Andreas/docker-cheat-sheet
1
0
Fork 0
mirror of https://github.com/wsargent/docker-cheat-sheet.git synced 2025-09-22 05:40:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'annafw-patch-1'

Browse source
This commit is contained in:
Will Sargent 2016-10-12 12:17:56 -07:00
commit 651f8c7100
No known key found for this signature in database
GPG key ID: A7F14872267A1666
1 changed files with 36 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

34
README.md
View file

@ -105,9 +105,9 @@ If you want a transient container, `docker run --rm` will remove the container a
If you want to map a directory on the host to a docker container, `docker run -v $HOSTDIR:$DOCKERDIR`. Also see [Volumes](https://github.com/wsargent/docker-cheat-sheet/#volumes).
If you want to remove also the volumes associated with the container, the deletion of the container must include the -v switch like in `docker rm -v`.
If you want to remove also the volumes associated with the container, the deletion of the container must include the `-v` switch like in `docker rm -v`.
There's also a [logging driver](https://docs.docker.com/engine/admin/logging/overview/) available for individual containers in docker 1.10. To run docker with a custom log driver (i.e. to syslog), use `docker run --log-driver=syslog`
There's also a [logging driver](https://docs.docker.com/engine/admin/logging/overview/) available for individual containers in docker 1.10. To run docker with a custom log driver (i.e., to syslog), use `docker run --log-driver=syslog`.
### Starting and Stopping
@ -165,7 +165,7 @@ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs
### Info
* [`docker ps`](https://docs.docker.com/engine/reference/commandline/ps) shows running containers.
* [`docker logs`](https://docs.docker.com/engine/reference/commandline/logs) gets logs from container. (You can use a custom log driver, but logs is only available for `json-file` and `journald` in 1.10)
* [`docker logs`](https://docs.docker.com/engine/reference/commandline/logs) gets logs from container. (You can use a custom log driver, but logs is only available for `json-file` and `journald` in 1.10).
* [`docker inspect`](https://docs.docker.com/engine/reference/commandline/inspect) looks at all the info on a container (including IP address).
* [`docker events`](https://docs.docker.com/engine/reference/commandline/events) gets events from container.
* [`docker port`](https://docs.docker.com/engine/reference/commandline/port) shows public facing port of container.
@ -179,7 +179,7 @@ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs
### Import / Export
* [`docker cp`](https://docs.docker.com/engine/reference/commandline/cp) copies files or folders between a container and the local filesystem..
* [`docker cp`](https://docs.docker.com/engine/reference/commandline/cp) copies files or folders between a container and the local filesystem.
* [`docker export`](https://docs.docker.com/engine/reference/commandline/export) turns container filesystem into tarball archive stream to STDOUT.
### Executing Commands
@ -242,7 +242,7 @@ Importing a container as an image using the `import` command creates a new image
## Networks
Docker has a [networks](https://docs.docker.com/userguide/networking/dockernetworks/) feature. Not much is known about it, so this is a good place to expand the cheat sheet. There is a note saying that it's a good way to configure docker containers to talk to each other without using ports. See [working with networks](https://docs.docker.com/engine/userguide/networking/work-with-networks/) for more details.
Docker has a [networks](https://docs.docker.com/engine/userguide/networking/dockernetworks/) feature. Not much is known about it, so this is a good place to expand the cheat sheet. There is a note saying that it's a good way to configure docker containers to talk to each other without using ports. See [working with networks](https://docs.docker.com/engine/userguide/networking/work-with-networks/) for more details.
### Lifecycle
@ -302,6 +302,7 @@ Here are some common text editors and their syntax highlighting modules you coul
* [Atom](https://atom.io/packages/language-docker)
* [Vim](https://github.com/ekalinin/Dockerfile.vim)
* [Emacs](https://github.com/spotify/dockerfile-mode)
* [TextMate](https://github.com/docker/docker/tree/master/contrib/syntax/textmate)
* For a most comprehensive list of editors and IDEs, check [Docker meets the IDE] (https://domeide.github.io/)
### Instructions
@ -344,7 +345,7 @@ Note that if you're using [aufs](https://en.wikipedia.org/wiki/Aufs) as your fil
## Links
Links are how Docker containers talk to each other [through TCP/IP ports](https://docs.docker.com/userguide/dockerlinks/). [Linking into Redis](https://docs.docker.com/engine/examples/running_redis_service/) and [Atlassian](https://blogs.atlassian.com/2013/11/docker-all-the-things-at-atlassian-automation-and-wiring/) show worked examples. You can also (in 0.11) resolve [links by hostname](https://docs.docker.com/userguide/dockerlinks/#updating-the-etchosts-file).
Links are how Docker containers talk to each other [through TCP/IP ports](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/). [Linking into Redis](https://docs.docker.com/engine/examples/running_redis_service/) and [Atlassian](https://blogs.atlassian.com/2013/11/docker-all-the-things-at-atlassian-automation-and-wiring/) show worked examples. You can also (in 0.11) resolve [links by hostname](https://docs.docker.com/userguide/dockerlinks/#updating-the-etchosts-file).
