On Wednesday, 16th November, Dhahran Docker meetup participated in
the global #learndocker event "Global Mentor Week." two useful resources that were used to some extent were
PWD: Play With Docker and
Katacoda.
There were lots of questions asked during and after the meetup. So here I am trying to capture to the best of my knowledge Docker and containers questions and some of the answers for the future meetup mentors as a taste of things to come, I will try to update and answer more questions, however I encourage joining the Docker
community Slack channel and
Forum for any further questions.
Technical:
Q: I am still confused what is the difference between image, and containers, aren't container and image both the same thing?
A: Think of the image is the golden template, and when Docker run it, it creates an instance of it in memory with the required customization "port exposed, environment variables set to configure an aspect, volumes bound, network connected,.., etc"; when the process/container is done, it still exists but now in disk, in case you need to create a template from it, otherwise one needs to clean them up periodically. Although that question seems easy to answer, it was the most asked question from everyone at some time;
from
Stackoverflow.com docker-image-vs-container
Docker Images vs. Containers
In Dockerland, there are images, and there are containers. The two are closely related, but distinct. For me, grasping this dichotomy has clarified Docker immensely.
What's an Image?
An image is an inert, immutable, file that's essentially a snapshot of a container. Images are created with the
build command, and they'll produce a container when started with a
run. Images are stored in a Docker registry such as
registry.hub.docker.com. Because they can become quite large, images are designed to be composed of layers of other images, allowing a minimal amount of data to be sent when transferring images over the network.
Local images can be listed by running docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
ubuntu 13.10 5e019ab7bf6d 2 months ago 180 MB
ubuntu 14.04 99ec81b80c55 2 months ago 266 MB
ubuntu latest 99ec81b80c55 2 months ago 266 MB
ubuntu trusty 99ec81b80c55 2 months ago 266 MB
<none> <none> 4ab0d9120985 3 months ago 486.5 MB
Some things to note:
- IMAGE ID is the first 12 characters of the true identifier for an image. You can create many tags of a given image, but their IDs will all be the same (as above).
- VIRTUAL SIZE is virtual because its adding up the sizes of all the distinct underlying layers. This means that the sum of all the values in that column is probably much larger than the disk space used by all of those images.
- The value in the REPOSITORY column comes from the
-t
flag of the docker build
command, or from docker tag
-ing an existing image. You're free to tag images using a nomenclature that makes sense to you, but know that Docker will use the tag as the registry location in a docker push
or docker pull
.
- The full form of a tag is
[REGISTRYHOST/][USERNAME/]NAME[:TAG]
. For aboveubuntu
, REGISTRYHOST is inferred to be registry.hub.docker.com
. So if you plan on storing your image called my-application
in a registry at docker.example.com
, you should tag that image docker.example.com/my-application
.
- The TAG column is just the [:TAG] part of the full tag. This is unfortunate terminology.
- The
latest
tag is not magical, it's simply the default tag when you don't specify a tag.
- You can have untagged images only identifiable by their IMAGE IDs. These will get the
<none>
TAG and REPOSITORY. It's easy to forget about them.
What's a container?
To use a programming metaphor, if an image is a class, then a container is an instance of a class—a runtime object. Containers are hopefully why you're using Docker; they're lightweight and portable encapsulations of an environment in which to run applications.
View local running containers with docker ps
:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f2ff1af05450 samalba/docker-registry:latest /bin/sh -c 'exec doc 4 months ago Up 12 weeks 0.0.0.0:5000->5000/tcp docker-registry
Here I'm running a dockerized version of the docker registry, so that I have a private place to store my images. Again, some things to note:
- Like IMAGE ID, CONTAINER ID is the true identifier for the container. It has the same form, but it identifies a different kind of object.
docker ps
only outputs running containers. You can view stopped containers with docker ps -a
.
- NAMES can be used to identify a started container via the
--name
flag.
How to avoid image and container buildup?
One of my early frustrations with Docker was the seemingly constant buildup of untagged images and stopped containers. On a handful of occassions this buildup resulted in maxed out hard drives slowing down my laptop or halting my automated build pipeline. Talk about "containers everywhere"!
We can remove all untagged images by combining docker rmi
with the recent dangling=true
query:
docker images -q --filter "dangling=true" | xargs docker rmi
Docker won't be able to remove images that are behind existing containers, so you may have to remove stopped containers with docker rm
first:
docker rm `docker ps --no-trunc -aq`
These are
known pain points with Docker, and may be addressed in future releases. However, with a clear understanding of images and containers, these situations can be avoided with a couple of practices:
- Always remove a useless, stopped container with
docker rm [CONTAINER_ID]
.
- Always remove the image behind a useless, stopped container with
docker rmi [IMAGE_ID]
more from
Stackoverflow "whats-the-difference-between-a-container-and-an-image"
Images are frozen immutable snapshots of live containers. Containers are running (or stopped) instances of some image.
Start with the base image called 'ubuntu'. Let's run bash interactively within the ubuntu image and create a file. We'll use the -i
and -t
flags to give us an interactive bash shell.
$ docker run -i -t ubuntu /bin/bash
root@48cff2e9be75:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@48cff2e9be75:/# cat > foo
This is a really important file!!!!
root@48cff2e9be75:/# exit
Don't expect that file to stick around when you exit and restart the image. You're restarting from exactly the same defined state as you started in before, not where you left off.
$ docker run -i -t ubuntu /bin/bash
root@abf181be4379:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@abf181be4379:/# exit
But, the container, now no longer running, has state and can be saved (committed) to an image.
