Difference between revisions of "Containers and virtual machines"
m (→^ Dockerfiles: - How to start Docker image with interactive shell) |
m (→^ Dockerfiles: How to save a Docker image as a compressed file) |
||
(4 intermediate revisions by the same user not shown) | |||
Line 67: | Line 67: | ||
<ul> | <ul> | ||
* https://www.letscloud.io/community/how-to-launch-a-docker-container-with-an-interactive-shell | * https://www.letscloud.io/community/how-to-launch-a-docker-container-with-an-interactive-shell | ||
+ | </ul> | ||
+ | |||
+ | <span id="nn_anchor__save_docker_image_to_file"></span> | ||
+ | How to save a Docker image as a compressed file: | ||
+ | <ul> | ||
+ | * https://stackoverflow.com/questions/23935141/how-to-copy-docker-images-from-one-host-to-another-without-using-a-repository | ||
</ul> | </ul> | ||
Line 197: | Line 203: | ||
=== [[#top|^]] docker container rm === | === [[#top|^]] docker container rm === | ||
− | + | An excellent tutorial on removing Docker images, containers and volumes, with many examples: | |
+ | |||
+ | <ul> | ||
+ | * https://www.digitalocean.com/community/tutorials/how-to-remove-docker-images-containers-and-volumes | ||
+ | </ul> | ||
+ | |||
+ | Note also the Docker images are removed using `docker rmi`, while Docker containers are removed via `docker rm`. The example command to remove all Docker containers with `exited` status is not quite correct. Needed to filter for the first column of Docker's `ps -a` command in order to provide only Docker containter IDs: | ||
+ | |||
+ | $ docker rm $(docker ps -a -f status=exited | cut -d " " -f 1) | ||
+ | |||
+ | <!-- odne komentar --> | ||
+ | |||
+ | === [[#top|^]] docker load === | ||
− | + | * https://stackoverflow.com/questions/40582300/how-to-load-a-docker-image-from-a-tar-file | |
− | + | Example invocation of `docker load` command: | |
− | + | ||
− | + | $ docker load < image_name.tar | |
− | + | ||
− | < | + | In the above command except 'image_name' is really file basename. The given Docker image may not be named, but rather have only a hash-based identifier. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
<!-- odne komentar --> | <!-- odne komentar --> | ||
Line 237: | Line 240: | ||
==== [[#top|^]] docker exec [options] [command_in_container] ==== | ==== [[#top|^]] docker exec [options] [command_in_container] ==== | ||
+ | |||
+ | Docker image ID can be obtained by running `docker images` or `docker images -a`. This can aid in the following Docker command invocation: | ||
+ | |||
<pre> | <pre> | ||
− | + | $ docker exec -it [image_id] /bin/bash | |
− | |||
</pre> | </pre> | ||
Note this can have unintended consequences given that there's no ssh server running to handle multiple, or additional logins! | Note this can have unintended consequences given that there's no ssh server running to handle multiple, or additional logins! | ||
+ | |||
<!-- comment --> | <!-- comment --> | ||
Latest revision as of 18:03, 10 July 2023
Containers :: RTOS Notes :: Clusters :: Unix and Linux config
Contents
- 1 ^ Container Software
- 2 ^ Docker
- 3 ^ Dockerfiles
- 4 ^ Docker commands
- 5 ^ SSH connection to Docker container
- 6 ^ Docker volumes
- 7 ^ Anatomy of a Dockerfile
- 8 ^ Promising Docker images
- 9 ^ Physical Device Access in a Docker Container =
- 10 ^ Private Docker registries
- 11 ^ Docker Features Not Done
- 12 ^ Outline of Docker Team How-To
- 13 ^ Docker Compose
- 14 ^ docker scan image
- 15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- 16 ^ Kubernetes Container Software
- 17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- 18 ^ Oracle Corporation VirtualBox software
- 19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
^ Container Software
A promising starting point, collection of six articles / tutorials on Docker containers:
* https://medium.com/sysf/docker/home
A general note following about three days' Docker container experimentation, and to question "should I be using a Docker container interactively, running multiple apps, some simultaneously?". (Note the following forum post chain is a quagmire of issues and opinions!):
* https://news.ycombinator.com/item?id=7950326
^ Docker
Notes on Docker containerizing software. Note, to get a practical start it is a good and or needed step to create a user account with Docker dot com. Single user and free accounts with some advanced Docker features disabled are available. A good starting tutorial for beginners is written by one Brian Hogan of Digital Ocean, this article published 2018 July 5. First reference in list here:
-
2023-06-07:
Ted noting too there may be a daily limit to the number of docker images which a user with a free account can push to Docker's image repository. Docker's image repository provides URLs of the form https://hub.docker.com/u/<user_name>
, where username is the given person's Docker account user name.4
Returning to Docker a year to two further (2023-06-26) here is an article linked directly from Brian Hogan's How To Install... article at Digital Ocean. This article talks about creating multiple Docker containers, many of which contain each other in a layered fashion by design:
This article introduces some basic concepts regarding the Docker ecosystem. And a good article here to lay out the distinctions between a Docker image and a Docker container:
> Docker registries and repositories:
Nick Janetakis writes a pretty concise brief article to describe what are Docker repositories and Docker registries. An image repository holds versions (committed and tagged versions) of a given Docker image. A registry holds zero or more Docker repositories, and is generally a full-fledged always live service that's accessible on the internet or on an intranet.
