<img src="./images/book.jpeg" alt="drawing" width="300" align="left"/>  
<img src="./images/helal.jpg" alt="drawing" width="314" align="left"/>  



**[Docker Deep Dive: Zero to Docker in a single book](https://www.amazon.com/gp/product/B01LXWQUFF/ref=dbs_a_def_rwt_bibl_vppi_i1)**

# Virtualization

- **HW-Level Virtualization**  
    - **Network Virtualization**  
    - **Storage Virtualization**  
    - **Server  Virtualization**  
- **Application Virtualization**  
- **OS-Level Virtualization**

# 1: Containers from a 30,000 feet

## The bad old days
## Hello VMWare!
## Hello Containers!
- **Linux subsystems**  
- **Mainframe**

## Hello Docker!
- **Docker, Inc. 1999**
- **Windows Containers**  
- **[Docker in GitHub](https://github.com/docker)**  

## Windows containers vs Linux containers
## What about Mac containers
## What about Kubernetes

---------

# 2: Docker

- **Docker, Inc. the company**  
- **Docker the technology**

## Docker - The TLDR


- **Software runs on Windows and Linux**  
- **Create, Manage and Orchestrate containers**  
- **Created by a companyn called Docker, Inc. in 1999**


## Docker, Inc.
<img src="./images/1.png" alt="drawing" width="300" align="left"/>

- **Was dotCloud**  
- **Started as PaaS provider**  
- **Build on Linux containers**  
- **In 2013 Became Docker, Inc."**
- **Two Main products:**
    - **Docker Desktop**  
    - **Docker Hub**

## The Docker technology

**Architecture**  
<img src="./images/2.png" alt="drawing" width="900" align="left"/>

**1. The runtime**  
- ``runc``  
    - Reference implementation of Open Containers Initiative (OCI) runtime-spec  
    - Start/Stop containers  
    - Build OS Constructs  
- ``containerd``  
    - Pull images  
    - Create network interfaces  
    - Manage runc  
    - Open source project from CNCF  
    
**2. The daemon (a.k.a engine) ``dockerd``**  
- Expose the Docker remote API  
- Manage images  
- Manage columes  
- Manage netwroks  
- etc.  

**3. The orchestrator**  
- Native support for managing clusters of nodes running Docker
- Clusters of nodes running Docker are called swarm

## The Open Container Initiative (OCI)

- **A governance council responsible for standardizing the low-level fundamental components of container infrastructure** 
- **Image formats. [image-spec](https://github.com/opencontainers/image-spec)**  
- **container runtime. [runtime-spec](https://github.com/opencontainers/runtime-spec)**  

----

# 3: Installing Docker

- **Windows, Mac and Linux**  
- **Local and Cloud**  
- **Manual, Scripted and Wizard-based**

- Docker Desktop:  
    * Windows 10  
    * Mac  
- Server installs:  
    - Linux  
    - Windows Server 2019  
- Play with Docker  

## Docker Desktop

- Single-engine Docker 
- Docker Compose
- Single-node Kubernetes cluster

## Installing Docker on Linux

**[Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)**

```
$ sudo apt-get update
$ sudo apt-get remove docker docker-engine docker.io containerd runc

$ sudo apt-get update
$ sudo apt-get install ca-certificates curl gnupg lsb-release

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null


$ sudo apt-get update --allow-unauthenticated --allow-insecure-repositories
$ sudo apt-get install docker-ce docker-ce-cli containerd.io

$ sudo docker --version
$ sudo docker info
```

**[Play with Docker](https://labs.play-with-docker.com/)**

----

# 4: The Big Picture

## Quick overview on DevOps of the containers

### The Ops perspective

- Download images
- Start containers
- Log in to containers
- Run commands inside containers
- List containers
- etc.

#### Confirm Installation

`$ sudo docker version`

**note: you might need to add your user account to the local docker group rather than using "sudo" always**  
- To check the current local groups:  
    `$ sudo getent group`  
- To check the groups you're currently in:  
    `$ groups`  
- To add a user to the local docker group:  
    `$ sudo usermod -a -G docker <username>`  
    `$ groups`  

#### Images

List all images  
`$ docker image ls`

Pull the `ubuntu:latest` image  
`$ docker image pull ubuntu:latest`

Launch a container from an image  
`$ docker container run -it ubuntu:latest /bin/bash`

Exit a container without terminating it: `Ctrl-PQ`

Attach to a running container  
`$ docker container exec -it <containername> bash`

Stop a running container  
`$ docker container stop <containername>`

Start a stopped container  
`$ docker container start <containername>`  

Delete a stopped container  
`$ docker container rm <containername>`  

### The Dev perspective

Clone a github repo that has a docker file  
`$ git clone https://github.com/nigelpoulton/psweb.git`

Inspect the Dockerfile  
`$ cat Dockerfile`

Create a new image from the Dockerfile in the repo  
Run the following command from inside the repo directory  
`$ docker image build -t test:latest .`

List images after build. You should see 3 images (2 of them related to the newly built Dockerfile)  
`$ docker image ls`

