DCA by Mind Map: DCA

1. 1 - Orchestration

1.1. 1 -Network and Ports

1.1.1. Ports --publish published=8080,target=80 -p 8080:80 | --publish 8080:80 --publish mode=80,target=80,published=8080 docker service update --publish-add 8080:80 nginx

1.1.2. Network docker network create --driver overlay | docker network create -d overlay docker service create --network docker service update --network-add docker service update --network-rm docker network connect net1 nginx

1.2. 2 - Labels

1.2.1. docker node update [opt] <node_id> --availability active pause drain --label-add datacenter type=queue --label-rm --role worker manager docker service create --constraint [opt] <service_name> node.labels.type==queue node.labels.type!=queue node.role==manager node.role==worker docker service create --placement-pref 'spread=node.labels.datacenter' <service_name>

1.2.2. docker node [opt] <node_id> demote inspect ls, ps, rm promote update

1.3. 3 - Setup Swarm

1.3.1. docker swarm init --advertise-addr <ip>

1.3.2. docker swarm join-token [opt] worker manager

1.3.3. docker swarm join --token <token> <ip>:2377

1.3.4. docker swarm join-token --rotate [opt] worker manager

1.4. 4 - Stack application using YML compose file

1.4.1. docker stack [opt] deploy [opt] <stack_id> --bundle-file --compose-file, -c --prune --resolve-image ls, ps, rm services

1.4.2. docker-compose.yml build command CMD /usr/sbin/apachectl -D FOREGROUND mode shell configs depends_on deploy endpoint_mode labels mode placement replicas resources restart_policy rollback_config update_config devices dns, dns_search entrypoint ENTRYPOINT ["/usr/sbin/apachectl"] CMD ["-D", "FOREGROUND"] mode exec env_file, environment expose, ports healthcheck image network_mode, networks restart secrets volumes

1.5. 5 - Lock Swarm cluster

1.5.1. docker swarm init --autolock

1.5.2. docker swarm update --autolock=[true|false]

1.5.3. docker swarm unlock

1.5.4. docker swarm unlock-key

1.5.5. docker swarm unlock-key --rotate

1.6. 6 - Docker Service with templates

1.6.1. docker service create [opt] <service_id> --hostname --mount --env

1.6.2. Templates .Service.ID, .Service.Name, .Service.Labels .Node.ID, .Node.Hostname, .Host.ID .Task.ID, .Task.Name, .Task.Slot

1.6.3. docker service create --hostname="{{.Node.Hostname}}-{{.Node.ID}}" <image_id> top

1.6.4. docker inspect --format="{{.Config.Hostname}}" <container_id>

1.7. 7 - Containers into Services under Swarm

1.7.1. docker service create --name <service_name> --replicas 3 <image_id>

1.7.2. docker service ls

1.8. 8 - Troubleshoot a service not deploying

1.8.1. STATUS pending

1.8.2. docker service ps <node_id>

1.8.3. docker inspect <task_id>

1.8.4. docker container logs <node_id>

1.9. 9 - Service Replicated vs Global

1.9.1. docker service create --replicas 3 <image_id>

1.9.2. docker service create --mode global <image_id>

1.10. 10 - Increase Replicas

1.10.1. docker service scale <service_id>=5

1.10.2. docker service update --replicas 10 <service_id>

1.10.3. docker service ls --filter name=<service_id>

1.10.4. docker service scale <service_id_1>=3 <service_id_2>=5

1.11. 11 - Output of Docker Inspect

1.11.1. docker inspect [opt] <name | id> --format, -f --size, -s --type

1.11.2. docker inspect [opt] <node_id> --format='{{json .Config}}' --format='{{.Config.Image}}'

1.11.3. docker service inspect --pretty <service_id>

1.12. 12 - Stack of services

1.12.1. docker stack services [opt] <stack_id> --filter, -f --format --namespace --quiet, -q --kubeconfig --orchestrator

