# Intro to Docker

## What is Docker?

- Docker is an open source project for building, shipping, and running programs.
- It is a commandline program, a background process, and a set of remote services that take a logistical approach to solving common software problems and simplifying your experience
installing, running, publishing, and removing software.
- It accomplishes this by using
an operating system technology called containers.

## Docker install

Povezava: `gcloud compute ssh docker-icta`

Za večino operacijskih sistemov
- Navodila najdemo na: https://docs.docker.com/engine/install/ubuntu/

Post-installation steps for Linux
- https://docs.docker.com/engine/install/linux-postinstall/
- Manage Docker as a non-root user
- Configure Docker to start on boot


## Preizkus delovanja

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/01fig06_alt.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_1-6.png" class="medium-zoom-image">

    docker –version

    docker run hello-world
    docker image ls
    docker ps --all
    docker rm $(sudo docker ps -aq)

- First, you use the docker run command. This tells Docker that you want to trigger
the sequence that installs and runs a program inside a container.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig01_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig01_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-1.png" class="medium-zoom-image">

- The second part specifies the program that you want Docker to run in a container. In
this example, that program is `hello_world`. This is called the image
(or repository) name.

- The image itself is a collection of files and metadata.
- That metadata includes the specific program to execute and other relevant configuration
details.

- Once the image is installed, Docker creates a new container and runs a single command.
In this case, the command is simple.

- After the echo command prints "hello world" to the terminal, the program exits, and the container is marked as stopped.

Understand that the running state of a container
is directly tied to the state of a single running program inside the container. **If a program
is running, the container is running. If the program is stopped, the container is
stopped.** Restarting a container will run the program again.

When you use docker run the second time, it
creates a second container from the same repository. This
means that if you repeatedly use docker run and create a bunch of containers, you’ll
need to get a list of the containers you’ve created and maybe at some point destroy
them. 

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig02_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig02_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-2.png" class="medium-zoom-image">

## Containers

Historically, UNIX-style operating systems have used the term jail to describe a modified
runtime environment that limits the scope of resources that a jailed program can access.
Jail features go back to 1979 and have been in evolution ever since. In 2005, with the
release of Sun’s Solaris 10 and Solaris Containers, container has become the preferred
term for such a runtime environment. The goal has expanded from limiting filesystem
scope to isolating a process from all resources except where explicitly allowed.

> Uporaba kontejnerjev je bila težavna, Docker to poenostavi 

Using containers has been a best practice for a long time. But manually building
containers can be challenging and easy to do incorrectly. This challenge has put them
out of reach for some. Others using misconfigured containers are lulled into a false
sense of security. This was a problem begging to be solved, and Docker helps. Any software
run with Docker is run inside a container. Docker uses existing container
engines to provide consistent containers built according to best practices. This puts
stronger security within reach for everyone.

With Docker, users get containers at a much lower cost. Running the example in
section 1.1.1 uses a container and does not require any special knowledge. As Docker
and its container engines improve, you get the latest and greatest isolation features.
Instead of keeping up with the rapidly evolving and highly technical world of building
strong containers, you can let Docker handle the bulk of that for you.

### Containers are not virtualization

In this cloud-native era, people tend to think about virtual machines as units of
deployment, where deploying a single process means creating a whole networkattached
virtual machine. Virtual machines provide virtual hardware (or hardware on
which an operating system and other programs can be installed). They take a long
time (often minutes) to create and require significant resource overhead because they
run a whole operating system in addition to the software you want to use. Virtual
machines can perform optimally once everything is up and running, but the startup
delays make them a poor fit for just-in-time or reactive deployment scenarios.

Unlike virtual machines, Docker containers don’t use any hardware virtualization.
**Programs running inside Docker containers interface directly with the host’s Linux
kernel.** Many programs can run in isolation without running redundant operating systems
or suffering the delay of full boot sequences. This is an important distinction.
Docker is not a hardware virtualization technology. Instead, it helps you use the container
technology already built into your operating system kernel.

Virtual machines provide hardware abstractions so you can run operating systems.
Containers are an operating system feature. So you can always run Docker in a virtual
machine if that machine is running a modern Linux kernel. Docker for Mac and Windows
users, and almost all cloud computing users, will run Docker inside virtual
machines. So these are really complementary technologies.

### Running software in containers for isolation

Containers and isolation features have existed for decades. Docker uses Linux namespaces
and cgroups, which have been part of Linux since 2007. **Docker doesn’t provide
the container technology, but it specifically makes it simpler to use.**

A basic computer stack running two programs that were started from the
command line

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig03_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig03_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-3.png" class="medium-zoom-image">

Notice that the command-line interface, or CLI, runs in what is called user space memory,
just like other programs that run on top of the operating system. Ideally, programs
running in user space can’t modify kernel space memory. Broadly speaking, the operating
system is the interface between all user programs and the hardware that the
computer is running on.

