# Deployment model starter

### Container: Build and run app with docker container
* <b>Dockerfile</b>: defines what goes on in the environment inside your container. Access to resources like networking interfaces and disk drives is virtualized inside this environment, and be specific about what files you want to “copy in” to that environment. <b>Dockerfile is built into an image</b>.
* `docker run -p 4000:80 friendlyhello`: Map host port 4000 to the container port 80 
* <b>Registry</b>: A registry is a collection of repositories, and a repository is a collection of images—sort of like a GitHub repository, except the code is already built. An account on a registry can create many repositories. The docker CLI uses <b><i>Docker’s public registry</i></b> by default.

****

### Services: Deploy app with docker dontainer as a distributed application in a single host 
* Services are really just “containers in production.” A service only runs one image, but it codifies the way that image runs—what ports it should use, how many replicas of the container should run so the service has the capacity it needs, and so on. Scaling a service changes the number of container instances running that piece of software, assigning more computing resources to the service in the process.
* <b>Compose files</b>: `docker-compose.yml` file tells Docker to do the following:
    * Pull the image we uploaded in step 2 from the registry.
    * Run 5 instances of that image as a service called web, limiting each one to use, at most, 10% of the CPU (across all cores), and 50MB of RAM.
    * Immediately restart containers if one fails.
    * Map port 4000 on the host to web’s port 80.
    * Instruct web’s containers to share port 80 via a load-balanced network called webnet.
    * Define the webnet network with the default settings (which is a load-balanced overlay network).
* A single container running in a service is called a task. Tasks are given unique IDs that numerically increment, up to the number of replicas you defined in docker-compose.yml.
* Docker performs an in-place update, no need to tear the stack down first or kill any containers.

****

### Swarms: A swarm is a group of machines that are running Docker and joined into a cluster. 
* <b>executed on a cluster by a swarm manager</b>. The machines in a swarm can be physical or virtual. After joining a swarm, they are referred to as <b>nodes</b>.
* <b>Swarm managers</b> can use several strategies to run containers, <b>such as “emptiest node” -- which fills the least utilized machines with containers. Or “global”, which ensures that each machine gets exactly one instance of the specified container.</b>
* <b>Swarm managers</b> are the only machines in a swarm that can execute your commands, or authorize other machines to join the swarm as workers. <b>Workers</b> are just there to provide capacity and do not have the authority to tell any other machine what it can and cannot do.
    * Docker can be switched into swarm mode, and that’s what enables the use of swarms. Enabling swarm mode instantly makes the current machine a swarm manager. 
    * `docker swarm init`: to enable swarm mode and make your current machine a swarm manage
    * `docker swarm join`: on other machines to have them join the swarm as workers
    * Always run `docker swarm init` and `docker swarm join` with port <b>2377</b> (the swarm management port), or no port at all and let it take the default.
* <b>Swarm Native Service Discovery</b>: Docker uses embedded DNS to provide service discovery for containers running on a single Docker Engine and tasks running in a Docker Swarm. Docker Engine has an internal DNS server that provides name resolution to all of the containers on the host in user-defined bridge, overlay, and MACVLAN networks.
    * Each Docker container (or task in Swarm mode) has a DNS resolver that forwards DNS queries to Docker Engine
    * Docker Engine then checks if the DNS query belongs to a container or service on network(s) that the requesting container belongs to. 
    * Docker Engine looks up the IP address that matches a container, task, or service's name in its key-value store and returns that IP or service Virtual IP (VIP) back to the requester.
    * `Only the nodes that have containers or tasks on a particular network store that network's DNS entries.`
    * If the destination container or service does not belong on the same network(s) as the source container, then Docker Engine forwards the DNS query to the configured default DNS server.
    * <img src="../images/devops/swarm-dns.png" width="450px">
        * DNS queries are initiated by client for docker.com and myservice.
        * The container's built-in resolver intercepts the DNS queries on 127.0.0.11:53 and sends them to Docker Engine's DNS server.
        * myservice resolves to the Virtual IP (VIP) of that service which is internally load balanced to the individual task IP addresses. Container names resolve as well, albeit directly to their IP addresses.
        * docker.com does not exist as a service name in the mynet network and so the request is forwarded to the configured default DNS server.
* <b>Docker Native Load Balancing</b>: Docker Swarm clusters have built-in internal and external load balancing capabilities that are built right in to the engine. Internal load balancing provides for load balancing between containers within the same Swarm or UCP cluster. External load balancing provides for the load balancing of ingress traffic entering a cluster.
    * <b>UCP Internal Load Balancing</b>: 
        * Internal load balancing is instantiated automatically when Docker services are created. 
        * When services are created in a Docker Swarm cluster, they are automatically assigned a Virtual IP (VIP) 
        * The VIP is returned when resolving the service's name. 
        * Traffic to that VIP is automatically sent to all healthy tasks of that service across the overlay network. This approach avoids any client-side load balancing because only a single IP is returned to the client. Docker takes care of routing and equally distributing the traffic across the healthy service tasks.
    * <b>UCP External L4 Load Balancing (Docker Routing Mesh)</b>: You can expose services externally by using the `--publish flag` when creating or updating the service. <b>Publishing ports in Docker Swarm mode means that every node in your cluster is listening on that port</b>. 
        * Routing mesh is a new feature in Docker 1.12 that combines ipvs and iptables to create a powerful cluster-wide transport-layer (L4) load balancer. It allows all the Swarm nodes to accept connections on the services' published ports. 
        * When any Swarm node receives traffic destined to the published TCP/UDP port of a running service, it forwards it to service's VIP using a pre-defined overlay network called `ingress`. 
        * `The ingress network` behaves similarly to other overlay networks but its sole purpose is to transport mesh routing traffic from external clients to cluster services. It uses the same <b>VIP-based internal load balancing</b>.
        * <img src="../images/devops/routing-mesh.png" width="400px">
            * A service is created with two replicas, and it is port mapped externally to port 8000.
            * The routing mesh exposes port 8000 on each host in the cluster.
            * Traffic destined for the app can enter on any host. In this case the external LB sends the traffic to a host without a service replica.
            * The kernel's IPVS load balancer redirects traffic on the ingress overlay network to a healthy service replica.
* <b>Swarm service useful ports</b>:
    * <b>TCP port 2377 for cluster management communications</b>
    * <b>TCP and UDP port 7946 for communication among nodes</b>
    * <b>UDP port 4789 for overlay network traffic</b>
* https://docs.docker.com/get-started/part4/