1.12.2. docker stack [opt] deploy ls, ps, rm services

1.12.3. docker stack services --filter [opt] id=<stack_id> label=key=<value> mode=global,replicated name=<stack_name> node=<node_id> service=<service_id>

1.12.4. docker stack services --format ""{{[opt]}}" .ID .Name .Mode .Replicas .Image

1.13. 13 - Volumes

1.13.1. volume --mount, -m --mount-add --mount-rm --volumes-from docker volume create <volume_name> docker service create --mount src=<volume_name>, dst=<container_path> <image_id> docker service create --mount type=volume,src=<volume_name>,dst=<container_path>,volume-driver=<driver>,volume-opt=<key1>=<value1>,volume-opt=<key2>=<value2> <image_name> docker run -d --volumes-from <container_id> <image_name>

1.13.2. bind docker service create --mount type=bind,src=<host_path>,dst=<container_path> <image_name> docker service create --mount type=bind,src=<host_path>,dst=<container_path>,readonly <image_name> docker run -d --rm -v <volume_name>:/tmp --volume <volume_backup>:/backup <image_name> tar -cvf /backup/backup.tar /tmp

1.13.3. tmpfs docker run -d --mount type=tmpfs,dst=<container_path> <image_name>

1.14. 14 - Quorum in a Swarm

1.14.1. docker node update --availability drain <node_id>

1.14.2. docker swarm init --force-new-cluster --advertise-addr <ip>:2377

1.14.3. docker node inspect <node_id> --format "{{ .ManagerStatus.Reachability }}"

1.14.4. docker node inspect <node_id> --format "{{ .Status.State }}"

1.14.5. Backup swarm - /var/lib/docker/swarm

1.14.6. Restore swarm Stop Docker remove /var/lib/docker/swarm restore /var/lib/docker/swarm Start Docker docker swarm init --force-new-cluster docker service ls

1.14.7. Recover Quorum docker swarm init --force-new-cluster --advertise-addr <node_name>:2377 docker service update -f docker service inspect --pretty <service_name> docker service ps docker service scale

1.15. 15 - Dockerized application communicates

1.15.1. ports -p 8080:80 -p 8080:80/tcp -p 8080:80/udp

1.15.2. network bridge, overlay, macvlan, custom docker network connect --ip, --ip6 --alias

1.15.3. DNS --dns --dns-search --dns-opt --hostname

1.16. 16 - Container vs Service

1.16.1. docker start

1.16.2. docker ps -a

1.16.3. docker run --name <container_name> -it <image_name>

1.16.4. docker run -t -i --privileged <image_name> bash

1.16.5. docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list <image_name> bash

1.16.6. docker run -l my-label --label <image_name> bash

1.16.7. docker run -itd --network=<network_name> <image_name>

1.16.8. docker run --device=/dev/sdc:/dev/xvdc --device=/dev/sdd --device=/dev/zero:/dev/nulo -i -t <image_name> ls -l /dev/{xvdc,sdd,nulo}

1.16.9. --restart no on-failure[:max-retries] unless-stopped always

1.16.10. docker run --add-host=docker:<ip> --rm -it <image_name>

1.16.11. docker run --sysctl net.ipv4.ip_forward=1 <image_name>

2. 2 - Image Management and Registry

2.1. 1 - Create a Docker Image

2.1.1. docker image [opt] build history import inspect load --input ls, rm prune pull push save -o tag

2.2. 2 - Configure a Registry

2.2.1. ENV REGISTRY_variable storage: filesystem: rootdirectory: /var/lib/registry REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: <path> docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/config.yml:/etc/docker/registry/config.yml registry:2

2.3. 3 - Delete an Image from a Registry

2.3.1. DELETE /v2/<name>/manifests/<reference>

2.4. 4 - Tagging an Image

2.4.1. docker image tag <source_image>[:tag] <target_image>[:tag]