Launch a container from the test image  
``` >
$ docker container run -d \
  --name web1 \
  --publish 8080:8080 \
  test:latest
```

----

# 5: The Docker Engine

## Docker Engine - The TLDR

<img src="./images/5.png" alt="drawing" width="900" align="left"/>

### Docker Engine - The Deep Dive

<img src="./images/6.png" alt="drawing" width="900" align="left"/>

### The influence of the Open Container Initiative (OCI)

#### **`runc`**

- CLI wrapper  
- Only creates containers
- Standalone container runtime tool
- Also called "the OCI layer"
- [`runc` lastest release information](https://github.com/opencontainers/runc/releases)

#### **`containerd`**

- Backgroud process (`$ ps -elf | grep containerd`)
- Manage container lifecycle(`start | stop | pause | rm ...`)
- Image pulls, volumes, networks, etc.
- Initially developed by Docker, Inc. then denoted to CNCF
- [`containerd` latest release information](https://github.com/containerd/containerd/releases)

#### Starting a new container (example)

`$ docker container run --name ctr1 -it alpine:latest sh`

1. Docker client converts it into appropriate API payload  
2. POSTs it into API endpoint exposed by Docker daemon (`/var/run/docker.sock` on Linux)  
3. Daemon calls `containerd`  
4. `containerd` converts the required Docker image into an OCI bundle and uses `runc` to create the container  
5. `runc` interfaces with the OS kernel to pull together all of th constructs necessary as a child-process of `runc`  
6. After the child-process starts `runc` exits  

<img src="./images/7.png" alt="drawing" width="900" align="left"/>

**One huge benefit of this model**  
- Container runtime is decoupled from the Docker daemon: "daemonless containers"  
- You can perform maintenance and upgrades on the Docker daemon without impacting running containers

**What’s this shim all about?**  
- Reduced version of `containerd` that remains running after `runc` exists after creating the container  
- STDIN and STDOUT streams remain open even after the daemon is restarted  
- Reports container status to daemon

- `dockerd` (the Docker daemon)
- `docker-containerd` (containerd)
- `docker-containerd-shim` (shim)
- `docker-runc` (runc)

`$ ps -elf | grep container`

**Securing client and daemon communication**

Locally over IPC sockets:
- `/var/run/docker.sock` on Linux  
- `//./pipe/docker_engine` on Windows

Over the network unsecure HTTP socket call on port `2375/tcp`

<img src="./images/8.png" alt="drawing" width="900" align="left"/>

**TLS can be enforced on both client and daemon**  
1. Configure a CA and certificates 
2. Create a CA  
3. Create and sign keys for the Daemon  
4. Create and sign keys for the Client  
5. Distribute keys  
6. Configure Docker to use TLS  
7. Configure daemon mode  
8. Configure client mode  

**[Protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/)**

<img src="./images/9.png" alt="drawing" width="900" align="left"/>

<img src="./images/10.png" alt="drawing" width="900" align="left"/>

----

# 6: Images

## Docker images - The TLDR

- A unit of packaging that contains everything required for an application to run
- Application code
- Application dependencies
- OS Constructs

- In VM analogy an image is like a template VM (Stopped VM)
- Get an image by "Pulling" it from a registry. By default Docker Hub is used
- Consists of layers stacked on top of each other

## Docker images - The deep dive

- Images are considered _build-time_ constructs where containers are _runtime_ constructs.

<img src="./images/11.png" alt="drawing" width="900" align="left"/>

### Images and containers

To start a container from an image  
- `docker container run`  
- `docker service create`

### Images are usually small

- Images have _just enought operating system_  
- They normally don't include kernel  
- Some images are really small:  
- [Alpine image in Docker Hub](https://hub.docker.com/_/alpine)  
- [Alpine Linux](https://alpinelinux.org/downloads/)

### Pulling images

- Fresh installation of Docker comes with no images  
- The local repo of Docker is in `/var/lib/docker/<storage-driver>`  
- Use `docker image ls` to list all of the current images in the local repo

- Use `$ docker image pull redis:latest` to pull the latest redis image  
- Use `$ docker image pull alpine:latest` to pull the latest alpine linux image

### Image naming

**Image Registries**  
- Images are stored in centralized places called _image registries_.  
- The most common registry is [Docker Hub](https://hub.docker.com)  
- Other 3rd party registries and local registries can also be used.
- Use `$ docker info` to check the current "Registry" option.
- Image registries contain one or more _image repositories_. Each repo can have one or more versions of the image.

<img src="./images/12.png" alt="drawing" width="900" align="left"/>

### Official and unofficial repositories

- **_Official repositories_** are the home to images that have been vetted and curated by Docker, Inc.  
- **_Unofficial repositories_** may not be safe, well-documented or built according to best practices.

