Docker For Dummies - Nick Leghorn

Transcription

Docker for Dummies

Nick Leghorn, Manager of Security Engineering, Indeed.com

Agenda
1. What is Docker and Why Do I Care?
2. Setting Up a Standalone Docker System
3. Understanding the Bells and Whistles
4. Use Cases
   a. Standalone PiHole container
   b. HTTP web server with mounted directory
   c. Deploy a LibreNMS monitoring suite on linked containers
5. Docker Swarm, Kubernetes, and Beyond
#spiceworldATX

In The Beginning. [Diagram: each service (HTTP server, database server, email server, DNS server, DHCP server) on its own physical server]

And Then Came VMware [Diagram: the same services (HTTP, database, email, DNS, DHCP) on virtual servers that share physical servers]

Docker: Like VMware, But Without the Server [Diagram: the services (email server, DNS server, DHCP server) running as containers, with no virtual server layer]

So, How Does It Work?
- Think of "containers" as virtual machines; each one is its own server.
- Containers can be generated locally, or pre-configured containers (images) can be downloaded from the "Docker Hub".
- Each container uses the kernel of the host system to operate but is isolated from everything else by default.
- The container has a single purpose, which is assigned at startup and called an "entrypoint".
- Once complete, it shuts down automatically, saving state.

Networking for Docker Containers
- DEFAULT: Bridge (Docker creates a local VLAN for containers and acts as the router to the network). Containers are addressable by name.
- Host (the container uses the host network interface directly)
- Isolated network (like bridge, but an isolated VLAN for specific containers)

Benefits of Docker
Better resource usage
- Only install the packages you need, not the bloat
- Manage resources for specific containers
Infrastructure as code
- Deploy containers in seconds with scripted deployment
- "Treat containers like cattle, not cats"
Improved security
- Each container has its own sandbox

Popular Docker Images
Database servers: Oracle Database, Couchbase, Mongo, MariaDB, Redis, Postgres
Database helpers: Oracle Instant Client
Base OS images: Busybox, Alpine, Ubuntu, Fedora, RHEL
Web servers: Nginx, Apache
Docker helpers: Traefik
Development environments: Java 8, Python

Setting Up a Standalone Docker System

Why?
- Consistent development environment
- Clean and simple way to run different versions of applications (Python 2.7 versus 3.0)
- Easily configured sandbox for testing projects and code

Installing Docker
  sudo yum install docker [-y -q -e 0]
  sudo systemctl start docker
  sudo systemctl enable docker

Making Docker Accessible Without Sudo
  sudo groupadd docker
  sudo usermod -aG docker user
  [Log out and log back in]


Running Docker Containers: Docker Run versus Docker Compose
docker run [image]
- Starts a single image / server
- Easy and good for standalone systems
- Start here!
docker-compose up
- Orchestrates deploying multiple networks and containers and defines the links between them
- Requires a "dockerfile" called "docker-compose.yml" and installation of another tool
- We won't be covering this in this "basic" overview - just know it exists!

Make Sure Docker is Properly Configured

Understanding the Bells and Whistles

Basic Container Management
See running containers:      docker ps
Start a stopped container:   docker start [container]
Delete a container:          docker rm [container]
Run a detached container:    docker run -d [image]
Stop a started container:    docker stop [container]
                             docker kill [container]

docker ps

Fedora Cockpit

docker run [arguments] [image name]

Detached: -d
By default, Docker will attach your terminal to the terminal running within the container you just started. To enable a container to continue to run "in the background" you will need to "detach" the container from your terminal.

Names: --name testenv
Naming Docker containers makes them easier to manage and address. Docker will randomly assign a two-word name to all unnamed containers.

Environment Variables: --env DNS=docker.nickleghorn.com
Most pre-configured Docker containers will accept environment variables. Environment variables tell the container things like where to connect for database services, DNS names to use, or other configurable values.

Publishing Ports
If you need your container to be available on the network as a service, you can "publish" (think "map") a port from the Docker network to the host network.
REMEMBER: [host port]:[container port]
  -p 8080:80
You can also specify an IP address to bind the port on:
  -p 10.128.1.224:8080:80
The default is to expose TCP. You can specify UDP as well:
  -p 10.128.1.224:514:514/udp
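As an added example (not from the slides), a POSIX shell helper that parses the three -p forms above and flags mappings that, because the host IP was omitted, listen on every host interface; it handles only the forms shown here, not port ranges or random host ports.

```shell
#!/bin/sh
# parse_publish SPEC
# Splits a "docker run -p" value into "host_ip host_port container_port proto"
# for the three forms on the slide:
#   8080:80                   -> all host interfaces (0.0.0.0), tcp
#   10.128.1.224:8080:80      -> bound to one host address, tcp
#   10.128.1.224:514:514/udp  -> explicit protocol
# Prints the four fields on one line; returns 1 on a malformed spec.
parse_publish() {
    spec=$1
    proto=tcp
    case $spec in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) proto=tcp; spec=${spec%/tcp} ;;
        */*)   return 1 ;;           # unknown protocol suffix
    esac
    host_ip=0.0.0.0                  # Docker's default when no IP is given
    case $spec in
        *:*:*:*) return 1 ;;         # too many fields
        *:*:*)                       # ip:hostport:containerport
            host_ip=${spec%%:*}
            rest=${spec#*:}
            host_port=${rest%%:*}
            container_port=${rest#*:}
            ;;
        *:*)                         # hostport:containerport
            host_port=${spec%%:*}
            container_port=${spec#*:}
            ;;
        *) return 1 ;;
    esac
    # Both ports must be present and purely numeric
    [ -n "$host_port" ] && [ -n "$container_port" ] || return 1
    case "$host_port$container_port" in
        *[!0-9]*) return 1 ;;
    esac
    printf '%s %s %s %s\n' "$host_ip" "$host_port" "$container_port" "$proto"
}

# exposed_to_network SPEC
# Exit 0 when the mapping listens on every host interface (no host IP given),
# which is what you want to catch for services that should stay on 127.0.0.1
# like the web server use case later in the deck. Exit 2 on a malformed spec.
exposed_to_network() {
    fields=$(parse_publish "$1") || return 2
    [ "${fields%% *}" = "0.0.0.0" ]
}
```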

Mounting Directories
Want to have a folder on your host OS available to a container?
REMEMBER: [host directory]:[container directory]
  -v /home/foghorn/website:/var/www/html

Manual Container Operations
Copy a file FROM a container:
  docker cp [container]:[/path/to/container/file] [/path/to/host/file]
Copy a file TO a container:
  docker cp [/path/to/host/file] [container]:[/path/to/container/file]
Run a command in an existing container:
  docker exec [container] [command]

Get an Interactive Shell in a Container
Is the container already running?
  docker exec -it [container] /bin/bash
Do you need to start the container?
  docker run -it [image] /bin/bash

When should the container be restarted? Restart conditions
Always!
  --restart always
If the container fails, a maximum of twice:
  --restart on-failure:2

Setting an Entrypoint
Most pre-built containers already have an entrypoint.
  docker run -d \
    -v /test/:/usr/local/test/ \
    --entrypoint /usr/local/test/start.sh \
    fakecontainer

Use Case Examples

Standalone PiHole Container / DNS Server
  docker run -d \
    --name pihole \
    -p 53:53/tcp -p 53:53/udp \
    -p 67:67/udp \
    -p 80:80 \
    -p 443:443 \
    -e ServerIP="[INSERT IP HERE]" \
    -e WEBPASSWORD="[SET A PASSWORD]" \
    --restart always \
    --cap-add NET_ADMIN \
    --dns 127.0.0.1 --dns 1.1.1.1 \
    pihole/pihole:latest

HTTP Web Server with Mounted Directory
  docker run -d \
    --name webserver \
    -p 127.0.0.1:8080:80 \
    -v /home/foghorn/website/:/usr/local/apache2/htdocs/ \
    httpd:2.4
  sudo chcon -Rt svirt_sandbox_file_t /home/foghorn/website
(On SELinux hosts such as Fedora and RHEL, the chcon relabel is what allows the container to read the mounted directory.)

LibreNMS Deployment on Linked Containers: for extra homework and hands-on practice

Docker Swarm and Kubernetes

Docker is Just The Beginning
- Docker just manages the containers on a single host.
- Docker Swarm pools multiple servers to form shared resources and manages the running of containers within that "swarm".
- Kubernetes is like Docker Swarm but with more control over networking, load balancing, and other higher-level functions.

Standalone Docker Environment [Diagram: firewall, load balancer, web hosts, database]

Kubernetes Environment [Diagram: firewall, load balancer, web hosts, database]


Review
Hopefully, you are leaving here today able to:
- Describe Docker containers, their purpose, and how they operate
- Install Docker on your local system
- Deploy and configure a Docker container
- Understand the concept of Kubernetes and Docker Swarm
