Popular Posts

Docker Commands Cheat Sheet

Docker commands cheat sheet

Docker commands cheat sheet





Docker Configuration

Docker CLI stores its configuration files in a directory called .docker within your $HOME directory.(/Users/$USER/.docker/config.json)

The config.json file stores a JSON encoding of several properties. sample config.json looks like below

~/.docker/config.json
# config file stores credentials in Base64 format
$ cat config.json
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "xxxxxxxxxxxxxxWF6dGgwcmFheg=="
		},
		"phx.ocir.io": {
			"auth": "xxxxxxxxxxxl6SyskUkNUOnQuTGNtRDFiTSE=" (1)
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.1-ol (linux)"
	}

}

-- OS specific credsStore used to store credentials

tvajjala$ cat ~/.docker/config.json
{
	"auths": {
		"registry-1.docker.io": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.8 (darwin)"
	},
	"credsStore": "osxkeychain", (2)
	"experimental": "disabled",
	"stackOrchestrator": "swarm"
}
  1. Config file stores credentials in Base64 format.

  2. OS Specific credsStore(osxkeychain for MacOS) used to store credentials.

Decode Base64 credentials using below command

decode.sh
echo YW11cmRhY2E6c3VwZXJzZWNyZXRwYXNzd29yZA== | base64 -D

Docker Login

docker_login.sh
tvajjala$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: tvajjala
Password:
Tip
Refer official documentation on config.json supported properties.
Details
config.json
{
  "HttpHeaders": {
    "MyHeader": "MyValue"
  },
  "psFormat": "table {{.ID}}\\t{{.Image}}\\t{{.Command}}\\t{{.Labels}}",
  "imagesFormat": "table {{.ID}}\\t{{.Repository}}\\t{{.Tag}}\\t{{.CreatedAt}}",
  "pluginsFormat": "table {{.ID}}\t{{.Name}}\t{{.Enabled}}",
  "statsFormat": "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}",
  "servicesFormat": "table {{.ID}}\t{{.Name}}\t{{.Mode}}",
  "secretFormat": "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}",
  "configFormat": "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}",
  "serviceInspectFormat": "pretty",
  "nodesFormat": "table {{.ID}}\t{{.Hostname}}\t{{.Availability}}",
  "detachKeys": "ctrl-e,e",
  "credsStore": "secretservice",
  "credHelpers": {
    "awesomereg.example.org": "hip-star",
    "unicorn.example.com": "vcbait"
  },
  "stackOrchestrator": "kubernetes",
  "plugins": {
    "plugin1": {
      "option": "value"
    },
    "plugin2": {
      "anotheroption": "anothervalue",
      "athirdoption": "athirdvalue"
    }
  },
  "proxies": {
    "default": {
      "httpProxy":  "http://user:pass@example.com:3128",
      "httpsProxy": "http://user:pass@example.com:3128",
      "noProxy":    "http://user:pass@example.com:3128",
      "ftpProxy":   "http://user:pass@example.com:3128"
    },
    "https://manager1.mycorp.example.com:2377": {
      "httpProxy":  "http://user:pass@example.com:3128",
      "httpsProxy": "http://user:pass@example.com:3128"
    },
  }
}

Credentials store

The Docker Engine can keep user credentials in an external credentials store, such as the native keychain of the operating system. Using an external store is more secure than storing credentials in the Docker configuration file.

Possible value for credsStore property in config.json

credsStore

os

description

NotSpecified

ALL

stores credentials in config.json as Base64 encoded format.

desktop

-

Stores credentials in ~/.docker/dockerpwd.txt

osxkeychain

MacOS

credentials store specific to macOS

wincred

Windows

credentials store specific to windows

pass

Linux

credentials store specific to Linux

Docker Credential Helper

docker-credential-helpers helps to save credential in more secure way.

docker-credential-helpers used to perform specific operations on credsStore .

