1. 1 - Orchestration
1.1. 1 -Network and Ports
1.1.1. Ports
1.1.1.1. --publish published=8080,target=80
1.1.1.2. -p 8080:80 | --publish 8080:80
1.1.1.3. --publish mode=80,target=80,published=8080
1.1.1.4. docker service update --publish-add 8080:80 nginx
1.1.2. Network
1.1.2.1. docker network create --driver overlay | docker network create -d overlay
1.1.2.2. docker service create --network
1.1.2.3. docker service update --network-add
1.1.2.4. docker service update --network-rm
1.1.2.5. docker network connect net1 nginx
1.2. 2 - Labels
1.2.1. docker node update [opt] <node_id>
1.2.1.1. --availability
1.2.1.1.1. active
1.2.1.1.2. pause
1.2.1.1.3. drain
1.2.1.2. --label-add
1.2.1.2.1. datacenter
1.2.1.2.2. type=queue
1.2.1.3. --label-rm
1.2.1.4. --role
1.2.1.4.1. worker
1.2.1.4.2. manager
1.2.1.5. docker service create --constraint [opt] <service_name>
1.2.1.5.1. node.labels.type==queue
1.2.1.5.2. node.labels.type!=queue
1.2.1.5.3. node.role==manager
1.2.1.5.4. node.role==worker
1.2.1.6. docker service create --placement-pref 'spread=node.labels.datacenter' <service_name>
1.2.2. docker node [opt] <node_id>
1.2.2.1. demote
1.2.2.2. inspect
1.2.2.3. ls, ps, rm
1.2.2.4. promote
1.2.2.5. update
1.3. 3 - Setup Swarm
1.3.1. docker swarm init --advertise-addr <ip>
1.3.2. docker swarm join-token [opt]
1.3.2.1. worker
1.3.2.2. manager
1.3.3. docker swarm join --token <token> <ip>:2377
1.3.4. docker swarm join-token --rotate [opt]
1.3.4.1. worker
1.3.4.2. manager
1.4. 4 - Stack application using YML compose file
1.4.1. docker stack [opt]
1.4.1.1. deploy [opt] <stack_id>
1.4.1.1.1. --bundle-file
1.4.1.1.2. --compose-file, -c
1.4.1.1.3. --prune
1.4.1.1.4. --resolve-image
1.4.1.2. ls, ps, rm
1.4.1.3. services
1.4.2. docker-compose.yml
1.4.2.1. build
1.4.2.2. command
1.4.2.2.1. CMD /usr/sbin/apachectl -D FOREGROUND
1.4.2.2.2. mode shell
1.4.2.3. configs
1.4.2.4. depends_on
1.4.2.5. deploy
1.4.2.5.1. endpoint_mode
1.4.2.5.2. labels
1.4.2.5.3. mode
1.4.2.5.4. placement
1.4.2.5.5. replicas
1.4.2.5.6. resource
1.4.2.5.7. restart_policy
1.4.2.5.8. rollbak_config
1.4.2.5.9. update_config
1.4.2.6. devices
1.4.2.7. dns, dns_search
1.4.2.8. entrypoint
1.4.2.8.1. ENTRYPOINT ["/usr/sbin/apachectl] CMD ["-D", "FOREGROUND"]
1.4.2.8.2. mode exec
1.4.2.9. env_file, environment
1.4.2.10. expose, ports
1.4.2.11. heathcheck
1.4.2.12. image
1.4.2.13. network_mode, networks
1.4.2.14. restart
1.4.2.15. secrets
1.4.2.16. volumes
1.5. 5 - Lock Swarm cluster
1.5.1. docker swarm init --autolock
1.5.2. docker swarm update --autolock=[true|false]
1.5.3. docker swarm unlock
1.5.4. docker swarm unlock-key
1.5.5. docker swarm unlock-key --rotate
1.6. 6 - Docker Service with templates
1.6.1. docker service create [opt] <service_id>
1.6.1.1. --hostname
1.6.1.2. --mount
1.6.1.3. --env
1.6.2. Templates
1.6.2.1. .Service.ID, .Service.Name, .Service.Labels
1.6.2.2. .Node.ID, .Node.Hostname, .Host.ID
1.6.2.3. .Task.ID, .Task.Name, .Task.Slot
1.6.3. docker service create --hostname="{{.Node.Hostname}}-{{.Node.ID}}" <image_id> top
1.6.4. docker inspect --format="{{.Config.Hostname}}" <container_id>
1.7. 7 - Containers into Services under Swarm
1.7.1. docker service create --name <service_name> --replicas 3 <image_id>
1.7.2. docker service ls
1.8. 8 - Troubleshoot a service not deploying
1.8.1. STATUS pending
1.8.2. docker service ps <node_id>
1.8.3. docker inspect <task_id>
1.8.4. docker container logs <node_id>
1.9. 9 - Service Replicated vs Global
1.9.1. docker service create --replicas 3 <image_id>
1.9.2. docker service create --mode global <image_id>
1.10. 10 - Increase Replicas
1.10.1. docker service scale <service_id>=5
1.10.2. docker service update --replicas 10 <service_id>
1.10.3. docker service ls --filter name=<service_id>
1.10.4. docker service scale <service_id_1>=3 <service_id_2>=5
1.11. 11 - Output of Docker Inspect
1.11.1. docker inspect [opt] <name | id>
1.11.1.1. --format, -f
1.11.1.2. --size, -s
1.11.1.3. --type
1.11.2. docker inspect [opt] <node_id>
1.11.2.1. --format='{{json .Config}}'
1.11.2.2. --format='{{.Config.Image}}'
1.11.3. docker service inspect --pretty <service_id>