^ Dockerfiles
An article and tutorial on crafting a basic Dockerfile:
Ubuntu Docker images are the most downloaded on hub.docker.com. Here is an article on how to customize this image:
How to start Docker image with interactive shell:
How to save a Docker image as a compressed file:
^ Docker commands
NOTE: as of 2021-07-19 Monday this section needs organizing and annotation work. - TMH
This first reference URL was added when Ted did not know how to start a Docker image running and grant it access to a host OS directory hierarchy:
-
More on Docker volumes at this next URL. Note also that there is an older Docker volume mechanism and a newer more flexible one, but that may be detailed in another tutorial or guide:
^ Docker pull
Example command to pull a Docker image from a private registry:
docker pull registry.some_remote_host.com/ubuntu-20-04:version-1p0
When pulling Docker images from Docker's primary community site, hub.docker.com, only the Docker username is needed prior to the image name:
docker pull tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p8
^ Docker run
Very limited but useful example of how to run a docker image, with two host OS directory hierarchies accessible in the Docker container:
# docker run -i -t -v /home/cpguest/projects/chibios:/home/huesped/project/chibios -v /mnt/host_os_downloads:/mnt/host_os_downloads --privileged bf980d48d9ab
^ Docker commit
To commit changes within a container a user can invoke `docker commit ...`. While it is good to know about Docker commit command, commits of container changes are not trackable and maintainable nearly as practically as Dockerfiles. Here is the official documentation for this commit command, followed by a tutorial on Docker commit command with preliminary steps of writing a Dockerfile:
Figure: example Docker commit:
docker commit -m "Created 'use marker' file in root homedir of ubuntu-20-04-lts:version-1p0 image." -a "Sr Fulano" ad494bcfe010 private_registry.some_host.com/ubuntu-20-04:version-1p0
^ Docker push
Incomplete synopsis of `docker push` command:
$ docker push [<optional_remote_registry>/]<image_name>[:<optional_tag>]
Series of docker push
invocations for a work-in-progress image. Note the tag names are optional until one needs push an image that's being amended, such that it is a newer or different version of an existing image on the remote Docker repository:
886 docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc 932 docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p2 944 docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p3 962 docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p4 965 docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p5
And here is a link to an article describing Docker push command syntax:
We'll note this link also in the References section of this page. Takeaway here is that the third token in the above push command examples, the latter four examples, that token has the form "<docker_user_name>/<image_name>:<docker_tag>".
