Docker Cheat Sheet

notes.md

Windows Containers notes

• Published ports from Windows Containers aren't accessible on the container host (they are remotely). Use Container IP locally:
  • docker inspect --format '{{ .NetworkSettings.Networks.nat.IPAddress }}' <container>
  • Docs explaining this
  • GH Issue tracking fixes
    • host's IP on host does work now in Creator's Update: "as well as having direct access to the container using the Host IP and exposed port." - https://blogs.technet.microsoft.com/virtualization/2017/04/13/whats-new-in-hyper-v-for-the-windows-10-creators-update/
    • localhost on host doesn't work yet
• Troubleshooting & Logs - Docker docs: https://docs.docker.com/docker-for-windows/troubleshoot/#docker-knowledge-hub

-v notes

• If host directory doesn't exist, it's created
• Windows uses windows path semantics: C:\host:C:\container
  • Can create new drives: C:\host:d:
  • Destination must be a non-existant directory, or empty, or a drive other than C: - bind-mount will fail otherwise
  • Source must be a directory, cannot be a file like linux bind-mounts

Mounting the current directory

Works with both Bash and Powershell: -v ${PWD}:/dest

Bash: -v ${PWD}:/dest or -v $(pwd):/dest or -v ``pwd``:/dest - this is command substitution

• docs refer to both $(pwd) and ``pwd``

Powershell: -v ${PWD}:/dest

CMD: TBD

• Manage data in containers
• Docker run

Dockerfile Windows Containers

• Official Microsoft docs: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/manage-windows-dockerfile
• dotnet-docker-samples - .NET Core
• dotnet-framework-dotnet-samples - .NET Framework

Change escape to backtick

Change escape from the default of \ to `` which is what powershell uses, this avoids issues with windows \ path separator. Another option is to use / instead for paths. Here's an example:

# escape=`
FROM microsoft/nanoserver

COPY testfile.txt c:\
RUN dir c:\

Escape docs

RUN caveats

• Shell vs Exec (json) form:

  • Shell form runs command in the default shell, exec runs the command specifies
    • Linux default shell is ["/bin/sh", "-c"]
    • Windows default shell is ["cmd", "/S", "/C" ]
    • Change default shell with SHELL instruction, use JSON format
      • i.e. SHELL ["powershell", "-command"]
      • shell changes for all subsequent instructions, so you can switch shells
      • affects RUN, CMD, and ENTRYPOINT when shell form is used (not exec form)
  • Exec can avoid shell string munging
  • Exec allows to RUN commands using a base image that does not contain the specified shell executable

• Exec form is parsed as JSON, need to escape \ to have valid JSON. The Shell form doesn't require this.

RUN ["c:\\windows\\system32\\tasklist.exe"]

CMD & ENTRYPOINT

CMD has three use cases:

• CMD ["executable","param1","param2"] (exec form, this is the preferred form)
• CMD ["param1","param2"] (as default parameters to ENTRYPOINT)
• CMD command param1 param2 (shell form)

ENTRYPOINT has use cases:

• ENTRYPOINT ["executable", "param1", "param2"] (exec form, preferred)
• ENTRYPOINT command param1 param2 (shell form)

Notes

• ENTRYPOINT allows you to create a container that runs as if it were an executable - args passed are passed to the entrypoint.

• 3 Scenarios:

  • 1. ENTRYPOINT exec form - specifies program and fixed arguments
    • Container acts as an executable: docker run nginx <args>
    • Use CMD for additional default parameters
    • Use DOCKERRUN args to override CMD
    • 2. Startup script + Executable
      • ENTRYPOINT set to startup script
      • Use exec or gosu in script to launch executable so your process recieves signals
  • 3. CMD (exec or shell) alone - specifies program and args
    • Use when an image provides multiple programs and you just want to provide a default program that's easily changed.
      • Rationale: ENTRYPOINT requires an extra -e arg to override the program specified by the image.
    • Use DOCKERRUN args to override CMD (both program and args)
  • 4. ENTRYPOINT shell form
    • CMD and DOCKERRUN args ignored
    • Process won't be PID1 b/c PID1 is the shell
    • Process won't receive signals, unless you use exec
    • Avoid this unless you need a shell

• Last CMD instruction wins (same for ENTRYPOINT)

• CMD purpose - provide defaults for what to execute

• If using both ENTRYPOINT and CMD - use JSON format (exec) - doesn't execute a shell

  • Pass full path to executable

• Arguments after docker run image ... override CMD

• Entrypoint override is a flag -e VAL or --entrypoint VAL - uses exec form override (not shell)

• CMD and ENTRYPOINT interaction docs

ADD vs COPY

Notes

• Use array syntax if path has whitespace
• Prefer COPY (local files only) - Use RUN for remote files and archives - can do everthing in one instruction
• First ADD (COPY too?) with a changed SRC directory invalidates cache for all subsequent instructions
• SRC can include wildcards - matches with Go's filepath.Match
• SRC must be in Build Context (what is sent to daemon for build)
• If SRC is a directory, all contents are copied, but not the directory itself
• Good idea to end DEST with / or \ to indicate it is a directory, refer to ADD docs
• COPY is a subset of ADD, ADD includes URL sources and extracting archives from local sources