Docker: Creating Structured Containers

Table of Contents

Docker: Creating Structured Containers

Meet Your Course Guide

What's so cool about Docker?

What's in it for me – Course Structure

Course Journey

The Course Roadmap and Timeline

1. Course Module 1: Learning Docker

1. Getting Started with Docker

An introduction to Docker

Docker on Linux

Differentiating between containerization and virtualization

The convergence of containerization and virtualization

Containerization technologies

Docker networking/linking

Installing Docker

Installing Docker from the Ubuntu package repository

Installing the latest Docker using docker.io script

Upgrading Docker

Building Docker from source

User permissions

UFW settings

Installing Docker on Mac OS X

Installation

Installing Docker on Windows

Installation

Upgrading Docker on Mac OS X and Windows

Downloading the first Docker image

Running the first Docker container

Running a Docker container on Amazon Web Services

Troubleshooting

2. Up and Running

Docker terminologies

Docker images and containers

A Docker layer

A Docker container

The docker daemon

Docker client

Dockerfile

Docker repository

Docker commands

The daemon command

The version command

The info command

The run command

Running a server

The search command

The pull command

The start command

The stop command

The restart command

The rm command

The ps command

The logs command

The inspect command

The top command

The attach command

The kill command

The cp command

The port command

Running your own project

The diff command

The commit command

The images command

The rmi command

The save command

The load command

The export command

The import command

The tag command

The login command

The push command

The history command

The events command

The wait command

The build command

Uploading to Docker daemon

Dockerfile

The FROM instruction

The MAINTAINER instruction

The RUN instruction

The CMD instruction

The ENTRYPOINT instruction

The WORKDIR instruction

The EXPOSE instruction

The ENV instruction

The USER instruction

The VOLUME instruction

The ADD instruction

The COPY instruction

The ONBUILD instruction

3. Container Image Storage

Docker Hub

The Docker Hub location

Dashboard

Explore the repositories page

Organizations

The Create menu

Settings

The Stars page

Docker Hub Enterprise

Comparing Docker Hub to Docker Subscription

Docker Subscription for server

Docker Subscription for cloud

4. Working with Docker containers and images

Docker Hub Registry

Docker Registry versus Docker Hub

Searching Docker images

Working with an interactive container

Tracking changes inside containers

Controlling Docker containers

Housekeeping containers

Building images from containers

Launching a container as a daemon

5. Publishing Images

Pushing images to the Docker Hub

Automating the building process for images

Private repositories on the Docker Hub

Organizations and teams on the Docker Hub

The REST APIs for the Docker Hub

6. Running Your Private Docker Infrastructure

The Docker registry and index

Docker registry use cases

Run your own index and registry

Step 1 – Deployment of the index components and the registry from GitHub

Step 2 – Configuration of nginx with the Docker registry

Step 3 – Set up SSL on the web server for secure communication

Push the image to the newly created Docker registry

7. Running Services in a Container

A brief overview of container networking

Envisaging the Container as a Service

Building an HTTP server image

Running the HTTP server Image as a Service

Connecting to the HTTP service

Exposing container services

Publishing container ports – the -p option

Network Address Translation for containers

Retrieving the container port

Binding a container to a specific IP address

Auto-generating the Docker host port

Port binding using EXPOSE and the -P option

8. Sharing Data with Containers

The data volume

Sharing host data

The practicality of host data sharing

Sharing data between containers

Data-only containers

Mounting data volume from other containers

The practicality of data sharing between containers

Avoiding common pitfalls

Directory leaks

The undesirable effect of data volume

Data volume containers

Docker volume backups

9. Docker Machine

Installation

Using Docker Machine

Local VM

Cloud environment

Docker Machine commands

active

ip

ls

scp

ssh

upgrade

url

TLS

10. Docker Compose

Linking containers

Orchestration of containers

Orchestrate containers using docker-compose

Installing Docker Compose

Installing on Linux