For example : osxkeychain is credsStore you can perform following operation with docker-credential-helpers

docker-credential-helpers.sh
tvajjala$ docker-credential-osxkeychain
Usage: docker-credential-osxkeychain <store|get|erase|list|version>

tvajjala$ docker-credential-osxkeychain version
0.6.3

tvajjala$ docker-credential-osxkeychain list
{"https://phx.ocir.io":"oraclefaonbm/thiru.vajjala@oracle.com","https://registry-1.docker.io":"tvajjala"}

tvajjala$ docker-credential-osxkeychain get https://phx.ocir.io
Tip
Refer docker-credentials-store documentation

Docker login

login.sh
#docker login <registry-url> interactive ways
docker login registry-1.docker.io
<Interactive shell>

# using password-stdin option
$/> echo YourPassword | docker login --username YourUsername --password-stdin

Docker login in Jenkins Pipeline

login.groovy
withCredentials([usernamePassword(credentialsId: 'jenkins-credential-id', usernameVariable: 'DOCKER_USERNAME', passwordVariable: 'DOCKER_PASSWORD')]) {
  sh script: """

    echo '$DOCKER_PASSWORD' | docker login registry-1.docker.io -u "$DOCKER_USERNAME" --password-stdin

  """, label: 'docker login '
}

Docker Proxy Configuration

config.json also helps us to add proxy configuration to under proxies section

proxies.json
  "proxies": {
    "default": {
      "httpProxy":  "http://user:pass@example.com:3128",
      "httpsProxy": "http://user:pass@example.com:3128",
      "noProxy":    "http://user:pass@example.com:3128",
      "ftpProxy":   "http://user:pass@example.com:3128"
    },
    "https://manager1.mycorp.example.com:2377": {
      "httpProxy":  "http://user:pass@example.com:3128",
      "httpsProxy": "http://user:pass@example.com:3128"
    },
  }

Verify Proxy

proxy.sh
tvajjala-mac:.docker tvajjala$ docker run --rm busybox env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=4d5501dc701b
HOME=/root
HTTPS_PROXY=http://www-proxy.us.myorg.com:80
https_proxy=http://www-proxy.us.myorg.com:80

Verify Network Access

dns.sh
tvajjala-mac:.docker tvajjala$ docker run --rm busybox nslookup tvajjala.in
Server:		xx.168.xx.x
Address:	xx.168.xx.1:xx

Non-authoritative answer:
Name:	tvajjala.in
Address: xxx.xxx.xx.xx

Important Docker commands

Create Docker Image

Write your docker file as per your need. Ex: Create simple docker image from busybox base image.

Dockerfile
# Build linux docker image from busybox
FROM busybox
build.sh
tvajjala$ docker build . -t tvajjala/linux
Sending build context to Docker daemon  2.048kB
Step 1/1 : FROM busybox
 ---> c7c37e472d31
Successfully built c7c37e472d31
Successfully tagged tvajjala/linux:latest

tvajjala$ docker images
REPOSITORY                                    TAG                 IMAGE ID            CREATED             SIZE
tvajjala/linux                                latest              c7c37e472d31        9 days ago          1.22MB

Run docker container

run.sh
tvajjala$ docker run -d --rm -it tvajjala/linux
bfc1433196ea115a58b8c3c337e8852f2288c5c8b29c6f1bc4f44e7488b23925
  • -d run container in background (daemon)

  • --rm remove container once it stopped.

  • -it interactive mode to enter inside container

View running and stopped containers

list.sh
tvajjala$ docker ps -as
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES               SIZE
199482d83992        tvajjala/linux      "sh"                14 seconds ago      Up 14 seconds                           intelligent_bohr    0B (virtual 1.22MB)

View Complete configuration

inspect.sh
#docker inspect <container_name>
docker inspect jolly_mestorf

Filter configuration

inspect_filter.sh
docker inspect --format='{{.State.Status}}' jolly_mestorf (1)
  1. Response in text format

inspect_format_json.sh
tvajjala$ docker inspect --format='{{json .State}}' mystifying_kare | python -m json.tool  (1)

{
    "Dead": false,
    "Error": "",
    "ExitCode": 0,
    "FinishedAt": "0001-01-01T00:00:00Z",
    "OOMKilled": false,
    "Paused": false,
    "Pid": 84320,
    "Restarting": false,
    "Running": true,
    "StartedAt": "2020-07-09T19:05:53.9926804Z",
    "Status": "running"
}
  1. Prints response in JSON Format

inspect_specific_portion.sh
# Network settings
docker inspect --format='{{json .NetworkSettings.Networks}}' mystifying_kare | python -m json.tool

# configuration
docker inspect --format='{{json .Config}}' mystifying_kare | python -m json.tool

# state
docker inspect --format='{{json .State}}' mystifying_kare | python -m json.tool  (1)

Delete not running images

delete-containers.bash
docker images -q --filter='reference=tvajjala' | xargs --no-run-if-empty docker rmi -f

