Master Docker: From Basics to Advanced Container Management and Registry

Introduction to Linux Containers

Linux containers isolate a set of processes from the rest of the system, running from a dedicated image that provides all required files. The container image bundles the application and its dependencies, ensuring portability and consistency from development through production.

When developing on a laptop with a specific configuration, containers let you simulate the production environment without recreating servers, ensuring the application runs reliably across different machines.

Containers vs. Virtualization

Virtualization runs multiple operating systems on a single hypervisor, while containers share the host kernel and isolate processes. Containers are lighter weight, allowing many instances to run on limited resources.

Brief History of Containers

2000 – FreeBSD jail introduced isolation.

2001 – VServer project brought similar concepts to Linux.

2008 – LXC provided early Linux container support.

2013 – Docker popularized container usage with a user‑friendly toolset.

What Is Docker?

Docker is an open‑source platform that enables creation, deployment, and management of Linux containers. It provides tools for building images, distributing them, and running containers consistently across environments.

How Docker Works

Docker leverages kernel features such as cgroups and namespaces to isolate processes. Images are built from a base layer and stacked with additional layers for each change, enabling efficient storage and sharing.

Docker Goals

Build : Create Docker images.

Ship : Distribute images via registries.

Run : Deploy containers from images.

Installing Docker (CentOS 7 Example)

# Check OS version
cat /etc/redhat-release
# Install Docker CE from a local mirror
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install -y docker-ce
# Enable remote API on port 2375
sed -i 's|ExecStart=/usr/bin/dockerd|ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375|' /usr/lib/systemd/system/docker.service
systemctl daemon-reload
systemctl enable docker && systemctl start docker

Basic Docker Commands

docker version

– Show client and server versions. docker pull centos:7 – Download an image. docker images – List local images. docker run -d -p 80:80 nginx – Start a container in detached mode and map ports. docker ps – List running containers. docker exec -it <em>container</em> /bin/bash – Open an interactive shell. docker stop <em>container</em> – Stop a container. docker rm -f $(docker ps -aq) – Remove all containers.

Managing Images

docker tag SOURCE:TAG TARGET:TAG

– Retag an image. docker push TARGET:TAG – Upload to a registry. docker rmi IMAGE_ID – Delete a local image.

Dockerfile Basics

A Dockerfile defines how to build an image. Common instructions: FROM – Base image. RUN – Execute commands during build. COPY / ADD – Add files. WORKDIR – Set working directory. EXPOSE – Declare listening ports. CMD – Default command when container starts.

# Example Dockerfile
FROM centos:6.8
RUN yum install -y openssh-server && \
    echo "root:123456" | chpasswd && \
    /etc/init.d/sshd start
CMD ["/usr/sbin/sshd","-D"]

Image Layering

Each Docker image consists of read‑only layers stacked on top of a base layer. Adding software creates a new layer, which can be shared among containers, reducing storage and memory usage. When a container writes to the filesystem, Docker creates a writable top layer (Copy‑on‑Write).

Running a Zabbix Stack with Docker

Example steps to deploy Zabbix using separate containers for MySQL, Java gateway, Zabbix server, and web UI, linking them together:

# MySQL container
docker run --name mysql-server -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" \
    -e MYSQL_PASSWORD="zabbix_pwd" -e MYSQL_ROOT_PASSWORD="root_pwd" -d mysql:5.7

# Java gateway
docker run --name zabbix-java-gateway -d zabbix/zabbix-java-gateway:latest

# Zabbix server (linked to MySQL and Java gateway)
docker run --name zabbix-server-mysql -e DB_SERVER_HOST="mysql-server" \
    -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" -e MYSQL_PASSWORD="zabbix_pwd" \
    -e MYSQL_ROOT_PASSWORD="root_pwd" -e ZBX_JAVAGATEWAY="zabbix-java-gateway" \
    --link mysql-server:mysql --link zabbix-java-gateway:zabbix-java-gateway \
    -p 10051:10051 -d zabbix/zabbix-server-mysql:latest