2.5. 5 - Deploy a Registry

2.5.1. Docker Trusted Registry (DTR) Image and job management Availability Efficiency Built-in access control Security scanning Image signing export DOCKER_CONTENT_TRUST=1 Requirements All nodes must be a worker node managed by Universal Control Plane All nodes must have a fixed hostname DTR can be installed on-premises or on a cloud provider Ports 80 and 443

2.5.2. docker run -d -p 5000:5000 --name registry registry:2 docker pull ubuntu docker image tag ubuntu localhost:5000/myfirstimage docker push localhost:5000/myfirstimage docker pull localhost:5000/myfirstimage docker container stop registry && docker container rm -v registry

2.5.3. Docker Enterprise Before installing Docker Engine, DTR, and UCP version compatibility Time Synchronization Disk space Network ports

2.6. 6 - Dockerfile Options

2.6.1. docker build .

2.6.2. .dockerignore # comment */temp* */*/temp* temp?

2.6.3. docker build -f /path/to/a/Dockerfile .

2.6.4. docker build -t shykes/myapp .

2.6.5. docker build -t shykes/myapp:1.0.2 -t shykes/myapp:latest .

2.6.6. docker build --cache-from shykes/myapp:1.0.2 -t shykes/myapp:1.0.3 .


2.7. 7 - Image Deletion

2.7.1. docker ps -s

2.7.2. /var/lib/docker/<storage-driver>

2.7.3. docker image ls

2.7.4. docker history

2.7.5. docker rm $(docker ps -a -q)

2.7.6. docker rmi $(docker images -f "dangling=true" -q)

2.7.7. docker rmi $(docker images -q)

2.7.8. docker rm $(docker ps -qf status=exited)

2.8. 8 - Image Layers

2.8.1. drivers autofs overlay overlay2

2.9. 9 - Display layers of a Docker image

2.9.1. docker image history [OPT] <image> --format --human, -H --no-trunc --quiet, -q

2.10. 10 - Create an Efficient Image

2.10.1. FROM ubuntu:18.04 COPY . /app RUN make /app CMD python /app/

2.10.2. mkdir myproject && cd myproject echo "hello" > hello echo -e "FROM busybox\nCOPY /hello /\nRUN cat /hello" > Dockerfile docker build -t helloapp:v1 .

2.10.3. mkdir -p dockerfiles context mv Dockerfile dockerfiles && mv hello context docker build --no-cache -t helloapp:v2 -f dockerfiles/Dockerfile context

2.10.4. echo -e 'FROM busybox\nRUN echo "hello world"' | docker build -

2.10.5. docker build -<<EOF FROM busybox RUN echo "hello world" EOF

2.10.6. docker build -t myimage:latest -<<EOF FROM busybox RUN echo "hello world" EOF

2.11. 11 - Inspect Images

2.11.1. docker image inspect --format image <image_id>

2.11.2. docker images --filter "dangling=true"

2.11.3. docker images --filter "label=com.example.version"

2.11.4. docker images --filter "label=com.example.version=1.0"

2.11.5. docker images --filter "before=image1"

2.11.6. docker images --filter "since=image3"

2.11.7. docker images --filter=reference='busy*:*libc'

2.11.8. docker images --filter=reference='busy*:uclibc' --filter=reference='busy*:glibc'

2.11.9. docker images --format "{{[OPT]}}: {{.Repository}}" .ID .Repository .Tag .Digest .CreatedSince .CreatedAt .Size

2.11.10. docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"

2.12. 12 - Log into a Registry

2.12.1. docker login [opt] [server] --password, -p --password-stdin --username, -u

2.12.2. docker login localhost:8080

2.12.3. cat ~/my_password.txt | docker login --username foo --password-stdin

2.12.4. $HOME/.docker/config.json

2.13. 13 - Modify an Image

2.13.1. docker create -t -i fedora bash

2.13.2. docker create -v /data --name data ubuntu

2.13.3. docker create -v /home/docker:/docker --name docker ubuntu

2.13.4. docker create -it --storage-opt size=120G fedora /bin/bash

2.13.5. export docker export red_panda > latest.tar docker export --output="latest.tar" red_panda