1.12. 12 - Stack of services
1.12.1. docker stack services [opt] <stack_id>
1.12.1.1. --filter, -f
1.12.1.2. --format
1.12.1.3. --namespace
1.12.1.4. --quiet, -q
1.12.1.5. --kubeconfig
1.12.1.6. --orchestrator
1.12.2. docker stack [opt]
1.12.2.1. deploy
1.12.2.2. ls, ps, rm
1.12.2.3. services
1.12.3. docker stack services --filter [opt]
1.12.3.1. id=<stack_id>
1.12.3.2. label=key=<value>
1.12.3.3. mode=global,replicated
1.12.3.4. name=<stack_name>
1.12.3.5. node=<node_id>
1.12.3.6. service=<service_id>
1.12.4. docker stack services --format ""{{[opt]}}"
1.12.4.1. .ID
1.12.4.2. .Name
1.12.4.3. .Mode
1.12.4.4. .Replicas
1.12.4.5. .Image
1.13. 13 - Volumes
1.13.1. volume
1.13.1.1. --mount, -m
1.13.1.2. --mount-add
1.13.1.3. --mount-rm
1.13.1.4. --volumes-from
1.13.1.5. docker volume create <volume_name>
1.13.1.6. docker service create --mount src=<volume_name>, dst=<container_path> <image_id>
1.13.1.7. docker service create --mount type=volume,src=<volume_name>,dst=<container_path>,volume-driver=<driver>,volume-opt=<key1>=<value1>,volume-opt=<key2>=<value2> <image_name>
1.13.1.8. docker run -d --volumes-from <container_id> <image_name>
1.13.2. bind
1.13.2.1. docker service create --mount type=bind,src=<host_path>,dst=<container_path> <image_name>
1.13.2.2. docker service create --mount type=bind,src=<host_path>,dst=<container_path>,readonly <image_name>
1.13.2.3. docker run -d -rm -v <volume_name>:/tmp --volume <volume_backup:/backup <image_name> tar -cvf /backup/backup.tar /tmp
1.13.3. tmpfs
1.13.3.1. docker run -d --mount type=tmpfs,dst=<container_path> <image_name>
1.14. 14 - Quorum in a Swarm
1.14.1. docker node update --availability drain <node_id>
1.14.2. docker swarm init --force-new-cluster --advertise-addr <ip>:2377
1.14.3. docker node inspect <node_id> --format "{{ .ManagerStatus.Reachability }}"
1.14.4. docker node inspect <node_id> --format "{{ .Status.State }}"
1.14.5. Backup swarm - /var/lib/docker/swarm
1.14.6. Restore swarm
1.14.6.1. Stop Docker
1.14.6.2. remove /var/lib/docker/swarm
1.14.6.3. restore /var/lib/docker/swarm
1.14.6.4. Start Docker
1.14.6.5. docker swarm init --force-new-cluster
1.14.6.6. docker service ls
1.14.7. Revover Quorum
1.14.7.1. docker swarm init --force-new-cluster --advertise-addr <node_name>:2377
1.14.7.2. docker service update -f
1.14.7.3. docker service inspect --pretty <service_name>
1.14.7.4. docker service ps
1.14.7.5. docker service scale
1.15. 15 - Dockerized application communicates
1.15.1. ports
1.15.1.1. -p 8080:80
1.15.1.2. -p 192.168.1.100:8080:80
1.15.1.3. -p 8080:80/udp
1.15.1.4. -p 8080:80/tcp -p 8080:80/udp
1.15.2. network
1.15.2.1. bridge, overlay, macvlan, custom
1.15.2.2. docker network connect
1.15.2.2.1. --ip, --ip6
1.15.2.2.2. --alias
1.15.3. DNS
1.15.3.1. --dns
1.15.3.2. --dns-search
1.15.3.3. --dns-opt
1.15.3.4. --hostname
1.16. 16 - Container vs Service
1.16.1. docker start
1.16.2. docker ps -a
1.16.3. docker run --name <container_name> -it <image_name>
1.16.4. docker run -t -i --privileged <image_name> bash
1.16.5. docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list <image_name> bash
1.16.6. docker run -l my-label --label com.example.foo=bar <image_name> bash
1.16.7. docker run -itd --network=<network_name> <image_name>
1.16.8. docker run --device=/dev/sdc:/dev/xvdc --device=/dev/sdd --device=/dev/zero:/dev/nulo -i -t <image_name> ls -l /dev/{xvdc,sdd,nulo}
1.16.9. --restart
1.16.9.1. on
1.16.9.2. on-failures:[max-retries]
1.16.9.3. unless-stopped
1.16.9.4. always
1.16.10. docker run --add-host=docker:10.180.0.1 --rm -it <image_name>
1.16.11. docker run --sysctl net.ipv4.ip_forward=1 <image_name>
2. 2 - Image Management and Registry
2.1. 1 - Create a Docker Image
2.1.1. docker image [opt]
2.1.1.1. build
2.1.1.2. history
2.1.1.3. import
2.1.1.4. inspect
2.1.1.5. load --input
2.1.1.6. ls, rm
2.1.1.7. prune
2.1.1.8. pull
2.1.1.9. push
2.1.1.10. save -o
2.1.1.11. tag
2.2. 2 - Configure a Registry
2.2.1. ENV REGISTRY_variable
2.2.1.1. storage: filesystem: rootdirectory: /var/lib/registry
2.2.1.2. REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: <path>