# Zabbix web UI (linked to MySQL and server)
docker run --name zabbix-web-nginx-mysql -e DB_SERVER_HOST="mysql-server" \
    -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" -e MYSQL_PASSWORD="zabbix_pwd" \
    -e MYSQL_ROOT_PASSWORD="root_pwd" --link mysql-server:mysql \
    --link zabbix-server-mysql:zabbix-server -p 80:80 -d zabbix/zabbix-web-nginx-mysql:latest

Docker Registry (Private)

Start a simple registry on port 5000:

docker run -d -p 5000:5000 --restart=always --name registry \
    -v /opt/myregistry:/var/lib/registry registry:2

Configure the Docker daemon to trust the insecure registry:

{
  "insecure-registries": ["10.0.0.100:5000"]
}

Tag and push an image:

docker tag busybox:latest 10.0.0.100:5000/clsn/busybox:1.0
docker push 10.0.0.100:5000/clsn/busybox:1.0

Registry with Basic Authentication

Install httpd-tools and create an htpasswd file:

mkdir -p /opt/registry-var/auth && \
htpasswd -Bbn clsn 123456 > /opt/registry-var/auth/htpasswd

Run the registry with auth parameters:

docker run -d -p 5000:5000 -v /opt/registry-var/auth:/auth \
    -e REGISTRY_AUTH=htpasswd \
    -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    registry:2

Docker Compose

Compose simplifies multi‑container applications. Example docker-compose.yml for WordPress and MySQL:

version: '3'
services:
  db:
    image: mysql:5.7
    volumes:
      - /data/db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress

Start with docker-compose up -d and access http://HOST_IP:8000.

HAProxy Load Balancing for Docker Containers

After scaling WordPress to two instances ( docker-compose up --scale wordpress=2), configure HAProxy to balance traffic:

global
    log 127.0.0.1 local2
    daemon

defaults
    mode http
    timeout connect 10s
    timeout client 1m
    timeout server 1m

frontend www_example
    bind 10.0.0.100:8000
    default_backend wordpress_back

backend wordpress_back
    balance roundrobin
    server web1 10.0.0.100:32768 check
    server web2 10.0.0.100:32769 check

Control HAProxy at runtime via the Unix socket or socat (e.g.,

echo "disable server wordpress_back/web2" | socat stdio /var/lib/haproxy/stats

).

Docker Restart Policies and Live‑Restore

Use --restart=always when running containers to ensure they start after a daemon restart. Enabling live-restore in /etc/docker/daemon.json keeps containers running while the Docker daemon is restarted.

{
  "live-restore": true,
  "insecure-registries": ["10.0.0.100:5000"]
}

Harbor – Enterprise Registry

Harbor provides a UI, role‑based access, and vulnerability scanning. Install Docker and Docker‑Compose, extract Harbor, edit harbor.cfg to set hostname and admin password, then run ./install.sh. After login, create projects and push images using tags like 10.0.0.100/clsn/centos6.8:1.0.

Best Practices for Container Images

Do not split a single application into many containers unnecessarily.

Keep images small; avoid installing unused packages.

Run a single process per container.

Do not store credentials inside images; use secrets.

Run processes as non‑root users.

Avoid the latest tag; use explicit version tags.

Do not create images from running containers.

Prefer multi‑stage builds to reduce layers.

Store persistent data in volumes, not inside containers.

Monitoring Docker Containers

Key metrics include container count, IDs, names, image names, command, ports, status (running, paused, exited), CPU usage, memory consumption, block I/O, and network traffic. Tools such as docker stats, Prometheus with cAdvisor, or third‑party platforms can collect and visualize these metrics.

References

redhat.com/zh/topics/containers/whats-a-linux-container

redhat.com/zh/topics/containers/what-is-docker

blog.51cto.com/dihaifeng/1713512

cnblogs.com/Bourbon-tian/p/6867796.html

cnblogs.com/CloudMan6/p/6806193.html