- _Official repos_ exist on the top level namespace in docker hub:
    - nginx: https://hub.docker.com/_/nginx/
    - busybox: https://hub.docker.com/_/busybox/
    - redis: https://hub.docker.com/_/redis/
    - mongo: https://hub.docker.com/_/mongo/
- _Unofficial repos_ will have user account name in the url and not in the top level namespace:
    - nigelpoulton/tu-demo — https://hub.docker.com/r/nigelpoulton/tu-demo/
    - nigelpoulton/pluralsight-docker-ci — https://hub.docker.com/r/nigelpoulton/pluralsight-docker-ci/
    - https://hub.docker.com/repository/docker/asami76/web

### Image naming and tagging

**Pulling images from Official repos**

- `$ docker image pull <repository>:<tag>`  
- `$ docker image pull alpine:latest`
- `$ docker image pull mongo:4.2.6`
- `$ docker image pull alpine`

**Pulling images from Unofficial repos**

- `$ docker image pull nigelpoulton/tu-demo:v2`  

**Pulling images from 3rd party registries (not Docker Hub)**

Pulling from `google-containers/git-sync` repo:  
`$ docker image pull gcr.io/google-containers/git-sync:v3.1.5`

### Images with multiple tags

`$ docker image pull -a <imagename>` // will pull all versions of the image from the repo  
`$ docker image prune` // remove all images that are not referenced by any container  
`$ docker image prune -a` //remove all dangling images (images with no tags)

### Searching Docker Hub from the CLI

- Use `docker search`  
- `$ docker search nigelpoulton`
- `$ docker search asami76`

`--filter "is-official=true"`

- `$ docker search alpine --filter "is-official=true"`  
- `$ docker search ubuntu --filter "is-official=true"`

### Images and layers

- A Docker image is a bunch of loosely-connected read-only layers.  
- Each layer is one or more files

<img src="./images/13.png" alt="drawing" width="900" align="left"/>

<img src="./images/15.png" alt="drawing" width="700" align="left"/>

<img src="./images/14.png" alt="drawing" width="900" align="left"/>

Another way to see the layers of an image is to use `docker image inspect <image-name>`

`$ docker image inspect ubuntu:latest`

- All Docker images start with a _base layer_  
- New layers are added on top as new content is added to the image

**Example:**  
Create a Python application on top over ubuntu 20.04 then some source code is added

<img src="./images/16.png" alt="drawing" width="900" align="left"/>

<img src="./images/17.png" alt="drawing" width="900" align="left"/>

<img src="./images/18.png" alt="drawing" width="900" align="left"/>

**Docker uses a _storage driver_ in order to stack and merge all layers and present them as a single image.**  
- `AUFS`, `overlay2`, `devicemapper`, `btrfs` and `zfs` for Linux
- `windowsfilter` for Windows NTFS.

<img src="./images/19.png" alt="drawing" width="900" align="left"/>

### Sharing image layers

Multiple images can, and do, share layers. This leads to efficiencies in space and performance.

`$ docker image pull -a nigelpoulton/tu-demo`

<img src="./images/20.png" alt="drawing" width="600" align="left"/>

### Pulling images by digest

- What happens after you download an image with a tag and then the vendor uploads another image with the same tag?
- Docker 1.10 introduced a content addressable storage model.
-  As part of this model, all images get a _cryptographic content hash_.
- This has is referred to as the _digest_.
- Every time you pull an image, the `docker image pull` command includes the image’s digest as part of the information returned

- `$ docker image pull alpine`
- `$ docker image ls --digests alpine`

- You can use the digest of the image when pulling it to ensure that we get **exactly the image we expect**

### A little bit more about image hashes (digests)

- The _image_ itself is a configuration file that lists the layers and some metadata.
- The _layers_ are where the data lives (files, codes, etc.).
- Each layer is independent.
- Each image is identified by a crypto ID which is a hash of the config file.
- Each layer is identified by a crypto ID which is a has of the contents (also called _content hashes_).

- If and image or a layer is changed the hash changes.
- When pushing or pulling an image docker compresses the image to save network bandwidth - But this changes the hashes.
- That's why each layer also has a **_distribution hash_** which is the hash of the image after compression.

### Multi-architecture images

- Windows and Linux, on variations of ARM, ARM 64, IBM Z, IBM POWER, x64, PowerPC, and s390x.
- A single image tag supporting multiple platforms and architectures.
- To make this happen, the Registry API supports two important constructs:
    - **`manifest lists`**
    - **`manifests`**

<img src="./images/21.png" alt="drawing" width="800" align="left"/>

1. When pulling the image the Docker client makes a call to the Docker Registry API exposed by Docker Hub.
2. Docker Registry API inspect the platform/Arch of the calling docker client.  
3. If a **manifest list** exists for the image it will be parsed to see if there's a **manifest** for the calling client.
4. If a **manifest** exists the API will retrieve the layers in it.

