Containers 102: Beyond the basics
About Me
- I am Mohammed Daoudi AKA iduoad
- I am a DevOps engineer
- Nature lover!
- weCanTalkAbout([🐧, 🐳, 🦊, …])
- More about me here!
Agenda
- Containers and images
- Container storage
- Building images
- Container distribution
- Container Operations
- Container Security
Introduction
- 6 Sections => 15 Use cases
- Each use case:
- Problem statement
- What should we know?
- Solution & Openings
Problem statement
- We are trying to run a container image with a legacy application
- The application is not cloud native (no logs to stdout)
- Application writes lots of files into the container
- The application fails on startup and the container
- May or may not have the Dockerfile
What we should know
- docker exec doesn’t work!
- docker run -it bash doesn’t work!
- A glimpse into container storage.
Solution
- docker commit to the rescue.
1.2 The minimalistic container
Problem statement
- We are trying to run our minimalistic image
- The application keeps failing due to unknown network issues.
- The image has no utilities installed.
- No internet access.
What we should know
- Minimalistic images.
- Namespaces (Network namespace as an example)
Problem statement
- We need to run multiple tasks sequentially.
- We need to control the running order and report errors.
What we should know
- Docker Compose limitations
Solution
- docker wait and scripting.
1.4 Reporting and Documentation
Problem statement
- We need to run multiple tasks sequentially.
- We need to control the running order and report errors.
What we should know
- Docker Compose limitations
Solution
- docker wait and scripting.
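One way to script the docker wait approach from the two use cases above. This is an added example, not from the original slides; the task names, images and commands fed to run_pipeline are constructed placeholders, and the 125 return for a failed start is this script's own choice.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): run containers in a fixed
# order, block on each with `docker wait`, stop and report at the first failure.

# run_task NAME IMAGE [CMD...]: returns the container's exit code.
run_task() {
    t_name=$1; t_image=$2; shift 2
    # -d prints the container ID; stdin is detached so a caller's
    # `while read` loop is not consumed.
    t_cid=$(docker run -d --name "$t_name" "$t_image" "$@" </dev/null) || {
        echo "[$t_name] could not be started" >&2
        return 125   # assumption: this script's own code for "failed to start"
    }
    # docker wait blocks until the container stops, then prints its exit code.
    t_code=$(docker wait "$t_cid")
    if [ "$t_code" -ne 0 ]; then
        echo "[$t_name] exited with $t_code, last log lines:" >&2
        docker logs --tail 20 "$t_cid" >&2
    fi
    docker rm "$t_cid" >/dev/null
    return "$t_code"
}

# run_pipeline: reads "name image command..." lines from stdin, in order.
run_pipeline() {
    while read -r name image cmd; do
        [ -z "$name" ] && continue          # skip blank lines
        # $cmd is left unquoted on purpose so it splits into arguments.
        if run_task "$name" "$image" $cmd; then
            echo "[$name] ok"
        else
            rc=$?
            echo "[$name] FAILED ($rc), skipping remaining tasks" >&2
            return "$rc"
        fi
    done
}

# Usage (constructed task list):
#   printf '%s\n' 'fetch alpine:3 true' 'migrate alpine:3 false' | run_pipeline
```

The pipeline's return code is the exit code of the first failing container, so a CI job or cron wrapper can act on it directly.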
Problem statement
- We are running an application that needs a special backup process.
- The required tools are not included in the container image.
What we should know
- We can back up entire volumes from the host.
Solution
- --volumes-from and scripting.
2.2 Minimalistic application revisited
Problem statement
- We are trying to run our minimalistic image
- The application keeps failing due to unknown network issues.
- The image has no utilities installed.
- No internet access.
Solution
- Mounting images into containers.
3.1 Forever failing builds
Problem statement
- We are trying to build an image from a Dockerfile
- A build step keeps failing for unknown reasons.
What we should know
- How do image builds work?
Problem statement
- We have to create a build image for other service teams.
- The service teams do not have expertise in our build process.
What we should know
- How do image builds work?
Problem statement
- How can we add conditionals and loops to our build?
- How can we add complex logic to the build process?
What we should know
- How do image builds work?
- Buildah?
4. Container distribution
Problem statement
- We are using images from public registries (or private ones, pulled over the internet).
- We need to minimise the time we spend pulling the images.
Solution
- Pull-Through caching registry
- Offline environment: skopeo sync
4.1 Copy images from anywhere to everywhere
Problem statement
- We need to copy images between 2 registries.
Solution
- skopeo copy
- It supports lots of formats.
5.1 Connect to that remote docker
Problem statement
- We need to deploy our apps to a remote Docker daemon.
- dockerd is not exposed to the internet.
What we should know
- How do we connect to the Docker daemon?
Problem statement
- We need to run our container with the least privileges.
What we should know
- Old vs New root.
- Capabilities.
6.2 Oh Docker! Why so evil?
Problem statement
- We need to run Docker while staying safe.
What we should know
- What are the different container attacks?
Solution
- SELinux to the rescue
- Always run Docker rootless (if you can)
Thank you
Let’s be friends! 🤗