2808ICT/7623ICT Secure Development Operations

Docker

Slides made by Zahra Jadidi

Outline

• Containers

• Introduction to Docker

• Docker Basics
 What is software containerisation?
• Software containerisation is an OS virtualisation method that is used to deploy and run containers without using a
virtual machine (VM).

• Containers are isolated from each other, and multiple containers can run on the same hardware. This
configuration helps us use hardware more efficiently and can help improve our application's security.

• Containers can run on physical hardware, in the cloud, VMs, and across multiple OSs.
Containers
VMs are great at providing full process isolation for applications. But this isolation comes at great cost — the computational overhead spent
virtualizing hardware for a guest OS to use is substantial.

Containers take a different approach by leveraging the low-level mechanics of the host operating system, containers provide most of the
isolation of virtual machines at a fraction of the computing power. A container allows us to build and run software packages. These
software packages include the code and all dependencies to run applications quickly and reliably on any computing environment.

Multiple containers can run on the same machine and share the OS kernel with other containers, each running as isolated processes in user
space. Containers take up less space than VMs (container images are typically tens of MBs in size), can handle more applications and
require fewer VMs and Operating systems.
Containers and Virtual Machines Together
• Containers and VMs used together provide a great deal of flexibility in
deploying and managing app
Introduction to Docker
• Docker is a tool that allows developers, sys-admins etc. to easily deploy their applications in a sandbox
(called containers) to run on the host operating system i.e. Linux.

• The key benefit of Docker is that it allows users to package an application with all of its dependencies into a
standardised unit for software development.

• One of the strengths of containerisation is that you don't have to configure hardware and spend time installing
operating systems and software to host a deployment.
Docker
• Docker is an open-source project for automating the deployment of applications as portable, self-sufficient containers
that can run on the cloud or on-premises. Docker is also a company that promotes and evolves this technology,
working in collaboration with cloud, Linux, and Windows vendors, including Microsoft.

• Docker is a way to package software so you can run it on any hardware.

https://docs.microsoft.com/en-
us/dotnet/architecture/microservices/contai
ner-docker-introduction/docker-defined
 Docker
• Docker is a containerisation platform used to develop, ship, and run containers.

• Docker doesn't use a hypervisor, and you can run Docker on your desktop or laptop if you're
developing and testing applications.

• Many clouds, including Azure, support Docker.

 Comparing Docker with virtual machines
While virtual machine abstract
the entire hardware server,
container abstracts OS kernel.
These are different approach for
virtualisation and result in much
faster and more light weight
instances.

https://www.youtube.com
/watch?v=sNxli6VwQTs
Docker architecture
• The Docker platform consists of several components that we use to build, run, and manage our containerised applications.

• The Docker Engine consists of several components configured as a client-server implementation where the client and server
run simultaneously on the same host. The client communicates with the server using a REST API, which enables the client to
also communicate with a remote server instance.
Docker Engine
• The Docker client is a command-line application that interact with a Docker server.

• The Docker server responds to requests from the client via the Docker REST API. The Docker server is also responsible for tracking the
lifecycle of our containers.

• Docker objects

• There are several objects that you'll create and configure to support your container deployments. These include networks, storage volumes,
plugins, and other service objects. These objects are items that we can create and deploy as needed.
 Docker images
• A Docker image is a read-only template that contains a set of instructions for creating a container that can run on the
Docker platform.

• A Docker image is made up of a collection of files that bundle together all the essentials – such
as installations, application code, and dependencies – required to configure a fully operational container
environment. You can create a Docker image by using one of two methods:

• Interactive: By running a container from an existing Docker image, manually changing that container environment
through a series of live steps, and saving the resulting state as a new image.

• Dockerfile: By constructing a plain-text file, known as a Dockerfile, which provides the specifications for creating
a Docker image.
What is a container image?
• A container image is a portable package that contains software. It's
the image that, when run, becomes our container. The container is the
in-memory instance of an image.
Docker Hub
• Docker Hub is a hosted repository service provided by Docker for finding and sharing
container images with your team.

• Docker Hub is a Software as a Service (SaaS) Docker container registry. Docker

registries are repositories that we use to store and distribute the container images we
create.
Install Docker Desktop on Windows
• If you haven’t already downloaded the installer (Docker Desktop Installer.exe), you can get
it from Docker Hub.

• Docker Desktop does not start automatically after installation. To start Docker Desktop search
for Docker, and select Docker Desktop in the search results.

Docker Cheatsheet

https://github.com/wsargent/docker-
cheat-sheet
Start Docker Desktop

Once installed, open powershell as administrator and run:

Quick Start Guide
• When the initialisation is complete, Docker Desktop launches the Quick Start Guide. Now, you can
build a Docker image, run it as a container, push and save the image to Docker Hub.

