Understanding and Using Containers


What is a Container

  • A container is a self-contained, ready-to-run application
  • This is what makes it different from a virtual machine!
  • A container has everything on board that is required to start the application
  • To start a container, a container runtime is required
  • The container runtime runs on a host platform and establishes communication between the local host kernel and the container
  • So all containers, no matter what they do, run on top of the same local host kernel

 

Container Components

  • Images are read-only environments that contain the runtime environment, which includes the application and all libraries it requires
  • Containers are the isolated runtime environments where the application is running. By using namespaces the containers can be offered as a strictly isolated environment
  • Registries are used to store images. Docker Hub is a common registry, other registries exist (like quay.io) and private registries can be created also

 

Containers are Linux!

  • Containers are based on features offered by the Linux operating system
  • Linux Kernel Namespaces provide strict isolation between system components at different levels
    • network
    • file
    • users
    • processes
    • IPCs
  • Linux CGroups offer resource allocation and limitation

 

Container Runtimes

  • The container runtime allows for starting and running the container on top of the host OS
  • The container runtime is responsible for all parts of running the container which are not already a part of the running container program itself
  • Different container runtime solutions exist
    • docker
    • lxc
    • runc
    • cri-o
    • containerd
  • These runtimes are included in the different container solutions

 

The OCI

  • OCI is the Open Containers Initiative (https://opencontainers.org)
  • It standardizes the use of containers
    • The image-spec defines how to package a container in a “filesystem bundle”
    • The runtime-spec defines how to run that filesystem in a container
  • OCI standardization ensures compatibility between containers, no matter which environment they originally come from
  • The result is that for instance images made for Docker work without modifications in Red Hat Podman

 

Docker

  • Docker is important in the container landscape, but Docker is NOT the only way to run containers
  • When it started in 2013, Docker offered the following:
    • Container image format
    • Dockerfile, which is a method for building container images
    • A way to manage container images
    • A way to run containers
    • A way to manage container instances
    • A solution to share container images
  • Podman is the main alternative to Docker

 

Alternatives to Docker

  • With the launch of RHEL 8, Red Hat started offering Podman as an alternative to Docker
    • Podman runs containers without needing a daemon; it sits directly on top of the cri-o container runtime
    • Buildah is the related tool that is used for managing container images
  • Other solutions for running containers also exist
    • LXC is a Linux-native container runtime
    • systemd-nspawn offers containers integrated in Systemd

 

Registries

  • Container registries are used to provide access to container images
  • Registries make distribution of containers easier: anyone can publish images on public registries
  • Docker Hub (hub.docker.com) is the biggest registry
  • Other registries exist as well, like quay.io
  • It’s also possible to create private registries

 

Accessing Registries

  • Access to registries is normally free
  • In some cases, additional authorization is required and you’ll need an account to access registry contents
  • On Docker Hub, an account gives access to additional features
    • Higher image pull limit
    • Web hooks connecting to GitHub
  • Use the browser-based login, or docker login from the command line

 

Starting Containers

  • Many environments are available, let’s look at Docker
  • To use containers on RHEL 8 and related distributions, you can use podman instead of docker
  • Use dnf install -y container-tools to install podman and related utilities

 

Installing Docker on Ubuntu

  • sudo apt-get update
  • sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
  • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  • sudo apt-key fingerprint 0EBFCD88
  • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  • sudo apt-get update
  • sudo apt-get install docker-ce docker-ce-cli containerd.io
  • sudo docker run hello-world

 

Running a Container

  • mkdir -p /var/www/html
  • echo hello from docker >> /var/www/html/index.html
  • docker run -d -p 8080:80 --name="myapache" -v /var/www/html:/var/www/html httpd
  • docker ps
  • ss -tunap | grep 8080
  • curl http://localhost:8080

 

Running Another Container

  • docker run -it busybox will start the busybox container with an interactive terminal to the entrypoint application
  • Ctrl-p, Ctrl-q to disconnect and keep it running
  • exit to stop the current container application
    • If you were connected to the entrypoint application, the container will stop
    • If you were connected to another shell session, the container will continue

 

Managing Containers – Common Commands

  • docker ps [-a]: shows currently [and past] running containers
  • docker start: starts a container from a locally stored image
  • docker stop: stops a container using Linux SIGTERM
  • docker restart: restarts a currently running container
  • docker kill: stops a container using Linux SIGKILL
  • docker rm: removes all container files from the host operating system

 

Inspecting Container Settings

  • docker ps will show the IDs of containers: pick one!
  • docker inspect <ID> | less
  • docker inspect --format='{{.NetworkSettings.IPAddress}}' containername
  • docker inspect --format='{{.State.Pid}}' containername
  • Alternatively, use ps aux on the host to find the container PID
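Added example, not from the original slides and not part of Docker: a small POSIX shell helper that compares the namespace inodes of two processes through /proc, so the PID obtained with `.State.Pid` above can be checked against a host process to see which of the namespaces listed under "Containers are Linux!" the container really has of its own. The function names ns_id and ns_diff and the use of the "myapache" container are assumptions.

```shell
#!/bin/sh
# Added helper, not part of Docker: compare the Linux namespaces of two processes.
# Each /proc/PID/ns/<kind> link names a namespace inode; equal inodes mean the
# two processes share that namespace, different inodes mean they are isolated.

NS_KINDS="cgroup ipc mnt net pid user uts"

# ns_id PID KIND: print the namespace id (e.g. "net:[4026531840]"), or nothing
# if that namespace kind is not exposed by this kernel.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || true
}

# ns_diff PID_A PID_B: print one line per namespace kind in which the two
# processes differ. Exit status: 0 = everything shared (no isolation at all),
# 1 = at least one namespace differs, 2 = one of the PIDs does not exist.
ns_diff() {
    a="$1"; b="$2"; differ=0
    [ -d "/proc/$a" ] && [ -d "/proc/$b" ] || return 2
    for kind in $NS_KINDS; do
        ia=$(ns_id "$a" "$kind")
        ib=$(ns_id "$b" "$kind")
        # skip kinds this kernel does not expose for either process
        [ -z "$ia" ] && [ -z "$ib" ] && continue
        if [ "$ia" != "$ib" ]; then
            echo "$kind: $ia vs $ib"
            differ=1
        fi
    done
    return $differ
}

# Typical use on the host, with the "myapache" container from the slides running:
#   ns_diff "$$" "$(docker inspect --format='{{.State.Pid}}' myapache)"
# A container started with --net=host or --pid=host will not list those kinds,
# which shows exactly the isolation it gave up.
```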

 

Managing Images

  • After fetching, the container images are stored on the host
  • Use docker images to get a list of images
  • Or use docker image --help to get an overview of all options related to managing container images

 

Container Logging

  • The container application is not connected to the STDOUT of a terminal, which is why its logs, by default, are written to the container itself
  • Use docker logs mycontainer to get access to the container log
  • Using docker logs is convenient for troubleshooting

 

Lab: Using Containers

  • Run the latest version of Ubuntu in a container
  • In interactive mode, start a bash shell and explore the /etc/os-release file, as well as the kernel version (uname -r)
  • Disconnect from the container without shutting it down

As we see, the kernel version in the container is always the same as in the virtual machine.