Installing on OS X and Windows

Docker Compose YAML file

The Docker Compose usage

The Docker Compose options

The Docker Compose commands

build

kill

logs

port

ps

pull

restart

rm

run

scale

start

stop

up

version

Docker Compose – examples

image

build

The last example

11. Docker Swarm

Docker Swarm install

Installation

Docker Swarm components

Swarm

Swarm manager

Swarm host

Docker Swarm usage

Creating a cluster

Joining nodes

Listing nodes

Managing a cluster

The Docker Swarm commands

Options

list

create

manage

The Docker Swarm topics

Discovery services

Advanced scheduling

The Swarm API

The Swarm cluster example

12. Testing with Docker

A brief overview of the test-driven development

Testing your code inside Docker

Running the test inside a container

Using a Docker container as a runtime environment

Integrating Docker testing into Jenkins

Preparing the Jenkins environment

Automating the Docker testing process

13. Debugging Containers

Process level isolation for Docker containers

Control groups

Debugging a containerized application

The Docker exec command

The Docker ps command

The Docker top command

The Docker stats command

The Docker events command

The Docker logs command

Installing and using nsenter

2. Course Module 2: Networking Docker

1. Docker Networking Primer

Networking and Docker

Linux bridges

Open vSwitch

NAT

IPtables

AppArmor/SELinux

The docker0 bridge

The --net default mode

The --net=none mode

The --net=container:$container2 mode

The --net=host mode

Port mapping in Docker container

Docker OVS

Unix domain socket

Linking Docker containers

Links

What's new in Docker networking?

Sandbox

Endpoint

Network

The Docker CNM model

2. Docker Networking Internals

Configuring the IP stack for Docker

IPv4 support

IPv6 support

Configuring a DNS server

Communication between containers and external networks

Restricting SSH access from one container to another

Configuring the Docker bridge

Overlay networks and underlay networks

3. Building Your First Docker Network

Introduction to Pipework

Multiple containers over a single host

Weave your containers

Open vSwitch

Single host OVS

Creating an OVS bridge

Multiple host OVS

Networking with overlay networks – Flannel

4. Networking in a Docker Cluster

Docker Swarm

Docker Swarm setup

Docker Swarm networking

Kubernetes

Deploying Kubernetes on AWS

Kubernetes networking and its differences to Docker networking

Deploying the Kubernetes pod

Mesosphere

Docker containers

Deploying a web app using Docker

Deploying Mesos on AWS using DCOS

5. Next Generation Networking Stack for Docker – libnetwork

Goal

Design

CNM objects

Sandbox

Endpoint

Network

Network controller

CNM attributes

CNM lifecycle

Driver

Bridge driver

Overlay network driver

Using overlay network with Vagrant

Overlay network deployment Vagrant setup

Overlay network with Docker Machine and Docker Swarm

Prerequisites

Key-value store installation

Create a Swarm cluster with two nodes

Creating an overlay network

Creating containers using an overlay network

Container network interface

CNI plugin

Network configuration

IP allocation

IP address management interface

Project Calico's libnetwork driver

3. Course Module 3: Monitoring Docker

1. Introduction to Docker Monitoring

Pets, Cattle, Chickens, and Snowflakes

Pets

Cattle

Chickens

Snowflakes

So what does this all mean?

Launching a local environment

Cloning the environment

Running a virtual server

Halting the virtual server

2. Using the Built-in Tools

Docker stats

Running Docker stats

What just happened?

What about processes?

Docker top

Docker exec

3. Advanced Container Resource Analysis

What is cAdvisor?

Running cAdvisor using a container

Compiling cAdvisor from source

Collecting metrics

The Web interface

Overview

Processes

CPU

Memory

Network

Filesystem

Viewing container stats

Subcontainers

Driver status

Images

This is all great, what's the catch?

Prometheus

Launching Prometheus

Querying Prometheus

Dashboard

The next steps

Alternatives?

4. A Traditional Approach to Monitoring Containers

Zabbix

Installing Zabbix

Using containers

Using vagrant

Preparing our host machine

The Zabbix web interface

Docker metrics

Create custom graphs

Compare containers to your host machine

Triggers

5. Querying with Sysdig

What is Sysdig?

Installing Sysdig

Using Sysdig

The basics

Capturing data

Containers

Further reading

Using Csysdig

6. Exploring Third Party Options

A word about externally hosted services

Deploying Docker in the cloud

Why use a SaaS service?