2.2.1.3. docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/config.yml:/etc/docker/registry/config.yml registry:2
2.3. 3 - Delete an Image from a Registry
2.3.1. DELETE /v2/<name>/manifests/<reference>
2.4. 4 - Tagging an Image
2.4.1. docker image tag <source_image>[:tag] <target_image>[:tag]
2.5. 5 - Deploy a Registry
2.5.1. Docker Trusted Registry (DTR)
2.5.1.1. Image and job management
2.5.1.2. Availability
2.5.1.3. Efficiency
2.5.1.4. Built-in access control
2.5.1.5. Security scanning
2.5.1.6. Image signing
2.5.1.6.1. export DOCKER_CONTENT_TRUST=1
2.5.1.7. Requirements
2.5.1.7.1. All nodes must be a worker node managed by Universal Control Plan
2.5.1.7.2. All nodes must have a fixed hostname
2.5.1.7.3. DTR can be installed on-premises or on a cloud provider
2.5.1.7.4. Ports 80 and 443
2.5.2. docker run -d -p 5000:5000 --name registry registry:2
2.5.2.1. docker pull ubuntu
2.5.2.2. docker image tag ubuntu localhost:5000/myfirstimage
2.5.2.3. docker push localhost:5000/myfirstimage
2.5.2.4. docker pull localhost:5000/myfirstimage
2.5.2.5. docker container stop registry && docker container rm -v registry
2.5.3. Docker Enterprise
2.5.3.1. Before installing
2.5.3.1.1. Docker Engine, DTR, and UCP version compatibility
2.5.3.1.2. Time Synchronization
2.5.3.1.3. Disk space
2.5.3.1.4. Network ports
2.6. 6 - Dockerfile Options
2.6.1. docker build .
2.6.2. .dockerignore
2.6.2.1. # comment */temp* */*/temp* temp?
2.6.3. docker build -f /path/to/a/Dockerfile .
2.6.4. docker build -t shykes/myapp .
2.6.5. docker build -t shykes/myapp:1.0.2 -t shykes/myapp:latest .
2.6.6. docker build --cache-from shykes/myapp:1.0.2 -t shykes/myapp:1.0.3 .
2.6.7. Dockerfile
2.6.7.1. ADD
2.6.7.2. ARG
2.6.7.3. CMD
2.6.7.4. COPY
2.6.7.5. ENTRYPOINT
2.6.7.6. ENV
2.6.7.7. EXPOSE
2.6.7.8. FROM
2.6.7.9. HEALTHCHECK
2.6.7.10. LABEL
2.6.7.11. STOPSIGNAL
2.6.7.12. USER
2.6.7.13. VOLUME
2.6.7.14. WORKDIR
2.7. 7 - Image Deletion
2.7.1. docker ps -s
2.7.2. /var/lib/docker/<storage-driver>
2.7.3. docker image ls
2.7.4. docker history
2.7.5. docker rm $(docker ps -a -q)
2.7.6. docker rmi $(docker images -f "dangling=true" -q)
2.7.7. docker rmi $(docker images -q)
2.7.8. docker rm $(docker ps -qf status=exited)
2.8. 8 - Image Layers
2.8.1. drivers
2.8.1.1. autofs
2.8.1.2. overlay
2.8.1.3. overlay2
2.9. 9 - Display layers of a Docker image
2.9.1. docker image history [OPT] <image>
2.9.1.1. --format
2.9.1.2. --human, -H
2.9.1.3. --no-trunc
2.9.1.4. --quiet, -q
2.10. 10 - Create an Efficient Image
2.10.1. FROM ubuntu:18.04 COPY . /app RUN make /app CMD python /app/app.py
2.10.2. mkdir myproject && cd myproject echo "hello" > hello echo -e "FROM busybox\nCOPY /hello /\nRUN cat /hello" > Dockerfile docker build -t helloapp:v1 .
2.10.3. mkdir -p dockerfiles context mv Dockerfile dockerfiles && mv hello context docker build --no-cache -t helloapp:v2 -f dockerfiles/Dockerfile context
2.10.4. echo -e 'FROM busybox\nRUN echo "hello world"' | docker build -
2.10.5. docker build -<<EOF FROM busybox RUN echo "hello world" EOF
2.10.6. docker build -t myimage:latest -<<EOF FROM busybox RUN echo "hello world" EOF
2.11. 11 - Inspect Images
2.11.1. docker image inspect --format image <image_id>
2.11.2. docker images --filter "dangling=true"
2.11.3. docker images --filter "label=com.example.version"
2.11.4. docker images --filter "label=com.example.version=1.0"
2.11.5. docker images --filter "before=image1"
2.11.6. docker images --filter "since=image3"
2.11.7. docker images --filter=reference='busy*:*libc'
2.11.8. docker images --filter=reference='busy*:uclibc' --filter=reference='busy*:glibc'
2.11.9. docker images --format "{{[OPT]}}: {{.Repository}}"
2.11.9.1. .ID
2.11.9.2. .Repository
2.11.9.3. .Tag
2.11.9.4. .Digest
2.11.9.5. .CreateSince
2.11.9.6. .CreateAt
2.11.9.7. .Size
2.11.10. docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
2.12. 12 - Log into a Registry
2.12.1. docker login [opt] [server]
2.12.1.1. --password, -p
2.12.1.2. --password-stdin
2.12.1.3. --username, -u
2.12.2. docker login localhost:8080
2.12.3. cat ~/my_password.txt | docker login --username foo --password-stdin
2.12.4. $HOME/.docker/config.json
2.13. 13 - Modify an Image