2.13.6. import docker image import [opt] file|URL|- [repository[:tag]] --change , -c --message , -m --platform

2.13.7. save docker save <image_name> > /home/save.tar

2.13.8. load docker load < /home/save.tar

2.14. 14 - Pull an Image

2.14.1. docker pull [opt] <image_name[:tag|@digest]> --all-tags , -a --disable-content-trust --platform --quiet , -q

2.14.2. docker pull debian

2.14.3. docker pull ubuntu:14.04

2.14.4. docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

2.14.5. docker pull myregistry.local:5000/testing/test-image

2.14.6. docker pull --all-tags fedora

2.15. 15 - Push an Image

2.15.1. docker image push [opt] <image_name[:tag]> --disable-content-trust

2.16. 16 - Show the main parts of a Dockerfile

2.17. 17 - Sign an image in a registry

2.17.1. Docker Content Trust (DCT)

2.17.2. <registry_host[:registry_port]/><repository[:tag]>

2.17.3. docker trust

2.17.4. docker trust key generate

2.17.5. Universal Control Plane (UCP) Trusts Images Initialize trust metadata for the repository Delegate signing to the keys in your UCP client bundle Configure your Notary client Made up subject role resource collection Monitor Using the Docker CLI client Web UI Check Health https://<ucp-manager-url>/_ping

2.18. 18 - Tag in a Image

2.18.1. docker image tag <source_image[:tag]> <target_image[:tag]>

2.19. 19 - Manage Images

2.19.1. docker image ls [opt] <repository:[tag]> --all , -a --digests --filter , -f --format --no-trunc --quiet , -q

2.19.2. docker image rm [opt] <image_name> --force, -f --no-prune

2.19.3. docker image prune [opt] --all , -a --filter --force, -f

2.20. 20 - Registry to Store an Image

2.20.1. docker image push [opt] <image_name[:tag]> --disable-content-trust

2.21. 21 - Search in a Registry

2.21.1. docker search [opt] TERM --automated --filter , -f --format .Name .Description .StarCount .IsOfficial .IsAutomated --limit --no-trunc --stars, -s

2.21.2. docker search busybox

2.21.3. docker search --stars=3 --no-trunc busybox

2.21.4. docker search --filter stars=3 busybox

2.21.5. docker search --filter is-automated busybox

2.21.6. docker search --filter "is-official=true" --filter "stars=3" busybox

3. 3 - Installation and Configuration

3.1. 1 - Backup for UCP and DTR

3.1.1. UCP Backup Steps docker config ls docker container run --log-driver none --rm --interactive --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 backup --id <ucp-instance-id> --passphrase "secret" > /tmp/backup.tar SELinux Restore uninstall-ucp docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 restore < /tmp/backup.tar docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 restore --passphrase "secret" < /tmp/backup.tar docker container run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/backup.tar:/config/backup.tar docker/ucp:2.2.22 restore -i

3.1.2. DTR Backup Steps Restore Steps

3.2. 2 - Installation of Docker Engine on multiple platforms

3.2.1. Oracle Linux Install yum remove docker docker-engine docker-engine-selinux rm /etc/yum.repos.d/docker*.repo export DOCKERURL="<DOCKER-EE-URL>" sh -c 'echo "$DOCKERURL/oraclelinux" > /etc/yum/vars/dockerurl' yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --enable ol7_addons yum-config-manager --add-repo "$DOCKERURL/oraclelinux/docker-ee.repo" yum -y install docker-ee docker-ee-cli Remove yum -y remove docker-ee rm -rf /var/lib/docker rm -rf /run/docker rm -rf /var/run/docker rm -rf /etc/docker

