Docker Basics

Introduction

OCI Specifications: Runtime Specification (runtime-spec), Image Specification (image-spec), Distribution Specification (distribution-spec).

In the Linux kernel, namespaces are a feature that allows the isolation of various system resources, making it possible for a process and its children to have a view of a subset of the system that is separate from other processes. Namespaces help to create an abstraction layer to keep containerized processes separate from one another and from the host system. There are several types of namespaces in Linux, including: PID (Process IDs), Network (NET), Mount (MNT), UTS (UNIX Time Sharing System), User (USER), IPC (Inter-Process Communication).

cgroups

Union FS: Ephemeral FS / Volume Mounts / Bind Mounts.

Docker components

• Dockerfile: instructions to build image.
• Docker Image: snapshot of a container.
• Docker Container: A running instance of Docker image.

Commands

Basic commands

# image
docker pull <image> # download image
docker build -t <image_name> <path> # build an image from Dockerfile
docker image ls # or docker images
docker image rm <image>
# container
docker run -d -p <host_port>:<container_port> --name <container_name> <image>
docker container ls # or `docker ps`, -a for all
docker ps -a # list all containers
docker (container) start|stop <container>
docker container rm <container>
docker exec -it CONTAINER_ID bash # access running container shell

docker run options:

• --name: name of the container.
• -p, --publish: expose port to the host.
• -e, --env: set environment variables.
• -d, --detach: detached mode.
• -v, --volume: mount volume.
• --cpus: e.g. --cpus=2, limits the number of core used.
• --memory: e.g. --memory=1G.
• --user: run as another user or UID.
• --read-only: prevent unwanted changes to file system.

Interactive

使用 -it 进入交互模式，--rm 在停止后删除容器实例。

docker run -it --rm <image> <command> # interactive mode, delete when stopped
docker pull busybox
docker run -it busybox /bin/sh
docker diff <container> # show changed files

Volume

# creation
docker volume create <my-volume>
docker volume inspect <my-volume> # show details
# mounting to container
docker run -d -v <my-volume>:<data-path>(:ro) <image> # add `:ro` read-only
docker run -d --mount source=<my-volume>,destination=<data-path> <image>
# delete
docker volume rm <my-volume>

<data-path> 是 Volume 在容器内部挂载的路径；通过挂载同一个 Volume 可以实现多个容器共享存储。

Dockerfile & Build

Dockerfile content demo:

# FROM a base image, (AS build-stage)
FROM node:lts-alpine as build-stage
RUN mkdir -p /app
# Set the working directory to /app
WORKDIR /app

# layer caching
COPY package.json *.lock ./
RUN npm config set registry https://registry.npmmirror.com
RUN npm install

# Copy the current directory contents into the container at /app
COPY . /app
# RUN command
RUN npm run build
# expose port
EXPOSE 80
# Define environment variable
ENV NAME World

FROM nginx:alpine
# 复制 build 后的文件到 nginx 的指定目录（/usr/share/nginx/html）
COPY --from=build-stage /app/build/ /usr/share/nginx/html
COPY nginx/nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
# 容器启动时执行的那条入口命令一旦结束了，容器也会结束。所以需要将守护关闭，让 nginx 后台运行。
CMD ["nginx", "-g", "daemon off;"]

docker build (-f Dockerfile) -t <my-image>:<tag> . # -t for tag, -f target Dockerfile
docker run -d -p <host_port>:<container_port> <my-image>:<tag>

Each FROM instruction can use a different base, and each of them begins a new stage of the build. Check: Multi-stage builds

Dockerfile instructions

• FROM: base image.
• WORKDIR: working directory (affects RUN, CMD, ENTRYPOINT, COPY, ADD), create dir if not exist.
• COPY: copy files or directories from host to container.
• ADD: 与 COPY 类似但可以处理远程 URL 与解压缩文件。
• RUN: execute command.
• CMD: default command to execute, e.g. CMD ["arg1", "arg2"].
• EXPOSE: expose port.

Layer Caching

Dockerfile 中每个指令都会创建一个新的层，如果指令未被更改，之前 build 的层将被复用，某一层的镜像缓存失效之后，它之后的镜像层缓存都会失效。所以先拷贝 package.json 和 *.lock 文件，在依赖没变动时则 npm i 不会再重新安装依赖。使用 .dockerignore 忽略 node_modules 和其它无关文件。

使用 alpine 版本缩小镜像体积。RUN 结合多条命令以减少层级创建，示例：

RUN apt-get update && \
    apt-get install -y <package>

DockerHub

docker login
docker tag your-image your-username/your-repository:your-tag
docker push your-username/your-repository:your-tag
docker pull your-username/your-repository:your-tag

Docker Compose

Docker Compose is a tool for defining and running multi-container Docker applications. It allows you to create, manage, and run your applications using a simple YAML file called docker-compose.yml. This file describes your application’s services, networks, and volumes, allowing you to easily run and manage your containers using just a single command. Docker Compose files can also be versioned.

docker-compose.yml demo:

version: "3.9" # docker compose version
services:
  web:
    image: nginx:latest
    ports:
      - "80:80"
    depends_on:
      - db
  db:
    image: mysql:latest
    environment:
      MYSQL_ROOT_PASSWORD: mysecretpassword
    ports:
      - '3306:3306'
    volumes:
      - ./data/mysql:/var/lib/mysql
    env_file:
      - .env

Running docker compose: navigate to the directory containing docker-compose.yml, and run docker-compose up.

docker-compose up|down # up has -d option
docker-compose ps    # list all container status in yaml file
docker-compose logs
docker-compose build # build all images in yaml file

Reference: Docker Compose documentation

Mirror

{
  "registry-mirrors": [
    "https://docker.m.daocloud.io",
    "https://docker.mofu.ltd"
  ]
}

---

References

• [1] roadmap.sh/docker
• [2] mirrors.ustc.edu.cn/help/docker…
• [3] Docker Hub 镜像加速器 (Gist)
• [4] Cloudflare 代理 docker 镜像仓库
• [5] hub.docker.com/_/nginx
• [6] docs.docker.com/reference/