****

### Stack:  make multiple services relate to each other, and run them on multiple machines. 
* A stack is a group of interrelated services that share dependencies, and can be orchestrated and scaled together. A single stack is capable of defining and coordinating the functionality of an entire application.

****

# Architecture: https://success.docker.com/architectures

### Docker overview
* Docker is a platform for developers and sysadmins to develop, deploy, and run applications with containers. The use of Linux containers to deploy applications is called containerization.
    * <b>Images and containers</b>: 
        * <b>An image</b> is an executable package that includes everything needed to run an application--the code, a runtime, libraries, environment variables, and configuration files.
        * <b>A container</b> is a runtime instance of an image--what the image becomes in memory when executed. A container is launched by running an image.  
    * <b>Containers and virtual machines</b>
        * <b>containers based on operating-system-level virtualization rather than hardware virtualization</b>
        * A container runs natively on Linux and shares the kernel of the host machine with other containers. It runs a discrete process, taking no more memory than any other executable, making it lightweight.
        * A virtual machine (VM) runs a full-blown “guest” operating system with virtual access to host resources through a hypervisor. In general, VMs provide an environment with more resources than most applications need.
        * 虚拟机能存储状态信息，例如保持写文件的结果；容器不能保持状态信息，每次都会从基础镜像构建，任何容器内的状态修改都会被丢弃
        * mutable infrastructure是指服务器一旦创建，就不会被销毁，所有新的服务器修改都会登录到该服务器上进行修改，类似虚拟机有状态
        * immutable infrastructure是指每次服务器需要新的修改都会重新创建，并将老的关掉，类似容器无状态
        * 
        <table>
            <tr>
                <td><img src="../images/devops/Container.png" width="200px"></td>
                <td><img src="../images/devops/VM.png" width="200px"></td>
            </tr>
        </table>
* Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security allow you to run many containers simultaneously on a given host. 
* Containers are lightweight because they don’t need the extra load of a hypervisor, but run directly within the host machine’s kernel. This means you can run more containers on a given hardware combination than if you were using virtual machines. You can even run Docker containers within host machines that are actually virtual machines!

****

### Docker Engine is a client-server application with these major components:
* A server which is a type of long-running program called a <b>daemon process</b> (the dockerd command).
    * The daemon creates and manages Docker objects, such as images, containers, networks, and volumes.        
* A REST API which specifies interfaces that programs can use to talk to the daemon and instruct it what to do.
* A command line interface (CLI) client (the docker command).
* <img src="../images/devops/engine-components-flow.png" width="350px">
* The CLI uses the Docker REST API to control or interact with the Docker daemon through scripting or direct CLI commands. Many other Docker applications use the underlying API and CLI.

