# Image Creation, Management, and Registry

#### Describe Dockerfile options [add, copy, volumes, expose, entrypoint, etc)

In [10]:
%%bash

touch dockerfile

#### Show the main parts of a Dockerfile

A dockerfile can build images automatically using the instructions within the file. 

The main parts of a dockerfile are the following 


FROM - initialises a new build stage and sets the base image for subsequent instructions 

RUN - execute any commands in a new layer on top of the current image and commit the results 

CMD - There can only be 1 CMD instruction, only the last CMD will take effect if there is multiple. 

LABEL - Adds metadata to an image, it is a key-value pair. 

EXPOSE - Informs docker that the container listens on the specified network ports at runtime. 

ENV - This sets the environment variable and works as key-value. 

ADD - Copies new files, directories or remote URLs from <src> and adds to the filesystem of the image

COPY - ADD and COPY have similarities and need to be taken into context what is being done. 

ENTRYPOINT - Allows you to configure a container that will run as an executable 

VOLUME - The volume creates a mount point with the specified name and makes it as externally mounted volumes 

USER - This instruction sets the user name (UID) and user group (GID) to use when running the image for RUN, CMD, ENTRYPOINT

WORKDIR - Instruction sets the working directory 

ARG - Defines a variable that users can pass at build-time to the builder with the docker build command

ONBUILD - Adds a trigger instruction to be executed at a later time, when the image is used as the base for another build. 

STOPSIGNAL - Sets the system call signal that will be sent to the container to exit. 

HEALTHCHECK - How to test a container to check that it is still working. 

SHELL - Allows the default shell used to be overwritten. 


FROM <image> 
ARG <variable_name=value>
RUN <command>
CMD <command> 
LABEL <metadata, key/value pair>
MAINTAINER <name of maintainer>
EXPOSE  

#### Give examples on how to create an efficient image via a Dockerfile

- Create ephemeral containers 
- If you specify the -f flag, regardless of where the file lives, all recursive contents of files are sent to docker daemon
- Use .dockerignore 
- Use multi-stage builds, reduce size of final image without struggling to reduce the number of layers and files 
- Don't install unnecessary packages 
- Decouple applications 
- Minimise the number of layers, you can do multi-stage builds and only copy the artifacts you need into final image. 
- Sort multi-line arguements, help avoid duplication of packages and make the list easier to update 
- Leverage build cache
- Alpine image is recommended as it is tightly controlled and small in size 
- Use labels to your image to help organise images by project, record licensing infomrmation, aid automation. 
- Split long or complex 
- Avoid Apt-Get 
- CMD should be used to run software contained by your image 
- EXPOSE and you should use the common, traditional ports
- COPY is preferred than ADD, it is more transparent. 
- ENTRYPOINT is used to set the image's main command i.e. s3cmd then CMD for --help 
- VOLUME should be used for any mutable and/or user-serviceable parts of your image. 
- USER to change to a non-root user 
- WORKDIR use absolute paths
- ONBUILD, instruction parent dockerfile gives the child dockerfile 

- Example - https://github.com/docker-library/golang/blob/ad773d11d0bdf21d1f4bc4adf7ea580e71f49d10/1.12-rc/stretch/Dockerfile 

#### Use CLI commands such as list, delete, prune, rmi, etc to manage images

In [13]:
%%bash 
docker build -t centos . 

Sending build context to Docker daemon  9.821MB
Step 1/1 : FROM centos
 ---> 1e1148e4cc2c
Successfully built 1e1148e4cc2c
Successfully tagged centos:latest


In [16]:
%%bash 

docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              1e1148e4cc2c        6 weeks ago         202MB


#### Inspect images and report specific attributes using filter and format

In [19]:
%%bash
docker inspect centos 

[
    {
        "Id": "sha256:1e1148e4cc2c148c6890a18e3b2d2dde41a6745ceb4e5fe94a923d811bf82ddb",
        "RepoTags": [
            "centos:latest"
        ],
        "RepoDigests": [
            "centos@sha256:184e5f35598e333bfa7de10d8fb1cebb5ee4df5bc0f970bf2b1e7c7345136426"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2018-12-06T00:21:07.135655444Z",
        "Container": "1fdbb0fcc184eb795364f7aa5fdc00299d0a2b90d8e26b4696217c22da7f983f",
        "ContainerConfig": {
            "Hostname": "1fdbb0fcc184",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(

In [24]:
%%bash
docker inspect centos --format "{{.Architecture}}"

amd64


In [25]:
%%bash
docker inspect centos --format="{{json .Config}}" | python -m json.tool