**All official images have manifest lists.**

`$ docker manifest inspect golang` // inspects manifest file on Docker Hub

To build an image for Linux/ARM:  
`$ docker buildx build --platform linux/arm/v7 -t myimage:arm-v7`

To create your own manifest lists:  
`docker manifest create`

### Deleting Images

`$ docker image rm <imagename or id>..<imagename or id>`

Delete all images:  
`$ docker image rm $(docker image ls -q) -f`

`$ docker image ls -q` // returns a list containing just the image IDs of all images pulled locally on the system

## Images - The commands

- `docker image pull` is the command to download images.  
- `docker image ls` lists all of the images stored in your Docker host’s local image cache.  
- `docker image inspect` all of the details of an image — layer data and metadata.  
- `docker manifest inspect` allows you to inspect the manifest list of any image stored on Docker Hub.  
- `docker buildx` is a Docker CLI plugin that extends the Docker CLI to support multi-arch builds.  
- `docker image rm` is the command to delete images.

----

# 7: Containers

**[Open Container Initiative (OCI)](https://www.opencontainers.org)**

## Docker containers - The TLDR

- A container is the runtime instance of an image.
- Instead of running a full-blown OS like a VM, containers share the OS/kernel with the host they’re running on.
- A single Docker image can be used to start multiple Docker containers.

<img src="./images/22.png" alt="drawing" width="800" align="left"/>

- `docker container run <image> <app>`
- `$ docker container run -it ubuntu /bin/bash`
- `$ docker container run -it alpine:latest sleep 10`

To stop the container:  
`docker container stop`

To start the container:  
`docker container start`

To delete a container forever:  
`docker container rm`

## Docker containers - The deep dive

### Containers vs VMs

**VMs Architecture**

<img src="./images/23.png" alt="drawing" width="800" align="left"/>

**Containers Architecture**

<img src="./images/24.png" alt="drawing" width="800" align="left"/>

- Hypervisors perform **hardware virtualization** — they carve up physical hardware resources into virtual versions called VMs.
- Containers perform **OS virtualization** — they carve OS resources into virtual versions called containers.

### The VM tax

- Less resources
- Less licenses
- Faster
- Single kerner, single surface of attack

### Running containers

- Docker Desktop on Mac or Windows
- docker.io on Linux

### Checking that Docker is running

`$ sudo docker version`

To check the current local groups:  
`$ sudo getent group`  
To check the groups you're currently in:  
`$ groups`  
To add a user to the local docker group:  
`$ sudo usermod -a -G docker <username>`  
`$ groups`

Check service status:  
`$ service docker status`  
`$ systemctl is-active docker`

### Starting a simple container

`$ docker container run -it ubuntu:latest`  
1. Docker client POSTs the request to Docker API on local socket `/var/run/docker.sock`  
2. Docker daemon checks the local repo for the `ubuntu:latest` image, if it's not their it will check Docker Hub.
3. After obtaining the image it instructs `containerd` and 'runc' to create and run the container.

- `-i` run container in interactive mode keeping STDIN stream open  
- `-t` Allocate a pseudo-TTY  
- `/bin/bash` this makes Bash shell **one and only process running inside of the container**. Run `ps -elf` to validate.
- `root@50949b614477:/#` container pseudo terminal

### Container processes

- `/bin/bash` is the only process running in the container, hence if you run `exit` it will exit and terminate the container.
- If you run `Ctrl-PQ` it will exist the container without terminating it.
- **killing the main process in the container will kill the container**

### Container lifecycle

**Change the name of the running container**  
`$ docker container run --name sawsan -it ubuntu:latest /bin/bash`

**Write data to container**  
`# cd tmp`   
`# echo "Jan 25th, the day Egypt stood still" > newfile`  
`# ls -l`  
`# cat newfile`

**Stop containers**  
`docker container stop <container-id or container-name>`

**Start containers**  
`docker container start <container-name>`

**Start containers in detached mode (run it in the background)**  
`docker container run -d <container-name>`

**Connect to running container**  
`docker container exec -it <container-name> bash`

**Try to access the text file created (newfile) after restarting and reconnecting to the container**

**Notes**  
1. The data created in this example is stored on the Docker hosts local filesystem. If the Docker host fails, the data will be lost.  
2. Containers are designed to be immutable objects and it’s not a good practice to write data to them

**Kill a running container**  
- In one step:
    - `docker container rm -f <container-name>`
- In two steps:
    - `docker container stop <container-name>`
    - `docker container rm <container-name>`

### Stopping containers gracefully

- `docker container stop` sends a **SIGTERM** signal to PID(1)
- If the process doesn't exit in 10 sec it sends a **SIGKILL** signal  

### Self-healing containers with restart policies

Restart policies are applied per-container, and can be configured imperatively on the command line as part of `docker container run` commands, or declaratively in YAML files for use with higher-level tools

**`always`**  
container will always restart if the main process is killed from inside the container but won't restart if you manually stopped it. Will restart if the Docker daemon restarts.  
**`unless-stopped`**  
container will always restart if the main process is killed from inside the container but won't restart if you manually stopped it. However will NOT restart if the Docker daemon restarts.  
**`on-failue`**  
container will always restart if the main process exits with non-zero code (i.e. with error) but won't restart if you manually stopped it. However will restart if the Docker daemon restarts.  


`docker container run --name <container-name> --restart always <image-name> <process>`

1. `$ docker container run --name neversaydie -it --restart always alpine sh`
2. `# exit`
3. `$ docker container ls`
4. `$ docker container inspect neversaydie`

check the `RestartCount` item in the inspection json.