This article helped get us closer to understanding how Docker CLI parses the argument to a given docker push
argument. Even with this understanding some further trial and error helped clarify what is needed in the form of this argument, which identifies a Docker image to be pushed to a private, non-docker.io registry. Some excerpts from the command line:
vmguest@vm-ubuntu-0p2:~$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu-20-04-lts version-0p0 065cf14a189c 8 days ago 135MB localhost:5000/my-ubuntu latest 065cf14a189c 8 days ago 135MB tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc version-0p8 bf980d48d9ab 8 days ago 2.98GB tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc version-0p2 4110ca98063a 2 weeks ago 309MB tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc latest f24e27e3d998 2 weeks ago 245MB registry 2 1fd8e1b0bb7e 2 months ago 26.2MB docker-registry.neelanurseries.com/hello-world version-0p0 d1165f221234 3 months ago 13.3kB vmguest@vm-ubuntu-0p2:~$ docker push ubuntu-20-04-lts:version-0p0 docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0 "docker push" requires exactly 1 argument. See 'docker push --help'. Usage: docker push [OPTIONS] NAME[:TAG] Push an image or a repository to a registry vmguest@vm-ubuntu-0p2:~$ docker push ubuntu-20-04-lts:version-0p0 The push refers to repository [docker.io/library/ubuntu-20-04-lts] d07b1c131bb8: Preparing 2788d2f5dd8f: Preparing 04d694391e96: Preparing 48ed8163532b: Preparing denied: requested access to the resource is denied vmguest@vm-ubuntu-0p2:~$ docker push docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0 The push refers to repository [docker-registry.neelanurseries.com/ubuntu-20-04-lts] An image does not exist locally with the tag: docker-registry.neelanurseries.com/ubuntu-20-04-lts vmguest@vm-ubuntu-0p2:~$ docker tag ubuntu-20-04-lts:version-0p0 docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0 vmguest@vm-ubuntu-0p2:~$ docker push docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0 The push refers to repository [docker-registry.neelanurseries.com/ubuntu-20-04-lts] d07b1c131bb8: Pushed 2788d2f5dd8f: Pushed 04d694391e96: Pushed 48ed8163532b: Pushed version-0p0: digest: sha256:114bbce1997fa476da56c3958cb3ca13269a54b0a97dfd3667543c7778287bf2 size: 1150
Delete a Docker repository on Docker hub:
^ docker container rm
An excellent tutorial on removing Docker images, containers and volumes, with many examples:
Note also the Docker images are removed using `docker rmi`, while Docker containers are removed via `docker rm`. The example command to remove all Docker containers with `exited` status is not quite correct. Needed to filter for the first column of Docker's `ps -a` command in order to provide only Docker containter IDs:
$ docker rm $(docker ps -a -f status=exited | cut -d " " -f 1)
^ docker load
Example invocation of `docker load` command:
$ docker load < image_name.tar
In the above command except 'image_name' is really file basename. The given Docker image may not be named, but rather have only a hash-based identifier.
^ SSH connection to Docker container
Secure shell into, or otherwise connect with a running Docker container in and of a Linux environment:
- https://github.com/linuxserver/docker-openssh-server
- https://github.com/linuxserver/docker-openssh-server/blob/71d16e9d09cf8b319ccec9bde2e64ed9298a6d95/LICENSE
A couple examples of running second bash
instance of a given Docker container, not a login, but provides second interactive window or interface to a given Docker container:
^ docker exec [options] [command_in_container]
Docker image ID can be obtained by running `docker images` or `docker images -a`. This can aid in the following Docker command invocation:
$ docker exec -it [image_id] /bin/bash
Note this can have unintended consequences given that there's no ssh server running to handle multiple, or additional logins!
-- Enable USB access in Docker container --
^ Docker volumes
https://www.digitalocean.com/community/tutorials/how-to-share-data-between-docker-containers
^ Anatomy of a Dockerfile
This section in progress!
An annotated example Dockerfile:
A link to a Docker based project which comes very close to what we're working on for an embedded development toolchain and environment that's fully tracked, easy to reproduce on demand:
^ Promising Docker images
^ Physical Device Access in a Docker Container =
^ Private Docker registries
One of the later references found, but one of the most helpful to putting all the pieces together and to understanding how to test them, and why they're there:
This post from 2016 by writer Lathonez.
Notes on how to set up a Docker container registry, a networked server from which Docker images can be accessed and shared:
- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/registry/deploying/#considerations-for-air-gapped-registries
Setting up authentication using htaccess files:
Some requirements for the above link to Docker registry recipe:
-
A brief article on how LetsEncrypt works:
Above tutorials and articles don't paint a clear easy path to setting up a first, basic Docker registry. Taking up a different path here at DigitalOcean:
Regarding port forwarding in apache2 config files:
There is some nginx configuration stuff that's not obvious how to port to apache2 config files, but following how-to article gives a clue with "Header set Host ..." and "RequestHeader set X-Forwarded-Proto "https"":
^ web server configuration
A dedicated virtual machine can easily have one web server configured to act as a reverse proxy in front of a Docker registry. In this context we mean 'proxy' as in a proxy for the public to reach one's internal, in this case Docker registry server. But for development purposes where our virtual machine options are not yet easily configured to be accessible on a LAN, we face a need to set up a first private registry on an existing cloud host which has a name and fixed IP. And there is already a web server config in place there, which we want to leave intact while testing the reverse proxy and other Docker registry pieces. Hence this section in this notes page.