3.2.2. Red Hat Enterprise Linux Install yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine rm /etc/yum.repos.d/docker*.repo export DOCKERURL="<DOCKER-EE-URL>" sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl' sh -c 'echo "7" > /etc/yum/vars/dockerosversion' yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --enable rhel-7-server-extras-rpms yum-config-manager --enable extras subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms yum makecache fast yum -y install container-selinux yum-config-manager --enable rhui-REGION-rhel-server-extras yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms yum-config-manager --add-repo "$DOCKERURL/rhel/docker-ee.repo" yum -y install docker-ee docker-ee-cli Remove yum -y remove docker-ee rm -rf /var/lib/docker rm -rf /run/docker rm -rf /var/run/docker rm -rf /etc/docker

3.2.3. SUSE SLES Install zypper rm docker docker-engine runc rpm -e docker-engine DOCKER_EE_BASE_URL="<DOCKER-EE-URL>" DOCKER_EE_URL="${DOCKER_EE_BASE_URL}/sles/<SLES_VERSION>/<ARCH>/stable-<DOCKER_VERSION>" zypper addrepo $DOCKER_EE_URL docker-ee-stable rpm --import "${DOCKER_EE_BASE_URL}/sles/gpg" zypper refresh zypper install docker-ee docker-ee-cli Remove zypper rm docker-ee rm -rf /var/lib/docker/*

3.2.4. CentOS Install yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine rm /etc/yum.repos.d/docker*.repo export DOCKERURL="<DOCKER-EE-URL>" sh -c 'echo "$DOCKERURL/centos" > /etc/yum/vars/dockerurl' yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --add-repo "$DOCKERURL/centos/docker-ee.repo" yum -y install docker-ee docker-ee-cli Remove yum -y remove docker-ee rm -rf /var/lib/docker rm -rf /run/docker rm -rf /var/run/docker rm -rf /etc/docker

3.2.5. Ubuntu Install apt-get remove docker docker-engine docker-ce docker-ce-cli apt-get update apt-get install apt-transport-https ca-certificates curl software-properties-common DOCKER_EE_URL="<DOCKER-EE-URL>" curl -fsSL "${DOCKER_EE_URL}/ubuntu/gpg" | sudo apt-key add - apt-key fingerprint 6D085F96 add-apt-repository "deb [arch=$(dpkg --print-architecture)] $DOCKER_EE_URL/ubuntu $(lsb_release -cs) stable-$DOCKER_EE_VERSION" apt-get update apt-get install docker-ee docker-ee-cli Remove apt-get purge docker-ee rm -rf /var/lib/docker

3.2.6. Windows Server 2016 Install Install-Module DockerMsftProvider -Force Install-Package Docker -ProviderName DockerMsftProvider -Force (Install-WindowsFeature Containers).RestartNeeded Restart-Computer Remove Uninstall-Package -Name docker -ProviderName DockerMsftProvider Uninstall-Module -Name DockerMsftProvider Get-HNSNetwork | Remove-HNSNetwork Remove-Item -Path "C:\ProgramData\Docker" -Recurse -Force

3.2.7. Backup order Back up your swarm Unlock key Stop Docker Back up the entire /var/lib/docker/swarm Restart the manager Back up UCP Back up DTR Backup image content Backup DTR metadata

3.3. 3 - Logging Drivers

3.3.1. daemon.json { "log-driver": "syslog" } { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3", "labels": "production_status", "env": "os,customer" } }

3.3.2. docker info --format '{{.LoggingDriver}}'

3.3.3. docker run -it --log-driver [opt] alpine ash none local json-file syslog journald gelf fluentd awslogs splunk etwlogs gcplogs logentries