2.13.1. docker create -t -i fedora bash
2.13.2. docker create -v /data --name data ubuntu
2.13.3. docker create -v /home/docker:/docker --name docker ubuntu
2.13.4. docker create -it --storage-opt size=120G fedora /bin/bash
2.13.5. export
2.13.5.1. docker export red_panda > latest.tar
2.13.5.2. docker export --output="latest.tar" red_panda
2.13.6. import
2.13.6.1. docker image import [opt] file|URL|- [repository[:tag]]
2.13.6.1.1. --change , -c
2.13.6.1.2. --message , -m
2.13.6.1.3. --platform
2.13.7. save
2.13.7.1. docker save <image_name> > /home/save.tar
2.13.8. load
2.13.8.1. docker load < /home/save.tar
2.14. 14 - Pull an Image
2.14.1. docker pull [opt] <image_name[:tag|@digest]>
2.14.1.1. --all-tags , -a
2.14.1.2. --disable-content-trust
2.14.1.3. --platform
2.14.1.4. --quiet , -q
2.14.2. docker pull debian
2.14.3. docker pull ubuntu:14.04
2.14.4. docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
2.14.5. docker pull myregistry.local:5000/testing/test-image
2.14.6. docker pull --all-tags fedora
2.15. 15 - Push an Image
2.15.1. docker image push [opt] <image_name[:tag]>
2.15.1.1. --disable-content-trust
2.16. 16 - Show the main parts of a Dockerfile
2.17. 17 - Sign an image in a registry
2.17.1. Docker Content Trust (DCT)
2.17.2. <registry_host[:registry_port]/><repository[:tag]>
2.17.3. docker trust
2.17.4. docker trust key generate
2.17.5. Universal Control Plane (UCP)
2.17.5.1. Trusts Images
2.17.5.1.1. Initialize trust metadata for the repository
2.17.5.1.2. Delegate signing to the keys in your UCP client bundle
2.17.5.1.3. Configure your Notary client
2.17.5.2. Made up
2.17.5.2.1. subject
2.17.5.2.2. role
2.17.5.2.3. resource collection
2.17.5.3. Monitor
2.17.5.3.1. Using the Docker CLI client
2.17.5.3.2. Web UI
2.17.5.4. Check Health
2.17.5.4.1. https://<ucp-manager-url>/_ping
2.18. 18 - Tag in a Image
2.18.1. docker image tag <source_image[:tag]> <target_mage[:tag]>
2.19. 19 - Manage Images
2.19.1. docker image ls [opt] <repository:[tag]>
2.19.1.1. --all , -a
2.19.1.2. --digests
2.19.1.3. --filter , -f
2.19.1.4. --format
2.19.1.5. --no-trunc
2.19.1.6. --quiet , -q
2.19.2. docker image rm [opt] <image_name>
2.19.2.1. --force, -f
2.19.2.2. --no-prune
2.19.3. docker image prune [opt]
2.19.3.1. --all , -a
2.19.3.2. --filter
2.19.3.3. --force, -f
2.20. 20 - Registry to Store an Image
2.20.1. docker image push [opt] <image_name[:tag]>
2.20.1.1. --disable-content-trust
2.21. 21 - Search in a Registry
2.21.1. docker search [opt] TERM
2.21.1.1. --automated
2.21.1.2. --filter , -f
2.21.1.3. --format
2.21.1.3.1. .Name
2.21.1.3.2. .Description
2.21.1.3.3. .StarCount
2.21.1.3.4. .IsOfficial
2.21.1.3.5. .IsAutomated
2.21.1.4. --limit
2.21.1.5. --no-trunc
2.21.1.6. --starts, -s
2.21.2. docker search busybox
2.21.3. docker search --stars=3 --no-trunc busybox
2.21.4. docker search --filter stars=3 busybox
2.21.5. docker search --filter is-automated busybox
2.21.6. docker search --filter "is-official=true" --filter "stars=3" busybox
3. 3 - Installation and Configuration
3.1. 1 - Backup for UCP and DTR
3.1.1. UCP
3.1.1.1. Backup
3.1.1.1.1. Steps
3.1.1.1.2. docker config ls
3.1.1.1.3. docker container run --log-driver none --rm --interactive --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 backup --id <ucp-instance-id> --passphrase "secret" > /tmp/backup.tar
3.1.1.1.4. SELinux
3.1.1.2. Restore
3.1.1.2.1. uninstall-ucp
3.1.1.2.2. docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 restore < /tmp/backup.tar
3.1.1.2.3. docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 restore --passphrase "secret" < /tmp/backup.tar
3.1.1.2.4. docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/backup.tar:/config/backup.tar docker/ucp:2.2.22 restore -i
3.1.2. DTR
3.1.2.1. Backup
3.1.2.1.1. Steps
3.1.2.2. Restore
3.1.2.2.1. Steps
3.2. 2 - Installation of Docker Engine on multiple platforms
3.2.1. Oracle Linux
3.2.1.1. Install
3.2.1.1.1. yum remove docker docker-engine docker-engine-selinux
3.2.1.1.2. rm /etc/yum.repos.d/docker*.repo
3.2.1.1.3. export DOCKERURL="<DOCKER-EE-URL>"
3.2.1.1.4. sh -c 'echo "$DOCKERURL/oraclelinux" > /etc/yum/vars/dockerurl'