^ apache2 plus nginx
This section contains references and notes regarding how to set up apache2 and nginx on one server.
^ to run multiple instances of apache2
At startpage.com entered search phrase "possible to run apache2 twice with distinct configurations". First result helpful:
^ Reverse proxy choices
Inbound SSL - Configuring to Serve Content via HTTPS Available in Nexus Repository OSS and Nexus Repository Pro Providing access to the user interface and content via HTTPS is a best practice. You have two options: Use a separate reverse proxy server in front of the repository manager to manage HTTPS Configure the repository manager itself to serve HTTPS directly Using A Reverse Proxy Server A common approach is to access the repository manager through a dedicated server which answers HTTPS requests on behalf of the repository manager - these servers are called reverse proxies or SSL/TLS terminators. Subsequently requests are forwarded to the repository manager via HTTP and responses received via HTTP are then sent back to the requestor via HTTPS. There are a few advantages to using these which can be discussed with your networking team. For example, the repository manager can be upgraded/installed without the need to work with a custom JVM keystore. The reverse proxy could already be in place for other systems in your network. Common reverse proxy choices are Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can be configured to serve SSL content, and there is a large amount of reference material available online. Serving SSL Directly The second approach is to use the Eclipse Jetty instance that is distributed with the repository manager to accept HTTPS connections. How to Enable...
^ local private registry with only apache2-utils
Following article good, well written! Describes in clear detail and incrementally how to set up private Docker registry. Gives references. Explains need for some kind of web service provision to achieve a remotely accessible private Docker registry. Key words Gabriel Tanner private Docker registry :
^ Docker Features Not Done
Apparently there is no ready facility to list the images in a private Docker registry, one that's running from the official registry:2
Docker image. A forum post includes mentions of two possible home brew scripts to provide such a listing:
The second of the two scripts is hosted at Github. Need to check the license applied to it, looks like there are recent updates to this project, from about 2021 March:
^ Outline of Docker Team How-To
Sections of document to share with work team:
- End User Use of Docker
- How To Install Docker Client 'docker-ce'
- Basic Interactions with Docker Images
- login
- pull
- run
- stop
- modify
- commit
- tag
- push
- logoff
- Private Docker Registry Configuration
^ Docker Compose
Docker compose files can coordinate and run multiple Docker containers which work together to provide a larger service or set of services. A starting point for understanding how to utilize Docker compose files, which are drafted in a mark-up language named YAML, can be found here:
In contrast a dockerfile is a set of build instructions, which could be run at a command line to manually create a Docker image. A dockerfile provides a way to automate the image building process, and is much lighter weight in terms of disk space taken compared with a typical image. A one line command in a dockerfile could pull in a multi-megabyte library or binary. Some information on dockerfiles here:
^ docker scan image
Starting point to understand Docker vulnerability scanning:
An example vulnerability found in certain versions of Perl which ship with Debian:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
^ Kubernetes Container Software
Kubernetes notes 2021-06-09 This section a stub section.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
^ Oracle Corporation VirtualBox software
VirtualBox on-line manual
-
Some important VM terms include,
- host OS . . . the OS on which VirtualBox software runs
- guest OS . . . the OS which runs inside a VirtualBox VM instance
- virtual machine . . . the hosting environment which VirtualBox creates for given guest OS
- https://www.virtualbox.org/manual/ch04.html
- https://www.virtualbox.org/manual/ch02.html#externalkernelmodules
NOTE! An important BIOS feature and setting to permit virtual machines to run at all using VirtualBox >= 6.1.0 is detailed here at forums dot virtualbox dot org, topic equals 62339:
First set up steps for virtual machine:
To set up shared folders in VirtualBox instances, see VirtualBox documentation chapter 4 at the first following URL. There are also some needed steps detailed in same Oracle documentation, chapter 2, second URL here:
Following screen capture is from Ted's work setting up virtual Ubuntu host.
Figure 1 - capture of VM Ubuntu guest OS command prompt, with steps to mount VirtualBox CDROM drive:
Interestingly, mounting the device /dev/sr0 within the guest OS provides access to several files which we did not see or explicitly install when installing VirtualBox framework software. Scripts to set up needed Linux kernel modules are among these files at /media/cdrom
.