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
abf181be4379 ubuntu:14.04 /bin/bash 17 seconds ago Exited (0) 12 seconds ago elegant_ardinghelli
48cff2e9be75 ubuntu:14.04 /bin/bash About a minute ago Exited (0) 50 seconds ago determined_pare
...
Let's create an image from container ID 48cff2e9be75 where we created our file:
$ docker commit 48cff2e9be75 ubuntu-foo
d0e4ae9a911d0243e95556e229c8e0873b623eeed4c7816268db090dfdd149c2
Now, we have a new image with our really important file:
$ docker run ubuntu-foo /bin/cat foo
This is a really important file!!!!
Try the command docker images
. You should see your new image ubuntu-foo
listed along with the ubuntu
standard image we started with.
Q: the "FROM" directive in Dockerfile, Shouldn't the best practice pin the image with a tag?
A: Yes, I think it would be a good practice to pin the base image in the
FROM directive line in Dockerfile. The reasoning is the default is latest, that could mean if someone rebuilds the image again, he is not guaranteed original functionality as things might have changed in future base images that might affect the other layers, not guaranteed security also if it will be pulled from non-trusted repository/hub.
Q: What if my image was compiled with optimisation in mind, would that work with another platform that does not have the instruction set?
No, it would not work, if one is targeting portability, he will build the image for the lowest denominator with no special platform specific compiler flags. There could be internal Enterprise use cases where different builds of the containers for particular platform, tags could be used to distinguish such images.
Q: How would containers help us startups? Do you have use cases?
Docker history has some good lessons to learn from, Docker by itself is a good use case. When Solomon Hykes the Docker founder started up
dotcloud in Y Combinator and how the
dotcloud team was supporting other Y Combinator startups build, deploy and ship their apps into AWS, and
the 20 startups from YC that adopted Docker early.
Check out the origin story of dotcloud and how it transformed to Docker.
Also, the rich Docker Hub app repository, regarding application subsystems, and ready components. If one have an idea how to help a customer, it can be fast and easy to prototype into a fully working application or build an appliance. The entire Docker Ecosystem to create a full working operational and development workflow for the prototype and help the application scale.
In most cases, containers are an alternative to virtual machines. So it's easier to talk to people that already have virtual machines in use as they can relate. Containers could prove faster, more performant, and easy to manage.
One case I had seen recently with
Zenoss when they moved their architecture to Docker containers, it helped them ship a standalone version of a complex distributed application in a scalable, manageable approach. That customers can install Zenoss behind their firewall. The
Zenoss distributed architecture is very complicated, it uses a mix of many solutions, but still user's the whole installation, upgrade, and management experience have been inspiring.
How does Docker differ or relate to vagrant? How about docker-machine vs. vagrant?
The essence of Docker is the a-z of the software application lifecycle regarding build, ship, and run; that could be in any environment, development, production, QA, and could be multiple of environments mixed. Vagrant, on the other hand, is meant to be mainly for development, the Vagrant file is more or less like the Docker compose YAML file describes the environment setup but doesn't describe how the application instances or images are created, in Docker the images can be described using Dockerfile if not pulled from a registry/repository/Docker hub.
How can swarm allocate a container that might later overuse memory resources of the host?
How does Docker hub ensure images pushed to are lawfully licensed?
Some questions related to differences between images and containers
some questions when to use virtualizations vs. container or can one use both?
Will it be possible to run Windows containers on Linux platform, or the opposite without docker-machine?
Can one enforce network usage limits,? Bandwidth on a container?
Not yet in current Docker versions at the time of this blog writing. There are several closed/open Github issues related to throttling/limiting network bandwidth for a container. For example,
Github shivacherukuri Docker-Network-Bandwidth solution is one way to go about it.
One questions about build Docker images for a legacy app that its container size reached 10G in size have asked him to follow up with me with details?
What is the size limit or expectations of container size?
Questioning the numbers of 7B+ downloads, the percentage of Docker in production? Having access to the application survey would have helped.?
As for the downloads number these were from Docker Hub, and most of it is the community images, a
quick search today in the newly store, shows around 439,440 community images, and as one can see captured image below, some of these images had already been downloaded over 10M+ times
there are several surveys done that report different statics regarding the adoption of Docker in production and in the Enterprise, however, all of them almost agree on the rate of growth of using Docker in production. one good resource discussing some of these statistics earlier this year is
Coscale Docker usage statistics increased adoption by enterprises and for production use
Some other example surveys:
- https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
- https://redmonk.com/fryan/2016/12/01/containers-in-production-is-security-a-barrier-a-dataset-from-anchore/
- https://www.datadoghq.com/docker-adoption/
- https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
All these numbers are obsolete by now due to the rapid growth Docker and containers, in general, are seeing.
Non-technical questions:
I did register for the Docker community, I do not see the general/ Global-Mentor-Week channel?
After you sign up for the
Docker community group, you will get in your email a
Slack invite, this is a manual process and could take some from few hours to a couple of days. Also double check your spam folder for any Docker/Slack related emails.
Can I download the training instructions offline?
Some business related questions to local support, and resellers/partnerships in Saudi?
check https://www.docker.com/docker-support-services#/faq and email sales@docker.com
Other questions:
Why the voter app breaks build breaks in Linux platform but does not on Windows? And using proposed solution makes the app not function right?
What is the percentage of serious critical/stateful business enterprise applications compared to web/cloud apps? Is Docker mostly for web/cloud apps?
Will there be professional certifications and exams on Docker ECO system?
As far as I know, Red Hat have some courses and exams:
Doing an ldd/pmap inside a container, how can the view from inside the container relate to the outside view from the host system, and what is static vs. dynamic in here?