IT operations admins tasked with learning Docker should start from the beginning -- which means knowledge of containers, images and the commands used to manage them.
Docker containers and images are two discrete items. A container image is built from a set of instructions required to run a software program, which can be written in a Dockerfile. Containers bring an image into production so it can execute the software program's tasks. To ensure best practices around versions, security and other concerns, IT teams can start from a golden image -- a base design -- and add to it or create variations, as needed.
To get new users up and running, below are eight of the most common Docker commands.
1. Go live with docker run
IT admins can use docker run to deploy an image as a container and then manage that container with a wide range of commands. While one of the most complex commands, docker run is used frequently. The command requires certain variables, such as network port numbers, to run, depending on the makeup of the given image. A simple example is whalesay:
docker run docker/whalesay Hi
2. Manage user access with sudo vs. root
A sys admin can use the sudo command to grant users access to Docker containers. To prevent security risks, understand the implications of sudo, root access and Docker groups.
The root user accesses the Docker daemon and sockets on the host, with the ability to read and write images. Root users have free rein to alter the Docker container deployment. Attackers seek out weaknesses in Docker setups to gain root access.
When admins set up Docker on host systems, they can create a docker group and add users to it. Those users gain root access.
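Here, username represents the user to which you give access. The -a flag appends the docker group to the user's existing supplementary groups; with -G alone, usermod replaces them, which can silently remove the user from groups such as sudo:
sudo usermod -aG docker username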
To activate this change, users must log out and back in so that the group configuration is reread.
Since membership in the docker group grants full unrestricted root access, it is a major security risk. To act as the root user for just certain commands, rely on sudo. Any Docker command prefaced with sudo runs with administrator-level privileges, so the user can change the Docker environment without holding permanent root access.
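An audit check for the risk described above, as an added example that is not part of the original article: it lists every account that belongs to the docker group, including accounts whose primary group is docker and which therefore never appear in the group's member list. The group and passwd contents are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Audit who can reach the Docker daemon via the docker group (added example).

# Print the GID of the docker group from a group-format file ($1).
docker_group_gid() {
    awk -F: '$1 == "docker" { print $3; exit }' "${1:-/etc/group}"
}

# Print, one per line, every account in the docker group.
# $1 = group file, $2 = passwd file (defaults: the live system files).
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    gid=$(docker_group_gid "$group_file")
    [ -n "$gid" ] || return 0   # no docker group: nothing to report
    {
        # Supplementary members: comma-separated 4th field of the docker entry.
        awk -F: '$1 == "docker" && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
        }' "$group_file"
        # Accounts whose primary group is docker; these are NOT listed above.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | LC_ALL=C sort -u
}

# Constructed sample data, not taken from a real host.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/usr/sbin/nologin
buildsvc:x:1003:998::/home/buildsvc:/bin/sh
EOF

# Every name printed here has root-equivalent control of the host via Docker.
docker_group_users "$sample_dir/group" "$sample_dir/passwd"
```

On a live host, call docker_group_users with no arguments to read /etc/group and /etc/passwd, and review each reported account against who actually needs daemon access.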
3. Retrieve images with docker pull
Another common Docker command, docker pull, pulls the container images to use from a repository or other designated source. A simple example is docker pull ubuntu:latest.
This command will pull the most recently updated image, by default, but it doesn't run a container instance. To pull the Ubuntu 16.04 image specifically, rather than the newest version, adjust the command to docker pull ubuntu:16.04.
4. Make a new container with docker create
This common Docker command generates a new container image, which creates a plain text manifest file, the construction of which follows certain conventions. An example of a manifest file is shown here.
Some elements in the manifest file are fairly self-explanatory; for example, FROM specifies on which Linux version to base the image.
The RUN commands describe the requirements for the container build process. For example, if apt-get update is listed, the container image updates when the build process runs. The CMD element -- not pictured -- provides the default parameters or command that a container will run when it deploys. Admins define CMD instructions in Dockerfiles. If the admin instructs a container to execute with a different command, it will ignore the CMD instruction.
5. Stop container instances with docker stop
This Docker command enables users to stop specified container instances, without deleting them, in a simple structure: docker stop (container ID).
One useful function is the -t switch, also written --time, which admins implement to dictate how long -- in seconds -- a system will wait for a container instance to stop running before it is killed.
6. Check container status with docker ps
This essential command provides the IT admin a list of currently available containers and their operational status. Combine docker ps with various filters to gain insights into the deployed environment, such as which containers can access a given networking port.
7. Use a Dockerfile to create an image with docker build
This command enables IT admins to create an image based on a Dockerfile. The -t switch assigns a tag to the build. Use the build command to test the Dockerfile build process, in a single step: docker build -t mydockertest . where the final argument is the path to the directory that contains the Dockerfile, here the current directory.
8. Control container versions with docker tag
Tags provide version control in a container build. By default, every successful build becomes the most recent image. Therefore, when admins use the docker pull command without specifying versions in a tag, they will pull this latest successful build -- provided the build is stored in a Docker repository.
Tags for container builds can be a numerical ID, or a name, such as dev or test.
To tag an image, use the following command: docker tag IMAGE_ID image:TAG.
Replace IMAGE_ID with the ID of the image to tag.
These common Docker commands are a mere introduction to Docker ecosystem fundamentals -- for example, we have not used or specified any network connectivity, which adds another layer of complexity on top of these basic functions.