Download: Red Hat Certificate of Expertise in Containerized Application Development

Study Guide Red Hat Certificate of Expertise in Containerized Application Development,

Contents

Prerequisites 3 Linux 3 Installation 3 Docker Refresh 3 What is Docker? 3 Basic Docker Commands 3 Containers4ASample Command 4 Running Containers Locally 4 Linking Containers 4 Container Logs 4 Docker Events 5 Docker Inspect 5 Exposing Containers 5 Volume Command 5 Security Best Practices 6 Images 6 Image Registries 6 Image Design Best Practices 7 Working with Images 7 Dockerfile Syntax 7 Custom Images 8 Image Lifecyle 9 Managing Images 9 Designing an image for application deployment 9, Private Registry Security 10 Image Tags and Pulls 10,

Prerequisites Linux

• Using the 3.10.x kernel or newer

Installation

• On CentOS • yum -y install docker • On Ubuntu • apt-get update && apt-get install docker

Docker Refresh What is Docker?

• Docker is open source software that automates application deployment inside software containers • Docker containers are a complete software environment. Containers have: • Code • Runtime • System Tools & Libraries • A container is designed to run the same regardless of the environment • If you are not familiar with Docker you should take the Linux Academy – Docker Quick Start course or our Docker Deep Dive course

Basic Docker Commands

• docker create • Creates a container • docker run • Creates a container and starts it running • docker stop • Stops a running container • docker rm • Remove one or more containers • docker rmi • Remove one or more images • docker exec • Run a command in a running container • docker images • List images - 4 -, • docker save • Save an image to a tar archive. (does not compress) • docker load • Load an image from a tar archive • docker export • Export a containers filesystem as a tar archive • More Docker commands can be found on docs.docker.com

Containers A Sample Command

• Let’s provision a database server. • Since MySQL expects certain variables to be passed through to the container, to instantiate a basic MySQL instance named test1-mysql, we would type in the following: • docker run -d -name=test1-mysql -env=”MYSQL_ROOT_ PASSWORD=mypassword” mysql • To see what the IP address of the running container is we would type in: • docker inspect test1-mysql |grep “IPAddress” • To stop this running container we would use: • docker stop test1-mysql

Running Containers Locally Linking Containers

• Let’s see how we link a MySQL container to a WordPress container at runtime. • First we run our MySQL container. We could use the following command to do this: • docker run -d -name=test1-mysql -env=”MYSQL_ROOT_ PASSWORD=mypassword” mysql • To link a WordPress container to this database container we would use the following command: • docker run -d -name test1-wordpress -link test1-mysql:mysql wordpress

Container Logs

• We get the container logs from Docker via the docker logs command: - 5 -, • docker logs [options] CONTAINER • An example command to get the logs from a WordPress container called test-wordpress would be the following: • docker logs -f test1-wordpress

Docker Events

• We can get real-time events from the docker host with the events command • docker events [OPTIONS]

Docker Inspect

• Docker inspect gives you low level information about docker objects. An example would be as follows: • docker inspect test1-mysql

Exposing Containers

• Docker allows you to expose a port or ports from a container so connections can be made. If the image has been designed to allow this then you can enable it via the expose option. An example is shown below: • docker run -d -name=test1-mysql -env=”MYSQL_ROOT_PASSWORD=password” -publish 3306:3306 mysql

Volume Command

• Docker allows you to set up storage via the volume command, which can help you create persistent storage between containers. An example would be as follows: • The commands to work with a volume • docker volume create -name ShareVol1 • docker volume inspect ShareVol1 • docker volume ls ShareVol1 • docker volume rm ShareVol1 • To assign the ShareVol1 to a filesystem on a ubuntu server you would do the following: • docker run -ti -v ShareVol1:/newvol1 ubuntu - 6 -,

Security Best Practices

• Docker runs as root. If you’re in the docker group you effectively have root access • Greater security can be found by running Docker inside a virtual machine • You can use software such as apparmor, seccomp or SELinux to increase security • Limit no of active processes (since Docker 1.11) • docker run -pids-limit=64 • Control new processes (kernel above 3.5.x) • docker run -security-opt=no-new-privileges • Turn off ipc • docker -ipc=false • Disable iptables changes • docker -iptables=false • Docker as read only • docker run -read-only • Volume as read only • docker run -ti -v ShareVol1:/newvol1:ro ubuntu • Use hash to pull image • docker pull debian@sha256:a253063385... • Limit memory and CPU sharing • docker -c 512 -mem 512m • Define and run a user in your Dockerfile, so you’re not running as root inside the container • RUN groupadd -r user && useradd -r -g user user

Images Image Registries

• Image registries store Docker images. When you just type in an image name it pulls it from Docker directly. So the following command: - 7 -, • docker pull centos • Is the same as typing this command: • docker pull docker.io/library/centos • You can easily run your own image repository. You can run it via a Docker pull. The following command pulls and runs a repository and makes it available on port 5000 of the Docker container: • docker run -d -p 5000:5000 -restart=always -name registry registry:2