You can see in figure 1.4 that running Docker means running two programs in
user space. The first is the Docker engine. If installed properly, this process should
always be running. The second is the Docker CLI. This is the Docker program that
users interact with. If you want to start, stop, or install software, you’ll issue a command
by using the Docker program.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig04_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig04_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-4.png" class="medium-zoom-image">

Figure 1.4 also shows three running containers. Each is running as a child process
of the Docker engine, wrapped with a container, and the delegate process is running
in its own memory subspace of the user space. Programs running inside a container
can access only their own memory and resources as scoped by the container.

Docker builds containers using 10 major system features. Part 1 of this book uses
Docker commands to illustrate how these features can be modified to suit the needs
of the contained software and to fit the environment where the container will run.
The specific features are as follows:
- PID namespace—Process identifiers and capabilities
- UTS namespace—Host and domain name
- MNT namespace—Filesystem access and structure
- IPC namespace—Process communication over shared memory
- NET namespace—Network access and structure
- USR namespace—User names and identifiers
- chroot syscall—Controls the location of the filesystem root
- cgroups—Resource protection
- CAP drop—Operating system feature restrictions
- Security modules—Mandatory access controls

Docker uses those to build containers at runtime, but it uses another set of technologies
to package and ship containers.

### Shipping containers

You can think of a Docker container as a physical shipping container. It’s a box where you
store and run an application and all of its dependencies (excluding the running operating
system kernel). Just as cranes, trucks, trains, and ships can easily work with shipping
containers, so can Docker run, copy, and distribute containers with ease. Docker completes
the traditional container metaphor by including a way to package and distribute
software. The component that fills the shipping container role is called an image.

More generally, a Docker image is a bundled snapshot of all the files that should be available to a program
running inside a container. You can create as many containers from an image as
you want. But when you do, containers that were started from the same image don’t
share changes to their filesystem. When you distribute software with Docker, you distribute
these images, and the receiving computers create containers from them.
**Images are the shippable units in the Docker ecosystem.**

Docker provides a set of infrastructure components that simplify distributing
Docker images. These components are registries and indexes. You can use publicly available
infrastructure provided by Docker Inc., other hosting companies, or your own
registries and indexes.

## What problems does Docker solve?

- What happens if one application needs an upgraded dependency, but the other
does not?
- What happens when you remove an application? Is it really gone?
- Can you remove old dependencies?
- Can you remember all the changes you had to make to install the software you
now want to remove?

The truth is that the more software you use, the more difficult it is to manage. Even if
you can spend the time and energy required to figure out installing and running applications,
how confident can you be about your security? Open and closed source programs
release security updates continually, and being aware of all the issues is often
impossible. The more software you run, the greater the risk that it’s vulnerable to attack.

### Getting organized

Without Docker, a computer can end up looking like a junk drawer. Applications have
all sorts of dependencies. Some applications depend on specific system libraries for
common things like sound, networking, graphics, and so on. Others depend on standard
libraries for the language they’re written in. Some depend on other applications,
such as the way a Java program depends on the Java Virtual Machine, or a web application
might depend on a database. It’s common for a running program to require
exclusive access to a scarce resource such as a network connection or a file.

Today, without Docker, applications are spread all over the filesystem and end up
creating a messy web of interactions.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig05_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig05_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-5.png" class="medium-zoom-image">

In contrast, the example in section 1.1.1 installed the required software automatically,
and that same software can be reliably removed with a single command. Docker keeps
things organized by isolating everything with containers and images.

Figure 1.6 illustrates these same applications and their dependencies running
inside containers. With the links broken and each application neatly contained,
understanding the system is an approachable task. At first it seems like this would
introduce storage overhead by creating redundant copies of common dependencies
such as gcc. Chapter 3 describes how the Docker packaging system typically reduces
the storage overhead.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig06_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig06_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-6.png" class="medium-zoom-image">

### Improving portability

Another software problem is that an application’s dependencies typically include a
specific operating system. Portability between operating systems is a major problem
for software users. Although it’s possible to have compatibility between Linux software
and macOS, using that same software on Windows can be more difficult. Doing
so can require building whole ported versions of the software. Even that is possible
only if suitable replacement dependencies exist for Windows. This represents a
major effort for the maintainers of the application and is frequently skipped. Unfortunately
for users, a whole wealth of powerful software is too difficult or impossible
to use on their system.

At present, Docker runs natively on Linux and comes with a single virtual machine
for macOS and Windows environments. **This convergence on Linux means that
software running in Docker containers need be written only once against a consistent
set of dependencies.**

This new portability helps users in a few ways. First, it unlocks a whole world of
software that was previously inaccessible. Second, it’s now feasible to run the same
software—exactly the same software—on any system. That means your desktop, your
development environment, your company’s server, and your company’s cloud can all
run the same programs. Running consistent environments is important. Doing so
helps minimize any learning curve associated with adopting new technologies. It helps
software developers better understand the systems that will be running their programs.
It means fewer surprises. Third, when software maintainers can focus on writing their
programs for a single platform and one set of dependencies, it’s a huge time-saver for
them and a great win for their customers.

Docker improves the portability of every program regardless
of the language it was written in, the operating system it was designed for, or the state of
the environment where it’s running.