{
    "ArgsEscaped": true,
    "AttachStderr": false,
    "AttachStdin": false,
    "AttachStdout": false,
    "Cmd": [
        "/bin/bash"
    ],
    "Domainname": "",
    "Entrypoint": null,
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Hostname": "",
    "Image": "sha256:b3a68d99a4a4195c6c97c2345b83cb2d6cfd1661247816ac403cf0b584437ad7",
    "Labels": {
        "org.label-schema.build-date": "20181205",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS"
    },
    "OnBuild": null,
    "OpenStdin": false,
    "StdinOnce": false,
    "Tty": false,
    "User": "",
    "Volumes": null,
    "WorkingDir": ""
}


#### Demonstrate tagging an image

In [4]:
%%bash 
docker tag ef1d httpd:adnan

In [7]:
%%bash 
docker images | grep ef1d

httpd               adnan               ef1dc54703e2        3 weeks ago         132MB


#### Utilize a registry to store an image

In [8]:
%%bash
docker tag centos localregistry:5000/centos 

#### Display layers of a Docker image

In [3]:
%%bash
docker history centos

IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
1e1148e4cc2c        6 weeks ago         /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B                  
<missing>           6 weeks ago         /bin/sh -c #(nop)  LABEL org.label-schema.sc…   0B                  
<missing>           6 weeks ago         /bin/sh -c #(nop) ADD file:6f877549795f4798a…   202MB               


#### Apply a file to create a Docker image

Applying the dockerfile to create a docker image 

In [23]:
%%bash
docker build -t testimage . 

Sending build context to Docker daemon  209.7MB
Step 1/3 : FROM python:3.4-alpine
3.4-alpine: Pulling from library/python
cd784148e348: Already exists
a5ca736b15eb: Already exists
920c43fa197c: Already exists
50047dbf0d94: Already exists
a10aaf904d5e: Pulling fs layer
a10aaf904d5e: Verifying Checksum
a10aaf904d5e: Download complete
a10aaf904d5e: Pull complete
Digest: sha256:1246fd45a53ad162cb23268b631212406661402fcc025725e042a2e6b5905f42
Status: Downloaded newer image for python:3.4-alpine
 ---> 7034971a4a59
Step 2/3 : ADD . app.py
 ---> 5f09289a6b62
Step 3/3 : CMD ["python", "app.py"]
 ---> Running in 318812889f75
Removing intermediate container 318812889f75
 ---> 3c7f9ea8ee19
Successfully built 3c7f9ea8ee19
Successfully tagged testimage:latest


#### Modify an image to a single layer

In [13]:
%%bash 
docker ps -a | grep nostalgic

fa5f79b4bf52        centos              "--network dbe"          2 days ago          Created                                              nostalgic_murdock


In [15]:
%%bash 
docker export nostalgic_murdock >> adnanbuild.tar

In [16]:
%%bash 
docker import adnanbuild.tar adnanbuild:import

sha256:fb3a9dd75fb037db37521f17a4be4e867ea7cde8ededee3b65662ee96a48e785


In [17]:
%%bash 
docker images | grep adnanbuild

adnanbuild                  import              fb3a9dd75fb0        20 seconds ago      202MB


In [18]:
%%bash
docker image history adnanbuild:import

IMAGE               CREATED             CREATED BY          SIZE                COMMENT
fb3a9dd75fb0        38 seconds ago                          202MB               Imported from -


#### Describe how image layers work

In [22]:
%%bash 
docker image history registry

IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
116995fd6624        7 days ago          /bin/sh -c #(nop)  CMD ["/etc/docker/registr…   0B                  
<missing>           7 days ago          /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.…   0B                  
<missing>           7 days ago          /bin/sh -c #(nop) COPY file:507caa54f88c1f38…   155B                
<missing>           7 days ago          /bin/sh -c #(nop)  EXPOSE 5000                  0B                  
<missing>           7 days ago          /bin/sh -c #(nop)  VOLUME [/var/lib/registry]   0B                  
<missing>           7 days ago          /bin/sh -c #(nop) COPY file:4544cc1555469403…   295B                
<missing>           7 days ago          /bin/sh -c #(nop) COPY file:21256ff7df5369f7…   20.1MB              
<missing>           3 weeks ago         /bin/sh -c set -ex     && apk add --no-cache…   1.29MB              
<missing>   

Where it says missing, its not really missing, however the history of the image ID is not part of the build. It is not carried forward when you install an image from a remote repository. 