Image Design Best Practices

• Containers should be designed to be ephemeral • Use a .dockerignore file for files you want ignored • Try not to install unnecessary packages • Use each container for a single purpose. e.g. One container for a DB, one container for an application • Minimize number of layers in a container • Utilize build cache where possible • Don’t want to use the cache? Use -co-cache=true • Use common sense when designing the image

Working with Images

• Docker containers are created from a base image • In the Dockerfile, each action adds to the ‘layer’ before it • Dockerfile syntax is designed to be clean and allows #comment blocks for commenting • File syntax consists of comments, commands, and arguments • A Dockerfile is serial, there are no ‘goto’s or loops • MAINTAINER can be placed almost anywhere but must be after the FROM

Dockerfile Syntax

• FROM • Defines a base image for the build • RUN • Is executed during the build of the image • ADD • Copies a file from the build folder to the image. If it’s a compressed file the contents will - 8 -, be extracted. Allows remote url support • COPY • Copies new files or directories from the source to the container. COPY should be used instead of ADD unless the special ADD abilities are needed • WORKDIR • Directive used to set where CMD is to be executed. It’s working directory • USER • Is used to set the UID or username which is to run the container based on the image being built • CMD • Similar to RUN, but executed when the container is running, not when its built • ENTRYPOINT • Should be used when a container should run an application after its instantiated • ONBUILD • A trigger for when the image is used as the basis for another image. • EXPOSE • Expose a port to the outside world. Enables networking between containers • ENV • Is used to set an environment variable inside the container • VOLUME • Creates a mount point inside the container

Custom Images

• You can nest images in subsequent Dockerfiles if you need to • Here is an example: • docker image1 has FROM ubuntu inside • docker image2 has FROM image1 inside plus other commands • docker image3 has FROM image2 inside plus other commands • You cannot have multiple FROM inside a Dockerfile • A sample Dockerfile is shown below that has the following properties: • It uses a base image of CentOS 6 • The MAINTAINER is kevin • yum install is run to install software • A compressed file is uncompressed and copied to the file system • Port 80 is exposed to the container • The container starts Apache when it is run • FROM centos:6 MAINTAINER kevin RUN yum -y install httpd elinks ADD mainfile.tar.gz /var/www/html - 9 -, EXPOSE 80 ENTRYPOINT [“/usr/sbin/http”, “-D”, “FOREGROUND”]

Image Lifecyle

• A need for a container arises • An image is designed and a Dockerfile is created • A Docker image is built • The image is tested • The image is modified as required • An approved image is moved to production • As changes are required, the image goes back through the cycle to be modified • When an image is no longer required its use is stopped • Old unused images are deleted and cleaned up

Managing Images Designing an image for application deployment

• A Docker image is a stripped down version of the normal operating system that would be used by the container. So what extra code is required for the app to run in a container properly? • Is the application to run in a cluster? • Is a shared Database required? • Does the container need shared volumes? • What ports need to be open? • What registries will be used to store the image? • What tagging format will be required? • The application work flow is as follows • The image is created • The image is tagged • The image is pushed to a registry • The image gets pulled from a registry and used - 10 -,

Private Registry Security

• You can download and run a private registry from within Docker. • The following command pulls and runs a repository and makes it available on port 5000 of the docker container • docker run -d -p 5000:5000 -restart=always -name registry registry:2 • You can set the registry to use a folder on the host server with a command like the following: • docker run -d -p 5000:5000 -restart=always -name registry -v /usr/ data:/var/lib/registry registry:2 • You can use TLS to secure the communications with the repository. To do this with a self signed certificate you would do the following: • Generate the key • openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain. key -x509 -days 365 -out certs/domain.crt • Run the registry with the key added like the following: • docker run -d -p 5000:5000 -restart=always -name registry -v / usr/data:/var/lib/registry REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2 • With a self-signed cert you will need to add a copy of the cert to any Docker installs that will use the repo. This can be done by copying the domain.crt to the proper location and calling it ca.crt as shown in this example for the previous docker run command: • cp certs/domain.crt /etc/docker/certs.d/centos-master\:5000/ca.crt

Image Tags and Pulls

• You can group your images together using names and tags. The format of the tag command is as follows: • docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] • Tagging an image will help you keep track of them. It makes it easier to see if there are different versions for instance. • If you’re using an external registry, for example, you need to tag your image with the target its going to before you can push the image. • To push an image to centos-master:5000/ubuntu:v1, for instance, you would need to do the following: • docker pull ubuntu • To get the image - 11 -, • docker tag ubuntu centos-master:5000/ubuntu:v1 • Tagging the image • docker push centos-master:5000/ubuntu:v1 • Pushing the image to the repository - 12 -]

15