Docker demo commands
# Start a throwaway centos:7 shell detached with a TTY attached (-d -i -t folded into one flag).
# NOTE(review): centos:7 reached end-of-life in 2024 and receives no updates; fine for a demo,
# not for anything reachable from outside.
docker run -dit centos:7 sh
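#Dockerfile
# -----------------------------------------------
# Apache demo image. ubuntu:14.04 is end-of-life (no security patches) -- kept because the demo
# targets it; use a supported tag (e.g. ubuntu:22.04) for anything beyond a demo.
FROM ubuntu:14.04
# update + install in one layer so a cached `apt-get update` is never paired with a fresh install;
# --no-install-recommends keeps the image small; deleting the apt lists in the same layer is the
# only way to keep them out of the image (a later RUN rm would not shrink it).
RUN apt-get update && \
    apt-get install -y --no-install-recommends apache2 && \
    rm -rf /var/lib/apt/lists/*
# COPY for a plain local file; ADD additionally unpacks archives and fetches URLs, neither wanted here.
COPY index.html /var/www/html/index.html
# Documents the port that `docker run -p 80:80` publishes (EXPOSE itself publishes nothing).
EXPOSE 80
# exec form: apache2ctl is PID 1 and receives SIGTERM from `docker stop`.
# No USER directive: apache2 has to start as root to bind :80; Debian's packaging then switches
# the worker processes to www-data via its envvars file -- confirm on the running container.
CMD ["/usr/sbin/apache2ctl","-D","FOREGROUND"]
# -----------------------------------------------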
#index.html | |
<h1>Docker Rocks!</h1> | |
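# Build the image from the Dockerfile in the current directory.
docker build -t apache2 .
# Name the container so the pause/unpause steps below do not need a copied container id.
# -p 80:80 publishes on every host interface, and Docker's own iptables rules are evaluated
# before host-level filters such as ufw; use -p 127.0.0.1:80:80 when the demo only needs to
# be reachable from the host itself.
docker run -d --name apache2 -p 80:80 apache2
curl localhost:80
# Freeze / resume every process in the container (cgroup freezer); the port stays published.
docker pause apache2
docker unpause apache2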
# Published ports are implemented as DNAT rules in the host's nat table (Docker's own chains).
# Run this on the Docker host as root, not inside a container.
iptables -L -t nat
# Container linking (legacy feature). --link db:db makes "db" resolvable from web AND copies
# db's environment variables into web -- any secret in db's env (e.g. a POSTGRES_PASSWORD)
# becomes readable by the web container. A user-defined network (next section) gives the same
# name resolution without the env-var leak and is the replacement Docker recommends.
# -P publishes every EXPOSEd port of web on a random high host port, on all interfaces.
docker run -d --name db training/postgres
docker run -d --name web -P --link db:db training/webapp python app.py
# Container networking
docker network ls
# --network host puts the container in the host's network namespace: no isolation at all --
# it sees every host interface, can bind any host port and reach loopback-only host services.
docker run -ti --network host centos:7 sh
# User-defined bridge: containers on it resolve each other by name via Docker's embedded DNS
# and are isolated from containers on the default bridge.
docker network create mynet
docker network inspect mynet
docker run -ti --network mynet centos:7 sh
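# Volume management in containers
# Bind mount of a host directory. --mount refuses to start if /root/data does not exist, whereas
# `-v /root/data:/volume1` silently creates it on the host, owned by root. The mount is read-write,
# so root in the container can change /root/data; append `,readonly` when writes are not needed.
docker run -it --mount type=bind,src=/root/data,dst=/volume1 alpine sh
# -v /data with no host path creates an anonymous volume managed by Docker.
docker run -it -v /data --name container1 busybox
# --volumes-from reuses container1's volumes at the same mount points (read-write unless :ro is appended).
docker run -it --volumes-from container1 --name container2 busybox
docker volume ls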
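# Control groups in containers
# --memory caps the container's total memory; the old --kernel-memory flag only limited kernel
# allocations, is deprecated since Docker 20.10 and is not supported on cgroup v2 hosts.
# --cpus 0.5 = half a CPU of quota. --blkio-weight is a cgroup-v1 relative I/O weight; on a
# cgroup v2 host it may be unsupported (check `docker info` for the cgroup version).
docker run -dit --memory 50m --cpus 0.5 --blkio-weight 400 centos:7 sh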
# Linux capabilities in containers
# Print the current process's capability sets (run it inside the container as well to compare
# with the host).
capsh --print
# Remove CAP_NET_RAW from Docker's default capability set: raw packet sockets (ping, sniffing
# on the bridge) stop working. The stronger default is --cap-drop ALL plus --cap-add for
# exactly what the workload needs.
docker run -it --cap-drop net_raw centos:7 sh
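# Seccomp in containers
# Baseline: busybox under Docker's default seccomp profile.
docker run -it busybox sh
# Write the custom profile. "names" is the current schema ("name" is the legacy spelling).
# Blocking only the chmod syscall is bypassable: fchmod and fchmodat change permissions as well,
# and on some architectures (e.g. arm64) there is no chmod syscall at all -- libc uses fchmodat,
# so the demo would not block anything there. List all three.
# defaultAction SCMP_ACT_ALLOW makes this a denylist, which only stops what you remembered to
# list; an allowlist (defaultAction SCMP_ACT_ERRNO plus the syscalls you need) is the stronger
# model and is what Docker's default profile uses.
cat > profile.json <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["chmod", "fchmod", "fchmodat"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
# `seccomp=` is the documented form; the older `seccomp:` spelling is still parsed by the CLI
# as a legacy alias.
docker run -it --security-opt seccomp=./profile.json busybox sh
# Docker's default seccomp profile (docker/docker now redirects to moby/moby):
# https://github.com/moby/moby/blob/master/profiles/seccomp/default.json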
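#containers from scratch
# 1. Get root filesystem (rootfs)
# `docker create` materialises the container filesystem without starting a process, which is
# all `docker export` needs (it dumps the container's filesystem, not image layers/metadata);
# `run -itd ... sh` would leave a shell running in the background. Naming the container avoids
# copying an id, and it is removed once the tarball exists.
docker create --name c7 centos:7
docker export c7 > centos7.tar
docker rm c7
mkdir rootfs
# Extract as root so ownership and setuid bits from the image are preserved (GNU tar only
# restores owners when run as root).
tar -C rootfs/ -xf centos7.tar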
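# 2. chrooting
# chroot only changes the root directory: no PID, network or mount isolation, and a root user
# inside can break out (e.g. by chroot-ing again into a subdirectory). It is a filesystem view,
# not a security boundary -- steps 4-5 add namespaces on top of it.
chroot rootfs /bin/bash
# Mount a proc instance so ps works; with no PID namespace it still shows the HOST's processes.
mount -t proc proc /proc
ps -ef
ls
/usr/bin/python -c 'print "Hello, container world!"'
# Leave the chroot and unmount the proc left behind in rootfs/proc: a stale mount under the
# rootfs is a classic foot-gun for a later `rm -rf rootfs`, which descends into the mounted filesystem.
exit
umount rootfs/proc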
# 3. Running application in chroot
# chroot(1) chdirs to / after changing root, so this serves the ENTIRE rootfs on 0.0.0.0:8000
# (8000 is the module's default port) for as long as it runs; Python 2's SimpleHTTPServer has
# no option to bind to loopback only.
chroot rootfs python -m SimpleHTTPServer 8000
# 4. Creating separate PID namespace and chrooting
# --pid: new PID namespace; --fork: unshare forks so the child (our bash) is PID 1 inside it;
# --mount-proc=DIR: also unshares the mount namespace and mounts a fresh proc at DIR before
# running the command, so ps inside the chroot only sees this namespace's processes.
unshare --pid --fork --mount-proc="$PWD/rootfs/proc" \
  chroot rootfs /bin/bash
# 5. Entering inside a namespace (try this on a VM rather than in the browser-based "play with docker")
# --target <pid> --pid joins the PID namespace of an existing process (equivalent to
# --pid=/proc/<pid>/ns/pid); the nested unshare then gives the chroot its own mount namespace
# and a fresh proc, so the new shell shares PIDs with <pid> but not its mounts.
nsenter --target <pid> --pid \
  unshare --fork --mount-proc="$PWD/rootfs/proc" \
  chroot rootfs /bin/bash
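# 6. chroot with mount
mkdir readonlyfiles
echo "hello" > readonlyfiles/hi.txt
mkdir -p rootfs/var/readonlyfiles
# Bind-mount the host directory read-only into the rootfs. A bind mount initially inherits the
# source's mount options, and with util-linux older than 2.27 the `ro` in a single `--bind -o ro`
# is ignored -- the remount makes the read-only flag take effect on every version, so the
# write test at the end fails as intended instead of silently succeeding.
mount --bind -o ro "$PWD/readonlyfiles" "$PWD/rootfs/var/readonlyfiles"
mount -o remount,bind,ro "$PWD/readonlyfiles" "$PWD/rootfs/var/readonlyfiles"
chroot rootfs /bin/bash
cat /var/readonlyfiles/hi.txt
# Expected to fail with "Read-only file system": even root inside the chroot cannot write here.
echo "bye" > /var/readonlyfiles/hi.txt
# Afterwards, back on the host: umount "$PWD/rootfs/var/readonlyfiles"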
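# 7. cgroups (cgroup v1 memory controller). On a cgroup v2 host -- `stat -fc %T /sys/fs/cgroup`
#    prints cgroup2fs -- the files are /sys/fs/cgroup/demo/memory.max and cgroup.procs, and
#    memory.swappiness has no v2 equivalent (memory.swap.max caps swap instead).
mkdir /sys/fs/cgroup/memory/demo
ls /sys/fs/cgroup/memory/demo/
# ~100 MB hard limit; once exceeded the kernel OOM-kills a process in the group.
echo "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes
# With swap available the limit would otherwise be met by swapping rather than killing.
echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness
# Move this shell into the group so children such as `python hungry.py` inherit it; cgroup.procs
# moves all threads of a process, whereas `tasks` moves only the one thread id written.
# Writing a specific `<pid>` instead of $$ works the same way.
echo $$ > /sys/fs/cgroup/memory/demo/cgroup.procs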
# Memory hungry program | |
-------------------------------------- | |
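def hog(chunk_size=10000000, max_chunks=None):
    """Grow a bytes buffer by ``chunk_size`` per iteration, printing the running total in MB.

    Runs forever by default (the demo's behaviour) so that the cgroup memory limit from step 7
    is hit and the OOM killer can be observed; ``max_chunks`` bounds it for testing.

    Args:
        chunk_size: bytes read from /dev/urandom per iteration (default 10 MB, as in the demo).
        max_chunks: stop after this many chunks; ``None`` never stops.

    Returns:
        Total number of bytes accumulated -- only reached when ``max_chunks`` is set.
    """
    data = b""
    i = 0
    # "rb": /dev/urandom yields bytes. Text mode happens to work on Python 2, but on Python 3
    # it would try to decode random bytes as UTF-8 and die with UnicodeDecodeError long before
    # any memory limit is reached.
    with open("/dev/urandom", "rb") as f:
        while max_chunks is None or i < max_chunks:
            data += f.read(chunk_size)
            i += 1
            print("%dmb" % (i * chunk_size // 1000000,))
    return len(data)


if __name__ == "__main__":
    hog()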
-------------------------------------- | |
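# Run from the shell that was moved into the cgroup; it ends with "Killed" once the limit is hit.
python hungry.py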
# 8. Capabilities
capsh --print
# Drop CAP_CHOWN from the bounding set, then chroot into the rootfs and start a shell (the
# trailing -- ends capsh's options). capsh applies its options in order, so --drop must precede
# --chroot; --chroot itself needs CAP_SYS_CHROOT, i.e. run this as root.
capsh --drop=cap_chown --chroot="$PWD/rootfs" --
https://ericchiang.github.io/post/containers-from-scratch/ | |
http://training.play-with-docker.com/alacart/ |