### Docker for Application

#### Docker voulmes
* There are three types of docker volumes
  + tmpfs mount
    + used to store sensitive data
    + temporary storage
      + data stored in memory
  + named or anonymous volume
    + managed by docker by docker cli
    + `docker volume create [name of volume]`
    + `docker run --volume code-volume:/app`
      + if volume exists, it will be mounted, otherwise, a new volume is created
    + docker cli for named volume
      + docker volume ls
    + advantages
      + volume is a managed object
      + isolated from other host activity
      + easy to identify and backup
      + better performance when sing docker desktop
        + volume is stored in linux virtual machine rather than local system
    + disadvantage
      + owned by root user (must run docker as root user), which is not a good practice and should be avoided
  + bind mount directory inside docker to 
    + arbitary directory from host 
    + changes reflected on host
    + `docker run --volume /path/on/host:/path/in/container` (path must be absolut path)
    + not have to be root user
    + must have a docker container to run
    + must consider user and group id mismatch when using bind mounts
      + the user on local host has a specific user id and group id (uid 1000, gid: 1000)
      + for bind mounts, the user inside docker is root (uid:0, gid: 0)
        + when you create files or folders inside the docker, the corresponding files on local host can not be written/removed
          + these files/directories now belong to root
      + solution 1: create the corresponding uid and gid inside docker file
        + `RUN groupadd -r --gid 1000 user \
          && useradd -r --uid 1000 -g user user`
        + whe run docker then use
        `docker run --volume /src --user user myapp touch /src/created_in_container`
      + solution 2
        + similar to solution 1, instead of creating group and user id by RUN shell script with hard coded ids, using ARG
       
       ```yaml
        FROM debian
        
        ARG UID=1000
        ARG GID=1000
        RUN groupadd -r --gid &#36;   GID user \
         &&   useradd -r --uid &#36; UID -g user user
         
         ```
         
         In terminal, run
         `docker build --build-arg UID=1001 --build-arg GID=1001 -t myapp .`
       

#### A use case of using multi-stage builds
* with compiled programming languages
  + increased complexity
    + not trivial to code and hot reload with a bind mount as in interpretor languages
  + larger image size
    + development tools captured inside the container image, which is not needed after compilation to exe files
* solution: builder pattern
  + split the build step sequence from the run step sequence, wth separate Dockerfiles for each task 
  + we need to use bind mount to refer to the files/directories in the build stage when build the run docker
* multi-stage docker (put everything in the same docker with different stages using FROM)

    ```yaml
      FROM node:14 AS builder
      WORKDIR /deps
      COPY . .
      RUN npm install
      
      FROM gcr.io/distroless/nodejs
      COPY --from=builder /deps /app
      WORKDIR /app
      CMD ["server.js"]
      
    ```  
* for multi-stage docker, you can define to which stage the docker build command should execute and ignore stages after the specified stage
  + the target stage and predecessors are included in the build
  `docker build -t app-builder --target builder .`
  + samller image sizes attained by selective inclusion of content
* constructing a multi-stage Dockerfile
```yaml
# base stage
FROM golang:1.16 AS base
# lint stage
FROM base AS lint
COPY golangci-lint /go/bin/
WORKDIR /app
CMD["golangci-lint", "run"]
# build stage
FROM base as build
WORKDIR /app
COPY go.??? ./
RUN go mod download
COPY *.go ./
RUN go build -o mini .
# execution stage
FROM alpine:3
COPY --from=build /app/mini /
ENTRYPOINT ["./mini"]
```

* An image used only for linting can be built using the --target option
  + `docker build -t mini-lint:1.0 --target lint .`
  + the built docker image can then be used to lint the code using a bind mount        
  `docker run -it --rm -v $(pwd):/app mini-lint:1.0`  
    + CMD will be executed to lint the code in current folder of the host, which is mapped to /app inside docker
    $
* one problem of docker building process is that the process is linear
  + even though there is no dependency between lint and build, build stage will be on top of lint
  + buildkit can find out the dependency such as both build and lint are based on base, and there is no dependency between them
    + processes Dockerfile instructions and constructs a directed acyclic graph of depedencies
      + non-denpendency steps are build parallel
    +provides an optional extended Dockerfile instruction se for more advanced build features
    + buildkit is not the default build engine that is used when invoking a container image build
    + to enable buildkit, you can 
      + set the deamon.json file 
      ```json
        {
          <snip>
          "features": {"buildkit": true},
          <snip>
          }
       ```
       
       + for docker desktop, set this from settings
       + set DOCKER_BUILDKIT at any vlaue rather than 0 by
         `export DOCKER_BUILDKIT=1`
      

#### Oprimization of docker images
* anatomy of an image (using docker inspect cli)
  + image configuration object (meta data)    
    + command of docker run
    + port to expose
    + workingDir
  + RootFS (file system definition for derived containers)
    + content layer that make up the filesystem (Layers with an array of SHA)
  + the majority of docker instructions arefor adding metadata to image
    + what user to use to run a container
    + which command or program to execute
  + small portion of instructions to create content for the file system in the form of layers
    + COPY instruction (recommended if possible)
    + ADD instruction (can also apply to remote content copy)
    + RUN (executes commands to generate additional image content)
      + add utilities
      + install app's dependencies
      + create a user
    + whenever docker build execute COPY, ADD and RUN instructions, a new content layer is added to the image
* when a container is created, docker assembles the content in each layer by making a union of the layers in turn to present a homogeneous set of files and directories
  + the contents are read only
  + enable to build images from other images
  + to write to the docker, docker adds a final layer on top of layers on image
    + unique, temporary, writeable layer for every container instance
      + not part of the image and is removed when container is removed
      + if container need to create a new directory, it is created in this layer
      + to alter a content in the previous layer, it copy the content to the final layer (copy on write)
      + to delete a content, it is removed from the union of the content by a technique called whiteout