****

### Docker architecture
* <b>The Docker daemon</b>: The Docker daemon (`dockerd`) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.
* <b>The Docker client</b>: The Docker client (`docker`) is the primary way that many Docker users interact with Docker. When you use commands such as `docker` run, the client sends these commands to `dockerd`, which carries them out. The docker command uses the Docker API. The Docker client can communicate with more than one daemon.
* <b>Docker registries</b>: A Docker `registry stores` Docker images. Docker Hub is a public registry that anyone can use, and Docker is configured to look for images on Docker Hub by default.
* <b>Docker objects</b>
    * <b>IMAGES</b>: An image is a read-only template with instructions for creating a Docker container. Often, an image is based on another image, with some additional customization. For example, you may build an image which is based on the ubuntu image, but installs the Apache web server and your application, as well as the configuration details needed to make your application run.
        * A parent image is the image that your image is based on. It refers to the contents of the FROM directive in the Dockerfile. 
        * A base image either has no FROM line in its Dockerfile, or has FROM scratch.
    * <b>CONTAINERS</b>: A container is a runnable instance of an image. You can create, start, stop, move, or delete a container using the Docker API or CLI. You can connect a container to one or more networks, attach storage to it, or even create a new image based on its current state.
    * <b>SERVICES</b>: Services allow you to scale containers across multiple Docker daemons, which all work together as a swarm with multiple managers and workers. Each member of a swarm is a Docker daemon, and the daemons all communicate using the Docker API.
* <img src="../images/devops/architecture.svg" width="500px">

****

# Networking: 
* Container networking: https://docs.docker.com/config/containers/container-networking/
* Configure Docker to use a proxy server: https://docs.docker.com/network/proxy/
* <i>Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks</i>: https://success.docker.com/article/networking
* <b>Network drivers</b>:
    * <b>bridge</b>: The default network driver. If you don’t specify a driver, this is the type of network you are creating. Bridge networks are usually used when your applications run in standalone containers that need to communicate.
    * <b>host</b>: For standalone containers, remove network isolation between the container and the Docker host, and use the host’s networking directly. host is only available for swarm services on Docker 17.06 and higher. 
    * <b>overlay</b>: Overlay networks connect multiple Docker daemons together and enable swarm services to communicate with each other. You can also use overlay networks to facilitate communication between a swarm service and a standalone container, or between two standalone containers on different Docker daemons. This strategy removes the need to do OS-level routing between these containers. 
    * <b>macvlan</b>: Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network. The Docker daemon routes traffic to containers by their MAC addresses. Using the macvlan driver is sometimes the best choice when dealing with legacy applications that expect to be directly connected to the physical network, rather than routed through the Docker host’s network stack. 
    * <b>none</b>: For this container, disable all networking. Usually used in conjunction with a custom network driver. none is not available for swarm services. 
    * <b>Network plugins</b>: You can install and use third-party network plugins with Docker. These plugins are available from Docker Hub or from third-party vendors. 
* <b>Network driver summary</b>:
    * <b>User-defined bridge networks</b> are best when you need multiple containers to communicate on the same Docker host.
        * https://docs.docker.com/network/network-tutorial-standalone/
    * <b>Host networks</b> are best when the network stack should not be isolated from the Docker host, but you want other aspects of the container to be isolated.
        * https://docs.docker.com/network/network-tutorial-host/
    * <b>Overlay networks</b> are best when you need containers running on different Docker hosts to communicate, or when multiple applications work together using swarm services.
        * https://docs.docker.com/network/network-tutorial-overlay/
    * <b>Macvlan networks</b> are best when you are migrating from a VM setup or need your containers to look like physical hosts on your network, each with a unique MAC address.
        * https://docs.docker.com/network/network-tutorial-macvlan/
    * <b>Third-party network plugins</b> allow you to integrate Docker with specialized network stacks.
    