3.3.4. docker inspect -f '{{.HostConfig.LogConfig.Type}}' <CONTAINER>

3.4. 4 - Docker daemon on boot

3.4.1. Group groupadd docker usermod -aG docker $USER newgrp docker

3.4.2. Start systemctl enable docker echo manual | tee /etc/init/docker.override chkconfig docker on

3.4.3. Stop systemctl disable docker

3.4.4. Network daemon systemctl edit docker.service [Service] ExecStart= ExecStart=/usr/bin/dockerd -H fd:// -H tcp://<ip>:<port> systemctl daemon-reload systemctl restart docker.service netstat -lntp | grep dockerd

3.4.5. Network daemon.json /etc/docker/daemon.json { "hosts": ["unix:///var/run/docker.sock", "tcp://<ip>:<port>"] } systemctl restart docker.service netstat -lntp | grep dockerd


3.4.7. DNS /etc/docker/daemon.json { "dns": ["<dns_ip>", "<dns_ip>"] } service docker restart

3.5. 5 - Docker UCP and DTR in HA

3.5.1. Requirements Be a worker node managed by Universal Control Plane Have a fixed hostname Ports 80/tcp 443/tcp

3.5.2. Install UCP docker image pull docker/ucp:2.2.22 docker container run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.22 install --host-address <node-ip-address> --interactive License your installation Join manager nodes Join worker nodes

3.5.3. Install DTR docker pull docker/dtr:2.3.11 docker run -it --rm docker/dtr:2.3.11 install --ucp-node <ucp-node-name> --ucp-insecure-tls

3.5.4. Check that DTR is running

3.5.5. Configure DTR TLS communication Storage backend to store the Docker images

3.5.6. Test pushing and pulling

3.5.7. Join replicas to the cluster docker run -it --rm docker/dtr:2.3.11 join --ucp-node <ucp-node-name> --ucp-insecure-tls

3.6. 6 - Manager User and Teams

3.7. 7 - Upgrade the Docker Engine

3.7.1. /etc/docker/daemon.json { "live-restore": true }

3.7.2. dockerd --live-restore

3.8. 8 - Troubleshoot

3.8.1. dockerd

3.8.2. daemon.json { "debug": true, "tls": true, "tlscert": "/var/docker/server.pem", "tlskey": "/var/docker/serverkey.pem", "hosts": ["tcp://<ip>:<port>"] }

3.8.3. dockerd --debug --tls=true --tlscert=/var/docker/server.pem --tlskey=/var/docker/serverkey.pem --host tcp://<ip>:<port>

3.9. 9 - Sizing requirements prior to installation

3.9.1. Hardware Minimum 8GB of RAM for manager nodes or nodes running DTR 4GB of RAM for worker nodes 3GB of free disk space Recommended 16GB of RAM for manager nodes or nodes running DTR 4 vCPUs for manager nodes or nodes running DTR 25-100GB of free disk space

3.9.2. DTR Memory: 4Gb Disk: 20-30GB CPU: DTR is not very CPU intensive

3.9.3. UCP Ports TCP 443 - managers, workers TCP 2376 - managers TCP 2377 - managers, workers UDP 4789 - managers, workers TCP, UDP 7946 - managers, workers TCP 12376 - managers, workers TCP 12379, 1238[0-7] - managers Time synchronization

3.10. 10 - Setup Swarm

3.10.1. docker swarm init --advertise-addr <MANAGER-IP>

3.10.2. docker info

3.10.3. docker node ls

3.10.4. docker swarm join --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c <ip>:2377

3.10.5. docker swarm join-token worker

3.10.6. swarm init --force-new-cluster

3.11. 11 - Namespaces, cgroups and certificates

3.11.1. Namespaces pid net ipc mnt user uts

3.11.2. Cgroups Limit hardware Memory CPU

3.11.3. UnionFS File systems that operate by creating layers, making them very lightweight and fast

3.11.4. Certificates tlsverify tlscacert genrsa -aes256 -out ca-key.pem 4096 genrsa -out server-key.pem 4096 echo subjectAltName = DNS:$HOST,IP:<ip>,IP:<ip> >> extfile.cnf echo extendedKeyUsage = serverAuth >> extfile.cnf openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