Docker users a union file system, which allows overlaying to form a single filesystem. 

You can also see the size of each of the layers

#### Deploy and configure a  registry

Prepare for secure registry

In [28]:
%%bash
mkdir certs
mkdir auth
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/dockerrepo.key -x509 -days 365 -out certs/dockerrepo.crt -subj /CN=myregistrydomain.com

Generating a 4096 bit RSA private key
......................................................................................................................++
............................................++
writing new private key to 'certs/dockerrepo.key'
-----


In [31]:
%%bash 
sudo mkdir -p /etc/docker/certs.d/myregistrydomain.com:5000 

In [35]:
%%bash 
cd /etc/docker/certs.d/myregistrydomain.com\:5000/
sudo cp /home/centos/DCA/certs/dockerrepo.crt ca.crt 

In [37]:
%%bash 
docker pull registry:2

2: Pulling from library/registry
Digest: sha256:a54bc9be148764891c44676ce8c44f1e53514c43b1bfbab87b896f4b9f0b5d99
Status: Image is up to date for registry:2


In [38]:
%%bash 
docker run --entrypoint htpasswd registry:2 -Bbn test password > auth/htpasswd 

In [39]:
%%bash 
cat auth/htpasswd

test:$2y$05$g8RcUZ/yR0LVlzSxAbGBMe57tYQG2wpVqhm8OvRGdX0v2FkeK9H8a



Launch Registry

In [69]:
%%bash 
docker run -d -p 5000:5000 -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key -v `pwd`/auth:/auth -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2

219895035b09189f0e1f9d055feafd9bf0bc20f509928f2ebc531e10ce895254


In [48]:
%%bash
docker pull busybox:latest

latest: Pulling from library/busybox
57c14dd66db0: Pulling fs layer
57c14dd66db0: Download complete
57c14dd66db0: Pull complete
Digest: sha256:7964ad52e396a6e045c39b5a44438424ac52e12e4d5a25d94895f2058cb863a0
Status: Downloaded newer image for busybox:latest


Tag image 

In [70]:
%%bash 
docker tag busybox myregistrydomain.com:5000/my-busybox

#### Log into a registry

In [47]:
%%bash
docker login myregistrydomain.com:5000/my-busybox 

Authenticating with existing credentials...
Login Succeeded


https://docs.docker.com/engine/reference/commandline/login/#credentials-store



#### Push an image to a registry

In [71]:
%%bash 
docker push myregistrydomain.com:5000/my-busybox

The push refers to repository [myregistrydomain.com:5000/my-busybox]
683f499823be: Preparing
683f499823be: Pushed
latest: digest: sha256:bbb143159af9eabdf45511fd5aab4fd2475d4c0e7fd4a5e154b98e838488e510 size: 527


#### Utilize search in a registry

In [72]:
%%bash 
curl --insecure -u "test:password" https://myregistrydomain.com:5000/v2/_catalog

{"repositories":["my-busybox"]}


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100    32  100    32    0     0    223      0 --:--:-- --:--:-- --:--:--   225


#### Sign an image in a registry

#### Pull an image from a registry

In [55]:
%%bash 
docker images

REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
testimage                   latest              3c7f9ea8ee19        38 minutes ago      276MB
adnanbuild                  import              fb3a9dd75fb0        45 minutes ago      202MB
python                      3.4-alpine          7034971a4a59        6 hours ago         65.9MB
httpd                       <none>              dc917399d59d        4 days ago          132MB
centos                      2                   63831d5f413c        5 days ago          306MB
registry                    2                   116995fd6624        7 days ago          25.8MB
registry                    latest              116995fd6624        7 days ago          25.8MB
httpd                       adnan               ef1dc54703e2        4 weeks ago         132MB
redis                       <none>              5d2989ac9711        4 weeks ago         95MB
redis                       <none>              b42dc832c85

In [57]:
%%bash 
docker pull myregistrydomain.com:5000/my-busybox

Using default tag: latest
latest: Pulling from my-busybox
57c14dd66db0: Pulling fs layer
57c14dd66db0: Verifying Checksum
57c14dd66db0: Download complete
57c14dd66db0: Pull complete
Digest: sha256:bbb143159af9eabdf45511fd5aab4fd2475d4c0e7fd4a5e154b98e838488e510
Status: Downloaded newer image for myregistrydomain.com:5000/my-busybox:latest


#### Describe how image deletion works

#### Delete an image from a registry