**** 

### Use bridge networks
* <b>Concepts</b>:
    * <b>a bridge network is a Link Layer device which forwards traffic between network segments. A bridge can be a hardware device or a software device running within a host machine’s kernel</b>.
        * On any host running Docker Engine, there is, by default, a local Docker network named bridge. This network is created using a bridge network driver which instantiates a Linux bridge called docker0
            * `bridge is the name of the Docker network`
            * `bridge is the network driver, or template, from which this network is created`
            * `docker0 is the name of the Linux bridge that is the kernel building block used to implement this network`
    * <b>In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network</b>. The Docker bridge driver automatically installs rules in the host machine so that containers on different bridge networks cannot communicate directly with each other.
    * <b>Bridge networks apply to containers running on the same Docker daemon host</b>. For communication among containers running on different Docker daemon hosts, you can either manage routing at the OS level, or you can use an overlay network.
    * <b>bridge networks structure</b>:
    <img src="../images/devops/bridge-network.png" width="400px">
    * <b>bridge networks traffic ingress (bottom arrow) and egress (top arrow)</b>: `docker run -d --name C2 --net my_bridge -p 5000:80 nginx`
    <img src="../images/devops/bridge-nat.png" width="400px">
* <b>Differences between user-defined bridges and the default bridge</b>
    * <b>User-defined bridges provide better isolation and interoperability between containerized applications</b>: Containers connected to the same user-defined bridge network automatically expose all ports to each other, and no ports to the outside world. This allows containerized applications to communicate with each other easily, without accidentally opening access to the outside world.
    * <b>User-defined bridges provide automatic DNS resolution between containers</b>: Containers on the default bridge network can only access each other by IP addresses, unless you use the --link option, which is considered legacy. On a user-defined bridge network, containers can resolve each other by name or alias.
    * <b>Containers can be attached and detached from user-defined networks on the fly</b>: During a container’s lifetime, you can connect or disconnect it from user-defined networks on the fly. To remove a container from the default bridge network, you need to stop the container and recreate it with different network options.
    * <b>Each user-defined network creates a configurable bridge</b>: 
        * If your containers use the default bridge network, you can configure it, but all the containers use the same settings, such as MTU and iptables rules. In addition, configuring the default bridge network happens outside of Docker itself, and requires a restart of Docker.
        * User-defined bridge networks are created and configured using docker network create. If different groups of applications have different network requirements, you can configure each user-defined bridge separately, as you create it.
    * <b>Linked containers on the default bridge network share environment variables</b>: Originally, the only way to share environment variables between two containers was to link them using the --link flag. This type of variable sharing is not possible with user-defined networks.
    * <i>The default bridge network is considered a legacy detail of Docker and is not recommended for production use</i>: If you do not specify a network using the --network flag, and you do specify a network driver, your container is connected to the default bridge network by default. Containers connected to the default bridge network can communicate, but only by IP address, unless they are linked using the legacy --link flag.
* <b>Commands</b>:
    * `docker network create my-net`
    * `docker network connect my-net my-nginx`
    * `docker network disconnect my-net my-nginx`
    
****

### Use overlay networks
* <b>The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits <b>on top of the host-specific networks</b>, allowing containers connected to it to communicate securely</b>.
    * `Before you can create an overlay network, you need to either initialize your Docker daemon as a swarm manager using docker swarm init or join it to an existing swarm using docker swarm join`.
* <b>Swarm services connected to the same overlay network effectively expose all ports to each other</b>. For a port to be accessible outside of the service, that port must be published using the `-p or --publish` flag on docker service create or docker service update.
* <b>Overlay Driver Network Architecture</b>
    * <img src="../images/devops/packetwalk.png" width="400px">
        * c1 does a DNS lookup for c2. Since both containers are on the same overlay network the Docker Engine local DNS server resolves c2 to its overlay IP address 10.0.0.3.
        * An overlay network is a L2 segment so c1 generates an L2 frame destined for the MAC address of c2.
        * The frame is encapsulated with a VXLAN header by the overlay network driver. The distributed overlay control plane manages the locations and state of each VXLAN tunnel endpoint so it knows that c2 resides on host-B at the physical address of 192.168.0.3. That address becomes the destination address of the underlay IP header.
        * Once encapsulated the packet is sent. The physical network is responsible of routing or bridging the VXLAN packet to the correct host.
        * The packet arrives at the eth0 interface of host-B and is decapsulated by the overlay network driver. The original L2 frame from c1 is passed to c2's eth0 interface and up to the listening application.
* <b>Overlay Driver Internal Architecture</b>
    * The Docker Swarm control plane automates all of the provisioning for an overlay network. The user or network operator only has to define the network (`docker network create -d overlay ...`) and attach containers to that network.
    * When initialize a swarm or join a Docker host to an existing swarm, two new networks are created on Docker host
    <img src="../images/devops/overlayarch.png" width="200px">
    * <b>overlay network called ingress, handles control and data traffic related to swarm services</b>: The ingress and egress point to the overlay network that VXLAN encapsulates and encrypts traffic going between containers on the same overlay network. It extends the overlay across all hosts participating in this particular overlay.
    * <b>docker_gwbridge connects the individual Docker daemon to the other daemons participating in the swarm</b>: The egress bridge for traffic leaving the cluster. Only one docker_gwbridge exists per host. Container-to-Container traffic is blocked on this bridge allowing ingress/egress traffic flows only.
* <b>External Access for Docker Services</b>
    * <b>Ingress Mode Service Publishing</b>: 
        * `docker service create --replicas 2 --publish mode=ingress,target=80,published=8080 nginx`
        * Ingress mode port publishing utilizes the Swarm Routing Mesh to apply load balancing across the tasks in a service. 
        * Ingress mode publishes the exposed port on every UCP/Swarm node. 
        * Ingress traffic to the published port is load balanced by the Routing Mesh and directed via round robin load balancing to one of the healthy tasks of the service. Even if a given host is not running a service task, the port is published on the host and is load balanced to a host that has a task.
    * <b>Host Mode Service Publishing</b>:
        * `docker service create --replicas 2 --publish mode=host,target=80,published=8080 nginx`
        * Host mode port publishing exposes ports only on the host where specific service tasks are running. 
        * The port is mapped directly to the container on that host. 
        * Only a single task of a given service can run on each host to prevent port collision.
    * <img src="../images/devops/ingress-vs-host.png" width="450px">
    