### Web server example

1. `$ docker container run -d --name webserver -p 80:80 nginx:latest`
2. open browser http://localhost:80
3. stop the container 
4. open browser again and refresh
5. start the container
6. open browser again and refresh

### SQL Example

**[Docker Hub - Microsoft SQL Server Repo](https://hub.docker.com/_/microsoft-mssql-server)**

`$ docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=P@ssw0rd" -e "MSSQL_PID=Express" -p 1433:1433 -d mcr.microsoft.com/mssql/server:2019-latest`

### Inspecting containers

- When building a Docker image, you can embed an instruction that lists the default app for any containers that use the image. You can see this for any image by running a `docker image inspect`  
- `Cmd` show the command/app that the container will run unless you override it with a different one when you launch the container with `docker container run`
- sometimes the default app is listed as `Entrypoint` instead of `Cmd`

### Tidying up

Delete all containers by force  
`$ docker container rm $(docker container ls -aq) -f`  
Delete all images by force  
`$ docker image rm $(docker image ls -q) -f`

## Containers - The commands

- `docker container run`  // start new containers.
- `docker container run -it ubuntu /bin/bash`
- `Ctrl-PQ`  // will detach your shell from the terminal of a container and leave the container running (UP) in the background.
- `docker container ls`  // lists all containers in the running (UP). Add -a flag to list (Existed) containers.
- `docker container exec`  // runs a new process inside of a running container.
- `docker container stop`  // stop a running container and put it in the Exited (0) state.
- `docker container start`  // will restart a stopped (Exited) container.
- `docker container rm`  // delete a stopped container.
- `docker container stop`  // stops a running (UP) container .
- `docker container inspect`  // will show you detailed configuration and runtime information about a container.

----

# 8: Containerizing an App

The process of taking an application and configuring it to run as a container is called “containerizing".

## Containerizing an app - The TLDR

The process of containerizing an app looks like this:

1. Start with your application code and dependencies
2. Create a _Dockerfile_ that describes your app, its dependencies, and how to run it
3. Feed the _Dockerfile_ into the `docker image build` command
4. Push the new image to a registry (optional)
5. Run container from the image

<img src="./images/25.png" alt="drawing" width="800" align="left"/>

## Containerizing an app - The deep dive

### Containerize a single-container app

- Clone the repo to get the app code
- Inspect the Dockerfile
- Containerize the app
- Run the app
- Test the app
- Look a bit closer
- Move to production with Multi-stage Builds
- A few best practices

#### Getting the application code

`$ git clone https://github.com/nigelpoulton/psweb.git`

#### Inspecting the Dockerfile

1. All Dockerfiles start with the `FROM` instruction. This will be the base layer of the image, and the rest of the app will be added on top as additional layers.

<img src="./images/26.png" alt="drawing" width="800" align="left"/>

2. Next, the Dockerfile creates a `LABEL` that specifies “nigelpoulton@hotmail.com” as the maintainer of the image

3. The `RUN apk add --update nodejs nodejs-npm` instruction uses the Alpine `apk` package manager to install `nodejs` and `nodejs-npm` into the image.

<img src="./images/27.png" alt="drawing" width="800" align="left"/>

4. The `COPY . /src` instruction creates another new layer and copies in the application and dependency files from the _build context_.

<img src="./images/28.png" alt="drawing" width="800" align="left"/>

5. Next, the Dockerfile uses the `WORKDIR` instruction to set the working directory inside the image filesystem for the rest of the instructions in the file

6. Then the `RUN npm install` instruction creates a new layer and uses `npm` to install application dependencies listed in the `package.json` file in the build context.

<img src="./images/29.png" alt="drawing" width="800" align="left"/>

7. The application exposes a web service on TCP port 8080, so the Dockerfile documents this with the `EXPOSE 8080` instruction.

8. Finally, the `ENTRYPOINT` instruction is used to set the main application that the image (container) should run. This is also added as metadata and not an image layer.

#### Containerize the app/build the image

`$ docker image build -t web:latest .`

`$ docker images`

`$ docker image inspect web:latest`

#### Pushing images

First login to the Docker Hub registry:  
`docker login`

Docker needs the following information when pushing an image:
- `Registry`
- `Repository`
- `Tag`

The `tag` should include the `repository` name (your user account on Docker Hub):  
`$ docker image tag <current-tag> <repository-name>/<new-tag>`  
`$ docker image tag web:latest asami76/newweb:latest`

`$ docker image push asami76/newweb:latest`

<img src="./images/30.png" alt="drawing" width="800" align="left"/>

You can also create multiple image tags and push them to the same repo:  

`$ docker image tag web:latest asami76/newweb:v2`

Check the following URL to find all of the tags in the `newweb` repo  
**[asami76/newweb](https://hub.docker.com/repository/docker/asami76/newweb)**

#### Run the app

Remove all images from the local repo.