Delete dangling images

delete-docker-images.bash
docker images --quiet --filter='dangling=true' | xargs --no-run-if-empty docker rmi -f
remove_dangling.sh
docker rmi $(docker images -f "dangling=true" -q)
remove_images.sh
docker rmi $(docker images -q)

Container Networks

inspect.sh
docker inspect <container_id>
network.sh
tvajjala-mac:~ tvajjala$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
442a1bfe1c23        bridge              bridge              local
4dd6af85dfd0        host                host                local
031b8ffb3fa4        none                null                local
  • NONE : If we specify none as the network, we will not be able to connect to the container, and vice versa

  • HOST : The host option makes the container network interfaces identical to the host. They share the same IP addresses, so everything started on the container is visible outside.

  • BRIDGE : The most popular option is the default one (bridge), because it lets us define explicitly which ports should be published. It is both secure and accessible.

port.sh
tvajjala-mac:~ tvajjala$ docker port 368b63cce20a
8080/tcp -> 0.0.0.0:80
sharing_volume.sh
$ docker run -i -t -v ~/my_local_folder:/directory_under_container <image_name> /bin/bash
jenkins_volume_sharing.sh
$ docker run -p <host_port>:8080 -v <host_volume>:/var/jenkins_home jenkins/jenkins:2.150.3

View docker logs

logs.sh
docker ps -as

<WILL PRINT NAME>

docker logs <CONTAINER NAME FROM ABOVE >
remove_containers.sh
docker rm $(docker ps --no-trunc -aq)

The -aq option specifies to pass only IDs (no additional data) for all containers. Additionally, --no-trunc asks Docker not to truncate the output.

Tip
We can also adopt a different approach and ask the container to remove itself as soon as it has stopped using the --rm flag, for example
remove_on_stop.sh
docker run --rm <image-name>
remove_images.sh
docker rmi $(docker images -q)
Tip
In order to prevent the removal of images with tags (for example, so as not to remove all the latest images), it’s very common to use the dangling parameter:
remove_dangling.sh
docker rmi $(docker images -f "dangling=true" -q)

Docker Volume Binds

Docker local Registry

docker run -d -p 5000:5000 -restart=always --name registry registry:2

Docker load/save

Docker save as archive

docker save -o controlplane.tar.gz saasmgr:20.04 podmgr:20.04 falcmdb:20.04

Docker load

docker load -i controlplane.tar.gz

Docker Socket

ls /var/run/docker.sock
=== run client inside docker container
 .run_docker_client_inside_docker
 ----
tvajjala-mac:lib tvajjala$ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker sh
Unable to find image 'docker:latest' locally
latest: Pulling from library/docker
df20fa9351a1: Pull complete
25ad7478873d: Pull complete
4684f6177b5d: Pull complete
46e300cec669: Pull complete
63038576ad94: Pull complete
0fdb76c4706c: Pull complete
cb7edeffdfd5: Pull complete
Digest: sha256:f9a24a777e813e2692920a86530355e3840d0271464fd486bd8708aa018d0ac6
Status: Downloaded newer image for docker:latest
 ----

Networks

Docker uses bridges to create virtual networks inside your computer.

create-new.sh
tvajjala-mac:~ tvajjala$ docker network create my-org-network
47553d80079f5a1363da90b3b046118e47195cdf89b075ad94036c9496daf673
ubuntu.sh
docker run --rm -it --net=host ubuntu:16.04 bash
#iside container
root@docker-desktop:/# apt-get update && apt-get install bridge-utils

root@docker-desktop:/# brctl show
bridge name	bridge id		STP enabled	interfaces
br-47553d80079f		8000.0242f4119bca	no (1)
br-8e6b0d90bd19		8000.02428278641c	no
docker0		8000.0242243ccb60	no

options

ubuntu.sh
docker run --rm -it --net=host --privileged=true ubuntu bash

#inside ubuntu

root@docker-desktop:/# apt-get update & apt-get install iptables

# To show NAT tables
root@docker-desktop:/# iptables -n -L -t nat
  • --net=host gives this container direct access to networking.

  • --privileged=true which lets this container have full control over the system that’s hosting it.