3.2.1.1.5. yum install -y yum-utils device-mapper-persistent-data lvm2
3.2.1.1.6. yum-config-manager --enable ol7_addons
3.2.1.1.7. yum-config-manager --add-repo $DOCKERURL/oraclelinux/docker-ee.repo"
3.2.1.1.8. yum -y install docker-ee docker-ee-cli containerd.io
3.2.1.2. Remove
3.2.1.2.1. yum -y remove docker-ee
3.2.1.2.2. rm -rf /var/lib/docker
3.2.1.2.3. rm -rf /run/docker
3.2.1.2.4. rm -rf /var/run/docker
3.2.1.2.5. rm -rf /etc/docker
3.2.2. Red Hat Enterprise Linux
3.2.2.1. Install
3.2.2.1.1. yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-egine-selinux docker-engine
3.2.2.1.2. rm /etc/yum.repos.d/docker*.repo
3.2.2.1.3. export DOCKERURL="<DOCKER-EE-URL>"
3.2.2.1.4. sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
3.2.2.1.5. sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
3.2.2.1.6. yum install -y yum-utils device-mapper-persistent-data lvm2
3.2.2.1.7. yum-config-manager --enable rhel-7-server-extras-rpms
3.2.2.1.8. yum-config-manager --enable extras
3.2.2.1.9. subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
3.2.2.1.10. yum makecache fast
3.2.2.1.11. yum -y install container-selinux
3.2.2.1.12. yum-config-manager --enable rhui-REGION-rhel-server-extras
3.2.2.1.13. yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms
3.2.2.1.14. yum-config-manager --add-repo "$DOCKERURL/rhel/docker-ee.repo"
3.2.2.1.15. yum -y install docker-ee docker-ee-cli containerd.io
3.2.2.2. Remove
3.2.2.2.1. yum -y remove docker-ee
3.2.2.2.2. rm -rf /var/lib/docker
3.2.2.2.3. rm -rf /run/docker
3.2.2.2.4. rm -rf /var/run/docker
3.2.2.2.5. rm -rf /etc/docker
3.2.3. SUSE SLES
3.2.3.1. Install
3.2.3.1.1. zypper rm docker docker-engine runc
3.2.3.1.2. rpm -e docker-engine
3.2.3.1.3. DOCKER_EE_BASE_URL="<DOCKER-EE-URL>"
3.2.3.1.4. DOCKER_EE_URL="${DOCKER_EE_BASE_URL}/sles/<SLES_VERSION>/<ARCH>/stable-<DOCKER_VERSION>"
3.2.3.1.5. zypper addrepo $DOCKER_EE_URL docker-ee-stable
3.2.3.1.6. rpm --import "${DOCKER_EE_BASE_URL}/sles/gpg"
3.2.3.1.7. zypper refresh
3.2.3.1.8. zypper install docker-ee docker-ee-cli containerd.io
3.2.3.2. Remove
3.2.3.2.1. zypper rm docker-ee
3.2.3.2.2. rm -rf /var/lib/docker/*
3.2.4. CentOS
3.2.4.1. Install
3.2.4.1.1. yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-egine-selinux docker-engine
3.2.4.1.2. rm /etc/yum.repos.d/docker*.repo
3.2.4.1.3. export DOCKERURL="<DOCKER-EE-URL>"
3.2.4.1.4. sh -c 'echo "$DOCKERURL/centos" > /etc/yum/vars/dockerurl'
3.2.4.1.5. yum install -y yum-utils device-mapper-persistent-data lvm2
3.2.4.1.6. yum-config-manager --add-repo $DOCKERURL/centos/docker-ee.repo"
3.2.4.1.7. yum -y install docker-ee docker-ee-cli containerd.io
3.2.4.2. Remove
3.2.4.2.1. yum -y remove docker-ee
3.2.4.2.2. rm -rf /var/lib/docker
3.2.4.2.3. rm -rf /run/docker
3.2.4.2.4. rm -rf /var/run/docker
3.2.4.2.5. rm -rf /etc/docker
3.2.5. Ubuntu
3.2.5.1. Install
3.2.5.1.1. apt-get remove docker docker-engine docker-ce docker-ce-cli docker.io
3.2.5.1.2. apt-get update
3.2.5.1.3. apt-get install apt-transport-https ca-certificates curl software-properties-common
3.2.5.1.4. DOCKER_EE_URL="<DOCKER-EE-URL>"
3.2.5.1.5. curl -fsSL "${DOCKER_EE_URL}/ubuntu/gpg" | sudo apt-key add -
3.2.5.1.6. apt-key fingerprint 6D085F96
3.2.5.1.7. add-apt-repository "deb [arch=$(dpkg --print-architecture)] $DOCKER_EE_URL/ubuntu $(lsb_release -cs) stable-$DOCKER_EE_VERSION"
3.2.5.1.8. apt-get update
3.2.5.1.9. apt-get install docker-ee docker-ee-cli containerd.io
3.2.5.2. Remove
3.2.5.2.1. apt-get purge docker-ee
3.2.5.2.2. rm -rf /var/lib/docker
3.2.6. Windows Server 2016
3.2.6.1. Install
3.2.6.1.1. Install-Module DockerMsftProvider -Force
3.2.6.1.2. Install-Package Docker -ProviderName DockerMsftProvider -Force
3.2.6.1.3. (Install-WindowsFeature Containers).RestartNeeded
3.2.6.1.4. Restart-Computer
3.2.6.2. Remove
3.2.6.2.1. Uninstall-Package -Name docker -ProviderName DockerMsftProvider
3.2.6.2.2. Uninstall-Module -Name DockerMsftProvider
3.2.6.2.3. Get-HNSNetwork | Remove-HNSNetwork Remove-Item -Path "C:\ProgramData\Docker" -Recurse -Force
3.2.7. Backup order
3.2.7.1. Back up your swarm
3.2.7.1.1. Unlock key
3.2.7.1.2. Stop Docker
