Docker - elventear/devops GitHub Wiki

Install Docker

Visit http://download.fedoraproject.org/pub/epel/6/i386/repoview/epel-release.html and get link for epel-release-*.rpm

rpm -U http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y install docker-io
chkconfig --add docker
service docker start

Building bivio:centos6

docker pull centos:centos6
wget <repo>centos6-post.sh
perl -pi -e 's/^reboot//g' centos6-post.sh
cat > Dockerfile << 'EOF'
FROM centos:centos6
MAINTAINER Bivio Software <[email protected]>
ADD . /cfg
RUN yum -y install wget screen
RUN sh /cfg/centos6-post.sh
EOF
docker build --tag=bivio:centos6 . > err 2>&1&
tail -f err
tar="bivio-centos6.docker"
docker save bivio:centos6 > $tar
scp $tar <repo>:/var/bdev
rm $tar

Running bivio:centos6

scp <repo>:/var/bdev/bivio-centos6.docker .
docker load < bivio-centos6.docker
rm bivio-centos6.docker
docker run -i -t -v /home/vagrant:/vagrant bivio:centos6 /bin/bash
curl https://raw.githubusercontent.com/biviosoftware/utilities/master/bin/fixup-docker.sh | sh
. /.bashrc

Administering

List containers:

docker ps -a

Remove a container:

docker rm <name>

List images:

docker images -a

Remove an image:

docker rmi <image-id>

To get a shell in a running container whose main process is not interactive (e.g. a server), run bash as an additional command inside it instead of attaching to the server process:

docker exec -it <container> bash

Running as non-root

This should only be done inside a virtual machine, because membership in the docker group is effectively root on the host (it allows privilege escalation attacks), so Docker is not secure to hand to a non-root user. However, it is very convenient if you are running with Vagrant.

Do this one time, via sudo from your normal login (so that $USER is your account, not root):

sudo gpasswd -a $USER docker
sudo service docker restart

Then exit your login shell so you get the new group privileges when you login. You should see something like:

$ groups
vagrant docker

You can also put a password on the docker group:

# gpasswd docker
New Password:

Then as an ordinary user:

$ newgrp docker
Password:

CentOS 7 Atomic

In order to properly set up shared volumes and network forwarding, you have to:

groupadd -g 1000 vagrant
useradd -u 1000 -g vagrant vagrant
chcon -Rt svirt_sandbox_file_t /home/vagrant
echo net.ipv4.ip_forward=1 > /etc/sysctl.d/50-bivio-docker.conf
echo NAME.bivio.biz > /etc/hostname
reboot

Fedora 23

We couldn't get Fedora 23 going with OverlayFS. It corrupts files.

http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/

Our salt config initializes with the storage driver (except on Vagrant/VirtualBox).

VOLUME in existing images

A VOLUME declared in a base image can't be cleared via the Dockerfile or anything else, it seems. Even if the volume is not mounted (VOLUME [/foo, ""]) it keeps that directory busy so you can't do anything with it. We noticed this on the postgresql data VOLUME.

Docker Disk Space

Docker doesn't manage disk space on the loopback device (used by VirtualBox installs). The devicemapper just keeps on eating space in /var/lib/docker. The only thing to do is clear out your entire docker installation and restart:

systemctl stop docker
rm -rf /var/lib/docker
systemctl start docker

There are dm:trim-pool and dm:resize commands, but I can't figure out how to run them. There's scant information out there about devicemapper subcommands.

Docker Image Names

When you have two images docker.io/repo/name and repo/name, the second one will be chosen for operations. This can be confusing when you are debugging an image and creating local commits.

TLS

docker-tls.sh creates the docker TLS configuration. You need a new certificate authority for every "trust group" (e.g. swarm or cluster) of docker daemons. Keep the CA private key secure and on one machine only, e.g. salt-master: anyone who has it gets root access (via Docker) to every daemon in the group.

You should also keep the CA-signed client private key secure. It likewise gives root access to every machine that has the CA certificate installed.
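The flow docker-tls.sh automates, as an added example written for this page (not the wiki's own script): one CA per trust group, a server cert with a SAN for the daemon host, a clientAuth-only client cert, and a check that the private keys stay 0600 and both leaf certs chain to the CA. It assumes openssl 1.1 or newer; the output directory, daemon hostname and client name are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not the wiki's docker-tls.sh. Builds one CA per trust group,
# a server cert for one daemon host and one client cert, then audits the result.
# Assumes openssl 1.1 or newer; directory and names are arguments (hypothetical).
set -e

# gen_docker_tls OUTDIR DAEMON_HOST CLIENT_NAME
gen_docker_tls() {
    out=$1; host=$2; client=$3
    mkdir -p "$out" && chmod 700 "$out"
    umask 077   # every key written below lands as 0600 (this umask persists in the shell)

    # CA key = root on every daemon in the trust group; generate it where it will stay (salt-master)
    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
        -subj "/CN=docker-ca-$host" -keyout "$out/ca-key.pem" -out "$out/ca.pem" 2>/dev/null

    # server cert: SAN must match what clients dial (tcp://$host:2376), EKU limited to serverAuth
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out/server-key.pem" -out "$out/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" >"$out/server-ext.cnf"
    openssl x509 -req -days 365 -sha256 -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/server-ext.cnf" -in "$out/server.csr" -out "$out/server-cert.pem" 2>/dev/null

    # client cert: clientAuth only, so a leaked server cert cannot be replayed as a client
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$client" \
        -keyout "$out/key.pem" -out "$out/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' >"$out/client-ext.cnf"
    openssl x509 -req -days 365 -sha256 -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/client-ext.cnf" -in "$out/client.csr" -out "$out/cert.pem" 2>/dev/null

    rm -f "$out"/*.csr "$out"/*-ext.cnf
    chmod 444 "$out/ca.pem" "$out/server-cert.pem" "$out/cert.pem"
}

# verify_docker_tls OUTDIR: both leaves chain to this CA and no private key is group/world readable
verify_docker_tls() {
    out=$1
    openssl verify -CAfile "$out/ca.pem" "$out/server-cert.pem" "$out/cert.pem" >/dev/null 2>&1 || return 1
    for k in ca-key.pem server-key.pem key.pem; do
        case "$(ls -l "$out/$k")" in
            -rw-------*) ;;
            *) return 1 ;;
        esac
    done
}
```

Copy only ca.pem, server-cert.pem and server-key.pem to the daemon host; ca-key.pem never leaves the machine that signs for the trust group.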
