within a pod 285

Technique 90 Using OpenShift to run AWS APIs locally 289

Technique 91 Building a framework on Mesos 294

Technique 92 Micromanaging Mesos with Marathon 302

13 Docker platforms 306

13.1 Organizational choice factors 307

Time to market 310

Buy vs. build 310

Monolithic vs. piecemeal 311

Open source vs. licensed 312

Security stance 312

Consumer independence 313

Cloud strategy 313

Organizational structure 313

Multiple platforms? 314

Organizational factors conclusion 314

13.2 Areas to consider when adopting Docker 314

Security and control 315

Building and shipping images 321

Running containers 324

13.3 Vendors, organizations, and products 327

The Cloud Native Computing Foundation (CNCF) 327

Docker, Inc. 328

Google 329

Microsoft 329

Amazon 330

Red Hat 330

Part 5 Docker and security 335

14 Docker and security 335

14.1 Docker access and what it means 336

Do you care? 336

14.2 Security measures in Docker 337

Technique 93 Constraining capabilities 337

Technique 94 A "bad" Docker image to scan 341

14.3 Securing access to Docker 343

Technique 95 HTTP auth on your Docker instance 343

Technique 96 Securing your Docker API 346

14.4 Security from outside Docker 350

Technique 97 Reducing a container's attack surface with DockerSlim 350

Technique 98 Removing secrets added during a build 356

Technique 99 OpenShift: An application platform as a service 360

Technique 100 Using security options 368

15 Plain sailing: Running Docker in production 376

15.1 Monitoring 377

Technique 101 Logging your containers to the host's syslog 377

Technique 102 Logging your Docker logs output 380

Technique 103 Monitoring containers with cAdvisor 382

15.2 Resource control 383

Technique 104 Restricting the cores a container can execute on 383

Technique 105 Giving important containers more CPU 384

Technique 106 Limiting the memory usage of a container 386

15.3 Sysadmin use cases for Docker 388

Technique 107 Using Docker to run cron jobs 388

Technique 108 The "save game" approach to backups 391

16 Docker in production: Dealing with challenges 394

16.1 Performance: You can't ignore the tin 395

Technique 109 Accessing host resources from the container 395

Technique 110 Disabling the OOM killer 399

16.2 When containers leak-debugging Docker 401

Technique 111 Debugging a container's network with nsenter 401

Technique 112 Using tcpflow to debug in flight without reconfiguring 404

Technique 113 Debugging containers that fail on specific hosts 405

Technique 114 Extracting a file from an image 409

Appendix A Installing and using Docker 413

Appendix B Docker configuration 418

Appendix C Vagrant 421

Index 423