# Docker ## Installation ### Install on Ubuntu20 1. Uninstall old version ``` sudo apt-get remove docker docker-engine docker.io containerd runc ``` 2. Set up the repository * Update the apt package index and install packages to allow apt to use a repository over HTTPS: ``` sudo apt-get update sudo apt-get install \ ca-certificates \ curl \ gnupg \ lsb-release ``` * Add Docker’s official GPG key: ``` sudo mkdir -m 0755 -p /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg ``` * Use the following command to set up the repository ``` echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null ``` 3. Install Docker Engine * Update the apt package index ``` sudo chmod a+r /etc/apt/keyrings/docker.gpg sudo apt-get update ``` * To install the latest version, run ``` sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ``` ### Install ```shell $ sudo apt-get install docker $ sudo apt-get install docker-compose $ sudo apt-get install docker.io ``` ### Permission ```shell $ sudo groupadd docker $ sudo chmod 666 /var/run/docker.sock $ sudo usermod -aG docker $USER ``` ### Trouble Shooting * Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? ```shell $ sudo service docker start ``` * Install docker.io fail ```shell $ sudo apt-get install docker.io ... The following packages have unmet dependencies: docker.io : Depends: containerd (>= 1.2.6-0ubuntu1~) E: Unable to correct problems, you have held broken packages. $ sudo apt install containerd ``` ## Get Image from Docker Hub ### Search Ubuntu Official ```shell=! $ docker search ubuntu -f is-official=true ubuntu Ubuntu is a Debian-based Linux operating sys… 14064 [OK] websphere-liberty WebSphere Liberty multi-architecture images … 283 [OK] ubuntu-upstart DEPRECATED, as is Upstart (find other proces… 112 [OK] neurodebian NeuroDebian provides neuroscience research s… 88 [OK] open-liberty Open Liberty multi-architecture images based… 52 [OK] ubuntu-debootstrap DEPRECATED; use "ubuntu" instead 46 [OK] ``` * `-f is-official=true`: List official images only ### Download image from Docker Hub ```shell=! $ docker pull ubuntu ``` ### List images ```shell=! $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu latest 825d55fb6340 9 days ago 72.8MB postgres 10.9 897b33033d64 2 years ago 230MB ``` ## How to run docker image ### Run Container (Create and start) ```shell=! $ docker run -d -p 80:80 docker/getting-started ``` * `-d`: Background * `-p xxxx:xxxx`: Port mapping ### Run Bash ```shell=! $ docker run -it ubuntu /bin/bash ``` * `-i`: --interactive (互動模式) * `-t`: --tty (配置一個終端機) * `-d`: --detach (在背景執行) ### Access the Container `without /bin/bash` ```shell! $ docker exec -i -t my_ubuntu /bin/bash ``` ### Access the Existing Container `with /bin/bash` ```shell! $ docker attach --sig-proxy=false my_ubuntu ``` ### List Running Containers ID ```shell $ docker ps ``` ### Start Container ```shell $ docker run -i <the-container-id> ``` * `-a`: --attach Attach ; STDOUT/STDERR and forward signals * `-i`: --interactive ; Attach container's STDIN ### Stop Container ```shell # Swap out <the-container-id> with the ID from docker ps $ docker stop <the-container-id> ``` ### Remove Container ```shell $ docker rm <the-container-id> ``` ## How to make docker image ### How to make Dockerfile ```shell mkdir docker_test cd docker_test vi Dockerfile ``` ```dockerfile= FROM node:12-alpine MAINTAINER Username # Adding build tools to make yarn install work on Apple silicon / arm64 machines RUN apk add --no-cache python2 g++ make WORKDIR /app COPY . . RUN yarn install --production CMD ["node", "src/index.js"] ``` * `FROM`: Used Image * `RUN`: Run shell command * `USER`: The User[:Group] is used when running the image. * `WORKDIR`: The Working Dir is used when running the image. * `COPY`: * `ADD`: Add local files to the Docker image * `CMD`: * `ENV`: Set Environment Variable * `VOLUME`: Set VOLUME Folder (Keep in local) #### Dockerfile Trouble Shooting * `COPY`: folder with symlink will lost ### How to build docker image ```shell=! $ docker build -t getting-started . [--no-cache] ``` * `-t`: Tag image * `--no-cache`: ### Check built image ```shell $ docker images ``` ### Remove image ```shell # Swap out <the-image-id> with the ID from docker images $ docker rmi <the-image-id> ``` ### Run with Volume * With mapping local path ```shell=! $ docker run -it -v /home/user1/storage:/storage ubuntu /bin/bash ``` * Without mapping local path ```shell=! $ docker run -it -v /storage ubuntu /bin/bash ``` ### Check Volume ```shell=! $ docker inspect -f '{{.Mounts}}' <the-container-id> ``` ## Docker Compose ... ## How to make Private Registry Server ```shell $ docker run -d -p 5050:5000 --restart=unless-stopped -v /home/user/docker_registry:/var/lib/registry --name docker-registry registry ``` * `-d`: Background * `-p`: Port mapping (Host:Docker) * Check Docker port via [docker inspect - .Config.ExposedPorts](#Docker-inspect) * `-v`: Link Volume (Host:Docker) * `--name`: Set container name * `--restart=unless-stopped`: ### Docker inspect * Show image information ```shell=! $ docker inspect docker-registry # show as a json file ``` * Show specific information * `ExposedPosrts`: The port used by the image ```bash=! docker inspect --format="{{json .Config.ExposedPorts }}" docker-registry ``` ## Private Registry Server ### How to push image to Private Registry Server ```shell=! $ docker tag mytomcat 192.168.123.134:5050/get-started $ docker push 192.168.123.134:5050/get-started ``` ### Troubl Shooting * Push fail ```shell=! sudo vi /etc/docker/daemon.json ``` ```json= { "group": "docker", "insecure-registries": [ "192.168.123.134:5050" ], "live-restore": true } ``` ### How to pull image from Private Registry Server ```shell=! $ docker pull 192.168.123.134:5050/get-started ``` ### How to check Docker Registry * List all docker images in Registry Server ```shell=! $ curl -X GET http://192.168.123.134:5050/v2/_catalog ``` * List docker image tags ```shell=! $ curl -X GET http://192.168.123.134:5000/v2/get-started/tags/list ``` ### How to delete image in Private Registry Server 1. Check Delete ```shell=! $ docker exec -it docker-registry sh -c "cat /etc/docker/registry/config.yml" ``` ```json= version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/registry http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 3 ``` 2. Add `delete enabled: true` ```shell=! $ docker exec -it docker-registry sh -c "vi /etc/docker/registry/config.yml" ``` ```json version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/registry delete: enabled: true http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 3 ``` 3. docker container restart ```shell=! $ docker restart docker-registry ``` 4. Get Docker-Content-Digest ```shell=! $ curl -X GET --header "Accept: application/vnd.docker.distribution.manifest.v2+json" -I http://192.168.123.134:5000/v2/get-started/manifests/x.x.x ``` ```json= HTTP/1.1 200 OK Content-Length: 3266 Content-Type: application/vnd.docker.distribution.manifest.v2+json Docker-Content-Digest: sha256:2dd045b1e8df1e563ca5d13afbf35252ac9f3c2a34fff725ae6ae281efc1be2b Docker-Distribution-Api-Version: registry/2.0 Etag: "sha256:2dd045b1e8df1e563ca5d13afbf35252ac9f3c2a34fff725ae6ae281efc1be2b" X-Content-Type-Options: nosniff Date: Wed, 04 May 2022 06:23:25 GMT ``` 5. Delete manifest ```shell=! $ curl -X DELETE http://localhost:5000/v2/get-started/manifests/sha256:2dd045b1e8df1e563ca5d13afbf35252ac9f3c2a34fff725ae6ae281efc1be2b ``` 6. docker execute garbage-collect ``` docker exec -it docker-registry sh -c "registry garbage-collect /etc/docker/registry/config.yml" ``` ## Docker certificate 1. Generate a root key. `openssl genrsa -out "root-ca.key" 4096` 2. Generate a CSR using the root key. ```sheel= openssl req \ -new -key "root-ca.key" \ -out "root-ca.csr" -sha256 \ -subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=Swarm Secret Example CA' ``` * Error ```error Can't load /home/olivie/.rnd into RNG 139848959476160:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/olivie/.rnd ``` * Fix ` sudo vi /etc/ssl/openssl.cnf` ```diff # This definition stops the following lines choking if HOME isn't # defined. HOME = . - RANDFILE = $ENV::HOME/.rnd + #RANDFILE = $ENV::HOME/.rnd ``` 3. Configure the root CA. ```shell: [root_ca] basicConstraints = critical,CA:TRUE,pathlen:1 keyUsage = critical, nonRepudiation, cRLSign, keyCertSign subjectKeyIdentifier=hash ``` 4. Sign the certificate. ``` openssl x509 -req -days 3650 -in "root-ca.csr" \ -signkey "root-ca.key" -sha256 -out "root-ca.crt" \ -extfile "root-ca.cnf" -extensions \ root_ca ``` * Error ```error Error Loading extension section root-ca ``` * Fix `sudo vi /etc/ssl/openssl.cnf` ```diff # Extension copying option: use with caution. - # copy_extensions = copy + copy_extensions = copy ``` > openssl x509 -req -days 3650 -in "root-ca.csr" \ -signkey "root-ca.key" -sha256 -out "root-ca.crt" \ ~~-extfile "root-ca.cnf"~~ -extensions \ root_ca 5. Generate the site key. `openssl genrsa -out "site.key" 4096` 6. Generate the site certificate and sign it with the site key. ```bash: openssl req -new -key "site.key" -out "site.csr" -sha256 \ -subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=localhost' ``` 7. Configure the site certificate. * New file `site.cnf` `vi site.cnf` ```shell: [server] authorityKeyIdentifier=keyid,issuer basicConstraints = critical,CA:FALSE extendedKeyUsage=serverAuth keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = DNS:localhost, IP:127.0.0.1 subjectKeyIdentifier=hash ``` 8. Sign the site certificate. ```bash: openssl x509 -req -days 750 -in "site.csr" -sha256 \ -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \ -out "site.crt" -extfile "site.cnf" -extensions server ``` 9. docker * error `docker secret create site.key site.key` ```error Error response from daemon: This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again ``` #### Trouble Shoot * x509: certificate signed by unknown authority ``` $ docker pull 192.168.123.123:443/tmp:0.0.1 Error response from daemon: Get https://192.168.3.123:123/v2/: x509: certificate signed by unknown authority ``` * upload domain.crt ``` sudo cp domain.cr /usr/share/ca-certificates/ sudo dpkg-reconfigure ca-certificates sudo systemctl restart docker.service sudo systemctl restart docker.socket ``` ## How to Backup docker image ```shell=! $ docker save -o get-started.tar get-started ``` ## How to Load docker image ```shell=! $ docker load -i get-started.tar ``` ## How to build docker image for multiple platform ### ## Reference * [Docker Official](https://docs.docker.com/get-started/) ## Docker log `docker logs --follow container_name ` ## Remove <none> image ``` docker images -q -a | xargs docker inspect --format='{{.Id}}{{range $rt := .RepoTags}} {{$rt}} {{end}}'|grep -v ':' docker rmi $(docker images --filter "dangling=true" -q --no-trunc) ```