3.12. 12 - Certificate-based client-server

3.12.1. /etc/docker/certs.d <filename>.key/cert

3.12.2. openssl genrsa -out client.key 4096

3.12.3. openssl req -new -x509 -text -key client.key -out client.cert

4. 4 - Networking

4.1. 1 - External DNS

4.1.1. dockerd --dns

4.1.2. dockerd --dns-search

4.2. 2 - Docker Bridge Network

4.2.1. --link

4.2.2. docker network create [opt] teste --driver, -d overlay bridge --gateway --ip-range, --fixed-cidr --internal --ipv6 --subnet, --bip

4.2.3. docker network connect teste ubuntu

4.2.4. docker network disconnect teste ubuntu

4.2.5. docker network rm teste

4.2.6. Forwarding sysctl net.ipv4.conf.all.forwarding=1 iptables -P FORWARD ACCEPT

4.2.7. daemon.json { "bip": "<cidr>", "fixed-cidr": "<cidr>", "fixed-cidr-v6": "2001:db8::/64", "mtu": 1500, "default-gateway": "<ip>", "default-gateway-v6": "2001:db8:abcd::89", "dns": ["<dns_ip>","<dns_ip>"] }

4.2.8. docker network create --driver=bridge --subnet=<cidr> br0

4.2.9. docker network create --driver=bridge --subnet=<cidr> --ip-range=<cidr> --gateway=<ip> br0

4.2.10. docker network create -d overlay \ --subnet=<cidr> --subnet=<cidr> \ --gateway=<ip> --gateway=<ip> \ --aux-address="my-router=<ip>" --aux-address="my-switch=<ip>" \ --aux-address="my-printer=<ip>" --aux-address="my-nas=<ip>" \ my-multihost-network

4.2.11. docker network create -o "<key>"="<value>" simple-network

4.2.12. docker network create -d overlay --subnet=<cidr> --ingress --opt <key>=<value> --opt encrypted=true my-ingress-network

4.3. 3 - Docker Overlay Network

4.3.1. Swarm init ingress network docker_gwbridge network

4.3.2. docker network create -d overlay my-overlay

4.3.3. docker network create -d overlay --attachable my-attachable-overlay

4.3.4. docker network create --opt encrypted --driver overlay --attachable my-attachable-multi-host-network

4.3.5. docker service update --network-add my-network my-web

4.3.6. docker service update --network-rm my-network my-web

4.3.7. --secret /run/secrets printf "This is a secret" | docker secret create my_secret_data - docker service create --name redis --secret my_secret_data redis:alpine docker ps --filter name=redis -q docker secret ls docker secret rm my_secret_data docker service update --secret-rm my_secret_data redis

4.3.8. --reserve-memory

4.3.9. --reserve-cpu

4.4. 4 - Difference between host and ingress port publishing mode

4.4.1. mode=host

4.4.2. docker service create --name my_web --replicas 3 --publish published=8080,target=80 nginx

4.5. 5 - Built-in network drivers

4.5.1. bridge

4.5.2. host

4.5.3. overlay

4.5.4. macvlan

4.5.5. none

4.5.6. Network plugins

4.6. 6 - Identify which IP and port

4.6.1. docker ps

4.6.2. docker port test

4.6.3. docker port test 7890/tcp

4.6.4. docker port test 7890/udp

4.6.5. docker port test 7890

4.7. 7 - Publish a port

4.7.1. --expose

4.7.2. -P /proc/sys/net/ipv4/ip_local_port_range

4.7.3. -p

4.7.4. --link

4.8. 8 - Troubleshoot

4.8.1. docker network inspect [opt] network <network_name> --format, -f --verbose, -v