Run the following command to create a container named c1 based on the image we just pushed:  
 `$ docker container run -d --name c1 -p 80:8080 asami76/newweb:latest`

#### Test the app

Open the browser in the Docker Host on URL http://localhost:80

#### Looking a bit closer

The `docker image build` command parses the Dockerfile one-line-at-a-time starting from the top.

Comment lines start with the `#` character.

**Instructions** and take the format `INSTRUCTION argument`.

View the instructions that were used to build the image with the `docker image history` command.

- Each line corresponds to an instruction in the Dockerfile (starting from the bottom and working up).  
- The CREATED BY column even lists the exact Dockerfile instruction that was executed.  
- Only 4 of the lines displayed in the output create new layers (the ones with non-zero values in the SIZE column).

The `docker image build` executes in the following order:  
`spin up a temporary container` > `run the Dockerfile instruction inside of that container` > `save the results as a new image layer` > `remove the temporary container`

**[Dockerfile Instructions Cheatsheet](https://medium.com/@oap.py/dockerfile-cheat-sheet-4ad12569aa0b)**

### Moving to production with Multi-stage Builds

Multi-stage builds have a single Dockerfile containing multiple FROM instructions. Each FROM instruction is a new **build stage** that can easily COPY artefacts from previous **stages**.

### A few best practices

#### Leverage the build cache

Artefacts from the first build, such as layers, are cached and leveraged by later builds.

During the `docker image build` and for each instruction in the Dockerfile, Docker looks to see if it already has an image layer for that instruction in its cache. If it does, this is a _cache hit_ and it uses that layer. If it doesn’t, this is a _cache miss_ and it builds a new layer from the instruction.

#### Squash the image

Squashing an image means that after building the image all layers will be merged(squashed) into a single layer.

Add the `--squash` flag to the `docker image build` command if you want to create a squashed image.

<img src="./images/31.png" alt="drawing" width="800" align="left"/>

#### Use no-install-recommends

- `no-install-recommends` flag with the `apt-get` install command.
- This makes sure that apt only installs main dependencies (packages in the Depends field) and not recommended or suggested packages.

## Containerizing an app - The commands

- `docker image build` // the command that reads a Dockerfile and containerizes an application
- Dockerfile instructions:
    - `FROM`  // specifies the base image for the new image you will build. It is usually the first instruction in a Dockerfile
    - `RUN`  // run commands inside the image. Each RUN instruction creates a single new layer.
    - `COPY`  // adds files into the image as a new layer. It is common to use the COPY instruction to copy your application code into an image.
    - `EXPOSE`  // documents the network port that the application uses.
    - `ENTRYPOINT`  // sets the default application to run when the image is started as a container.
    - Other Dockerfile instructions include LABEL, ENV, ONBUILD, HEALTHCHECK, CMD and more…

----

# 9: Deploying Apps with Docker Compose

## Deploying apps with Compose - The TLDR

“microservices”. A simple example might be an app with the following seven services:

- Web front-end
- Ordering
- Catalog
- Back-end database
- Logging
- Authentication
- Authorization

**Docker Compose** lets you describe an entire app in a single declarative configuration file, and deploy it with a single command

## Deploying apps with Compose - The Deep Dive

### Compose background

- Fig was a powerful Python tool, created by a company called Orchard, let you define entire multi-container apps in a single YAML file.
- Docker, Inc. acquired Orchard and re-branded Fig as Docker Compose.
- In April 2020 announced open standard for defining multi-container cloud-native apps.

**[Compse Specficiation](https://github.com/compose-spec/compose-spec)**

### Installing Compose

Windows and Mac: Part of Docker Desktop

#### Installing Compose on Linux

1. Download the binary using the curl command.
2. Make it executable using chmod

**[docker-compose repo in GitHub](https://github.com/docker/compose/releases)**

`$ sudo curl -L \
https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-linux-x86_64 \
-o /usr/local/bin/docker-compose`

`$ sudo chmod +x /usr/local/bin/docker-compose`

`$ docker-compose --version`

### Compose files

- Compose uses YAML files to define multi-service applications. 
- YAML is a subset of JSON, so you can also use JSON. 
- The default name for a Compose YAML file is `docker-compose.yml`.

Four top-level keys:
- `version`
- `services`
- `networks`
- `volumes`

### Deploying an app with Compose

`$ git clone https://github.com/nigelpoulton/counter-app.git`

Inspect the files

Build the App:  
`$ docker-compose up &`

The multi-container app defined in a Compose file is called a _Compose app_.

`docker-compose up` expects the name of the Compose file to `docker-compose.yml`.

Or use the `-f` flag to specify a different compose file name:  
`$ docker-compose -f prod-equus-bass.yml up`

We can see that three images were either built or pulled as part of the deployment.

