Points
- Control groups (cgroups)
- Linux namespace
- Containers will share the same kernel because they are just isolated processes.
- container runtime
- images as templates for creating containers.
- Docker images are built up from a series of layers
- layers packaged together contain everything required for running our application process.
- Layers include meta-information about the required architecture to run
- a container adds a new read-write layer on top of image layers in order to store filesystem differences from these layers on host disk
- Docker uses storage drivers to manage content, on read-only layers and read-write ones.
- A storage driver (known as graph-driver) will manage how Docker will store and manage the interactions between layers.
- Overlay2 is the most common and preferred driver for Linux operating systems.
- Copy-on-write (or COW) is a technique to delay or altogether prevent copying of the data. Rather than duplicate the process address space, the parent and the child can share a single copy. The data, however, is marked in such a way that if it is written to, a duplicate is made and each process receives a unique copy.
- Using the COW based filesystem. All common files are shared between the same image-based containers. When an existing file in a container has to be modified. The storage driver will perform a copy operation to the container layer.
- Networking in containers is based on host bridge interfaces and firewall-level NAT rules.
- volumes are an easy way to share data between containers
- a kernel provides namespaces for process isolation.
- Processes inside a container are namespaced and, as a result, their parent PID will be the main process, with its own PID of 1
- Host resources available to a container are managed by control groups.
- the only requirements for deploying that container on a new node will be the container runtime and the template used to create that container.
- Docker Engine is the core component of container platforms. Docker is a client-server application and Docker Engine will provide the server side.
- client-side application that communicates with the server using REST API calls.
- Docker daemon listens for Docker API requests
- Docker API is available using a Unix socket by default.
- dockerd daemon provides an API interface
- containerd daemon, in fact, manages containers.
- containerd is responsible for managing storage, networking, and interaction between namespaces.
- it will run containers using another external component, RunC
Docker client customization
- There is a config file where the Docker client will look for its configurations ($HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json on Windows).
- In this file, we will set a proxy for our containers if it's needed to connect to the internet or other external services
Customizing the Docker daemon
- key.json: This file contains a unique identifier for this daemon; in fact, it is the daemon's public key that uses the JSON web key format.
- daemon.json: This is the Docker daemon configuration file. It contains all its parameters in JSON format. It has a key-value (or list of values) format
- /etc/docker/daemon.json on Linux systems
- %programdata%\docker\config\daemon.json on Windows systems
Flags used for configuration
| Daemon argument | JSON key | Argument description |
| -b, --bridge string | bridge | Attach containers to a network bridge. This option allows us to change the default bridge behavior. In some cases, it's useful to create your own bridge interfaces and use the Docker daemon attached to one of them. |
| --cgroup-parent string | cgroup-parent | Set the parent cgroup for all containers. |
| -D, --debug | debug | This option enables debug mode, which is fundamental to resolving issues. Usually, it's better to stop Docker service and run the Docker daemon by hand using the -D option to review all dockerd debugging events. |
| --data-root string | data-root | This is the root directory of the persistent Docker state (default /var/lib/docker). With this option, we can change the path to store all Docker data (Swarm KeyValue, images, internal volumes, and so on). |
| --dns list | dns | This is the DNS server to use (default []). These three options allow us to change the container DNS behavior, for example, to use a specific DNS for the container environment. |
| --dns-opt list | dns-opt | These are the DNS options to use (default []). |
| --dns-search list | dns-search | These are the DNS search domains to use (default []). |
| --experimental | experimental | This enables experimental features; don't use it in production. |
| -G, --group string | group | This is the group for the Unix socket (default docker). |
| -H, --host list | host | This is the option that allows us to specify the socket(s) to use. |
| --icc | icc | This enables inter-container communication (default true). With this option, we can disable any container's internal communications. |
| --ip IP | ip | This is the default IP when binding container ports (default 0.0.0.0). With this option, we can ensure that only specific subnets will have access to container-exposed ports. |
| --label list | label | Set key=value labels to the daemon (default []). With labels, we can configure environment properties for container location when using a cluster of hosts. There is a better tagging method you can use when using Swarm, as we will learn in Chapter 8, Orchestration Using Docker Swarm. |
| --live-restore | live-restore | This enables the live restoration of Docker when containers are still running. |
| --log-driver string | log-driver | This is the default driver for container logs (default json-file) if we need to use an external log manager (ELK framework or just a Syslog Server, for example). |
| -l, --log-level string | log-level | This sets the logging level (debug, info, warn, error, fatal) (default info). |
| --seccomp-profile string | seccomp-profile | This is the path to the seccomp profile if we want to use anything other than the default option. |
| --selinux-enabled | selinux-enabled | Enables SELinux support. This option is crucial for production environments using Red Hat Linux/CentOS. It is disabled by default. |
| -s, --storage-driver string | storage-driver | This is the storage driver to use. This argument allows us to change the default driver selected by Docker. In the latest versions, we will use overlay2 because of its stability and performance. Other options include aufs, btrfs, and devicemapper. |
| --storage-opt list | storage-opts | Storage driver options (default []). Depending on the storage driver used, we will need to add options as arguments, for example, using devicemapper or for specifying a maximum container size on overlay2 or Windows filter (MS Windows copy-on-write implementation). |
| --tls | tls | This option enables TLS encryption between client and server (implied by --tlsverify). |
| --tlscacert string | tlscacert | Trust certs signed only by this CA (default ~/.docker/ca.pem). |
| --tlscert string | tlscert | This is the path to the TLS certificate file (default ~/.docker/cert.pem). |
| --tlskey string | tlskey | This is the path to the TLS key file (default ~/.docker/key.pem). |
| --tlsverify | tlsverify | Use TLS and verify the remote. |
No comments:
Post a Comment