• To run the Quick Start Guide on demand, right-click the Docker icon in the Notifications area (or
System tray) to open the Docker Desktop menu and then select Quick Start Guide.

• Congratulations! You are now successfully running Docker Desktop on Windows.

What is the host OS?

• The host OS is the OS on which the Docker engine runs.

What is the container OS?

• The container OS is the OS that is part of the packaged image. We have

the flexibility to include different versions of Linux or Windows OSs in
a container. This flexibility allows us to access specific OS features or
install additional software our applications may use.

• The container OS is isolated from the host OS and is the environment in

which we deploy and run our application.
How to manage Docker images
• Docker images are large files that initially get stored on your PC and we need tools to manage these
files.

• The Docker CLI allows us to manage images by building, listing, removing, and running them. We
manage Docker images by using the docker client. The client doesn't execute the commands
directly and sends all queries to the docker server.
• How to build an image

• We use the docker build command to build Docker images. Let's assume we use the Dockerfile
definition from earlier to build an image. Here is an example that shows the build command.
 How to manage Docker containers
• To place a container in the run state, use the run command. You can
also restart a container that is already running.

• A container is considered in a running state until it's either paused,

stopped, or killed. A container can self-exit when the running process
completes, or if the process goes into a fault state.

• To pause a running container, use the pause command. To stop a

running container, use the stop command. To send a kill signal if you
need to terminate the container, use the kill command.

• Lastly, to remove containers that are in a stopped state, use the remove
command. After removing a container, all data stored in the container
gets destroyed.
How to run a container
• To start a container, run the docker run command. You only need to specify the
image to run with its name or ID to launch the container from the image.
• Here, to run the container, add the -d flag.

• After an image is specified to run, Docker finds the image, loads container from
the image, and executes the command specified as the entry point. It's at this
point that the container is available for management.
How to view available containers
• To list running containers, run the docker ps command. To see all containers in all states, pass the -a argument.

• Here is an example.

• Here is the output from that command.

• Outputs:

• The image name listed in the IMAGE column. In this example, tmp-ubuntu: latest. Notice how you're allowed to create more than one
container from the same image.

• The status of the container listed in the STATUS column. In this example, you have one container that is running, and one container
that has exited. The container's status usually is your first indicator of the health of the container.

• Docker gives the container a random name. To give a container an explicit name using the --name flag, use the run command.
How to pause a container
• To pause a container, run the docker pause command. Here is an example.

• Pausing a container will suspend all processes. This command enables the container to
continue processes at a later stage. The docker unpause command un-suspends all
processes in the specified containers.
Restart / Stop a Container
How to restart a container

• To restart containers, run the docker restart command. Here is an example.

• The container receives a stop command, followed by a start command. If the container doesn't respond to the stop command,
then a kill signal is sent.

How to stop a container

• To stop a running container, run the docker stop command. Here is an example.
How to remove a container
• To remove a container, run the docker rm command. Here is an
example.

• After you remove the container, all data in the container is destroyed.
Docker container network configuration
• The default Docker network configuration allows for the isolation of
containers on the Docker host. This feature enables you to build and
configure apps that can communicate securely with each other.

• Docker provides different pre-configured network configurations such as

• Bridge
• Host
• none
What is the bridge network?
• The bridge network is the default configuration applied to containers. This network is an
internal, private network used by the container, and isolates the container network from
the Docker host network.

• Each container in the bridge network is assigned an IP address and subnet mask with
the hostname defaulting to the container name. Containers connected to the default
bridge network are allowed to access other bridge connected containers by IP address.

• Bridge networks apply to containers running on the same Docker server host.
What is the host network?

• The host network enables you to run the container on the host
network directly. This configuration effectively removes the isolation
between the host and the container at a network level.

What is the none network?

• To disable networking for containers, use the none network option.

Docker benefits
• When we use Docker, we immediately get access to the benefits containerisation offer.

• Containers run without using a virtual machine (VM). As we saw, the container relies on the host kernel for functions such as file system,
network management, process scheduling, and memory management.

• By removing the VM and the additional OS requirement, we can free resources on the host and use it for running other containers.

• Docker containers provide security features to run multiple containers simultaneously on the same host without affecting each other. We can
configure both data storage and network configuration to isolate our containers or share data and connectivity between specific containers.
Docker benefits
• Application portability

• Containers run almost everywhere, desktops, physical servers, VMs, and in the cloud. This runtime
compatibility makes it easy to move containerised applications between different environments.

