Docker CLI management, network and storage examples

Docker Management basic commands:

List running containers
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 09:46)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

List all containers, running and stopped:
[liquid@liquid-ibm:~]$ S docker ps -a                                                                                                                                                    (09-12 09:46)
CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS                   PORTS                  NAMES
6eccfa68da98        c1969a27a2d3          "/check-nickel-bin/do"   5 days ago          Exited (0) 5 days ago                           dock_HP-france-ok_PROJECT
0841bff28065        59c2784ab2dc          "/check-nickel-bin/do"   6 days ago          Exited (0) 5 days ago                           dock_FT-hpux_PROJECT
17c94cc0333b        xcgd/libreoffice      "/opt/libreoffice/sta"   9 days ago          Exited (0) 5 days ago                           big_swirles
e5fb092a9c5a        xcgd/libreoffice      "/opt/libreoffice/sta"   9 days ago          Exited (0) 9 days ago                           admiring_aryabhata
a40f69f628cc        b30ae38e6674          "/check-nickel-bin/do"   10 days ago         Exited (0) 5 days ago                           dock_HP-jazztel_PROJECT
00f16b59b64c        117093f593f0          "/check-nickel-bin/do"   2 weeks ago         Exited (0) 2 weeks ago                          dock_WedJun22-2016-1613
5102942e94c6        6f2f21e25346          "/check-nickel-bin/do"   5 weeks ago         Exited (0) 4 weeks ago   0.0.0.0:6568->80/tcp   dock_France_Telecom_PROJECT
ff4d6523b4b8        6f2f21e25346          "/check-nickel-bin/do"   5 weeks ago         Exited (0) 4 weeks ago   0.0.0.0:6565->80/tcp   dock_bl870c.ThuAug04-2016-1207

List the last run container (we can always use the -s option to list the size of the image):
[liquid@liquid-ibm:~]$ S docker ps -sl                                                                                                                                                   (09-12 09:47)
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                  PORTS               NAMES                       SIZE
6eccfa68da98        c1969a27a2d3        "/check-nickel-bin/do"   5 days ago          Exited (0) 5 days ago                       dock_HP-france-ok_PROJECT   103.1 MB (virtual 593.4 MB)

Working with Images:

List downloaded images on the host:
[liquid@liquid-ibm:~]$ S docker images                                                                                                                                                   (09-12 09:48)
REPOSITORY                               TAG                 IMAGE ID            CREATED             SIZE
registry.gitlab.com/liquidsmail/nickel   latest              dedb9d3ecd1c        5 days ago          490.2 MB
registry.gitlab.com/liquidsmail/nickel                 d0eb12c27a96        5 days ago          490.2 MB
fedora/v1.1                              latest              c25de3a8e30b        7 weeks ago         574 MB
hello-world                              latest              c54a2cc56cbb        10 weeks ago        1.848 kB

Remove/delete images from the host, we use the IMAGE ID:
[liquid@liquid-ibm:~]$ S docker rmi 1f617aec7dab                                                                                                                                         (09-12 09:51)
Untagged: registry.gitlab.com/liquidsmail/nickel@sha256:6f70f87143a786a47e8d92fc18f3096ab835e573aebf4513cb0c356eec5ab898
Deleted: sha256:1f617aec7dab1eed4c8f62f0a0d36e539f19fbf997f54b00097b9d002793cfa5
Deleted: sha256:b3f91a2750fd32054b621a70c09dd407e8d6d264a50c873c802291e13f9bc2e9
Deleted: sha256:0b89c9036f72a608664d27e12da39f830b269bd2a32aff449052fb0a94264942
Deleted: sha256:5bd9f23d5ccb5d2b4ed489d4c321609d28fee63b22ccbc21f00de374676cd4fa
Deleted: sha256:48739e7dfdd86de2713906d577e82d0616b46e34f8e5ad62eecf765b99574624
Deleted: sha256:021e18777f74db1678ce80b2280d5398ada8a5625280a0d0a894f8e42a95f9b2
Deleted: sha256:e7a00348fcc53e68a75b1c3d9f0dadd9b16956ecbc87ebc7352bdc03077605a7
Deleted: sha256:5de62f2d923df9b4f7570f309707fb78c9a12b060af9b66a5fd89b8fb7c1e9b2

We can search for images on docker hub using the search command:

[liquid@liquid-ibm:~]$ S docker search ubuntu                                                                                                                                            (09-12 09:52)
NAME                              DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
ubuntu                            Ubuntu is a Debian-based Linux operating s...   4681      [OK]       
ubuntu-upstart                    Upstart is an event-based replacement for ...   66        [OK]       
rastasheep/ubuntu-sshd            Dockerized SSH service, built on top of of...   41                   [OK]
torusware/speedus-ubuntu          Always updated official Ubuntu docker imag...   27                   [OK]

We can also login to private registries, and pull images:

S docker login registry.gitlab.com                                                                                                                                (09-12 09:53)
Username (liquidsmail):         
Password: 
Login Succeeded

Now we can pull the image from this private registry:

[liquid@liquid-ibm:~]$ S docker pull registry.gitlab.com/liquidsmail/nickel                                                                                                              (09-12 09:54)
Using default tag: latest
latest: Pulling from liquidsmail/nickel

7c91a140e7a1: Already exists 
592923e9a3fd: Already exists 
20c36397bc25: Pull complete 
ae80bdcd2232: Pull complete 
8b9e79117b9a: Pull complete 
77fff0fe226d: Pull complete 
Digest: sha256:a899c55e34ee188dd0d516ab19c5966b63f03343f8b96b5709878e2ff78b4e4a
Status: Downloaded newer image for registry.gitlab.com/liquidsmail/nickel:latest

[liquid@liquid-ibm:~]$ S docker images  | grep nickel                                                                                                                                    (09-12 09:56)
registry.gitlab.com/liquidsmail/nickel   latest              dedb9d3ecd1c        5 days ago          490.2 MB


The Docker RUN command:

Start a container:

[liquid@liquid-ibm:~]$ S docker run hello-world                                                                                                                                          (09-12 09:57)

Hello from Docker!
This message shows that your installation appears to be working correctly.

As you know, a container stops once the process with PID 1 exits. The process with PID 1 is normally the one specified with CMD or ENTRYPOINT in the Dockerfile when you build the image. You can also override this process at runtime when executing the docker run command (if ENTRYPOINT is used, the command can't be overridden at runtime, and commands issued with docker run are passed as arguments to the specified ENTRYPOINT).

So here is an example, where we run a fedora image and the command that gets PID 1 is echo "Hello World"; once the command finishes, the docker container stops:

[liquid@liquid-ibm:~]$ S docker run fedora echo "Hello World"                                                                                                                            (09-12 10:06)
Hello World
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 10:07)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[liquid@liquid-ibm:~]$ S docker ps -l                                                                                                                                                    (09-12 10:08)
CONTAINER ID        IMAGE               COMMAND                CREATED              STATUS                          PORTS               NAMES
a788d93c42b9        fedora              "echo 'Hello World'"   About a minute ago   Exited (0) About a minute ago                       distracted_carson

Stop a container with the CLI:

[liquid@liquid-ibm:~]$ S docker stop serene_meitner                                                                                                                                      (09-12 10:56)
serene_meitner

Delete/remove a container:

[liquid@liquid-ibm:~]$ S docker ps -a | grep serene_meitner                                                                                                                              (09-12 10:57)
c341467b0a7a        fedora                "dnf install iputils"    3 minutes ago       Exited (1) 3 minutes ago                              serene_meitner
[liquid@liquid-ibm:~]$ S docker rm serene_meitner                                                                                                                                        (09-12 10:58)
serene_meitner
[liquid@liquid-ibm:~]$ S docker ps -a | grep serene_meitner                                                                                                                              (09-12 10:58)
[liquid@liquid-ibm:~]$                                                                                                                                                                   (09-12 10:58)


Run a container in interactive mode (-i) with a pseudo-terminal (tty) attached (-t); this gives us an interactive shell when run with the /bin/bash command:

[liquid@liquid-ibm:~]$ S docker run -it fedora /bin/bash                                                                                                                                 (09-12 10:14)
[root@2d6b5c677b02 /]# cat /etc/redhat-release 
Fedora release 24 (Twenty Four)
[root@2d6b5c677b02 /]# 

We can leave the container without exiting the shell (which would stop the container) using the key combination "Ctrl+P+Q":

[root@2d6b5c677b02 /]# %                                                                                                                                                                               [liquid@liquid-ibm:~]$                                                                                                                                                                   (09-12 10:35)
[liquid@liquid-ibm:~]$                                                                                                                                                                   (09-12 10:35)
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 10:35)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
2d6b5c677b02        fedora              "/bin/bash"         20 minutes ago      Up 20 minutes                           cocky_jepsen

We can then attach to the bash process again using the docker attach command; we can use the container ID or name:

[liquid@liquid-ibm:~]$ S docker attach cocky_jepsen                                                                                                                                      (09-12 10:35)
[root@2d6b5c677b02 /]# 

If we exit the shell, then PID 1 dies and the container stops:

[root@2d6b5c677b02 /]# exit
exit
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 10:52)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Now, there is also the possibility to run another process in the container. For example, if we have a container running in detached mode and we want shell access, we can use the exec option. An example:

First we install the ping tool in a container; we are going to run it in detached mode and give it the name ping-test:
[liquid@liquid-ibm:~]$ S docker run --name ping-test -d fedora /usr/bin/dnf -y install iputils                                                                                           (09-12 11:01)
45d1dcf9dcb60d49de4cdcd310b7aa3354c7989805057f398da98b79f197db2f

We can see it's running while the dnf command executes, then it stops:

[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 11:02)
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
45d1dcf9dcb6        fedora              "/usr/bin/dnf -y inst"   6 seconds ago       Up 4 seconds                            ping-test
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 11:02)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

We can see the output of the app/command we have running inside the container with the logs command:

[liquid@liquid-ibm:~]$ S docker logs ping-test                                                                                                                                           (09-12 11:03)
Last metadata expiration check: 0:00:09 ago on Mon Sep 12 09:02:37 2016.
Dependencies resolved.
================================================================================
 Package         Arch           Version                   Repository       Size
================================================================================
Installing:
 iputils         x86_64         20160308-3.fc24           updates         157 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 157 k
Installed size: 347 k
Downloading Packages:
--------------------------------------------------------------------------------
Total                                            90 kB/s | 157 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Failed to connect to bus: No such file or directory
  Installing  : iputils-20160308-3.fc24.x86_64                              1/1 
  Verifying   : iputils-20160308-3.fc24.x86_64                              1/1 

Installed:
  iputils.x86_64 20160308-3.fc24                                                

Complete!

So the ping binary got installed OK; let's continue with the example.

First we are going to commit the ping-test container and create an image called fedora:pingt from it:

[liquid@liquid-ibm:~]$ S docker commit ping-test fedora:pingt                                                                                                                            (09-12 11:10)
sha256:7ebd3a8c2c8b6f1ae2619bf58ce10fa540da3cbe22115cd85b2ac9302ddf4e79

Now we have an image in the fedora repo with the tag pingt; this image has the ping binary installed:

[liquid@liquid-ibm:~]$ S docker images                                                                                                                                                   (09-12 11:11)
REPOSITORY                               TAG                 IMAGE ID            CREATED             SIZE
fedora                                   pingt               7ebd3a8c2c8b        12 seconds ago      355.2 MB
registry.gitlab.com/liquidsmail/nickel   latest              dedb9d3ecd1c        5 days ago          490.2 MB

We run the image in detached mode with the ping command. Don't pay attention to --cap-add; it is just there to permit the ping file capabilities to run the ping command. We will explain this in a while:

[liquid@liquid-ibm:~]$ S docker run -d --name ping-test --cap-add net_raw --cap-add net_admin fedora:pingt /usr/bin/ping 8.8.8.8                                                         (09-12 11:32)
6bebc89bff30ae44a5ab021741750f29dff9e1c83aef0d0eb2a914513f5b2e6d
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 11:32)
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
6bebc89bff30        fedora:pingt        "/usr/bin/ping 8.8.8."   3 seconds ago       Up 2 seconds                            ping-test

We check with the logs command what is happening in the container; the -f option is the equivalent of the tail -f command:

[liquid@liquid-ibm:~]$ S docker logs -f ping-test                                                                                                                                        (09-12 11:32)
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=5.85 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=4.85 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=4.77 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=5.00 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=4.81 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=4.05 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=4.32 ms

OK, so imagine we need to access this container but we don't want to stop it; we can use the exec command:

[liquid@liquid-ibm:~]$ S docker exec -it ping-test /bin/bash
[root@6bebc89bff30 /]# ps -ef | grep -i ping
root         1     0  0 09:32 ?        00:00:00 /usr/bin/ping 8.8.8.8
[root@6bebc89bff30 /]# exit
exit
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 11:40)
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
6bebc89bff30        fedora:pingt        "/usr/bin/ping 8.8.8."   7 minutes ago       Up 7 minutes                            ping-test

So if you need shell access to a container that is already running, this is a good solution.

Now we are going to stop and delete the container and the image:

[liquid@liquid-ibm:~]$ S docker stop ping-test && S docker rm ping-test                                                                                                             
ping-test
[liquid@liquid-ibm:~]$ S docker rmi fedora:pingt                                                                                                                                         (09-12 11:41)
Error response from daemon: conflict: unable to remove repository reference "fedora:pingt" (must force) - container e4f976db2fdb is using its referenced image 7ebd3a8c2c8b

So we can't delete the image because there are still containers, started or stopped, that are using this image:

[liquid@liquid-ibm:~]$ S docker ps -a | grep fedora:pingt                                                                                                                                (09-12 11:41)
e4f976db2fdb        fedora:pingt          "/bin/bash"              18 minutes ago      Exited (0) 12 minutes ago                             suspicious_murdock
62b7f33c8cd2        fedora:pingt          "/bin/bahs"              18 minutes ago      Created                                               adoring_morse

If we do a force delete of the image all containers that depend on the image get deleted:

[liquid@liquid-ibm:~]$ S docker rmi -f fedora:pingt                                                                                                                                      (09-12 11:43)
Untagged: fedora:pingt
Deleted: sha256:7ebd3a8c2c8b6f1ae2619bf58ce10fa540da3cbe22115cd85b2ac9302ddf4e79
[liquid@liquid-ibm:~]$ S docker ps -a | grep fedora:pingt               

Some more options from the docker run CLI: port mapping. We can map exposed ports of the docker container to our host using the -p option:

In this example we are going to use the httpd image from the Apache project:

[liquid@liquid-ibm:~]$ S docker run -p 5050:80 -d httpd                                                                                                                                  (09-12 12:08)
f0e718d1992a57350f2f260d89742c5f65367d69c58fc626f745e1a3c2811f43
[liquid@liquid-ibm:~]$ S docker ps                                                                                                                                                       (09-12 13:21)
CONTAINER ID        IMAGE               COMMAND              CREATED              STATUS              PORTS                  NAMES
728144542f41        httpd               "httpd-foreground"   About a minute ago   Up About a minute   0.0.0.0:5050->80/tcp   adoring_easley

And also with the docker port command:

[liquid@liquid-ibm:~]$ S docker port adoring_easley                                                                                                                                      (09-12 13:21)
80/tcp -> 0.0.0.0:5050


OK, so we have Apache running on port 80 of the container, which is forwarded/published to port 5050 on our server:

[liquid@liquid-ibm:~]$ telnet localhost 80                                                                                                                                              (09-12 12:12)
Connected to 127.0.0.1
Escape character is '^]'.
get index.html


400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.

If we want to only listen on port 5050 of an interface, not on all interfaces on the host, we can use:

[liquid@liquid-ibm:~]$ S docker run -p 192.168.122.1:5051:80 -d httpd                    (09-12 13:21)
c8859cad5be3e6432a91cd7e85dfa7384b14a6519ae2aa397bd6892e85b9330b
[liquid@liquid-ibm:~]$ S docker ps                                                       (09-12 13:23)
CONTAINER ID        IMAGE               COMMAND              CREATED             STATUS              PORTS                        NAMES
c8859cad5be3        httpd               "httpd-foreground"   6 seconds ago       Up 5 seconds        192.168.122.1:5051->80/tcp   gloomy_lamport
728144542f41        httpd               "httpd-foreground"   3 minutes ago       Up 3 minutes        0.0.0.0:5050->80/tcp         adoring_easley
[liquid@liquid-ibm:~]$ S docker port c8859cad5be3                                        (09-12 13:23)
80/tcp -> 192.168.122.1:5051

There is also the -P option, which will map all exposed ports of the image (in the Dockerfile) to random high-numbered ports on the host:

[liquid@liquid-ibm:~]$ S docker run -P -d httpd                                          (09-12 13:24)
7f2841d6a3edec099c753ad954f24406c4979643c2f3827d23887f7a3784ae4a
[liquid@liquid-ibm:~]$ S docker ps                                                       (09-12 13:28)
CONTAINER ID        IMAGE               COMMAND              CREATED             STATUS              PORTS                   NAMES
7f2841d6a3ed        httpd               "httpd-foreground"   5 seconds ago       Up 4 seconds        0.0.0.0:32768->80/tcp   naughty_wescoff

Linking containers, making the SRC container's exposed port (in the Dockerfile) available to other destination containers:

This is our SRC container:

[liquid@liquid-ibm:~]$ S docker run --name web -d httpd                                  (09-12 13:45)
e9834b22f4b5fb0a1e801b91b17ef97fd28bef9744e6967893a180051e2aba66
[liquid@liquid-ibm:~]$ S docker ps                                                       (09-12 13:46)
CONTAINER ID        IMAGE               COMMAND              CREATED             STATUS              PORTS               NAMES
e9834b22f4b5        httpd               "httpd-foreground"   6 seconds ago       Up 5 seconds        80/tcp              web

Now our DEST container; we call it query, and we use --link to link it back to our SRC web container:

[liquid@liquid-ibm:~]$ S docker run --name=query --link=web:web -it fedora /bin/bash

This creates several variables that we can use to automate things:

[root@9d4df62e4127 /]# env | grep WEB
WEB_ENV_HTTPD_PREFIX=/usr/local/apache2
WEB_ENV_HTTPD_VERSION=2.4.23
WEB_PORT_80_TCP_PORT=80
WEB_ENV_HTTPD_BZ2_URL=https://www.apache.org/dist/httpd/httpd-2.4.23.tar.bz2
WEB_PORT_80_TCP=tcp://172.17.0.2:80
WEB_NAME=/query/web
WEB_PORT_80_TCP_PROTO=tcp
WEB_PORT_80_TCP_ADDR=172.17.0.2
WEB_ENV_HTTPD_SHA1=5101be34ac4a509b245adb70a56690a84fcc4e7f
WEB_PORT=tcp://172.17.0.2:80

We can also check that we can reach the src container port:

[root@9d4df62e4127 /]# telnet 172.17.0.2 80
Trying 172.17.0.2...
Connected to 172.17.0.2.
Escape character is '^]'.
get index.html

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
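
The -p and -P runs above differ in which host address the published port binds to: 0.0.0.0 is reachable on every interface of the host, 192.168.122.1 only on that one. The following is an added example, not part of the original article, that classifies each container's published ports by bind address. The function names and verdict labels are this example's own, the input layout is the one produced by docker ps --format '{{.Names}}\t{{.Ports}}', and the sample rows reuse the containers listed above.

```shell
#!/bin/sh
# Added example: classify published container ports by host bind address.
# Input on stdin: one container per line, "<name><TAB><ports>", i.e. the
# layout of:  docker ps --format '{{.Names}}\t{{.Ports}}'

audit_published_ports() {
    awk -F '\t' '
    {
        name = $1
        published = 0
        n = split($2, maps, /, */)             # a container may have several mappings
        for (i = 1; i <= n; i++) {
            m = maps[i]
            arrow = index(m, "->")
            if (arrow == 0) continue           # "80/tcp": exposed only, not published
            published = 1
            host   = substr(m, 1, arrow - 1)   # e.g. 192.168.122.1:5051
            target = substr(m, arrow + 2)      # e.g. 80/tcp
            addr = host; sub(/:[0-9-]+$/, "", addr)   # strip ":port" or ":from-to"
            port = host; sub(/^.*:/, "", port)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                verdict = "ALL-INTERFACES"
            else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
                verdict = "LOOPBACK-ONLY"
            else
                verdict = "SINGLE-ADDRESS"
            printf "%s %s %s:%s->%s\n", verdict, name, addr, port, target
        }
        if (!published) printf "NOT-PUBLISHED %s\n", name
    }'
}

# Sample input: container names and port mappings from the docker ps
# listings above, re-shaped to the tab-separated --format layout.
sample_ports() {
    printf 'adoring_easley\t0.0.0.0:5050->80/tcp\n'
    printf 'gloomy_lamport\t192.168.122.1:5051->80/tcp\n'
    printf 'naughty_wescoff\t0.0.0.0:32768->80/tcp\n'
    printf 'web\t80/tcp\n'
}

sample_ports | audit_published_ports
```

On a live host the same function can be fed with docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports.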

Quick info on the networking side:

On the host, when docker starts, it creates a bridge called docker0:

[liquid@liquid-ibm:~]$ ip a
9: docker0: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:1d:5d:75:a1 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0

Docker checks the network for IP networks that are not in use and assigns the first IP of the network to the bridge; this will give the containers access to the outside world:

[liquid@liquid-ibm:~]$ brctl show                                                        (09-12 12:14)
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02421d5d75a1       no

When a container starts, it gets its veth interface connected to the bridge; here we run a container and then detach:

[liquid@liquid-ibm:~]$ S docker run -it fedora /bin/bash                                 (09-12 12:19)
[root@a7d4708c8997 /]#

The veth gets created; this is the NIC of the container on the host side:

55: vethed82f68@if54: mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 52:73:c1:1d:36:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0

And the eth is the NIC of the container on the container side:

[liquid@liquid-ibm:~]$ S docker attach hopeful_visvesvaraya                              (09-12 12:29)
[root@a7d4708c8997 /]# ip a
54: eth0@if55: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever

As we can see, the interface vethed82f68 is connected to the docker0 bridge, so it has access to the outside world:

[root@a7d4708c8997 /]# liquid@liquid-ibm:~]$ brctl show                                  (09-12 12:21)
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02421d5d75a1       no              vethed82f68

We can check all the network details of our container with the inspect command:

[liquid@liquid-ibm:~]$ S docker inspect hopeful_visvesvaraya | grep -A 40 NetworkSettings (09-12 12:47)
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "178bf4bf5a44c8aec8739901aeb7363a2286a3536482f2403db675243b72a6be",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/178bf4bf5a44",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "5126951723a53b95cdb8eac5d0524ca26af360639d24a7043c0ed3ad9fcf030d",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "7cb326b0333531ad589f07c95d9afb284b958a72612153fd5ec9e08c4ff1b83d",
                    "EndpointID": "5126951723a53b95cdb8eac5d0524ca26af360639d24a7043c0ed3ad9fcf030d",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02"

We can also check the network config files for our container in the /var/lib/docker/containers dir. We get our container ID:

[liquid@liquid-ibm:~]$ S docker ps                                                       (09-12 12:47)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
a7d4708c8997        fedora              "/bin/bash"         31 minutes ago      Up 31 minutes                           hopeful_visvesvaraya

And check the dir:

[root@liquid-ibm ~]# cd /var/lib/docker/containers/a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05/
[root@liquid-ibm a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05]# ls -l
total 60
-rw-r----- 1 root root 33212 Sep 12 12:44 a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05-json.log
-rw-rw-rw- 1 root root  2446 Sep 12 12:19 config.v2.json
-rw-rw-rw- 1 root root  1059 Sep 12 12:19 hostconfig.json
-rw-r--r-- 1 root root    13 Sep 12 12:19 hostname
-rw-r--r-- 1 root root   174 Sep 12 12:19 hosts
-rw-r--r-- 1 root root   223 Sep 12 12:19 resolv.conf
-rw-r--r-- 1 root root    71 Sep 12 12:19 resolv.conf.hash
drwxrwxrwt 2 root root    40 Sep 12 12:19 shm

We are interested in the resolv.conf and hosts files. The resolv.conf file is a direct copy from the docker host server:

[root@liquid-ibm a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05]# cat resolv.conf | grep -i name
nameserver 9.0.13.5
[root@liquid-ibm a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05]# cat /etc/resolv.conf | grep -i name
nameserver 9.0.13.5

The hosts file:

[root@liquid-ibm a7d4708c89970d385d610dd4e840500ad3564f6abe3ad8652a4cc342d7332c05]# cat hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      a7d4708c8997

We can edit these files right here and it would work, but the change is not persistent; the next time we start the container it would be lost. We can also add them at run time with the docker run command:

[root@liquid-ibm ~]# docker run -it --dns=8.8.8.8 fedora /bin/bash
[root@307dab8c4540 /]# cat /etc/resolv.conf
nameserver 8.8.8.8

We can also check on the host:

[root@liquid-ibm ~]# cat /var/lib/docker/containers/307dab8c4540690e0ab7e27bc27e0b3e1a9bbb25b038d53093e648b6e2152345/resolv.conf
nameserver 8.8.8.8

On the host side of things we have several options when we start the daemon, --icc and --iptables; both of them are true by default.

icc (inter-container communication) is enabled by default; if it is set to false, a drop rule gets inserted into iptables that doesn't permit containers to communicate via IP:

[root@docker-host1 ~]# iptables -v -L
Chain INPUT (policy ACCEPT 2919 packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Now we set the --icc option to false:

[root@docker-host1 ~]# cat /etc/sysconfig/docker | grep -i icc
OPTIONS='--icc=false --selinux-enabled --log-driver=journald'
[root@docker-host1 ~]# systemctl restart docker

Now we can see the drop rule inserted:

[root@docker-host1 ~]# iptables -v -L
Chain INPUT (policy ACCEPT 32 packets, 2184 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 DROP       all  --  docker0 docker0  anywhere             anywhere

As you can imagine, there is also some DNAT going on in the host iptables to get things working:

[root@docker-host1 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

A little bit about volumes and storage: on Ubuntu/Debian they use the aufs file system, but for CentOS/RHEL it wasn't a possibility because it wasn't in the kernel they provided, so they developed the devicemapper driver. The devicemapper driver uses LVM; for non-production you can use it in loopback mode, but because of performance issues this is strongly discouraged for production use.

The devicemapper driver stores every image and container on its own virtual device. These devices are thin-provisioned copy-on-write snapshot devices. Device Mapper technology works at the block level rather than the file level. This means that the devicemapper storage driver's thin provisioning and copy-on-write operations work with blocks rather than entire files.

With devicemapper the high level process for creating images is as follows:

The devicemapper storage driver creates a thin pool. The pool is created from block devices or loop mounted sparse files (more on this later).

Next it creates a base device. A base device is a thin device with a filesystem. You can see which filesystem is in use by running the docker info command and checking the Backing filesystem value.

Each new image (and image layer) is a snapshot of this base device. These are thin provisioned copy-on-write snapshots. This means that they are initially empty and only consume space from the pool when data is written to them.

With devicemapper, container layers are snapshots of the image they are created from. Just as with images, container snapshots are thin provisioned copy-on-write snapshots. The container snapshot stores all updates to the container. The devicemapper allocates space to them on-demand from the pool as and when data is written to the container.

Each image layer is a snapshot of the layer below it. The lowest layer of each image is a snapshot of the base device that exists in the pool.
This base device is a Device Mapper artifact and not a Docker image layer.And also a container is a snapshot of the image it is created from. here is and examplo of a fedora host with devicempper storage driver and using loopback devices: [liquid@liquid-ibm:~]$ S docker info (09-12 18:08) Containers: 48 Running: 1 Paused: 0 Stopped: 47 Images: 282 Server Version: 1.12.1 Storage Driver: devicemapper Pool Name: docker-253:2-201326807-pool Pool Blocksize: 65.54 kB Base Device Size: 10.74 GB Backing Filesystem: xfs Data file: /dev/loop0 ------------> loop devices Metadata file: /dev/loop1 [liquid@liquid-ibm:~]$ losetup (09-12 18:20) NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE DIO /dev/loop0 0 0 1 0 /var/lib/docker/devicemapper/devicemapper/data 0 /dev/loop1 0 0 1 0 /var/lib/docker/devicemapper/devicemapper/metadata 0 So it creates 2 sparse files, and loopback mounts it on /dev/loop0 and /dev/loop1: [liquid@liquid-ibm:~]$ S du -h /var/lib/docker/devicemapper/devicemapper/data (09-12 19:00) 17G /var/lib/docker/devicemapper/devicemapper/data [liquid@liquid-ibm:~]$ S du -h --apparent-size /var/lib/docker/devicemapper/devicemapper/data (09-12 19:01) 100G /var/lib/docker/devicemapper/devicemapper/data And the it uses the loop devices to create 2 thin provisioning pools: S lsblk (09-12 19:01) NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 477G 0 disk ├─sda1 8:1 0 8.6M 0 part ├─sda2 8:2 0 943.2M 0 part /boot └─sda3 8:3 0 476G 0 part └─luks-350c51ff-4983-4805-a783-26c801a5cbf2 253:0 0 476G 0 crypt ├─fedora-swap 253:1 0 8G 0 lvm [SWAP] ├─fedora-root 253:2 0 100G 0 lvm / └─fedora-liquid 253:3 0 300G 0 lvm /home/liquid loop0 7:0 0 100G 0 loop └─docker-253:2-201326807-pool 253:4 0 100G 0 dm -------------------> Pool └─docker-253:2-201326807-0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05 253:5 0 10G 0 dm /var/lib/docker/devicemapper/mnt/0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05 loop1 7:1 0 2G 0 loop └─docker-253:2-201326807-pool 253:4 0 
100G 0 dm --------------------> Pool └─docker-253:2-201326807-0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05 253:5 0 10G 0 dm /var/lib/docker/devicemapper/mnt/0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05 We can check the thin device created on the pool ending with 3a2c73465c05 es the one used in our running docker containter: [liquid@liquid-ibm:~]$ S docker ps (09-13 07:44) CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ca65fc5d7b96 fedora "sleep 3000" 10 seconds ago Up 9 seconds pensive_mirzakhani e9834b22f4b5 httpd "httpd-foreground" 17 hours ago Up 17 hours 80/tcp web [liquid@liquid-ibm:~]$ S docker inspect web | grep c694483a2c73465c05 (09-13 07:44) "DeviceName": "docker-253:2-201326807-0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05", [liquid@liquid-ibm:~]$ S docker inspect web | grep -B 2 -A 2 c694483a2c73465c05 (09-13 07:45) "Data": { "DeviceId": "995", "DeviceName": "docker-253:2-201326807-0fe822acea899b0705c14d359451c9cb8d80ad835c5cb0c694483a2c73465c05", "DeviceSize": "10737418240" } The preferred configuration for production deployments is direct-lvm. This mode uses block devices to create the thin pool. The following procedure shows you how to configure a Docker host to use the devicemapper storage driver in a direct-lvm configuration. There are many docker drivers for managing volumes, flocker for example is interesting to mount shared cifs/nfs volumes on the containers independent of te hosts. 
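The two states shown above (the docker0 to docker0 rule in the FORWARD chain, and loop devices behind the devicemapper pool) can be checked from a script. This is an added example, not part of the original post; the function names and the trimmed sample text are constructed, and it assumes the output layouts shown on this page.

```shell
#!/bin/sh
# Added example: function names and sample text are constructed here.

# Read `iptables -v -L FORWARD` output on stdin and print the target of the
# first rule matching docker0 -> docker0 traffic (DROP means icc=false).
icc_state() {
    awk '
        # columns: pkts bytes target prot opt in out source destination
        $6 == "docker0" && $7 == "docker0" { state = $3; exit }
        END { print (state == "" ? "unknown" : state) }'
}

# Read `docker info` output on stdin and print the devicemapper mode.
# Assumption: no loop-backed data/metadata file means direct-lvm.
dm_mode() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == "Storage Driver" { driver = $2 }
        $1 ~ /^(Data|Metadata) file$/ && $2 ~ /^\/dev\/loop/ { loop = 1 }
        END {
            if (driver != "devicemapper") print "n/a"
            else print (loop ? "loop-lvm" : "direct-lvm")
        }'
}

# Constructed samples, trimmed from the output format shown on this page.
forward_icc_false() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 DROP       all  --  docker0 docker0  anywhere             anywhere
EOF
}
info_loopback() {
    cat <<'EOF'
Storage Driver: devicemapper
 Pool Name: docker-253:2-201326807-pool
 Data file: /dev/loop0
 Metadata file: /dev/loop1
EOF
}

echo "docker0 -> docker0: $(forward_icc_false | icc_state)"
echo "devicemapper mode:  $(info_loopback | dm_mode)"
```

On a live host the same functions take `iptables -v -L FORWARD` and `docker info` on stdin.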
Here is an example using volumes with the docker run command. With the local driver, we have to use the -v option:

[liquid@liquid-ibm:~]$ S docker run -it -v /data fedora /bin/bash                    (09-13 07:57)
[root@852983d37810 /]#
[root@852983d37810 /]# df -h
Filesystem                                                                                          Size  Used Avail Use% Mounted on
/dev/mapper/docker-253:2-201326807-a1f8140e26bc37a0f91eb0484d4bf379baf557581a9abbe2f8c4532878e7af1b   10G  260M  9.8G   3% /
tmpfs                                                                                               7.7G     0  7.7G   0% /dev
tmpfs                                                                                               7.7G     0  7.7G   0% /sys/fs/cgroup
/dev/mapper/fedora-root                                                                             100G   60G   41G  60% /data

to remove a volume that’s no longer needed.

We can also use the --volumes-from option to mount volumes on a container from other containers. In this example we mount the /data volume from the datacont container on the container datacont2:

[root@liquid-ibm _data]# docker ps -l
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                            PORTS               NAMES
f339615ddea3        fedora              "/bin/bash"         2 minutes ago       Exited (127) About a minute ago                       datacont
[root@liquid-ibm _data]# docker start datacont
datacont
[root@liquid-ibm _data]# docker attach datacont
[root@f339615ddea3 /]#
[root@f339615ddea3 /]# df -h
Filesystem                                                                                          Size  Used Avail Use% Mounted on
/dev/mapper/docker-253:2-201326807-783f949a72cae87f69a6fad667d24c10b4ecd65de1c3ca2d26132995484085dd   10G  260M  9.8G   3% /
tmpfs                                                                                               7.7G     0  7.7G   0% /dev
tmpfs                                                                                               7.7G     0  7.7G   0% /sys/fs/cgroup
/dev/mapper/fedora-root                                                                             100G   60G   41G  60% /data
shm                                                                                                  64M     0   64M   0% /dev/shm
[root@f339615ddea3 /]# touch /data/test-ok-file
[root@f339615ddea3 /]# exit
exit
[root@liquid-ibm _data]# docker run --volumes-from datacont --name datacont2 -it fedora /bin/bash
[root@f60f77dc693f /]# ls /data
test-ok-file
[root@f60f77dc693f /]#

Mount a host directory as a data volume

In addition to creating a volume using the -v flag, you can also mount a directory from your Docker engine’s host into a container.

The container-dir must always be an absolute path such as /src/docs. The host-dir can either be an absolute path or a name value. If you supply an absolute path for the host-dir, Docker bind-mounts to the path you specify. If you supply a name, Docker creates a named volume by that name.

The host directory is, by its nature, host-dependent. For this reason, you can’t mount a host directory from a Dockerfile, because built images should be portable. A host directory wouldn’t be available on all potential hosts.

[root@liquid-ibm _data]# docker run -v /home/liquid:/data --name homecont -it fedora /bin/bash
[root@8cc9b3ca6820 /]# df -h
Filesystem                                                                                          Size  Used Avail Use% Mounted on
/dev/mapper/docker-253:2-201326807-c62a8ee4f4db9e170f3c40e919800f9487ffdbbb942662ba71d09fedb909210b   10G  260M  9.8G   3% /
tmpfs                                                                                               7.7G     0  7.7G   0% /dev
tmpfs                                                                                               7.7G     0  7.7G   0% /sys/fs/cgroup
/dev/mapper/fedora-liquid                                                                           300G  140G  161G  47% /data
/dev/mapper/fedora-root                                                                             100G   60G   41G  60% /etc/hosts
shm                                                                                                  64M     0   64M   0% /dev/shm
[root@8cc9b3ca6820 /]# ls -l /data | wc -l
2521

[root@e4f976db2fdb /]# getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+ep
[root@e4f976db2fdb /]# setcap cap_net_raw,cap_net_admin+p /usr/bin/ping
[root@e4f976db2fdb /]# /usr/bin/ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=4.22 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=4.97 ms

docker run -i -t --cap-add net_raw --cap-add net_admin registry.access.redhat.com/rhel7:0-21 bash
# ping google.com
PING google.com (74.125.228.3) 56(84) bytes of data.
64 bytes from iad23s05-in-f3.1e100.net (74.125.228.3): icmp_seq=1 ttl=47 time=11.0 ms
64 bytes from iad23s05-in-f3.1e100.net (74.125.228.3): icmp_seq=2 ttl=47 time=11.1 ms
^C
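The -v rule described above (absolute host-dir gives a bind mount, a name gives a named volume, a lone container-dir gives an anonymous volume) and the --cap-add options in the last run can be reviewed before a container is started. This is an added example, not part of the original post; classify_volume and audit_run_args are constructed names.

```shell
#!/bin/sh
# Added example: function names and sample arguments are constructed here.

# Classify one -v argument by the rule described above:
#   /container-dir            -> anonymous volume
#   /host-dir:/container-dir  -> bind mount of a host path
#   name:/container-dir       -> named volume
classify_volume() {
    spec=$1
    case $spec in
        *:*) src=${spec%%:*}; rest=${spec#*:}; dst=${rest%%:*} ;;
        *)   src=; dst=$spec ;;
    esac
    case $dst in
        /*) ;;
        *)  echo "invalid"; return 0 ;;   # container-dir must be absolute
    esac
    case $src in
        "") echo "anonymous" ;;
        /*) echo "bind" ;;
        *)  echo "named" ;;
    esac
}

# Scan the arguments of a `docker run` command and report host paths exposed
# to the container, added capabilities and volumes taken from other containers.
# Simplification: it does not stop at the image name, so arguments of the
# container command are scanned too.
audit_run_args() {
    prev=
    for arg in "$@"; do
        case "$prev" in
            -v|--volume)
                if [ "$(classify_volume "$arg")" = bind ]; then
                    echo "bind-mount ${arg%%:*}"
                fi ;;
            --cap-add)      echo "cap-add $arg" ;;
            --volumes-from) echo "volumes-from $arg" ;;
        esac
        case "$arg" in
            --cap-add=*) echo "cap-add ${arg#--cap-add=}" ;;
        esac
        prev=$arg
    done
}

audit_run_args -v /home/liquid:/data --name homecont -it fedora /bin/bash
audit_run_args -i -t --cap-add net_raw --cap-add net_admin registry.access.redhat.com/rhel7:0-21 bash
```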