3.2.7.1.3. Back up the entire /var/lib/docker/swarm
3.2.7.1.4. Restart the manager
3.2.7.2. Back up UCP
3.2.7.3. Back up DTR
3.2.7.3.1. Backup image content
3.2.7.3.2. Backup DTR metadata
3.3. 3 - Logging Drivers
3.3.1. daemon.json
3.3.1.1. { "log-driver": "syslog" }
3.3.1.2. { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3", "labels": "production_status", "env": "os,customer" } }
3.3.2. docker info --format '{{.LoggingDriver}}'
3.3.3. docker run -it --log-driver [opt] alpine ash
3.3.3.1. none
3.3.3.2. local
3.3.3.3. json-file
3.3.3.4. syslog
3.3.3.5. journald
3.3.3.6. gelf
3.3.3.7. fluentd
3.3.3.8. awslogs
3.3.3.9. splunk
3.3.3.10. etwlogs
3.3.3.11. gcplogs
3.3.3.12. logentries
3.3.4. docker inspect -f '{{.HostConfig.LogConfig.Type}}' <CONTAINER>
3.4. 4 - Docker daemon on boot
3.4.1. Group
3.4.1.1. groupadd docker
3.4.1.2. usermod -aG docker $USER
3.4.1.3. newgrp docker
3.4.2. Start
3.4.2.1. systemctl enable docker
3.4.2.2. echo manual | tee /etc/init/docker.override
3.4.2.3. chkconfig docker on
3.4.3. Stop
3.4.3.1. systemctl disable docker
3.4.4. Network daemon
3.4.4.1. systemctl edit docker.service
3.4.4.1.1. [Service] ExecStart= ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
3.4.4.1.2. systemctl daemon-reload
3.4.4.1.3. systemctl restart docker.service
3.4.4.1.4. netstat -lntp | grep dockerd
3.4.5. Network daemon.json
3.4.5.1. /etc/docker/daemon.json
3.4.5.1.1. { "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"] }
3.4.5.1.2. systemctl restart docker.service
3.4.5.1.3. netstat -lntp | grep dockerd
3.4.6. DOCKER_HOST
3.4.7. DNS
3.4.7.1. /etc/docker/daemon.json
3.4.7.1.1. { "dns": ["8.8.8.8", "8.8.4.4"] }
3.4.7.1.2. service docker restart
3.5. 5 - Docker UCP and DTR in HA
3.5.1. Requirements
3.5.1.1. Be a worker node managed by Universal Control Plane
3.5.1.2. Have a fixed hostname
3.5.1.3. Ports
3.5.1.3.1. 80/tcp
3.5.1.3.2. 443/tcp
3.5.2. Install UCP
3.5.2.1. docker image pull docker/ucp:2.2.22
3.5.2.2. docker container run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 install --host-address <node-ip-address> --interactive
3.5.2.3. License your installation
3.5.2.4. Join manager nodes
3.5.2.5. Join worker nodes
3.5.3. Install DTR
3.5.3.1. docker pull docker/dtr:2.3.11
3.5.3.2. docker run -it --rm docker/dtr:2.3.11 install --ucp-node <ucp-node-name> --ucp-insecure-tls
3.5.4. Check that DTR is running
3.5.5. Configure DTR
3.5.5.1. TLS communication
3.5.5.2. Storage backend to store the Docker images
3.5.6. Test pushing and pulling
3.5.7. Join replicas to the cluster
3.5.7.1. docker run -it --rm docker/dtr:2.3.11join --ucp-node <ucp-node-name> --ucp-insecure-tls
3.6. 6 - Manager User and Teams
3.7. 7 - Upgrade the Docker Engine
3.7.1. /etc/docker/daemon.json
3.7.1.1. { "live-restore": true }
3.7.2. dockerd --live-restore
3.8. 8 - Troubleshoot
3.8.1. dockerd
3.8.2. daemon.json
3.8.2.1. { "debug": true, "tls": true, "tlscert": "/var/docker/server.pem", "tlskey": "/var/docker/serverkey.pem", "hosts": ["tcp://192.168.59.3:2376"] }
3.8.3. dockerd --debug --tls=true --tlscert=/var/docker/server.pem --tlskey=/var/docker/serverkey.pem --host tcp://192.168.59.3:2376
3.9. 9 - Sizing requirements prior to installation
3.9.1. Hardware
3.9.1.1. Minimum
3.9.1.1.1. 8GB of RAM for manager nodes or nodes running DTR
3.9.1.1.2. 4GB of RAM for worker nodes
3.9.1.1.3. 3GB of free disk space
3.9.1.2. Recommended
3.9.1.2.1. 16GB of RAM for manager nodes or nodes running DTR
3.9.1.2.2. 4 vCPUs for manager nodes or nodes running DTR
3.9.1.2.3. 25-100GB of free disk space
3.9.2. DTR
3.9.2.1. Memory: 4Gb
3.9.2.2. Disk: 20-30GB
3.9.2.3. CPU: DTR is not very CPU intensive
3.9.3. UCP
3.9.3.1. Ports
3.9.3.1.1. TCP 443 - managers, workers
3.9.3.1.2. TCP 2376 - managers
3.9.3.1.3. TCP 2377 - managers, workers
3.9.3.1.4. UDP 4789 - managers, workers
3.9.3.1.5. TCP, UDP 7946 - managers, workers
3.9.3.1.6. TCP 12376 - managers, workers
3.9.3.1.7. TCP 12379, 1238[0-7] - managers
3.9.3.2. Time synchronization
3.10. 10 - Setup Swarm
3.10.1. docker swarm init --advertise-addr <MANAGER-IP>
3.10.2. docker info
3.10.3. docker node ls
3.10.4. docker swarm join --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c 192.168.99.100:2377
