Some important information about Docker container

What is a Docker container and what is a K8s Pod?

  • Docker container : It is a runtime instance of a Docker image; it can be managed and maintained by Docker.
  • K8s Pod : It is an abstraction in a K8s cluster which can have one or more containers within it.

What are the ways we can troubleshoot issues related to Docker containers?

  • See the logs - docker logs container_name
  • See the logs in real time - docker logs -f container_name
  • Inspect the container - docker inspect container-id
  • Get the stats of all containers - docker stats
  • Docker system information - docker info
  • See the running processes in a container - docker top container-id

How to delete unused Docker resources

  • Images: list all images - docker images
  • Delete all unused images - docker image prune
  • Containers: list all the containers - docker ps -a
  • Delete all stopped/unused containers - docker container prune
  • Delete unused volumes - docker volume prune
  • Delete custom networks that have no containers attached - docker network prune
  • Remove all at once - docker system prune -a

How to know which network does not have any containers attached.

  1. docker network ls -q
  2. shell script to inspect each network and loop through them

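#!/bin/bash

# List all networks
for network in $(docker network ls -q); do
  name=$(docker network inspect -f '{{.Name}}' "$network")
  # The predefined networks (bridge, host, none) cannot be removed
  case "$name" in bridge|host|none) continue ;; esac
  # {{len .Containers}} is 0 when the network has no containers attached
  if [ "$(docker network inspect -f '{{len .Containers}}' "$network")" -eq 0 ]; then
    echo "Pruning network $name ($network) which has no containers attached."
    docker network rm "$network"
  fi
done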

How to restrict a container to 1 CPU and 1 GB of RAM

docker run -d --cpus 1 --memory 1g --name partho-container nginx

In the Dockerfile, what is the difference between RUN and CMD?

  • RUN : This is used during the container creation and starting the container (starting the machine)
  • CMD : This runs the commands inside the container once the container is ready (executing the ifconfig command inside the machine to know its IP address)

Basic Dockerfile

     # Use the official Nginx base image
     FROM nginx:latest

     # Set the working directory in the container
     WORKDIR /usr/share/nginx/html

     # Copy the content of the current directory to the container
     COPY . .

     # Expose port 80 to the host
     EXPOSE 80

     # The default command to run when the container starts
     CMD ["nginx", "-g", "daemon off;"]        

Multistage Dockerfile

  • This is mostly used when the image is created in multiple stages.
  • It reduces the image size, so the final image has fewer files and dependencies, which is better for security.

        # Stage 1: Build
        FROM node:16-alpine AS build

        # Set the working directory
        WORKDIR /app

        # Copy the package.json and package-lock.json
        COPY package*.json ./

        # Install dependencies
        RUN npm install

        # Copy the rest of the application code
        COPY . .

        # Build the React application
        RUN npm run build

        # Stage 2: Run
        FROM nginx:alpine

        # Copy the built React application from the build stage
        COPY --from=build /app/build /usr/share/nginx/html

        # Expose port 80
        EXPOSE 80

        # Start nginx
        CMD ["nginx", "-g", "daemon off;"]        

  • Then build an image using that multistage Dockerfile
  • Using that image, start a container

Update the Docker container without Data-loss to a new image

  1. A volume must be mounted on the container, so that the data is persistent on the Docker volume
  2. Take a backup of the data
  3. Stop the container - docker stop container-id
  4. Remove the old container to avoid any conflict - docker rm current-container
  5. Pull the latest image - docker pull new-updated-image:latest
  6. Start the new container with the new image and the old data - docker run -d --name new-container -v my-volume:/path/to/data new-updated-image:latest

How to move one container from one Host-1 to Host-2

  • Perform all the above steps like stop, backup the data etc

How to Restore a container from Backup?

  • docker run --rm --volumes-from <container> -v $(pwd):/backup busybox sh -c "cd <container-path> && tar xvf /backup/backup.tar --strip 1"

How to ensure the containers are secure?

  • Get the image which is trusted
  • Maintain the underlying host with latest patches and regular updates
  • Regularly scan the image for any vulnerability -
  • Enable observability to check the logs and alerts

What are the best practices for Docker containers?

  1. Use a lightweight image to reduce exposure to attack and to optimize build and deployment.
  2. Patch the host and use the latest image for the container
  3. Use an orchestration tool like K8s to manage containers at scale and enable features like LB and auto healing
  4. Enable resource limits using --cpus, --memory etc.
  5. Monitor the container health and resource usage (docker stats)
  6. Use a custom bridge network and keep the containers isolated to prevent any security compromise
  7. Regularly back up the data - use shell scripts to do that daily
  8. Run vulnerability scans using tools like trivy
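
Items 4 and 6 above can be checked on a running host. The script below is an added example, not part of the original article: it reads one line per container and reports containers with no memory or --cpus limit, privileged mode, or the default bridge or host network. The sample lines and the names legacy-web, debug-box and app-net are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original article).
# Input, one line per container, space separated:
#   name memory_bytes nano_cpus privileged network_mode
# On a real host, produce it with:
#   docker inspect -f '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.NanoCpus}} {{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}}' $(docker ps -q)

audit_containers() {
  while read -r name mem cpus priv net; do
    [ -z "$name" ] && continue
    name=${name#/}   # docker inspect prefixes container names with "/"
    # Memory and NanoCpus are 0 when --memory / --cpus were not given.
    # Only --cpus is checked; limits set via --cpu-quota are not covered here.
    [ "$mem" = "0" ] && echo "$name: no memory limit (--memory)"
    [ "$cpus" = "0" ] && echo "$name: no CPU limit (--cpus)"
    [ "$priv" = "true" ] && echo "$name: runs privileged"
    case "$net" in
      default|bridge) echo "$name: on the default bridge network" ;;
      host)           echo "$name: shares the host network namespace" ;;
    esac
  done
  return 0
}

# Constructed sample: the first line matches the "1 CPU & 1GB" run command
# from this article, attached to a hypothetical custom network "app-net".
SAMPLE='/partho-container 1073741824 1000000000 false app-net
/legacy-web 0 0 false default
/debug-box 536870912 500000000 true host'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_containers; }

audit_sample
```

A container that produces no output lines passed all four checks; here only partho-container does.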


A Docker volume is also essential for retaining the data in a container, because a container has the limitation that it does not have any native storage solution.


I will write another article on Docker volume which overcomes the limitations of container storage.