Docker and gradle

Refer gradle docker plugin documentation

defaultPort.sh
#-P published on 8080
docker run -d --name wildfly -P tomcat
docker run -d --name wildfly -p 8080:8080 tomcat

docker container ls

Run spring boot as docker

Dockerfile
FROM openjdk:8-jdk-alpine

ARG JAR_FILE=target/*.jar

COPY ${JAR_FILE} app.jar

ENTRYPOINT ["java","-jar","/app.jar"]
build.sh
#Docker run as image
docker image build -t toggle .

#Docker run as server
docker run --rm -d -p 8080:8080 toggle

# history
docker image history toggle
commands.sh
COPY copy files inside image

ADD copy and extract into image/download from URL and place it inside image (curl/wget)

Docker DNS Issues

If your docker container not able to communicate to external network. it could be proxy issue or DNS issue.

Refer blog on docker-networking-dns

dns.sh
$ docker run --rm busybox nslookup google.com
; connection timed out; no servers could be reached

Installing Docker on Linux

To check all installed

yum.sh
[root@ ~]# sudo yum list installed | grep docker
containerd.io.x86_64                   1.`2.13-3.2`.el7              @docker-ce-stable
docker-ce.x86_64                       3:`19.03.12-3`.el7            @docker-ce-stable
docker-ce-cli.x86_64                   1:`19.03.12-3`.el7            @docker-ce-stable

Uninstall

uninstall.sh
sudo yum remove docker-ce-`19.03.12-3` docker-ce-cli-`19.03.12-3` containerd.io-`2.13-3.2`

Install right SELinux

SELinux.sh
yum install http://ftp.riken.jp/Linux/cern/centos/7/extras/x86_64/Packages/container-selinux-2.74-1.el7.noarch.rpm

Install latest versions

install.sh
sudo yum install containerd.io docker-ce docker-ce-cli

Virtual Machine Vs Docker

  • Docker uses specific OS resources to run the desired software. Whereas VM requires full Guest OS on top of the main operating system.

  • Docker is designed to run specific process whereas VM can be used to run multiple processes inside the guest OS.

QvwTseaMcWMHoE5i3ujopj8 ZpyexZVYi61KlEkGdGwQ2XmjlzS5tt0XPEQIoWKxlLAaqGbgEkSZNWLG1H4l zJPVO TsbtUz3avJuwOZiozU28u3xBEtplkkX4s8aVjQLQQ4f05

Understand docker Image structure

Docker image contains three layers

  • BOOTFS: The first layer in the image is a boot file system called BOOTFS. Which is similar to KERNEL and the boot loader. The boot filesystem acts as a virtual filesystem for all images.

  • ROOTFS: On top of BOOTFS, operating system filesystem is placed, which is called ROOTFS.It adds the typical operating system directory structure to the container. It is in read-only mode.

  • OTHER IMAGES: on top of ROOTFS, other images are placed as per the requirements, In our case, these are JRE and the spring boot microservices JARS.

  • WRITEABLE FILE SYSTEM: when a container initiated, a writable file system is placed on top of the all the other filesystem for the processes to run. This is volatile , data is lost when the container is stopped.

Docker Env Variables

Environment variables are supported by the following list of instructions in the Dockerfile:

  • ADD

  • COPY

  • ENV

  • EXPOSE

  • LABEL

  • USER

  • WORKDIR

  • VOLUME

  • STOPSIGNAL

Docker Engine Vs Docker Machine

Docker Engine : When we say “Docker” it typically means “Docker Engine”, the client-server application made up of the docker daemon, REST API, and CLI client that talks to the daemon through REST API wrapper.

dOVBRK 5V spWJszTfrl5utrzidSDljN j9WDGTB9Ilc1tk8fxM9NlMc  KuV0OID42OMPuS0hiHdq OwM79YCb4sLmILYde96syysVxRaky0inaFu853O4bXnOOFS7plgZDt1eg

Docker Machine It is a tool for provisioning and managing your Dockerized hosts (hosts with docker engine on them). Typically you install docker machine on your local system. Docker machine has its own CLI client (called docker-machine) and the docker engine client(docker).

You can use docker machine to install docker engine on one or more virtual systems.

These virtual systems two types * Local( VirtualBox on Mac) * Cloud( AWS)

1 comment:

  1. The information shared was very much useful My sincere thanks for sharing this post Please Continue to share this post Please continue to share this post
    Devops Training in Bangalore

    ReplyDelete