4.9. 9 - Types of traffic

4.10. 10 - Container Network Model

4.11. 11 - Docker to load balance HTTP HTTPs

5. 5 - Security

5.1. 1 - Configure RBAC in UCP

5.1.1. Access control model Subject User Organization Team Role None View Only Restricted Control Scheduler Full Control Resource Collections Physical or virtual nodes Containers Services Networks Volumes Secrets Application configs

5.2. 2 - UCP client bundles

5.3. 3 - Image passes a security scan

5.4. 4 - MTLS

5.4.1. docker swarm init --external-ca

5.4.2. docker swarm ca --rotate

5.4.3. docker swarm ca --rotate --ca-cert --external-ca

5.4.4. --ca-cert, --ca-key

5.5. 5 - Engine Security

5.5.1. Trusted images

5.5.2. Protect the Docker daemon socket

5.5.3. Certificates for repository

5.5.4. Seccomp security profiles for Docker

5.5.5. AppArmor security profiles for Docker

5.5.6. Isolate containers with a user namespace

5.5.7. Run the Docker daemon as a non-root user

5.5.8. Docker Security Kernel namespaces Control groups Docker daemon attack surface Linux kernel capabilities Docker Content Trust Signature Verification Other kernel security features

5.6. 6 - process to use external certificates

5.6.1. UCP Use your own TLS certificates

5.6.2. DTR Use your own TLS certificates

5.7. 7 - swarm default security

5.8. 8 - Difference between UCP workers and managers

5.9. 9 - Signing an image

5.9.1. docker pull nginx:latest

5.9.2. docker tag nginx:latest

5.9.3. docker login

5.9.4. export DOCKER_CONTENT_TRUST=1 docker push

5.10. 10 - Enable Docker Content Trust

5.10.1. export DOCKER_CONTENT_TRUST=1

5.11. 11 - Identity roles

5.11.1. None

5.11.2. View Only

5.11.3. Restricted Control

5.11.4. Scheduler

5.11.5. Full Control

5.12. 12 - Integrate UCP with LDAP AD

5.12.1. Base DN

5.12.2. scope

5.12.3. filter

5.12.4. username

5.12.5. full name

6. 6 - Storage and Volumes

6.1. 1 - Docker storage drivers

6.1.1. overlay2

6.1.2. aufs

6.1.3. devicemapper

6.1.4. btrfs, zfs

6.1.5. vfs

6.2. 2 - How storage can be used

6.2.1. Volume Plugins

6.2.2. Secrets docker secret [opt] ls inspect rm echo -n "teste" | docker secret create example - docker secret create example2 file.txt docker service create --name nginx -p 8080:80 --secret example nginx docker service update --secret-rm example nginx docker service update --secret-add example1 nginx /run/secrets docker service create --name nginx -p 8080:80 --secret \ src=example,target=meu-secret,uid=200,gid=200,mode=0400 nginx

6.3. 3 - Configure devicemapper

6.3.1. daemon.json loop-lvm { "storage-driver": "devicemapper" } direct-lvm { "storage-driver": "devicemapper", "storage-opts": [ "dm.directlvm_device=/dev/xdf", "dm.thinp_percent=95", "dm.thinp_metapercent=1", "dm.thinp_autoextend_threshold=80", "dm.thinp_autoextend_percent=20", "dm.directlvm_device_force=false" ] } docker info

6.4. 4 - Docker persistent storage

6.4.1. --volume, -v

6.4.2. --mount

6.4.3. types bind volume tmpfs

6.5. 5 - Prune unused Docker objects

6.5.1. Images docker image prune docker image prune -a docker image prune -a --filter "until=24h"

6.5.2. Containers docker container prune docker container prune --filter "until=24h"

6.5.3. Volumes docker volume prune docker volume prune --filter "label!=keep"

6.5.4. Networks docker network prune docker network prune --filter "until=24h"

6.5.5. System docker system prune docker system prune --volumes

6.5.6. DTR Garbage collection

6.6. 6 - Container’s graph drivers

6.7. 7 - Layers