docker basics - avramukk

# Docker #docker ![[Arc 2024-10-21 16.38.04.png]][source](https://x.com/iximiuz/status/1840429494818975866) **Docker Daemon (dockerd)**: A background process running on the host, responsible for managing containers, networks, volumes, and images. It listens for Docker API requests and handles tasks like creating and running containers. **Docker Client (docker)**: A command-line tool or API that communicates with the Docker Daemon via REST APIs. It allows users to interact with Docker by sending commands (e.g., `docker run`, `docker build`) that the daemon executes. ### Key Internal Concepts of Docker Docker simplifies containerization, but understanding its internal mechanisms helps clarify how it efficiently manages resources. 1. **Namespaces**: Docker uses Linux namespaces (e.g., PID, net, mount, IPC, UTS) to isolate containers from one another and from the host system. Each container runs in its own isolated namespace, making it appear as if it has its own process tree, network interfaces, and file system. 2. **Control Groups (cgroups)**: Cgroups are used by Docker to manage resources such as CPU, memory, and disk I/O. This allows Docker to limit and allocate resources for each container, ensuring they don't overuse system resources. 3. **Union File Systems (UnionFS)**: Docker employs UnionFS (e.g., AUFS, OverlayFS) to create layers in images. This allows images to be lightweight and efficient by stacking layers, where only the top layer is writable, and all other layers are read-only. 4. **Container vs. VM**: Docker containers use the host OS kernel, unlike virtual machines (VMs) that emulate hardware. This leads to faster startup times and lower overhead since containers share the host's kernel, providing process-level isolation instead of full machine isolation. --- ### Dockerfile Structure The Dockerfile is a text file that defines the steps required to build a Docker image. Each instruction creates a new layer in the image. Here’s a breakdown of the key Dockerfile instructions: 1. **FROM**: Specifies the base image. For example: ```dockerfile FROM ubuntu:20.04 ``` 2. **RUN**: Executes commands in the image. Docker caches the results of `RUN` commands to avoid redundant operations on future builds. For example: ```dockerfile RUN apt-get update && apt-get install -y python3 ``` 3. **COPY** and **ADD**: Copy files from the host to the image. `COPY` is more straightforward, while `ADD` can extract archives. For example: ```dockerfile COPY . /app ``` 4. **CMD** and **ENTRYPOINT**: Define the default command to run inside the container. `ENTRYPOINT` sets the main command, while `CMD` provides arguments or can set a default executable if `ENTRYPOINT` is absent. For example: ```dockerfile ENTRYPOINT ["python3", "app.py"] CMD ["--debug"] ``` --- ### Multistage Builds in Docker **Multistage builds** are a technique to optimize image size by separating the build process into multiple stages. Each stage uses a different base image, and only necessary files are copied to the final image, eliminating build-time dependencies from the production environment. **Benefits**: - Smaller image sizes. - Cleaner production environments. - Improved security by avoiding unnecessary dependencies. **Example**: ```dockerfile # First stage: build the app FROM python:3.9 as builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt COPY . . RUN python setup.py build # Second stage: final image FROM python:3.9-slim WORKDIR /app # Copy build artifacts from the builder stage COPY --from=builder /app . CMD ["python", "app.py"] ``` --- ### Image Layering and Storage Docker images consist of layers. Each instruction in a Dockerfile creates a new layer, and these layers are cached to speed up subsequent builds. Docker stores these layers using **UnionFS**. Key points: - **Layer Reuse**: If a layer hasn’t changed between builds, Docker reuses it, saving time. - **Layer Order**: Changes to earlier layers invalidate the cache for subsequent layers. - **Efficiency**: Docker uses a copy-on-write mechanism, meaning each container only adds changes to the writable layer on top of the read-only image layers. ### Deep Dive into Docker Components 1. **Container Runtime (runc)**: Docker uses `runc` under the hood to run containers. `runc` is a low-level runtime that creates and runs containers according to the OCI (Open Container Initiative) specification. Docker orchestrates these runtimes via the Docker Daemon. 2. **Networking**: Docker creates virtual networks using different drivers (bridge, overlay, host). Containers can communicate with each other over these networks, with the bridge driver being the default. Docker’s networking is isolated by namespaces, ensuring container separation. 3. **Volumes**: Docker uses volumes to persist data outside the container’s writable layer. This prevents data loss when containers are removed, allowing persistent storage. ### Useful links: https://labs.iximiuz.com/tutorials/container-networking-from-scratch