3.10.5. docker swarm join-token worker
3.10.6. swarm init --force-new-cluster
3.11. 11 - Namespaces, cgroups and certificates
3.11.1. Namespaces
3.11.1.1. pid
3.11.1.2. net
3.11.1.3. ipc
3.11.1.4. mnt
3.11.1.5. user
3.11.1.6. uts
3.11.2. Cgroups
3.11.2.1. Limit hardware
3.11.2.1.1. Memory
3.11.2.1.2. CPU
3.11.3. UnionFS
3.11.3.1. File systems that operate by creating layers, making them very lightweight and fast
3.11.4. Certificates
3.11.4.1. tlsverify
3.11.4.2. tlscacert
3.11.4.3. genrsa -aes256 -out ca-key.pem 4096
3.11.4.4. genrsa -out server-key.pem 4096
3.11.4.5. echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
3.11.4.6. echo extendedKeyUsage = serverAuth >> extfile.cnf
3.11.4.7. openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
3.11.4.8. docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version
3.12. 12 - Certificate-based client-server
3.12.1. /etc/docker/certs.d
3.12.1.1. <filename>.key/cert
3.12.2. openssl genrsa -out client.key 4096
3.12.3. openssl req -new -x509 -text -key client.key -out client.cert
4. 4 - Networking
4.1. 1 - External DNS
4.1.1. dockerd --dns 8.8.8.8
4.1.2. dockerd --dns-search example.com
4.2. 2 - Docker Bridge Network
4.2.1. --link
4.2.2. docker network create [opt] teste
4.2.2.1. --driver, -d
4.2.2.1.1. overlay
4.2.2.1.2. bridge
4.2.2.2. --gateway
4.2.2.3. --ip-range, --fixed-cidr
4.2.2.4. --internal
4.2.2.5. --ipv6
4.2.2.6. --subnet, --bip
4.2.3. docker network connect teste ubuntu
4.2.4. docker network disconnect teste ubuntu
4.2.5. docker network rm teste
4.2.6. Forwarding
4.2.6.1. sysctl net.ipv4.conf.all.forwarding=1
4.2.6.2. iptables -P FORWARD ACCEPT
4.2.7. daemon.json
4.2.7.1. { "bip": "192.168.1.5/24", "fixed-cidr": "192.168.1.5/25", "fixed-cidr-v6": "2001:db8::/64", "mtu": 1500, "default-gateway": "10.20.1.1", "default-gateway-v6": "2001:db8:abcd::89", "dns": ["10.20.1.2","10.20.1.3"] }
4.2.8. docker network create --driver=bridge --subnet=192.168.0.0/16 br0
4.2.9. docker network create --driver=bridge --subnet=172.28.0.0/16 --ip-range=172.28.5.0/24 --gateway=172.28.5.254 br0
4.2.10. docker network create -d overlay \ --subnet=192.168.1.0/25 --subnet=192.170.2.0/25 \ --gateway=192.168.1.100 --gateway=192.170.2.100 \ --aux-address="my-router=192.168.1.5" --aux-address="my-switch=192.168.1.6" \ --aux-address="my-printer=192.170.1.5" --aux-address="my-nas=192.170.1.6" \ my-multihost-network
4.2.11. docker network create -o "com.docker.network.bridge.host_binding_ipv4"="172.19.0.1" simple-network
4.2.12. docker network create -d overlay --subnet=10.11.0.0/16 --ingress --opt com.docker.network.driver.mtu=9216 --opt encrypted=true my-ingress-network
4.3. 3 - Docker Overlay Network
4.3.1. Swarm init
4.3.1.1. ingress network
4.3.1.2. docket_gwbridge network
4.3.2. docker network create -d overlay my-overlay
4.3.3. docker network create -d overlay --attachable my-attachable-overlay
4.3.4. docker network create --opt encrypted --driver overlay --attachable my-attachable-multi-host-network
4.3.5. docker service update --network-add my-network my-web
4.3.6. docker service update --network-rm my-network my-web
4.3.7. --secret
4.3.7.1. /run/secrets
4.3.7.2. printf "This is a secret" | docker secret create my_secret_data -
4.3.7.3. docker service create --name redis --secret my_secret_data redis:alpine
4.3.7.4. docker ps --filter name=redis -q
4.3.7.5. docker secret ls
4.3.7.6. docker secret rm my_secret_data
4.3.7.7. docker service update --secret-rm my_secret_data redis
4.3.8. --reserve-memory
4.3.9. --reserve-cpu
4.4. 4 - Difference between host and ingress port publishing mode
4.4.1. mode=host
4.4.2. docker service create --name my_web --replicas 3 --publish published=8080,target=80 nginx
4.5. 5 - Built-in network drivers
4.5.1. bridge
4.5.2. host
4.5.3. overlay
4.5.4. macvlan
4.5.5. none
4.5.6. Network plugins
4.6. 6 - Identify which IP and port
4.6.1. docker ps
4.6.2. docker port test
4.6.3. docker port test 7890/tcp
4.6.4. docker port test 7890/udp
4.6.5. docker port test 7890
4.7. 7 - Publish a port
4.7.1. --expose
4.7.2. -P
4.7.2.1. /proc/sys/net/ipv4/ip_local_port_range