Sysdig Cloud

Installing the agent

Exploring your containers

Summary and further reading

Datadog

Installing the agent

Exploring the web interface

Summary and further reading

New Relic

Installing the agent

Exploring the web interface

Summary and further reading

7. Collecting Application Logs from within the Container

Viewing container logs

ELK Stack

Starting the stack

Logspout

Reviewing the logs

What about production?

Looking at third party options

8. What Are the Next Steps?

Some scenarios

Pets, Cattle, Chickens, and Snowflakes

Pets

Cattle

Chickens

Snowflakes

Scenario one

Scenario two

A little more about alerting

Chickens

Cattle and Pets

Sending alerts

Keeping up

4. Course Module 4: Securing Docker

1. Securing Docker Hosts

Docker host overview

Discussing Docker host

Virtualization and isolation

Attack surface of Docker daemon

Protecting the Docker daemon

Securing Docker hosts

Docker Machine

SELinux and AppArmor

Auto-patching hosts

2. Securing Docker Components

Docker Content Trust

Docker Content Trust components

Signing images

Hardware signing

Docker Subscription

Docker Trusted Registry

Installation

Securing Docker Trusted Registry

Administering

Workflow

Docker Registry

Installation

Configuration and security

3. Securing and Hardening Linux Kernels

Linux kernel hardening guides

SANS hardening guide deep dive

Access controls

Distribution focused

Linux kernel hardening tools

Grsecurity

Lynis

4. Docker Bench for Security

Docker security – best practices

Docker – best practices

CIS guide

Host configuration

Docker daemon configuration

Docker daemon configuration files

Container images/runtime

Docker security operations

The Docker Bench Security application

Running the tool

Running the tool – host configuration

Running the tool – Docker daemon configuration

Running the tool – Docker daemon configuration files

Running the tool – container images and build files

Running the tool – container runtime

Running the tool – Docker security operations

Understanding the output

Understanding the output – host configuration

Understanding the output – the Docker daemon configuration

Understanding the output – the Docker daemon configuration files

Understanding the output – container images and build files

Understanding the output – container runtime

Understanding the output – Docker security operations

5. Monitoring and Reporting Docker Security Incidents

Docker security monitoring

Docker CVE

Mailing lists

Docker security reporting

Responsible disclosure

Security reporting

Additional Docker security resources

Docker Notary

Hardware signing

Reading materials

Awesome Docker

6. Using Docker's Built-in Security Features

Docker tools

Using TLS

Read-only containers

Docker security fundamentals

Kernel namespaces

Control groups

Linux kernel capabilities

Containers versus virtual machines

7. Securing Docker with Third-Party Tools

Third-party tools

Traffic Authorization

Summon

sVirt and SELinux

Other third-party tools

dockersh

DockerUI

Shipyard

Logspout

8. Keeping up Security

Keeping up with security

E-mail list options

The two e-mail lists are as follows:

GitHub issues

IRC rooms

CVE websites

Other areas of interest

5. Course Module 5: Mastering Docker

1. Docker in Production

Where to start?

Setting up hosts

Setting up nodes

Host management

Host monitoring

Docker Swarm

Swarm manager failover

Container management

Container image storage

Image usage

The Docker commands and GUIs

Container monitoring

Automatic restarts

Rolling updates

Docker Compose usage

Developer environments

Scaling environments

Extending to external platform(s)

Heroku

Overall security

Security best practices

DockerUI

ImageLayers

2. Shipyard

Up and running

Containers

Deploying a container

IMAGES

Pulling an image

NODES

REGISTRIES

ACCOUNTS

EVENTS

Back to CONTAINERS

3. Panamax

Installing Panamax

An example

Applications

Sources

Images

Registries

Remote Deployment Targets

Back to Applications

Adding a service

Configuring the application

Service links

Environmental variables

Ports

Volumes

Docker Run Command

4. Tutum

Getting started

The tutorial page

The Service dashboard

The Nodes section

Cloud Providers

Back to Nodes

Back to the Services section

Containers

Endpoints

Logs

Monitoring

Triggers

Timeline

Configuration

The Repositories tab

Stacks

5. Advanced Docker

Scaling Docker

Using discovery services

Consul

etcd

Debugging or troubleshooting Docker

Docker commands

GUI applications

Resources

Common issues and solutions

Docker images

Docker volumes

Using resources

Various Docker APIs