****

### Use host networking
* If you use the host network driver for a container, that container’s network stack is not isolated from the Docker host. 
    * For instance, if you run a container which binds to port 80 and you use host networking, the container’s application will be available on port 80 on the host’s IP address.
* In Docker 17.06 and higher, you can also use a host network for a swarm service, by passing `--network host` to the docker container create command. In this case, control traffic is still sent across an overlay network, but the individual swarm service containers send data using the Docker daemon’s host network and ports. 
    * This creates some extra limitations. For instance, if a service container binds to port 80, only one service container can run on a given swarm node.
* Typically with other networking drivers, each container is placed in its own network namespace (or sandbox) to provide complete network isolation from each other. With the host driver containers are all in the same host network namespace and use the network interfaces and IP stack of the host. 
* All containers in the host network are able to communicate with each other on the host interfaces. From a networking standpoint this is equivalent to multiple processes running on a host without containers. Because they are using the same host interfaces, no two containers are able to bind to the same TCP port.
* <img src="../images/devops/host-driver.png" width="300px">

****

### Use Macvlan networks
* https://docs.docker.com/network/macvlan/
* https://success.docker.com/article/networking#macvlan
* Use the macvlan network driver to assign a MAC address to each container’s virtual network interface, making it appear to be a physical network interface directly connected to the physical network. In this case, you need to designate a physical interface on your Docker host to use for the Macvlan, as well as the subnet and gateway of the Macvlan. 
<table>
    <tr>
        <td><img src="../images/devops/macvlanarch.png" width="250px"></td>
        <td><img src="../images/devops/trunk-macvlan.png" width="250px"></td>
    </tr>
</table>

****

### None (Isolated) Network Driver
* Similar to the host network driver, the none network driver is essentially an unmanaged networking option. Docker Engine does not create interfaces inside the container, establish port mapping, or install routes for connectivity.
* A container using `--net=none` is completely isolated from other containers and the host. A container using none only has a loopback interface and no other interfaces.
* `the none driver` creates a separate namespace for each container. This guarantees container network isolation between any containers and the host.



****

# Storage

### Types of mount
* <img src="../images/devops/types-of-mounts.png" width="350px">
    * <b>Volumes</b> are stored in a part of the host filesystem which is managed by Docker (`/var/lib/docker/volumes/` on Linux). Non-Docker processes should not modify this part of the filesystem. Volumes are the best way to persist data in Docker.
        * Created and managed by Docker. You can create a volume explicitly using the `docker volume create` command, or Docker can create a volume during container or service creation.
        * When you create a volume, it is stored within a directory on the Docker host. When you mount the volume into a container, this directory is what is mounted into the container. This is similar to the way that bind mounts work, except that volumes are managed by Docker and are isolated from the core functionality of the host machine.
        * A given volume can be mounted into multiple containers simultaneously. When no running container is using a volume, the volume is still available to Docker and is not removed automatically. You can remove unused volumes using `docker volume prune`.
        * When you mount a volume, it may be named or anonymous. Anonymous volumes are not given an explicit name when they are first mounted into a container, so Docker gives them a random name that is guaranteed to be unique within a given Docker host. 
    * <b>Bind mounts</b> may be stored anywhere on the host system. They may even be important system files or directories. Non-Docker processes on the Docker host or a Docker container can modify them at any time.
        * Bind mounts have limited functionality compared to volumes. 
        * When you use a bind mount, a file or directory on the host machine is mounted into a container. The file or directory is referenced by its full path on the host machine. The file or directory does not need to exist on the Docker host already. It is created on demand if it does not yet exist. 
        * Bind mounts are very performant, but they rely on the host machine’s filesystem having a specific directory structure available. 
        * <b><i>If you are developing new Docker applications, consider using named volumes instead. You can’t use Docker CLI commands to directly manage bind mounts</i></b>.
    * <b>tmpfs mounts</b> are stored in the host system’s memory only, and are never written to the host system’s filesystem.
        * A tmpfs mount is not persisted on disk, either on the Docker host or within a container. 
        * It can be used by a container during the lifetime of the container, to store non-persistent state or sensitive information.
        