NOTE: If you want containers to ONLY communicate with each other through links, start the docker daemon with `-icc=false` to disable inter process communication.
@ -369,7 +370,7 @@ $ALIAS_PORT_1337_TCP_ADDR
And you can connect to it that way.
To delete links, use `docker rm --link `.
To delete links, use `docker rm --link`.
If you want to link across docker hosts then you should look at [Swarm](https://docs.docker.com/engine/swarm/). This [link on stackoverflow](https://stackoverflow.com/questions/21283517/how-to-link-docker-services-across-hosts) provides some good information on different patterns for linking containers across docker hosts.
@ -401,7 +402,7 @@ You can [map MacOS host directories as docker volumes](https://docs.docker.com/u
docker run -v /Users/wsargent/myapp/src:/src
```
You can also use remote NFS volumes if you're [feeling brave](https://docs.docker.com/engine/tutorials/dockervolumes/#/mount-a-shared-storage-volume-as-a-data-volume).
You can use remote NFS volumes if you're [feeling brave](https://docs.docker.com/engine/tutorials/dockervolumes/#/mount-a-shared-storage-volume-as-a-data-volume).
You may also consider running data-only containers as described [here](http://container42.com/2013/12/16/persistent-volumes-with-docker-container-as-volume-pattern/) to provide some data portability.
@ -421,13 +422,13 @@ You can tell Docker that the container listens on the specified network ports at
EXPOSE <CONTAINERPORT>
```
But note that EXPOSE does not expose the port itself, only `-p` will do that. To expose the container's port on your localhosts port:
Note that EXPOSE does not expose the port itself -- only `-p` will do that. To expose the container's port on your localhost's port:
```
iptables -t nat -A DOCKER -p tcp --dport <LOCALHOSTPORT> -j DNAT --to-destination <CONTAINERIP>:<PORT>
```
If you're running Docker in Virtualbox, you then need to forward the port there as well, using [forwarded_port](https://docs.vagrantup.com/v2/networking/forwarded_ports.html). It can be useful to define something in Vagrantfile to expose a range of ports so that you can dynamically map them:
If you're running Docker in Virtualbox, you then need to forward the port there as well, using [forwarded_port](https://docs.vagrantup.com/v2/networking/forwarded_ports.html). Define a range of ports in your Vagrantfile like this so you can dynamically map them:
```
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
@ -460,7 +461,7 @@ This is where general Docker best practices and war stories go:
## Security
This is where security tips about Docker go. The Docker [security](https://docs.docker.com/articles/security/) page goes into more detail.
This is where security tips about Docker go. The Docker [security](https://docs.docker.com/engine/security/security/) page goes into more detail.
First things first: Docker runs as root. If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host). If you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html).
@ -486,7 +487,7 @@ Since docker 1.11 you can easily limit the number of active processes running in
docker run --pids-limit=64
```
Also available since docker 1.11 is the ability to prevent processes to gain new privileges. This feature is in the linux kernel since version 3.5. You can read more about it in [this](http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/) blog post.
Also available since docker 1.11 is the ability to prevent processes from gaining new privileges. This feature have been in the linux kernel since version 3.5. You can read more about it in [this](http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/) blog post.
```
docker run --security-opt=no-new-privileges
@ -575,7 +576,7 @@ or install [jq](https://stedolan.github.io/jq/):
docker inspect $(dl) | jq -r '.[0].NetworkSettings.IPAddress'
```
or using a [go template](https://docs.docker.com/engine/reference/commandline/inspect)
or using a [go template](https://docs.docker.com/engine/reference/commandline/inspect):
```
docker inspect -f '{{ .NetworkSettings.IPAddress }}' <container_name>
@ -645,16 +646,19 @@ In 1.9.0, the filter `dangling=false` does _not_ work - it is ignored and will l
docker images -viz | dot -Tpng -o docker.png
```
### Slimming down Docker containers [Intercity Blog](http://bit.ly/1Wwo61N)
### Slimming down Docker containers (see [Intercity Blog](http://bit.ly/1Wwo61N))
- Cleaning APT in a RUN layer
This should be done in the same layer as other apt commands.
Otherwise, the previous layers still persist the original information and your images will still be fat.
```
RUN {apt commands} \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
```
- Flatten an image
```
ID=$(docker run -d image-name /bin/bash)
@ -670,7 +674,7 @@ gzip -dc image.tgz | docker import - flat-image-name
### Monitor system resource utilization for running containers
To check the CPU, memory, and network i/o usage of a single container, you can use:
To check the CPU, memory, and network I/O usage of a single container, you can use:
```
docker stats <container>