Run the container in a browser

### Managing an app with Compose

start, stop, delete, and get the status of applications being managed by Docker Compose

To stop and remove all containers in an App  
`$ docker-compose down`

`counter-net` network removed  
`counter-vol` volume NOT rmeoved (persistent)

To start the App in the background `-d`  
`$ docker-compose up -d`

To list the processes running inside of each service (container)  
`$ docker-compose top`

To stop the app without deleting its resources  
`$ docker-compose stop`

To delete a stopped Compose app  
`$ docker-compose rm`

To Restart the app  
`$ docker-compose restart`

## Deploying apps with Compose - The commands

- `docker-compose up`  // deploy a Compose app.
- `docker-compose stop`  // stop all of the containers in a Compose app without deleting them from the system.
- `docker-compose rm`  // delete a stopped Compose app.
- `docker-compose restart`  // restart a Compose app that has been stopped with docker-compose stop.
- `docker-compose ps`  // list each container in the Compose app.
- `docker-compose down`  // stop and delete a running Compose app. It deletes containers and networks, but not volumes and images.

----

# 10: Docker Swarm

----

# 11: Docker Networking

## Docker Networking - The TLDR

- container-to-container
- continer to other network
- container to VLAN

- Docker networking is based on open-source Container Network Model (CNM).
- `libnetwork` is Docker's implementation of CNM.
    - single-host bridge networks
    - multi-host overlays
    - plugins for existing VLANs
    - native service discovery
    - basic container load balancing

## Docker Networking - The Deep Dive

### The theory

Docker networking components:
- The Container Network Model (CNM)
- libnetwork
- Drivers

<img src="./images/32.png" alt="drawing" width="800" align="left"/>

### The Container Network Model (CNM)

**[CNM Design Specifications on GitHub](https://github.com/docker/libnetwork/blob/master/docs/design.md)**

CNM Building Blocks:
- **Sandboxes**: an isolated network stack. It includes; Ethernet interfaces, ports, routing tables, and DNS config.
- **Endpoints**: virtual network interfaces responsible for making sandboxes connect to networks.
- **Networks**: software implementation of an switch (802.1d bridge)

<img src="./images/33.png" alt="drawing" width="800" align="left"/>

<img src="./images/34.png" alt="drawing" width="800" align="left"/>

<img src="./images/35.png" alt="drawing" width="800" align="left"/>

## `libnetwork`

### Drivers

`libnetwork` implements the control plane and management plane functions and drivers implement the data plane.

<img src="./images/36.png" alt="drawing" width="800" align="left"/>

- Linux drivers: `bridge`, `overlay`, and `macvlan`.  
- Windows drivers: `nat`, `overlay`, `transparent`, and `l2bridge`.
- 3rd parties can also write _remote drivers_ or plugins.
- The driver is responsible for creating, managing and deletings network resources.

### Single-host bridge networks

- **Single-host**: only exists on a single Docker host and can only connect containers that are on the same host.
- **Bridge**: implementation of an 802.1d bridge (layer 2 switch).

- Linux: created by `bridge` driver.
- Windows: created by `nat` driver.

<img src="./images/37.png" alt="drawing" width="800" align="left"/>

All new containers will be connected to this default network unless `--network` flag is used.

To list all current networks:  
`$ docker network ls`

To inspect network driver:  
`$ docker network inspect`

The default “bridge” network, on all Linux-based Docker hosts, maps to an underlying _Linux bridge_ in the kernel called **“docker0”**  
`$ ip link show`

<img src="./images/39.png" alt="drawing" width="800" align="left"/>

To create a new single-host bridge network called "localnet":  
`$ docker network create -d bridge localnet`

Check it by:  
`$ ip link show`

<img src="./images/40.png" alt="drawing" width="900" align="left"/>

Create a container and attach it to the new localnet bridge network:  
`$ docker container run -d --name c1 --network localnet alpine sleep 1d`

<img src="./images/41.png" alt="drawing" width="900" align="left"/>

**Beware:** _The default `bridge` network on Linux does not support name resolution via the Docker DNS service. All other user-defined bridge networks do. The following demo will work because the container is on the user-defined `localnet` network._

Create a new container called "c2":  
`$ docker container run -it --name c2 --network localnet alpine sh`

`# ping c1`

Local DNS resolver forwards requests to an internal Docker DNS server that maintains name mapping for containers started with `--name` or `--net-alias` flags.

### Port Mapping

Containers connected to bridge networks cannot communicate outside it except in the case of _Port Mapping_

<img src="./images/42.png" alt="drawing" width="900" align="left"/>

`$ docker container run -d --name web --network localnet --publish 5000:80 nginx`

To verify port mapping:  
`docker port <container-name>`  
`$ docker port web`

### Connecting to existing networks

A common example is a partially containerized app

The built-in `MACVLAN` driver (`transparent` on Windows) was created with this in mind.

<img src="./images/43.png" alt="drawing" width="900" align="left"/>

on the negative side, it requires the host NIC to be in **promiscuous mode**

<img src="./images/44.png" alt="drawing" width="900" align="left"/>

``$ docker network create -d macvlan \
  --subnet=10.0.0.0/24 \
  --ip-range=10.0.0.0/25 \
  --gateway=10.0.0.1 \
  -o parent=eth0.100 \
  macvlan100``

<img src="./images/45.png" alt="drawing" width="900" align="left"/>

Create a container with the macvlan100 network:  
`$ docker container ran -d --name mactainer1 --network macvlan100 alpine sleep 1d`

<img src="./images/46.png" alt="drawing" width="900" align="left"/>

<img src="./images/47.png" alt="drawing" width="900" align="left"/>

### Service discovery

_Service discovery_ allows all containers and Swarm services to locate each other by name.

