Docker Workshop Part 2: The Docker runtime, lifecycle, security model, filesystem, and networking

Published 2021-03-18
(best watched at 2x speed)
FULL OUTLINE for PART 1, 2, and 3: docs.monadical.com/s/Sy-mZxxNO
PART 1:    • Docker Workshop Part 1: How to write ...  

Using Docker well in practice is really about understanding three technologies independently:
1. the container image building system: Dockerfile
2. the container runtime: containerd (or podman, etc)
3. container orchestration tooling: docker-compose / k8s / swarm etc.

This video is part 2, covering the container runtime, lifecycle, filesystem, networking, security model, and logging.

CONTENTS OF PART 2 (this video):

- storage driver: overlayfs / zfs / etc. (just use the default, or zfs if you want)
- what are volumes, why to never use named volumes, and volume modes `:ro` `:rw` `:z`, etc.
- best practices for backups: instant filesystem snapshot, or a script that dumps the db to a file + rsync-style incremental backup (never incrementally back up a database data directory directly)
- best practices for permissions: use root, or pass UID/GID on Linux and have the entrypoint chmod the data and drop privileges before executing the app
- best practices for networking: use `expose:` to document which ports are used by other containers (it's a no-op: all containers can already see all ports on other containers; it's just for humans to know)
- sidecar containers: for networking, filesystems, etc.
- handling ingress: sidecar containers for argo, tailscale, wireguard, socks, caddy, traefik, etc.
- `cap_add`, `privileged: true`, what they mean and when you need them
- stdout / stderr handling (different defaults: `-it` with `docker` vs `-T` in docker-compose)
- logging handling (use a json-file driver, or use supervisord to catch output of `docker-compose up` and do logrotation)
- init systems: inside the container or outside the container or both? (`supervisord` for multi-project control, docker-compose within a project, and no init system inside the container)
- cleaning up stopped containers and orphan containers: `docker system prune --all`, and `run --rm` and when it's necessary
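The volume, `expose:`, capability, sidecar-ingress and logging items above, gathered into one docker-compose file. This is an added example, not from the workshop; the service names, image names, host paths and the capability list (what a chown/chmod-then-drop-privileges entrypoint typically needs) are assumptions.

```yaml
# Added example, not part of the workshop. Image names and host paths are placeholders.
services:
  app:
    image: example/app:latest
    # Pass the host user's UID/GID; the image's entrypoint (assumed) chowns/chmods
    # /data to these ids as root, then drops privileges before exec'ing the app.
    environment:
      PUID: "${PUID:-1000}"
      PGID: "${PGID:-1000}"
    # Bind mounts instead of named volumes: the data lives at a known host path,
    # so snapshots, dump scripts and rsync backups can see it.
    volumes:
      - ./data/app:/data:rw
      - ./config/app.toml:/etc/app/app.toml:ro
    # `expose:` opens nothing; it only records that other containers use 8080.
    expose:
      - "8080"
    # No `ports:` here: only the ingress sidecar publishes to the host.
    cap_drop:
      - ALL
    cap_add:            # assumed minimum for chown/chmod + setuid/setgid drop
      - CHOWN
      - FOWNER
      - DAC_OVERRIDE
      - SETUID
      - SETGID
    # privileged: true   # only for real device / host-kernel access, never as a shortcut
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    restart: unless-stopped

  caddy:
    # Ingress sidecar: the one service that publishes host ports. Its Caddyfile
    # (assumed) reverse-proxies to app:8080 over the compose network.
    image: caddy:2
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data/caddy:/data:rw
    depends_on:
      - app
    restart: unless-stopped
```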
