# **Docker**

* **Concepts**: Containers, Images, Volumes, Networks.
* **Commands**:

  * `docker build`, `docker run`, `docker ps`, `docker stop`, `docker rm`, `docker exec -it`.
  * `docker-compose up/down` for multi-container apps.
* **Use Cases**:

  * Local development environments.
  * Microservices packaging.
  * Testing Kubernetes YAML manifests before production.
* **Example**:

  ```bash
  docker run -d -p 8080:80 nginx
  docker exec -it container_id bash
  ```


## Docker Architecture and Requirements

Docker requires Linux kernel features to run containers. On Windows, Docker integrates with WSL2 to provide a real Linux kernel. Docker containers are process-based and specific to applications, unlike VMs which create separate OS instances.

**Core Linux Features Used by Docker:**
- **Namespaces**: Provide isolation for processes, networks, filesystems
- **Cgroups**: Control resource allocation (CPU, memory, I/O)  
- **UnionFS/OverlayFS**: Layered filesystem for efficient storage

**Docker Engine Behavior:**
- Must already be running (the daemon starts with the Docker service) before any container can start
- Remains idle but running when no containers are active
- Only stops when the Docker service itself is stopped

## Linux Kernel Features

### Namespaces
Isolate different aspects of the system. Each namespace type serves a specific purpose:

**Namespace Types:**
- **PID**: Isolates process IDs
- **NET**: Separate network stack (IP, interfaces)
- **MNT**: Isolates filesystem mount points
- **UTS**: Isolates hostname and domain name
- **IPC**: Isolates inter-process communication
- **USER**: Isolates user/group IDs
- **CGROUP**: Isolates the view of the cgroup hierarchy (the CPU, memory and I/O limits themselves are applied by cgroups, below)
- **TIME**: Isolates time settings

### Cgroups (Control Groups)
Control and limit resource usage for processes:

**Resource Controllers:**
- **cpu**: Limits CPU usage
- **memory**: Controls RAM allocation
- **blkio**: Controls disk I/O speed
- **cpuset**: Assigns specific CPU cores
- **devices**: Restricts hardware access
- **net_cls/net_prio**: Network traffic control
- **pids**: Limits process creation
- **freezer**: Suspend/resume processes

### OverlayFS (Union Filesystem)
Combines multiple layers into a single virtual filesystem:

**Layer Structure:**
- **LowerDir**: Read-only base layers from image
- **UpperDir**: Writable layer for runtime changes
- **MergedDir**: Combined view of all layers
- **WorkDir**: Temporary workspace for operations

**Copy-on-Write Behavior:**
- Files are copied from lower to upper layer when modified
- Original layers remain unchanged
- Efficient storage through layer sharing
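The layer model above is easiest to see in code. The following is an added illustration in Python, not Docker's or OverlayFS's implementation: each layer is a dict mapping path to content, `lower` stands for LowerDir, `upper` for UpperDir, `merged()` for MergedDir, and a deleted file is recorded with a whiteout sentinel (real OverlayFS uses a special character-device entry for the same purpose). The `UnionFS` class, the `demo()` function and the sample paths are all constructed for this example.

```python
# Toy model of OverlayFS layering and copy-on-write. Added illustration, not
# Docker's implementation: each layer is a dict mapping path -> content, and a
# deleted file is recorded as a whiteout marker (real OverlayFS uses a special
# character device entry in upperdir for the same purpose).

WHITEOUT = object()  # sentinel standing in for an OverlayFS whiteout entry


class UnionFS:
    def __init__(self, lower_layers):
        # lowerdir: the read-only image layers, index 0 is the base image
        self.lower = [dict(layer) for layer in lower_layers]
        # upperdir: the container's single writable layer
        self.upper = {}

    def merged(self):
        """MergedDir view: apply layers bottom-up, upperdir last wins."""
        view = {}
        for layer in self.lower + [self.upper]:
            for path, content in layer.items():
                if content is WHITEOUT:
                    view.pop(path, None)   # whiteout hides the lower file
                else:
                    view[path] = content
        return view

    def read(self, path):
        return self.merged().get(path)

    def write(self, path, content):
        """Copy-on-write: the change lands in upperdir; lowerdir is untouched."""
        self.upper[path] = content

    def delete(self, path):
        """Deleting a lower-layer file only masks it with a whiteout."""
        self.upper[path] = WHITEOUT

    def lower_contains(self, path):
        """True if any read-only layer still carries real content for path."""
        return any(layer.get(path, WHITEOUT) is not WHITEOUT for layer in self.lower)

    def commit(self):
        """Like `docker commit`: freeze upperdir as a new read-only layer."""
        self.lower.append(self.upper)
        self.upper = {}


def demo():
    """Constructed image: a base layer plus an app layer that contains a secret."""
    base = {"/etc/os-release": "alpine", "/bin/sh": "busybox"}
    app = {"/app/main.py": "v1", "/app/.env": "DB_PASSWORD=example"}
    fs = UnionFS([base, app])
    fs.delete("/app/.env")          # e.g. RUN rm /app/.env in a later layer
    fs.write("/app/main.py", "v2")  # modified file is written to upperdir only
    return {
        "visible": sorted(fs.merged()),
        "main_py": fs.read("/app/main.py"),
        "secret_visible": fs.read("/app/.env"),
        "secret_still_in_lower_layer": fs.lower_contains("/app/.env"),
        "base_layer_unchanged": fs.lower[0] == base,
    }
```

Running `demo()` shows the two properties listed above: the base layer is never modified, and a file deleted in a later layer is only hidden, so it is still present in the lower layer (and therefore still inside the image, where `docker history` and `docker save` expose it). That is why secrets must never be written into an image layer, even if a later `RUN rm` removes them from the merged view.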

## Docker Images and Containers

### Docker Images
Immutable blueprints containing:
- **Layers**: Read-only segments from Dockerfile instructions
- **Base Image**: Starting image (ubuntu, alpine, etc.)
- **Filesystem Snapshot**: Complete file structure
- **Metadata**: Configuration, environment variables, exposed ports
- **Build Cache**: Cached layers for faster rebuilds

**Base Image Types:**
- **Minimal**: alpine, busybox, scratch
- **General Purpose**: ubuntu, debian, fedora
- **Language-Specific**: python:3.9-slim, node:18-slim
- **Security-Hardened**: distroless, ubi

### Docker Containers
Runtime instances with:
- **Writable Layer**: Top layer capturing runtime changes
- **Runtime State**: Active processes, environment
- **Container ID/Name**: Unique identifiers
- **Resource Limits**: CPU, memory, network constraints
- **Network Settings**: Container-specific networking
- **Logs**: Runtime output and events

### Image vs Container Comparison

**Shared Foundations:**
- Same read-only layers and filesystem
- Identical metadata and configuration
- Same base environment setup

**Key Differences:**
- **Images**: Immutable, static blueprints stored on disk
- **Containers**: Dynamic instances with writable layer and runtime state
- **Persistence**: Images permanent, container changes ephemeral unless committed

## Dockerfile Instructions

**Essential Instructions:**
- **FROM**: Specifies base image
- **RUN**: Executes commands during build
- **COPY**: Copies files from host to image
- **WORKDIR**: Sets working directory
- **ENV**: Sets environment variables
- **EXPOSE**: Documents port usage
- **CMD**: Default command when container starts
- **ENTRYPOINT**: Configures container as executable

**Additional Instructions:**
- **ADD**: Like COPY but also fetches URLs and auto-extracts local tar archives
- **ARG**: Build-time variables
- **LABEL**: Adds metadata
- **USER**: Sets user for subsequent operations
- **VOLUME**: Creates mount points
- **HEALTHCHECK**: Defines health monitoring

**COPY Options:**
- `--from`: Copy from build stage
- `--chown`: Set file ownership
- `--chmod`: Set permissions
- `--exclude`: Exclude file patterns (experimental; requires the labs Dockerfile syntax)

## Docker Repository Concepts

**Repository Terminology:**
- **Repository**: Collection of related images under one name
- **Image Tag**: Version label (latest, v1.0, stable)
- **Image ID**: Unique SHA256 hash for image content
- **Repo Digest**: Content-addressable identifier in registry
- **Build Context**: Directory containing Dockerfile and related files

## Container Management Commands

**Basic Operations:**
```bash
docker run <image>                # Create and start container
docker run -d <image>             # Run in background
docker run -it <image> bash       # Interactive with shell
docker stop <container>           # Stop running container
docker start <container>          # Start stopped container
docker restart <container>        # Restart container
docker rm <container>             # Remove container
docker logs <container>           # View container logs
docker exec -it <container> bash  # Access running container
```

**Image Operations:**
```bash
docker images                     # List all images
docker pull <image>               # Download image
docker push <image>               # Upload image
docker rmi <image>                # Remove image
docker build -t <tag> .           # Build image from Dockerfile
docker history <image>            # Show image layers
docker inspect <image>            # Detailed image information (JSON)
```
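`docker inspect` prints JSON, which makes it a convenient source for checking a running container against the hardening settings covered later on this page (non-root user, capabilities, host namespaces, bind mounts, cgroup limits). The following audit is an added example in Python, not a Docker tool: `SAMPLE_INSPECT` and `SAMPLE_HARDENED` are constructed stand-ins for `docker inspect <container>` output using Docker's real field names (`Config.User`, `HostConfig.CapAdd`, `HostConfig.Binds`, and so on) with made-up values, and `audit_container`, `worst_severity` and the severity ratings are this example's own choices.

```python
import json

# Constructed sample standing in for the output of `docker inspect <container>`
# (a JSON array with one object). Field names are the ones Docker emits;
# the id, name and values are made up for this example.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0000deadbeef",
    "Name": "/sensor",
    "Config": {"User": "", "Image": "sensor:latest"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "NetworkMode": "host",
        "PidMode": "",
        "Memory": 0,
        "PidsLimit": None,
        "NanoCpus": 0,
        "ReadonlyRootfs": False,
        "SecurityOpt": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# The same container after applying the hardening flags (also constructed).
SAMPLE_HARDENED = json.dumps([{
    "Id": "0000deadbeef",
    "Name": "/sensor",
    "Config": {"User": "1000:1000", "Image": "sensor:1.4.2"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "NetworkMode": "bridge",
        "PidMode": "",
        "Memory": 256 * 1024 * 1024,   # --memory 256m
        "PidsLimit": 100,              # --pids-limit 100
        "NanoCpus": 500_000_000,       # --cpus 0.5
        "ReadonlyRootfs": True,        # --read-only
        "SecurityOpt": ["no-new-privileges:true"],
        "Binds": ["sensor-data:/data"],
    },
}])

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def audit_container(inspect_json):
    """Check one container's inspect output against the hardening practices.

    Returns a list of (severity, message) tuples; an empty list means nothing
    was flagged. Only the first object of the inspect array is examined.
    """
    info = json.loads(inspect_json)[0]
    cfg = info.get("Config") or {}
    hc = info.get("HostConfig") or {}
    findings = []

    # Privilege: who the process runs as and which capabilities it holds
    if hc.get("Privileged"):
        findings.append(("high", "--privileged disables most isolation"))
    if not cfg.get("User"):
        findings.append(("medium", "no User set, processes run as root inside the container"))
    for cap in hc.get("CapAdd") or []:
        sev = "high" if cap in ("SYS_ADMIN", "ALL") else "medium"
        findings.append((sev, f"capability added: {cap}"))
    if not any(opt.startswith("no-new-privileges") for opt in hc.get("SecurityOpt") or []):
        findings.append(("low", "no-new-privileges not set"))

    # Namespaces: NET and PID namespaces shared with the host
    if hc.get("NetworkMode") == "host":
        findings.append(("medium", "shares the host network namespace"))
    if hc.get("PidMode") == "host":
        findings.append(("medium", "shares the host PID namespace"))

    # Bind mounts exposing host resources (Binds entries are "src:dst[:opts]")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src == "/var/run/docker.sock":
            findings.append(("high", "Docker socket bind-mounted, full control of the daemon"))
        elif src == "/":
            findings.append(("high", "host root filesystem bind-mounted"))

    # cgroup limits: memory, pids and cpu controllers left unconstrained
    if not hc.get("Memory"):
        findings.append(("low", "no memory limit"))
    if not hc.get("PidsLimit"):
        findings.append(("low", "no pids limit"))
    if not hc.get("NanoCpus"):
        findings.append(("low", "no CPU limit"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("low", "root filesystem is writable"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when nothing was flagged."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    import sys
    # Usage: docker inspect <container> | python audit.py
    for sev, msg in audit_container(sys.stdin.read()):
        print(f"[{sev}] {msg}")
```

Piping `docker inspect <container>` into the script lists every deviation from the hardened profile; the sample container scores `high` because of the added `SYS_ADMIN` capability and the mounted Docker socket, while `SAMPLE_HARDENED` produces no findings. The `Memory`, `PidsLimit` and `NanoCpus` checks map directly onto the memory, pids and cpu cgroup controllers listed under Linux Kernel Features.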

**System Cleanup:**
```bash
docker system prune               # Remove unused data
docker container prune            # Remove stopped containers
docker image prune                # Remove unused images
docker volume prune               # Remove unused volumes
docker network prune              # Remove unused networks
```

## Docker Compose

**Purpose**: Define and manage multi-container applications using YAML files.

**Common Keywords:**
- **version**: Compose file format version (obsolete with Compose v2, which ignores it)
- **services**: Container definitions
- **image**: Specifies container image
- **build**: Build from Dockerfile
- **ports**: Port mapping between host and container
- **volumes**: Persistent storage and bind mounts
- **environment**: Environment variables
- **depends_on**: Service dependencies
- **networks**: Custom networking
- **restart**: Restart policies

**Compose Commands:**
```bash
docker-compose up                 # Start services
docker-compose up --build         # Rebuild and start
docker-compose down               # Stop and remove services
docker-compose logs               # View service logs
docker-compose ps                 # List running services
```

## Configuration Management

**Configuration Approaches:**
- **Build-time**: Copy config files into image with COPY
- **Runtime**: Mount external config files as volumes
- **Environment Variables**: Pass settings via ENV or docker run -e

**Volume Mounting Benefits:**
- Same image, different configurations per container
- No need to rebuild images for config changes
- Separation of code and configuration

## Storage and Volumes

**Volume Types:**
- **Named Volumes**: Docker-managed persistent storage
- **Bind Mounts**: Direct host directory mapping
- **Anonymous Volumes**: Temporary storage for container lifetime

**Volume Commands:**
```bash
docker volume ls                  # List volumes
docker volume create <name>       # Create named volume
docker volume inspect <name>      # Volume details
docker volume rm <name>           # Remove volume
```

## Networking

Docker provides isolated networking for containers:

**Network Types:**
- **Bridge**: Default network for single host
- **Host**: Use host's network directly
- **None**: No networking
- **Custom**: User-defined networks for service discovery

**Network Commands:**
```bash
docker network ls              # List networks
docker network create <name>   # Create network
docker network inspect <name>  # Network details
docker network connect <network> <container>  # Connect container
```

## Container Dependencies

**Dependency Types:**
- **Functional**: Service stops working without dependency
- **Operational**: Service continues running but fails to operate correctly

**Example**: A sensor container operationally depends on a gateway: it keeps retrying the connection but stays running while the gateway is down.
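The distinction between functional and operational dependencies is worth modelling, because it decides both the start order (the same information Compose derives from `depends_on`) and the blast radius when one service fails. The following is an added Python example, not Compose's own scheduler: `SERVICES` is a constructed stack (sensor, gateway, broker, database, dashboard) in which each edge is tagged `functional` or `operational`, `start_order` is a topological sort that rejects cycles, and `impact` follows functional edges transitively to separate services that stop working from those that merely degrade.

```python
# Service dependency model. Added example, not Docker's or Compose's code.
# Each service maps the services it depends on to the dependency type:
# "functional" (cannot work without it) or "operational" (keeps running,
# retries, but does not operate correctly). Same shape as Compose
# `depends_on`, plus the type.

# Constructed example stack
SERVICES = {
    "broker": {},
    "db": {},
    "gateway": {"broker": "functional", "db": "functional"},
    "sensor": {"gateway": "operational"},
    "dashboard": {"db": "functional", "broker": "operational"},
}


def start_order(services):
    """Topological order: every service starts after everything it depends on.

    Raises ValueError on a dependency cycle or an unknown dependency.
    """
    order, state = [], {}  # state: 1 = being visited, 2 = finished

    def visit(name, path):
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError("dependency cycle: " + " -> ".join(path + [name]))
        if name not in services:
            raise ValueError(f"unknown dependency: {name}")
        state[name] = 1
        for dep in services[name]:
            visit(dep, path + [name])
        state[name] = 2
        order.append(name)

    for name in sorted(services):  # sorted for a deterministic result
        visit(name, [])
    return order


def impact(services, failed):
    """Return (broken, degraded) for the failure of one service.

    A service is broken if it functionally depends on a broken service
    (transitively); it is degraded if it only operationally depends on one.
    """
    broken, degraded = {failed}, set()
    changed = True
    while changed:  # iterate until no new service becomes broken
        changed = False
        for name, deps in services.items():
            if name in broken:
                continue
            kinds = {deps[d] for d in deps if d in broken}
            if "functional" in kinds:
                broken.add(name)
                changed = True
            elif "operational" in kinds:
                degraded.add(name)
    broken.discard(failed)
    return sorted(broken), sorted(degraded - broken)
```

With the constructed stack, losing the broker breaks the gateway (functional) and only degrades the sensor and dashboard, which keep running and retrying; losing the database breaks both the gateway and the dashboard. A cycle such as two services depending on each other is reported instead of silently producing an order.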

## Troubleshooting Common Issues

**Port Conflicts:**
```bash
sudo lsof -i :4840            # Check what's using port 4840
sudo fuser -k 4840/tcp        # Kill processes on port 4840
```

**Complete Cleanup:**
```bash
# Stop every container first; xargs -r skips docker stop when none exist,
# so the prune still runs. --volumes also deletes all unused volumes (data).
docker ps -aq | xargs -r docker stop
docker system prune -a --volumes -f
```

**Network Issues:**
- Check container can reach other services
- Install network tools: `apt-get install iputils-ping mosquitto-clients`
- Verify DNS resolution between containers

**Container Access:**
```bash
docker exec -it <container> sh    # Access running container
docker restart <container> && docker exec -it <container> bash
```

## Best Practices

**Image Building:**
- Use multi-stage builds for smaller images
- Minimize layers by combining RUN commands
- Use .dockerignore to exclude unnecessary files
- Choose appropriate base images (alpine for size, ubuntu for compatibility)

**Container Management:**
- Use health checks to monitor container status
- Implement proper logging with structured output
- Set resource limits to prevent resource exhaustion
- Use volumes for persistent data

**Security:**
- Run containers as non-root users when possible
- Keep base images updated
- Use security-hardened base images for production
- Limit container capabilities and access

**Development Workflow:**
- Use Docker Compose for multi-service development
- Mount source code as volumes for live development
- Separate configuration from application code
- Use environment-specific compose files