****
        
### Use of mounts
* <b>Use volumes</b>: https://docs.docker.com/storage/volumes/
* <b>Use bind mounts</b>: https://docs.docker.com/storage/bind-mounts/
* <b>Use tmpfs mounts</b>: https://docs.docker.com/storage/tmpfs/
* <i>Troubleshoot volume errors</i>: https://docs.docker.com/storage/troubleshooting_volume_errors/

****

### Docker storage drivers
* <b>Storage driver</b> manage the contents of the image layers and the writable container layer. Each storage driver handles the implementation differently, but all drivers use stackable image layers and the copy-on-write (CoW) strategy.
    * <b>Stackable image layers</b>: Two containers started from the same image share 100% of the read-only data, while two containers with different images which have layers in common share those common layers.
    * <b>The copy-on-write (CoW) strategy</b>: If a file or directory exists in a lower layer within the image, and another layer needs read access to it, it just uses the existing file. The first time another layer needs to modify the file, the file is copied into that layer and modified. 
        * https://docs.docker.com/storage/storagedriver/#the-copy-on-write-cow-strategy
    * <b>Types of the storage drivers</b>: https://docs.docker.com/storage/storagedriver/select-storage-driver/
        * `overlay2` is the preferred storage driver, for all currently supported Linux distributions, and requires no extra configuration.
        * `aufs` is the preferred storage driver for Docker 18.06 and older, when running on Ubuntu 14.04 on kernel 3.13 which has no support for overlay2.
        * `devicemapper` is supported, but requires direct-lvm for production environments, because loopback-lvm, while zero-configuration, has very poor performance. devicemapper was the recommended storage driver for CentOS and RHEL, as their kernel version did not support overlay2. However, current versions of CentOS and RHEL now have support for overlay2, which is now the recommended driver.
        * The `btrfs` and `zfs` storage drivers are used if they are the backing filesystem (the filesystem of the host on which Docker is installed). These filesystems allow for advanced options, such as creating “snapshots”, but require more maintenance and setup. Each of these relies on the backing filesystem being configured correctly.
        * The `vfs` storage driver is intended for testing purposes, and for situations where no copy-on-write filesystem can be used. Performance of this storage driver is poor, and is not generally recommended for production use.
* <b>Images and layers</b>
    * A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very last one is read-only.
    * Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. <b>When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the “container layer”</b>. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer.
        * 
        ```python
            FROM ubuntu:15.04
            COPY . /app
            RUN make /app
            CMD python /app/app.py
        ```
        * <i>The FROM statement starts out by creating a layer from the ubuntu:15.04 image. The COPY command adds some files from your Docker client’s current directory. The RUN command builds your application using the make command. Finally, the last layer specifies what command to run within the container.</i>
        <img src="../images/devops/container-layers.jpg" width="300px">
* <b>Container and layers</b>
    * The major difference between a container and an image is the top writable layer. All writes to the container that add new or modify existing data are stored in this writable layer. When the container is deleted, the writable layer is also deleted. The underlying image remains unchanged.
        <img src="../images/devops/sharing-layers.jpg" width="350px">



****

# Develop with Docker

### 参考手册: https://docs.docker.com/reference/
* File formats: <b>Dockerfile reference</b>, <b>Compose file</b>, <b>Docker Hub</b>
* Command-Line Interfaces (CLIs): <b>Docker CLI (docker)</b>, <b>Daemon CLI (dockerd)</b>, <b>Docker Machine CLI (docker-machine)</b>, <b>Docker Compose CLI (docker-compose)</b>, <i>DTR CLI</i>, <i>UCP CLI</i>
* Application Programming Interfaces (APIs): <b>Docker Engine API</b>, <b>Registry API</b>, <i>DTR API</i>, <i>UCP API</i>
* Drivers and specifications: <b>Image specification</b>, <i>Machine drivers</i>, <i>Registry token authentication</i>, <i>Registry storage drivers</i>