4.7.3. -p
4.7.4. --link
4.8. 8 - Troubleshoot
4.8.1. docker network inspect [opt] network <network_name>
4.8.1.1. --format, -f
4.8.1.2. --verbose, -v
4.9. 9 - Types of traffic
4.10. 10 - Container Network Model
4.11. 11 - Docker to load balance HTTP HTTPs
5. 5 - Security
5.1. 1 - Configure RBAC in UCP
5.1.1. Access control model
5.1.1.1. Subject
5.1.1.1.1. User
5.1.1.1.2. Organization
5.1.1.1.3. Team
5.1.1.2. Role
5.1.1.2.1. None
5.1.1.2.2. View Only
5.1.1.2.3. Restricted Control
5.1.1.2.4. Scheduler
5.1.1.2.5. Full Control
5.1.1.3. Resource Collections
5.1.1.3.1. Physical or virtual nodes
5.1.1.3.2. Containers
5.1.1.3.3. Services
5.1.1.3.4. Networks
5.1.1.3.5. Volumes
5.1.1.3.6. Secrets
5.1.1.3.7. Application configs
5.2. 2 - UCP client bundles
5.3. 3 - Image passes a security scan
5.4. 4 - MTLS
5.4.1. docker swarm init --external-ca
5.4.2. docker swarm ca --rotate
5.4.3. docker swarm ca --rotate --ca-cert --external-ca
5.4.4. --ca-cert, --ca-key
5.5. 5 - Engine Security
5.5.1. Trusted images
5.5.2. Protect the Docker daemon socket
5.5.3. Certificates for repository
5.5.4. Seccomp security profiles for Docker
5.5.5. AppArmor security profiles for Docker
5.5.6. Isolate containers with a user namespace
5.5.7. Run the Docker daemon as a non-root user
5.5.8. Docker Security
5.5.8.1. Kernel namespaces
5.5.8.2. Control groups
5.5.8.3. Docker daemon attack surface
5.5.8.4. Linux kernel capabilities
5.5.8.5. Docker Content Trust Signature Verification
5.5.8.6. Other kernel security features
5.6. 6 - process to use external certificates
5.6.1. UCP Use your own TLS certificates
5.6.2. DTR Use your own TLS certificates
5.7. 7 - swarm default security
5.8. 8 - Difference between UCP workers and managers
5.9. 9 - Signing an image
5.9.1. docker pull nginx:latest
5.9.2. docker tag nginx:latest dtr.example.org/dev/nginx:1
5.9.3. docker login dtr.example.org
5.9.4. export DOCKER_CONTENT_TRUST=1 docker push dtr.example.org/dev/nginx:1
5.10. 10 - Enable Docker Content Trust
5.10.1. export DOCKER_CONTENT_TRUST=1
5.11. 11 - Identity roles
5.11.1. None
5.11.2. View Only
5.11.3. Restricted Control
5.11.4. Scheduler
5.11.5. Full Control
5.12. 12 - Integrate UCP with LDAP AD
5.12.1. Base DN
5.12.2. scope
5.12.3. filter
5.12.4. username
5.12.5. full name
6. 6 - Storage and Volumes
6.1. 1 - Docker storage drivers
6.1.1. overlay2
6.1.2. aufs
6.1.3. devicemapper
6.1.4. btrfs, zfs
6.1.5. vfs
6.2. 2 - How storage can be used
6.2.1. Volume Plugins
6.2.2. Screts
6.2.2.1. docker secret [opt]
6.2.2.1.1. ls
6.2.2.1.2. inspect
6.2.2.1.3. rm
6.2.2.2. echo -n "teste" | docker secret create example -
6.2.2.3. docker secret create example2 file.txt
6.2.2.4. docker service create --name nginx -p 8080:80 --secret example nginx
6.2.2.5. docker service update --secret-rm example nginx
6.2.2.6. docker service update --secret-add example1 nginx
6.2.2.7. /run/secrets
6.2.2.8. docker service create --name nginx -p 8080:80 --secret \ src=example,target=meu-secret,uid=200,gid=200,mode=0400 nginx
6.3. 3 - Configure devicemapper
6.3.1. daemon.json
6.3.1.1. loop-lvm
6.3.1.1.1. { "storage-driver": "devicemapper" }
6.3.1.2. direct-lvm
6.3.1.2.1. { "storage-driver": "devicemapper", "storage-opts": [ "dm.directlvm_device=/dev/xdf", "dm.thinp_percent=95", "dm.thinp_metapercent=1", "dm.thinp_autoextend_threshold=80", "dm.thinp_autoextend_percent=20", "dm.directlvm_device_force=false" ] }
6.3.1.3. docker info
6.4. 4 - Docker persistent storage
6.4.1. --volume, -v
6.4.2. --mount
6.4.3. types
6.4.3.1. bind
6.4.3.2. volume
6.4.3.3. tmpfs
6.5. 5 - Prune unused Docker objects
6.5.1. Images
6.5.1.1. docker image prune
6.5.1.2. docker image prune -a
6.5.1.3. docker image prune -a --filter "until=24h"
6.5.2. Containers
6.5.2.1. docker container prune
6.5.2.2. docker container prune --filter "until=24h"
6.5.3. Volumes
6.5.3.1. docker volume prune
6.5.3.2. docker volume prune --filter "label!=keep"
6.5.4. Networks
6.5.4.1. docker network prune
6.5.4.2. docker network prune --filter "until=24h"
6.5.5. System
6.5.5.1. docker system prune
6.5.5.2. docker system prune --volumes
6.5.6. DTR Garbage collection