Docker Grimoire

Author

Alexis Armin Huf

Base containers

  • openjdk:<version> (Debian with OpenJDK at <version>). Tag examples (all denoted the same image at 2021-06-21):
    • Tags: $version-{,jdk,jre}-$debian_codename
      • version e.g., 11.0.11-9, omit rightmost for latest
      • current (2021-06) debian codename is buster, can be omitted for latest
      • default is jdk instead of jre
  • busybox: minimal image without even libc (unless tagged)
    • Tags: {$version,stable,latest}-{,uclibc,glibc,musl}.
  • alpine: minimal distro with package manager and musl libc

Dockerfile

# comment
INSTRUCTION arg1 arg2 ...
...

Environment variables

  • Syntax: $name or ${name}
    • Bash-like modifiers:
      • ${name:-default}: $name if defined, else default
      • ${name:+override} empty if $name not defined, else override
  • Instructions that expand: ADD, COPY, ENV, EXPOSE, FROM, LABEL, STOPSIGNAL, USER, VOLUME, WORKDIR and ONBUILD
  • Instructions that do not expand: ARG, CMD, ENTRYPOINT, HEALTHCHECK and SHELL.

Main instructions

  • FROM name:tag: base container image
  • ARG name[=default]: Allow a variable $name to be set on docker build --build-arg name=value
  • ADD [--chown=user:group] src... dest: copies files/dirs from the build context (src) to dest inside the image, relative to the WORKDIR. Allows * as a wildcard in src. Features not present in COPY:
    • src can be an URL to be downloaded
    • src can be a .tar.* archive, which will be extracted into dest
  • COPY [--from=name|--chown=user:group] src... dest: Like ADD, but --from allows copying from an earlier build stage (FROM base AS name).
  • ENV name=value Set env vars (will affect build and run-time)
    • at runtime: docker run --env name=value
  • EXPOSE port[/protocol]... expose a listening port
    • at runtime: docker run -p 80:80/tcp
  • LABEL name=value ... Set metadata (version, description, com.example.vendor, …)
  • USER user[:group] Set the user and group that will run further RUN, CMD or ENTRYPOINT
  • VOLUME mountpoint...: Declare a mountpoint for an external volume. Writing to mountpoint at build time after this instruction will have no visible effect at run-time. The backing storage of the volume must be specified when launching the container.
  • WORKDIR dir: A cd that affects further instructions at build- and run-time
  • ENTRYPOINT ["binary", "arg1", ...]: The container will run ENTRYPOINT + CMD, with CMD being overridden by the arguments given to docker run
  • CMD ["binary/arg1", "arg1/arg2", ...]: See ENTRYPOINT, if ENTRYPOINT is omitted the first item is assumed to be a binary

Some best practices:

  • The RUN, COPY and ADD instructions are the ones that create new layers.
  • Instances of RUN should be minimized (with scripts or &&).
  • Instances of COPY/ADD should be as granular and as late as possible.
    • Splitting a copy and delaying part of it avoids invalidating the cached layers between the two copy instructions when only the later sources change.
  • Between COPY and ADD, prefer COPY for its simplicity.
  • Instead of ADDing remote files used only at build time, wget/curl them and then remove them (within the same RUN, so they do not persist in a layer).
  • Use ENTRYPOINT as the main binary and CMD as the default arguments.
  • Use VOLUME for mutable databases or config files to be edited by whoever launches the container.
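The following Dockerfile is an added example (not part of the original notes) that exercises the variable expansion rules, the main instructions and the best practices above in one file. The base image tag, the app user, the paths and the copied files (config/, target/app.jar) are assumptions made for illustration.

```dockerfile
# Added example, not from the original notes. Image tag, user name, paths and
# the copied files (config/, target/app.jar) are assumptions for illustration.

# Build-time variable, overridable with: docker build --build-arg JDK_VERSION=17 -t myapp:dev .
ARG JDK_VERSION=11
# FROM expands variables; ${JDK_VERSION:-11} falls back to 11 if the arg is passed empty
FROM openjdk:${JDK_VERSION:-11}-jre-buster

# One RUN per logical step, chained with &&, to keep the number of layers down
RUN groupadd -r app && useradd -r -g app -d /opt/app app

# ENV persists into the running container and is expanded by later instructions
ENV APP_HOME=/opt/app \
    APP_DATA=/opt/app/data
# WORKDIR expands variables and acts as a cd for every later instruction
WORKDIR ${APP_HOME}

# Rarely changing files first, so their layer stays cached when only the jar changes
COPY --chown=app:app config/ ./config/
COPY --chown=app:app target/app.jar ./app.jar

# Ownership of the data dir must be fixed BEFORE the VOLUME instruction:
# writes to the mountpoint after VOLUME are discarded at run-time
RUN mkdir -p "${APP_DATA}" && chown app:app "${APP_DATA}"
VOLUME ${APP_DATA}

EXPOSE 8080/tcp
LABEL org.opencontainers.image.description="example service"

# Every later RUN/CMD/ENTRYPOINT runs as this unprivileged user
USER app:app

# ENTRYPOINT is the binary; CMD holds the default arguments that docker run may override.
# Exec form does not expand $variables, so the jar path is written out literally.
ENTRYPOINT ["java", "-jar", "/opt/app/app.jar"]
CMD ["--port", "8080"]
```

Build with `docker build --build-arg JDK_VERSION=17 -t myapp:dev .` and run with `docker run -p 8080:8080 -v appdata:/opt/app/data myapp:dev`; appending arguments such as `--port 9090` to that docker run command replaces the CMD list while the ENTRYPOINT stays fixed. Because the data directory is chowned before VOLUME and the process runs as app:app, a named volume mounted there is writable without running the service as root.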

Building/managing/distributing Images

  • Local build: docker build -t TAG . (without a tag, the image is named by its hash)
  • Local images:
    • docker image ls: list images
    • docker image rm name[:tag]: remove image
    • docker image prune -a: remove all images not used by any container
  • Publish image:
    • docker tag LOCAL_TAG alexishuf/NAME:PUB_TAG
    • docker push alexishuf/NAME:TAG (tag defaults to latest)

Container management

Common flags for docker run image [CMD]:

  • -it: Run interactive (-i attaches the docker run stdin to the container entrypoint's stdin) and with a TTY (-t). -t is not compatible with output redirection of the docker run command (use -a instead).
  • -d: Run detached (in background)
  • -p hostPort:containerPort: Connections to hostPort on the host are tunneled to containerPort in the container.
  • -w dir: set working directory of CMD inside the container
  • --cpus=2.5: maximum CPUs usable by the container; default is 0.0 (no limit)
  • -m=512m: maximum RAM usable by the container (suffixes are m and g), minimum is 4m and default is 0 (no limit)
  • --memory-swap=1g maximum memory that the container may swap to disk. Disable swap by setting this to the value given to -m. A value of 0 imposes no limit.

Reverse forwarding / accessing services on the host: make the container point to the IPv4 address shown by ip addr show docker0.

Volume mounting:

  • -v /host:/container[:opts]: bind mount the /host dir on the host at the /container dir inside the container
  • -v name:/container: Mount a docker-managed volume called name on the container dir.
  • -v /container[:opts]: mount an anonymous volume created by docker for this container on the container dir
  • mount options (:opts) are comma-delimited

Volume management (docker volume):

  • create --driver=local [--opt (driver-opt)] name
  • ls [dangling|DRIVER_NAME|label=KEY[=VALUE]|NAME] list volumes matching filter
  • inspect NAME... show metadata
  • rm [-f|--force] NAME... remove a volume

Container management (docker container):

  • ls [-a] list running (-a: all) containers
  • rm ID remove container
  • docker logs -f ID follow the output from a detached container