To configure port forwarding, for ssh from host OS to guest OS:
Where VirtualBox stores its files . . .
VirtualBox needs a one-time set up for each host OS folder or directory to be shareable with a given virtual machine. Once that sharing configuration is completed, a *nix mount command is needed in a login session in the virtual machine. Example mount commands to make a host OS directory accessible to the given running VM:
Figure x - share files in one directory between host OS and VM:
804 sudo mount -t vboxsf host_os_downloads /mnt/host_os_downloads/
^ ssh to VM on remote Windows station
The following article gives simple instructions to set up a virtual machine to accept ssh connections from the host operating system. This normally means that when logging in we are ssh'ing <given_vm_user>@localhost, on a particular port other than port 22, to which a feature of the VM listens for ssh traffic.
^ TinyCore Linux on Virtual Machine
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
^ References and Notes
For Ubuntu installs be sure to make /boot large enough, e.g. ~500MB when creating a separate /boot partition:
On first use of Docker
Just after installing docker-ce, `sudo systemctl status docker` returns: ● docker.service - Docker Application Container Engine Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2021-06-16 18:57:15 UTC; 54s ago TriggeredBy: ● docker.socket Docs: https://docs.docker.com Main PID: 20113 (dockerd) Tasks: 8 Memory: 40.2M CGroup: /system.slice/docker.service └─20113 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.411564912Z" level=warning msg="Your kernel does not support CPU realtime scheduler" Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.411704850Z" level=warning msg="Your kernel does not support cgroup blkio weight" Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.411837721Z" level=warning msg="Your kernel does not support cgroup blkio weight_device" Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.412338475Z" level=info msg="Loading containers: start." Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.573219785Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip> Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.675938542Z" level=info msg="Loading containers: done." Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.714086036Z" level=info msg="Docker daemon" commit=b0f5bc3 graphdriver(s)=overlay2 version=20.10.7 Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.715744202Z" level=info msg="Daemon has completed initialization" Jun 16 18:57:15 ubuntu-vm systemd[1]: Started Docker Application Container Engine. Jun 16 18:57:15 ubuntu-vm dockerd[20113]: time="2021-06-16T18:57:15.837838160Z" level=info msg="API listen on /run/docker.sock" Ted noting this due to the three warnings regarding "kernel does not support x...".
^ Git client config in VM and Docker container
For firmware dev work whether in virtual machines and or Docker containers, we need access to remote git repositories. SSL keys are necessary for this access. Here are some beginning notes to explain setting up such keys within each environment:
337 ssh-keygen -t ed25519 <-- generate elliptic type key 338 cd .ssh 340 ls -l 341 cat id_ed25519.pub <-- dump public key to terminal to copy 342 which ssh-agent <-- check that `ssh-agent` is installed and in local $PATH variable 346 ps ax | grep ssh-agent <-- check whether ssh-agent is presently running 348 eval `ssh-agent -s` <-- start ssh-agent running when not found running 349 ps ax | grep ssh-agent <-- confirm running in background as a daemon 350 ssh-add ./id_ed25519 <-- add the private key of the public + private key pair created above
GNU Arm Toolchain refs:
- https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm
- https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads
gcc-arm-none-eabi-10-2020-q4-major-x86_64-linux.tar.bz2 Linux x86_64 Tarball MD5: 8312c4c91799885f222f663fc81f9a31 gcc-arm-none-eabi-10-2020-q4-major-src.tar.bz2 Source Tarball MD5: 0cc79529934703e16ec25a8915028897
^ Docker set up tangential topics, references to sort
On WSL...
Docker rmi
command to remove one or more but not last Docker tag associated with a given image:
^ Private docker registration configuration topics
References related to first steps to bring up nginx web server:
- https://www.digitalocean.com/community/tutorials/apache-network-error-ah00072-make_sock-could-not-bind-to-address
- https://www.nginx.com/resources/wiki/start/topics/examples/full/
To bring up nginx is actually a part of effort to configure and bring up private Docker registry. Here is a CA related article which helps explain the TLS certificate part of this work:
2021-06-25 Friday... Docker push syntax explained further than on Docker main site documentation pages:
Unable to stop a running container, one which appears to have started running automatically in Ubuntu VM host. Searched startpage.com with 'runc did not terminate sucessfully:', found discussion of AppArmor aa-remove-unknown command:
- - - top of page - - -