### Protecting your computer

Most of what we’ve mentioned so far have been problems from the perspective of
working with software and the benefits of doing so from outside a container. But containers
also protect us from the software running inside a container. There are all
sorts of ways that a program might misbehave or present a security risk:
- A program might have been written specifically by an attacker.
- Well-meaning developers could write a program with harmful bugs.
- A program could accidentally do the bidding of an attacker through bugs in its
input handling.

Any way you cut it, running software puts the security of your computer at risk.
Because running software is the whole point of having a computer, it’s prudent to
apply the practical risk mitigations.

Like physical jail cells, anything inside a container can access only things that are
inside it as well. Exceptions to this rule exist, but only when explicitly created by the
user. Containers limit the scope of impact that a program can have on other running
programs, the data it can access, and system resources. Figure 1.7 illustrates the difference
between running software outside and inside a container.

What this means for you or your business is that the scope of any security threat
associated with running a particular application is limited to the scope of the application
itself. Creating strong application containers is complicated and a critical component
of any in-depth defense strategy. It is far too commonly skipped or implemented
in a half-hearted manner.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig07_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig07_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-7.png" class="medium-zoom-image">

What this means for you or your business is that the scope of any security threat
associated with running a particular application is limited to the scope of the application
itself. Creating strong application containers is complicated and a critical component
of any in-depth defense strategy. It is far too commonly skipped or implemented
in a half-hearted manner.

## Why is Docker important?

Docker provides an abstraction. Abstractions allow you to work with complicated things
in simplified terms. So, in the case of Docker, instead of focusing on all the complexities
and specifics associated with installing an application, all we need to consider is
what software we’d like to install.

This is also the case for application removal. When you want to remove software,
you simply tell Docker which software to remove.

Docker is important because it makes containers available to everyone. Using it saves
time, money, and energy.

The second reason Docker is important is that there is significant push in the software
community to adopt containers and Docker.

## Primer: Primerjava namestitve 2 instanc nginx

### Brez dockerja

Želimo namesti in stestorati delovanje nginx:
- sudo apt-get update 
- sudo apt-get install nginx
- nginx -v
- sudo systemctl start nginx
- sudo systemctl status nginx
- curl http://127.0.0.1 ali IP virtualke

**Kaj pa če želimo namestiti dve instance nginx**
- `sudo apt-get install nginx` - > že obstaja
- `sudo systemctl start nginx` -> vidmo da še vedno samo ena instanca je delujoča
- `sudo ps aux | grep nginx`
- Če želimo namestit dve instance moramo spremeniti init scripte
    - cat /etc/init/nginx.conf
    - To je komplicirani delo, pa še skoraj nemogoče za dve različne verzije
- `sudo systemctl stop nginx`
- Problem da ko namestimo mi eno verzijo spodaj imamo odvisnosti ki so različne od verzije
- To nam kontejnerji poenostavijo




### S Dockerjem


Pokažemo DockerHub in kako dobimo sliko na računalnik:
    
    docker pull nginx

<div class="index-module--markdown--2MdcR ureact-markdown "><h2 id="commands-to-run-on-the-vm-instance-">Commands to run (on the VM Instance)</h2>



```shell    
# Run the first instance
docker run -d nginx

# Check if it's up
sudo docker ps

# Run a different version of nginx
sudo docker run -d nginx:1.9.3
sudo docker run -d nginx:1.10.0

# Check how many instances are running
sudo docker ps
sudo ps aux | grep nginx

```

If you don't specify a name, Docker gives a container a random name, such as "stoic_williams," "sharp_bartik," "awesome_murdock," or "evil_hawking." (Stephen Hawking got no love on this one.)

<p>These are generated from a list of adjectives and names of famous scientists and hackers. The combination of the names and adjectives is random, except for one case. Want to see what the exception is? Check it out in the <a target="_blank" href="https://github.com/docker/docker/blob/master/pkg/namesgenerator/names-generator.go">Docker source code</a>!</p>

**List all running container processes**

    sudo docker ps

For use in shell scripts you might want to just get a list of container IDs (-a stands for all instances, not just running, and -q is for "quiet" - show just the numeric ID):

    sudo docker ps -aq

**Inspect the container**

You can use either CONTAINER ID or NAMES field, for example for a sudo docker ps output like this:

    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
    f86cf066c304        nginx:1.10.0        "nginx -g 'daemon off"   8 minutes ago       Up 8 minutes        80/tcp, 443/tcp     sharp_bartik

You can use either of the following commands:

    sudo docker inspect f86cf066c304

or
    sudo docker inspect sharp_bartik

Ustavimo vse kontejnerje: `sudo docker stop $(sudo docker ps -aq)`

Odstranimo vse kontejnerje: `sudo docker rm $(sudo docker ps -aq)`

**Izpostavimo kontejner**
- `docker run -d -p "80:80" nginx`

Ustavimo vse kontejnerje: `sudo docker stop $(sudo docker ps -aq)`

Odstranimo vse kontejnerje: `sudo docker rm $(sudo docker ps -aq)`