<img src="./images/48.png" alt="drawing" width="900" align="left"/>

_service discovery_ is network-scoped. This means that name resolution only works for containers and Services on the same network

`--dns` flag specifies external DNS server.  
`--dns-search` specifies custom search domain suffix  

`$ docker container run -it --name c1 \
  --dns=8.8.8.8 \
  --dns-search=nigelpoulton.com \
  alpine sh`

### Ingress load balancing

Swarm support:  
- Ingress mode (default)
- Host mode

<img src="./images/49.png" alt="drawing" width="800" align="left"/>

## Docker Networking - The Commands

- `docker network ls`  // Lists all networks on the local Docker host.
- `docker network create`  // Creates new Docker networks.
- `docker network inspect`  // Provides detailed configuration information about a Docker network.
- `docker network prune`  // Deletes all unused networks on a Docker host.
- `docker network rm`  // Deletes specific networks on a Docker host.

----

# 12: Docker overlay networking

----

# 13: Volumes and persistent data

## Volumes and persistent data - The TLDR

two main categories of data — persistent and non-persistent.

### Volumes and persistent data - The Deep Dive

#### Containers and non-persistent data

- Containers are designed to be immutable
- many applications require a read-write filesystem in order to simply run – they won’t even run on a read-only filesystem.
- Every Docker container is created by adding a thin read-write layer on top of the read-only image it’s based on
- The writeable layer is called many names: _local storage_, _ephemeral storage_, and _graphdriver storage_.
- It’s typically located on the Docker host in these locations:
    - Linux Docker hosts: `/var/lib/docker/<storage-driver>/...`
    - Windows Docker hosts: `C:\ProgramData\Docker\windowsfilter\...`
- it gets created when the container is created and it gets deleted when the container is deleted
- Managed on Docker host using a storage driver (Ubuntu: `overlay2` or `aufs`. `overlay2` is recommended)

<img src="./images/50.png" alt="drawing" width="800" align="left"/>

#### Containers and persistent data

- _Volumes_ are the recommended way to persist data in containers.
    - Volumes are independent objects that are not tied to the lifecycle of a container
    - Volumes can be mapped to specialized external storage systems
    - Volumes enable multiple containers on different Docker hosts to access and share the same data

1. Create a volume
2. Create a container 
3. Mount the volume into it 
4. The volume is mounted into a directory in the container’s filesystem
5. Anyhing written to that directory is stored in the volume
6. If you delete the container, the volume and its data will still exist.

<img src="./images/51.png" alt="drawing" width="800" align="left"/>

### Creating and managing Docker volumes

To create a volume using `local` driver:  
`$ docker volume create myvol`

Third-party volume drivers are available as plugins (Cloud, SAN, NAS, etc.)

<img src="./images/52.png" alt="drawing" width="800" align="left"/>

To Inspect a volume:  
`$ docker volume inspect myvol`

Two ways to delete a Docker volume:  
- Remove all volumes not used by any container: `$ docker volume prune`
- Choose which volume to remove: `$ docker volume rm <volume-name>`

#### Volumes in Dockerfiles

- it’s also possible to deploy volumes via Dockerfiles using the VOLUME instruction
- The format is `VOLUME <container-mount-point>`
- you cannot specify a directory on the host when defining a volume in a Dockerfile

#### Demonstrating volumes with containers and services

- `$ docker container run -dit --name voltainer --mount source=bizvol,target=/vol alpine`
- `$ docker volume ls`
- `$ docker volume rm bizvol`    /// error

Write something to volume:  
- `$ docker container exec -it voltainer sh`
    - `# echo "I Think Therefore I Am" > /vol/file1`
    - `# cat /vol/file1`
    - `# exit`
- `$ docker container rm voltainer -f`
- `$ docker volume ls`
- `$ ls -l /var/lib/docker/volumes/bizvol/_data/`

Create another container and attach it to the previous volume:  
- `$ docker run --name hellcat --mount source=bizvol,target=/vol alpine sleep 1d`

### Sharing storage across cluster nodes

<img src="./images/53.png" alt="drawing" width="800" align="left"/>

Docker Hub is the best place to find volume plugins

## Volumes and persistent data - The Commands

- `docker volume create`  /// create new volumes.
- `docker volume ls`  /// list all volumes on the local Docker host.
- `docker volume inspect`  /// shows detailed volume information.
- `docker volume prune`  /// delete all volumes that are not in use by a container or service replica. Use with caution!
- `docker volume rm`   /// deletes specific volumes that are not in use.
- `docker plugin install`  /// install new volume plugins from Docker Hub.
- `docker plugin ls`  /// lists all plugins installed on a Docker host.

----

# 14: Deploying apps with Docker Stacks

----

# 15: Security in Docker

# USED IMAGES

Microsoft Official Repo  
https://hub.docker.com/publishers/microsoftowner