****

### 应用实战
* <b>Run your app in production</b>: https://docs.docker.com/config/labels-custom-metadata/
* <b>Docker app examples</b>: https://docs.docker.com/samples/
* <b>Docker for Java Developers</b>: https://github.com/docker/labs/tree/master/developer-tools/java/ 
* <b>Docker development best practices</b>: https://docs.docker.com/develop/dev-best-practices/
* <b>Best practices for writing Dockerfiles</b>
    * <b><i>Dockerfile reference: https://docs.docker.com/engine/reference/builder/</i></b>
    * <b>build context</b>: When you issue a docker build command, the current working directory is called the build context. all recursive contents of files and directories in the current directory are sent to the Docker daemon as the build context.
        * By default the docker build command will look for a Dockerfile at the root of the build context. 
        * Use `-f` to point to the Dockerfile
        * `docker build [OPTIONS] PATH | URL | -`: using `PATH | URL` specify the build context
    * `.dockerignore`: To exclude files not relevant to the build use a .dockerignore file. This file supports exclusion patterns similar to .gitignore files. https://docs.docker.com/engine/reference/builder/#dockerignore-file
    * <b>multi-stage builds</b>: allow you to drastically reduce the size of your final image, without struggling to reduce the number of intermediate layers and files.
        * With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image. 
        * 
        ```python
            FROM golang:1.7.3 as builder
            WORKDIR /go/src/github.com/alexellis/href-counter/
            RUN go get -d -v golang.org/x/net/html  
            COPY app.go    .
            RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

            FROM alpine:latest  
            RUN apk --no-cache add ca-certificates
            WORKDIR /root/
            COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
            CMD ["./app"]  
        ```
        * When using multi-stage builds, you are not limited to copying from stages you created earlier in your Dockerfile. You can use the COPY --from instruction to copy from a separate image, either using the local image name, a tag available locally or on a Docker registry, or a tag ID. The Docker client pulls the image if necessary and copies the artifact from there. 
            * `COPY --from=nginx:latest /etc/nginx/nginx.conf /nginx.conf`
* <i>Develop with Docker Engine SDKs and API</i>: https://docs.docker.com/develop/sdk/

****

### 应用场景
* <b>Docker for AWS</b>: https://docs.docker.com/docker-for-aws/
    * Create AWS instances using Docker Container
        * The CloudFormation template first creates a new VPC along with subnets and security groups. 
        * After the networking set-up completes, two Auto Scaling Groups are created, one for the managers and one for the workers, and the configured capacity setting is applied. 
        * Managers start first and create a quorum using Raft, then the workers start and join the swarm one at a time. 
        * At this point, the swarm is comprised of X number of managers and Y number of workers, and you can deploy your applications. 
        * You can scale the worker count using the AWS Auto Scaling group. Docker automatically joins or removes new instances to the Swarm.
        * There are currently two ways to scale your worker group. You can “update” your stack, and change the number of workers in the CloudFormation template parameters, or you can manually update the Auto Scaling group in the AWS console for EC2 auto scaling groups.
* <b>Docker for Azure</b>: https://docs.docker.com/docker-for-azure/
* <b>Linux</b>:
    * Docker CE for CentOS: https://docs.docker.com/install/linux/docker-ce/centos/
    * Docker CE for Debian: https://docs.docker.com/install/linux/docker-ce/debian/
    * Docker CE for Fedora: https://docs.docker.com/install/linux/docker-ce/fedora/
    * Docker CE for Ubuntu: https://docs.docker.com/install/linux/docker-ce/ubuntu/
* <b>Docker for Mac</b>: https://docs.docker.com/docker-for-mac/
    * Docker for Mac uses HyperKit instead of Virtual Box. Hyperkit is a lightweight macOS virtualization solution built on top of Hypervisor.framework in macOS 10.10 Yosemite and higher.
    * <b>Docker命令行工具负责与Dokcer daemon守护进程进行通信，Docker daemon守护进程负责分发命令并执行Docker命令</b>
    * Docker for Mac does not use docker-machine to provision its VM. The Docker Engine API is exposed on a socket available to the Mac host at /var/run/docker.sock. This is the default location Docker and Docker Compose clients use to connect to the Docker daemon, so you can use docker and docker-compose CLI commands on your Mac.
* Docker for Windows: https://docs.docker.com/docker-for-windows/
* <b>Docker在mac和windows上会创建一个linux虚拟机，然后所有的容器都会将这个虚拟机当做宿主机，进入该虚拟机的方法有</b>:
    * https://gist.github.com/BretFisher/5e1a0c7bcca4c735e716abf62afad389
    * `screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty`  
    * disconnect that session but leave it open in background：`Ctrl-a d`
    * list that session that's still running in background：`screen -ls`
    * reconnect to that session (don't open a new one, that won't work and 2nd tty will give you garbled screen)：`screen -r`
    * kill this session (window) and exit `Ctrl-a k`
    * `docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh`

