Master Docker: From Fundamentals to Advanced Container Management

This comprehensive guide walks you through Docker fundamentals, container concepts, installation, image lifecycle, volume management, Dockerfile creation, networking, registry setup, docker‑compose orchestration, and best practices, providing step‑by‑step commands, code snippets, and diagrams to help you build, run, and manage containers efficiently.

Open Source Linux

1 Container Overview

Linux containers are isolated groups of processes that run from a separate image, which provides all the files those processes need. Images contain all application dependencies, ensuring portability and consistency from development to production.

Containers enable you to simulate different environments locally without recreating server setups, ensuring applications run correctly across development, testing, and production.

1.2 Are containers just virtualization?

Virtualization allows multiple operating systems to run on a single host. Containers share the same OS kernel while isolating application processes.

Containers are lightweight compared to virtual machines, making them ideal for resource‑constrained environments.

1.3 Brief History of Containers

The concept began in 2000 with FreeBSD jail, providing isolated environments. In 2001, the VServer project introduced similar isolation for Linux, eventually evolving into modern container technology.

2 What Is Docker?

Docker refers to the open‑source project and its tools, to the company Docker Inc., and to the tools that company officially supports. It provides a way to create and use Linux containers.

Docker lets you treat containers like lightweight, modular virtual machines, with high flexibility for creating, deploying, and moving containers across environments.

2.1 How Docker Works

Docker uses Linux kernel features such as cgroups and namespaces to isolate processes, allowing multiple independent applications to run securely.

2.2 Is Docker the Same as Traditional Linux Containers?

Docker originally built on LXC but has since moved away from it, offering additional features like image building, distribution, and version control.

2.3 Docker’s Goal

Docker’s primary goal is "Build, Ship, and Run any App, Anywhere".

Build: create a Docker image

Ship: docker pull

Run: start a container

3 Installing Docker

Environment preparation:

# Need two nodes for installation
[root@docker01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@docker01 ~]# uname -r
3.10.0-327.el7.x86_64
[root@docker01 ~]# hostname -I
10.0.0.100 172.16.1.100
[root@docker02 ~]# hostname -I
10.0.0.101 172.16.1.101

Configure the Docker repository and install:

wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y

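Modify the Docker service to listen on a remote TCP port. Port 2375 is the plain‑HTTP API with no TLS and no authentication, so any host that can reach 10.0.0.100:2375 can control the daemon, which is equivalent to root on the node. Keep this listener on an isolated lab network, or use the TLS‑protected listener (--tlsverify, conventionally port 2376) instead: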

# Edit /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://10.0.0.100:2375
systemctl daemon-reload
systemctl enable docker.service
systemctl restart docker.service
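
To check a host for the listener configured above, this added example (not part of the original article) parses a docker.service ExecStart line plus an optional daemon.json and reports TCP listeners that run without --tlsverify. The function names and the certificate paths in the second sample are made up for illustration.

```python
import json
import shlex

def dockerd_hosts(argv):
    """Collect the values of -H / --host from a dockerd argument list."""
    hosts, i = [], 0
    while i < len(argv):
        if argv[i] in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif argv[i].startswith("--host="):
            hosts.append(argv[i].split("=", 1)[1])
        i += 1
    return hosts

def unauthenticated_listeners(exec_start, daemon_json="{}"):
    """Return (host, exposure) for TCP listeners not protected by tlsverify."""
    line = exec_start.strip()
    if line.startswith("ExecStart="):
        line = line[len("ExecStart="):]
    argv = shlex.split(line)
    cfg = json.loads(daemon_json)      # daemon.json can also set hosts/tlsverify
    verify = (cfg.get("tlsverify") is True
              or "--tlsverify" in argv or "--tlsverify=true" in argv)
    findings = []
    for host in dockerd_hosts(argv) + list(cfg.get("hosts", [])):
        if host.startswith("tcp://") and not verify:
            addr = host[len("tcp://"):]
            local = addr.startswith(("127.", "localhost", "[::1]"))
            findings.append((host, "loopback" if local else "network"))
    return findings

# The ExecStart line used in this article.
PAGE_EXEC_START = ("ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock "
                   "-H tcp://10.0.0.100:2375")
# Constructed sample: same host with mutual TLS (certificate paths are placeholders).
TLS_EXEC_START = ("ExecStart=/usr/bin/dockerd --tlsverify "
                  "--tlscacert=/etc/docker/ca.pem "
                  "--tlscert=/etc/docker/server-cert.pem "
                  "--tlskey=/etc/docker/server-key.pem "
                  "-H unix:///var/run/docker.sock -H tcp://10.0.0.100:2376")

if __name__ == "__main__":
    print(unauthenticated_listeners(PAGE_EXEC_START))
    print(unauthenticated_listeners(TLS_EXEC_START))
    print(unauthenticated_listeners("ExecStart=/usr/bin/dockerd",
                                    '{"hosts": ["tcp://0.0.0.0:2375"]}'))
```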

3.1 Basic Docker Commands

Check Docker version:

# docker version
Client:
 Version:    17.12.0-ce
Server:
 Engine:
  Version:    17.12.0-ce

3.2 Run Your First Container

# docker run -d -p 80:80 nginx

Parameters:

Parameter    Description
run          Create and run a container
-d           Run in background
-p           Port mapping
nginx        Image name

3.3 Image Lifecycle

4 Docker Image Operations

4.1 Search Official Images

# docker search centos
NAME     DESCRIPTION                     STARS   OFFICIAL   AUTOMATED
centos   The official build of CentOS.   3992    [OK]

4.2 Pull Images

# docker pull centos
Using default tag: latest
latest: Pulling from library/centos

4.3 Export Image

# docker image save centos > docker-centos.tar.gz

4.4 Delete Image

# docker image rm centos:latest

4.5 Import Image

# docker image load -i docker-centos.tar.gz

4.6 Inspect Image

# docker image inspect centos

5 Daily Container Management

5.1 Start/Stop Containers

# docker run nginx
# docker run -d nginx
# docker container ls
# docker stop <container_id>
# docker container kill <container_id>

5.2 Enter a Container

# docker run -it -p 80:80 nginx /bin/bash
# docker exec -it <container_name> /bin/bash

5.3 Remove All Containers

# docker rm -f $(docker ps -a -q)

5.4 Port Mapping on Start

# docker run -d -p 8888:80 nginx

6 Docker Volume Management

6.1 Create Volume on Mount

# docker run -d -p 80:80 -v /data:/usr/share/nginx/html nginx

6.2 Create Named Volume

# docker volume create clsn
# docker volume ls
# docker volume inspect clsn

6.3 Save Container as Image

# docker commit brave_mcclintock centos6-ssh

7 Dockerfile Automated Image Build

7.1 Dockerfile Syntax

# Dockerfile example
FROM centos:6.8
RUN yum install -y openssh-server
RUN echo "root:123456" | chpasswd
RUN /etc/init.d/sshd start
CMD ["/usr/sbin/sshd","-D"]

7.2 Build Image

# docker image build -t centos6.8-ssh .

7.3 Install kodexplorer via Dockerfile

FROM centos:6.8
RUN yum install -y wget unzip php php-gd php-mbstring && yum clean all
WORKDIR /var/www/html/
RUN wget -c http://static.kodcloud.com/update/download/kodexplorer4.25.zip
RUN unzip kodexplorer4.25.zip && rm -f kodexplorer4.25.zip
RUN chown -R apache.apache .
CMD ["/usr/sbin/apachectl","-D","FOREGROUND"]

8 Docker Image Layering

Each layer adds changes on top of the base image, allowing sharing of common layers across images.

8.1 Why Images Are Layered

Layering enables resource sharing; multiple containers can share the same base layers without duplication.

8.2 Writable Container Layer

When a container starts, a writable layer is added on top of the read‑only image layers.

8.3 Details of the Container Layer

File operations follow a copy‑on‑write model: new files are added to the writable layer; reads look for the file from the uppermost layer downward; modifying a file that lives in an image layer first copies it into the writable layer; and deletions are recorded in the writable layer without altering lower layers.

9 Running Zabbix Server with Docker

9.1 Container Inter‑Communication

# docker run -d -p 80:80 nginx
# docker run -it --link quirky_brown:web01 centos-ssh /bin/bash
# ping web01

9.2 Start Zabbix Stack

# MySQL container
docker run --name mysql-server -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" -e MYSQL_PASSWORD="zabbix_pwd" -e MYSQL_ROOT_PASSWORD="root_pwd" -d mysql:5.7 --character-set-server=utf8 --collation-server=utf8_bin
# Java gateway
docker run --name zabbix-java-gateway -d zabbix/zabbix-java-gateway:latest
# Zabbix server
docker run --name zabbix-server-mysql -e DB_SERVER_HOST="mysql-server" -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" -e MYSQL_PASSWORD="zabbix_pwd" -e MYSQL_ROOT_PASSWORD="root_pwd" -e ZBX_JAVAGATEWAY="zabbix-java-gateway" --link mysql-server:mysql --link zabbix-java-gateway:zabbix-java-gateway -p 10051:10051 -d zabbix/zabbix-server-mysql:latest
# Zabbix web UI
docker run --name zabbix-web-nginx-mysql -e DB_SERVER_HOST="mysql-server" -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" -e MYSQL_PASSWORD="zabbix_pwd" -e MYSQL_ROOT_PASSWORD="root_pwd" --link mysql-server:mysql --link zabbix-server-mysql:zabbix-server -p 80:80 -d zabbix/zabbix-web-nginx-mysql:latest

9.3 Zabbix API Example

# Get token
curl -s -X POST -H 'Content-Type:application/json' -d '{
  "jsonrpc":"2.0",
  "method":"user.login",
  "params":{"user":"Admin","password":"zabbix"},
  "id":1
}' http://10.0.0.100/api_jsonrpc.php

10 Docker Registry

10.1 Simple Registry

# Run registry container
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry
# Allow the Docker daemon to use this registry over plain HTTP (no TLS)
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["10.0.0.100:5000"]
}
EOF
systemctl restart docker.service
# Tag and push image
docker tag busybox:latest 10.0.0.100:5000/clsn/busybox:1.0
docker push 10.0.0.100:5000/clsn/busybox:1.0

10.2 Registry with Basic Auth

# Install httpd-tools
yum install -y httpd-tools
# Create auth file
mkdir -p /opt/registry-var/auth
htpasswd -Bbn clsn 123456 > /opt/registry-var/auth/htpasswd
# Run registry with auth
docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
# Login and push
docker login 10.0.0.100:5000
docker push 10.0.0.100:5000/clsn/busybox:1.0

11 Docker‑Compose Orchestration

11.1 Install Docker‑Compose

# Install pip and docker‑compose
yum install -y python2-pip
pip install docker-compose
# Optional: use Aliyun mirror for pip
mkdir -p ~/.pip
cat > ~/.pip/pip.conf <<EOF
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
EOF

11.2 Compose File Example (WordPress + MySQL)

version: '3'
services:
  db:
    image: mysql:5.7
    volumes:
      - /data/db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - /data/web_data:/var/www/html
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress

Start with docker-compose up -d and access http://10.0.0.100:8000.

11.3 HAProxy Load Balancing for Multiple WordPress Instances

# Install HAProxy
yum install -y haproxy
# Write /etc/haproxy/haproxy.cfg (simplified)
cat > /etc/haproxy/haproxy.cfg <<EOF
global
    log 127.0.0.1 local2
    daemon
defaults
    mode http
    timeout connect 10s
    timeout client 1m
    timeout server 1m
frontend www
    bind 10.0.0.100:8000
    default_backend wordpress
backend wordpress
    balance roundrobin
    server wp1 10.0.0.100:32768 check
    server wp2 10.0.0.100:32769 check
EOF
systemctl start haproxy
systemctl enable haproxy

11.4 Control HAProxy via socat

# Install socat
yum install -y socat
# Requires "stats socket /var/lib/haproxy/stats level admin" in the global section of haproxy.cfg
# Disable a backend server (backend/server names as defined in haproxy.cfg)
echo "disable server wordpress/wp2" | socat stdio /var/lib/haproxy/stats
# Enable it again
echo "enable server wordpress/wp2" | socat stdio /var/lib/haproxy/stats

12 Restart Docker Service Without Stopping Containers

12.1 Use Restart Policy

# docker run --restart=always ...

12.2 Enable Live‑Restore

# Add to /etc/docker/daemon.json
{
  "live-restore": true
}
systemctl restart docker.service

13 Docker Network Types

13.1 Network Drivers

Type         Description
none         No network configuration
container    Share another container's network namespace
host         Use the host's network namespace
bridge       Default NAT network

13.2 No Network

# docker run -it --network none busybox /bin/sh

13.3 Share Container Network

# docker run -it --network container:mywordpress_db_1 busybox /bin/sh

13.4 Host Network

# docker run -it --network host busybox /bin/sh

13.5 List Networks

# docker network ls
NETWORK ID     NAME                  DRIVER    SCOPE
b15e8a720d3b   bridge                bridge    local
345d65b4c2a0   host                  host      local
bc5e2a32bb55   mywordpress_default   bridge    local
ebf76eea91bb   none                  null      local

13.6 Assign Static IP with pipework

# Install pipework
wget https://github.com/jpetazzo/pipework/archive/master.zip
unzip master.zip
cp pipework-master/pipework /usr/local/bin/
chmod +x /usr/local/bin/pipework
# Create bridge br0 and configure IP on host
# (example omitted for brevity)
# Run container and assign IP
pipework br0 $(docker run -d -it --net=none --name test httpd:2.4) 10.0.0.221/[email protected]

13.7 macvlan Network

# Create macvlan network
docker network create --driver macvlan --subnet 10.1.0.0/24 --gateway 10.1.0.254 -o parent=eth0 macvlan_1
# Enable promiscuous mode on host NIC
ip link set eth0 promisc on
# Run container on macvlan
docker run -it --network macvlan_1 --ip=10.1.0.222 busybox /bin/sh

14 Harbor – Enterprise Docker Registry

Harbor provides a web UI for managing projects, users, and images.

# Install Harbor (offline installer example)
cd /opt
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.3.0.tgz
tar xf harbor-offline-installer-v1.3.0.tgz
cd harbor
# Edit harbor.cfg and set:
#   hostname = 10.0.0.100
#   harbor_admin_password = Harbor12345
./install.sh

After installation, access http://10.0.0.100 to log in, create projects, and push images:

# Tag and push image
docker tag centos:6.8 10.0.0.100/clsn/centos6.8:1.0
docker login 10.0.0.100
docker push 10.0.0.100/clsn/centos6.8:1.0

14.1 Recommendations for Using Containers

Do not split application releases across multiple containers.

Avoid creating large images.

Run only one process per container.

Do not store credentials or rely on fixed IPs inside images.

Run processes as non‑root users.

Avoid using the "latest" tag.

Do not commit running containers to create images.

Avoid single‑layer images.

Do not store persistent data inside containers.
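
Three of these recommendations (no credentials in images, non‑root processes, no "latest" tag) can be checked mechanically. The following is an added example, not code from the original article, that applies them to the Dockerfile from section 7.1; the function names, rule labels and regular expression are illustrative heuristics.

```python
import re

# Heuristic for secrets baked into image layers (they remain visible in the image history).
CREDENTIAL = re.compile(
    r"\bchpasswd\b|\b\w*(?:passw(?:or)?d|secret|token)\w*\s*[=:]\s*\S+", re.I)

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        buf += line.rstrip("\\") + " "
        if line.endswith("\\"):
            continue
        word, _, args = buf.strip().partition(" ")
        yield start, word.upper(), args.strip()
        buf = ""

def check_dockerfile(text):
    """Return [(line_no, rule)]; line 0 means the finding applies to the whole file."""
    findings, stages, user = [], set(), None
    for n, ins, args in instructions(text):
        if ins == "FROM":
            parts = [p for p in args.split() if not p.startswith("--")]
            image, user = parts[0], None   # a new stage starts as the base image's user
            if len(parts) == 3 and parts[1].upper() == "AS":
                stages.add(parts[2])
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if (image not in stages and image != "scratch"
                    and "@" not in image and tag in ("", "latest")):
                findings.append((n, "unpinned-base-image"))
        elif ins == "USER":
            user = args.split(":")[0]
        elif ins in ("RUN", "ENV", "ARG") and CREDENTIAL.search(args):
            findings.append((n, "hardcoded-credential"))
    if user in (None, "root", "0"):        # assumption: base image defaults to root
        findings.append((0, "runs-as-root"))
    return findings

# The Dockerfile from section 7.1 of this article.
PAGE_DOCKERFILE = """\
FROM centos:6.8
RUN yum install -y openssh-server
RUN echo "root:123456" | chpasswd
RUN /etc/init.d/sshd start
CMD ["/usr/sbin/sshd","-D"]
"""

if __name__ == "__main__":
    print(check_dockerfile(PAGE_DOCKERFILE))
```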

14.2 Monitoring Docker Containers

Key metrics include container count, IDs, names, images, commands, ports, status, CPU usage, memory consumption, block I/O, and network traffic.