• Since containers are lightweight, they don't suffer from slow startup or shutdown times like VMs.
This aspect makes redeployment and other deploy scenarios such as scaling up or down smooth
and fast.

• Application delivery
• With Docker, the container becomes the unit we use to distribute applications.

• We can use the container in every step of our deployment system once our development team
releases a build of our application. Containers are ideal candidates for continuous integration and
speed up the time from build to production.
• Management of hosting environments

• We configure our application's environment internally to the container.

• Our team can also manage which applications to install, update, and remove without affecting other
containers.

• Cloud deployments
• Docker containers are the default container architecture used in the Azure containerisation services
and are supported on many other cloud platforms.

• Azure container instances allow you to focus on designing and building your applications without the
overhead of managing infrastructure. And when you have many containers to orchestrate, Azure
Kubernetes service makes it easy to deploy and manage large-scale container deployments.
Registries
• Developers store images in a registry, which acts as a library of images and is needed
when deploying to production orchestrators.

• Docker maintains a public registry via Docker Hub; other vendors provide registries for
different collections of images, including Azure Container Registry. Alternatively,
enterprises can have a private registry on-premises for their own Docker images.
Registries
• Figure shows how images and registries in Docker relate to other
components. It also shows the multiple registry offerings from
vendors.
Dockerfile
• A Dockerfile is a text file that defines a Docker image. You’ll use a Dockerfile to create your own
custom Docker image, in other words to define your custom environment to be used in a Docker
container.

• You’ll want to create your own Dockerfile when existing images don’t satisfy your project needs.
Dockerfile
• A Dockerfile is a step-by-step definition of building up a Docker image. The Dockerfile contains a list
of instructions that Docker will execute when you issue the docker build command.

• Your workflow is like this:

• you create the Dockerfile and define the steps that build up your images.

• you issue the docker build command which will build a Docker image from your Dockerfile.

• now you can use this image to start containers with the docker run command.
 Dockerfile
A Dockerfile contains a set of instructions that are executed to build an image.

• FROM Creates layers of dependencies like we could build an OS layer.

• RUN allows us to install your application and packages required for it.

• COPY adds files from Docker client’s current directory.

• EXPOSE instruction informs Docker that the container listens on the specified network port at runtime.

• CMD specifies what command to run within the Container.

https://www.youtube.com/watch?v=LQjaJINkQXY
Create the first image
1. Create the Dockerfile

• Create an empty directory for this task and create an empty file in that directory with the name Dockerfile.
You can do this easily by issuing the command touch Dockerfile in your empty directory.

• Congratulations, you just created your first Dockerfile! Open the file in your favourite text editor!

2. Define the base image with FROM

• Every Dockerfile must start with the FROM instruction. The idea behind is that you need a starting point to
build your image. You can start FROM scratch, scratch is an explicitly empty image on the Docker store
that is used to build base images.

• You can also start you Docker images from any valid image that you pull from public registries. The image
you start from is called the base image. In our case let’s add FROM alpine:3.4 to the Dockerfile.
Docker Commands
• The Docker software automatically configures a local image registry on your machine. You can view the
images in this registry with the docker images command.

• The output looks like the example below.

• Notice how the image is listed with its Name, Tag, and an Image ID. Recall that we can apply multiple labels
to an image. Here is such an example. Even though the image names are different, we can see the IDs are
the same.
• The image ID is a useful way to identify and manage images where the name or tag of an image might be
ambiguous.
Docker Commands
• You can remove an image from the local docker registry with the docker
rmi command. Specify the name or ID of the image to remove.

• You can't remove an image if the image is still in use by a container.

The docker rmi command returns an error message, which lists the
container relying on the image.
Docker Commands
• Go to command prompt and run the following commands:
• $ docker images

• $docker run : this command takes an image and turns it to a running container. From
the above outputs:
$docker run ti ubuntu:latest bash
• Now we are in an ubuntu meaning that we have a running container. Using exit
command we can go back to the command prompt.
Docker Commands
• $ docker ps

• This command shows running containers. You can run this in

another command prompt to test the running container.
Docker Commands
• Now, you are inside the ubuntu image. Type ls:

• By running an image, you create a running container. However, if you make any
changes in the running container, it is not saved in the original image. You need to save
changes in a new image.
 Docker Commands
• If you want to save the changes in the running container use stopped
container.

• $ docker ps –l : this is for stopped container. Stopped container keep

our changes to the container.

• docker run takes an images to a running container, and docker commit takes
back the stopped container including all changes to a new image.
The last step is to give the image a name.
Now you can run the new image using:
$ docker run –ti my-image bash
Docker Commands
• $ docker logs container_name

• When a container does not work, this command helps to find the
problem.