****

# Docker CE Cheat Sheet

### Commands: https://docs.docker.com/reference/
```python
## List Docker CLI commands
docker
docker container --help

## Display Docker version and info
docker --version
docker version
docker info

## Execute Docker image
docker run hello-world

## List Docker images
docker image ls

## List Docker containers (running, all, all in quiet mode)
docker container ls
docker container ls --all
docker container ls -aq

## Remove containers and images
docker container stop <hash>           # Gracefully stop the specified container
docker container kill <hash>         # Force shutdown of the specified container
docker container rm <hash>        # Remove specified container from this machine
docker container rm $(docker container ls -a -q)         # Remove all containers
docker image ls -a                             # List all images on this machine
docker image rm <image id>            # Remove specified image from this machine
docker image rm $(docker image ls -a -q)   # Remove all images from this machine

## Build and run app with docker container
docker build -t friendlyhello .  # Create image using this directory's Dockerfile
docker run -p 4000:80 friendlyhello  # Run "friendlyname" mapping port 4000 to 80
docker run -d -p 4000:80 friendlyhello         # Same thing, but in detached mode
docker login             # Log in this CLI session using your Docker credentials
docker tag <image> username/repository:tag  # Tag <image> for upload to registry
docker push username/repository:tag            # Upload tagged image to registry
docker run username/repository:tag                   # Run image from a registry
docker run -p 4000:80 username/repo:tag

## Deploy app with docker dontainer as a distributed application in a single host
docker stack ls                                            # List stacks or apps
docker stack deploy -c <composefile> <appname>  # Run the specified Compose file
docker service ls                 # List running services associated with an app
docker service ps <service>                  # List tasks associated with an app
docker inspect <task or container>                   # Inspect task or container
docker container ls -q                                      # List container IDs
docker stack rm <appname>                             # Tear down an application
docker swarm leave --force      # Take down a single node swarm from the manager

## Deploy app with docker dontainer as a distributed application in a cluster
docker-machine create --driver virtualbox myvm1 # Create a VM (Mac, Win7, Linux)
docker-machine create -d hyperv --hyperv-virtual-switch "myswitch" myvm1 # Win10
docker-machine env myvm1                # View basic information about your node
docker-machine ssh myvm1 "docker node ls"         # List the nodes in your swarm
docker-machine ssh myvm1 "docker node inspect <node ID>"        # Inspect a node
docker-machine ssh myvm1 "docker swarm join-token -q worker"   # View join token
docker-machine ssh myvm1   # Open an SSH session with the VM; type "exit" to end
docker node ls                # View nodes in swarm (while logged on to manager)
docker-machine ssh myvm2 "docker swarm leave"  # Make the worker leave the swarm
docker-machine ssh myvm1 "docker swarm leave -f" # Make master leave, kill swarm
docker-machine ls # list VMs, asterisk shows which VM this shell is talking to
docker-machine start myvm1            # Start a VM that is currently not running
docker-machine env myvm1      # show environment variables and command for myvm1
eval $(docker-machine env myvm1)         # Mac command to connect shell to myvm1
& "C:\Program Files\Docker\Docker\Resources\bin\docker-machine.exe" env myvm1 | Invoke-Expression   # Windows command to connect shell to myvm1
docker stack deploy -c <file> <app>  # Deploy an app; command shell must be set to talk to manager (myvm1), uses local Compose file
docker-machine scp docker-compose.yml myvm1:~ # Copy file to node's home dir (only required if you use ssh to connect to manager and deploy the app)
docker-machine ssh myvm1 "docker stack deploy -c <file> <app>"   # Deploy an app using ssh (you must have first copied the Compose file to myvm1)
eval $(docker-machine env -u)     # Disconnect shell from VMs, use native docker
docker-machine stop $(docker-machine ls -q)               # Stop all running VMs
docker-machine rm $(docker-machine ls -q) # Delete all VMs and their disk images
```

### Compose files: docker-compose.yml, https://docs.docker.com/compose/compose-file/
```python
version: "3"
services:
  web:
    # replace username/repo:tag with your name and image details
    image: username/repo:tag
    deploy:
      replicas: 5
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: "0.1"
          memory: 50M
    ports:
      - "80:80"
    networks:
      - webnet
  visualizer:
    image: dockersamples/visualizer:stable
    ports:
      - "8080:8080"
    # giving the visualizer access to the host’s socket file for Docker
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    deploy:
      # ensuring that this service only ever runs on a swarm manager -- never a worker
      placement:
        constraints: [node.role == manager]
    networks:
      - webnet
  redis:
    image: redis
    ports:
      - "6379:6379"
    volumes:
      - "/home/docker/data:/data"
    deploy:
      placement:
        constraints: [node.role == manager]
    command: redis-server --appendonly yes
    networks:
      - webnet
networks:
  webnet:
```