Docker & Docker Compose Overview

Quick List

• docker-compose build
• docker-compose up -d
• docker-compose logs -f
• docker exec -it <container> bash
• docker run -it centos
• docker ps -aq --no-trunc | xargs docker rm
• docker images -q --filter dangling=true | xargs docker rmi

NOTE: Configure Direct-LVM Mode for Production

Misc

Can’t connect to your Container?  It Exists immediately and  you want to see why?

# docker commit <container-id> my-hosed-container &&
# docker run -it my-hosed-container /bin/sh

Push images to your Registry (GCP)

# gcloud docker -- push us.gcr.io/sysops7/varnish5:dev

List gcloud container Images

# gcloud container images list --repository=us.gcr.io/sysops7 

NAME
us.gcr.io/sysops7/varnish5

# gcloud container images list-tags us.gcr.io/sysops7/varnish5
DIGEST       TAGS TIMESTAMP
244bf0d4ffc6 dev  2017-12-01T15:44:01

Remove images from Registry (GCP)

# gcloud container images delete us.gcr.io/sysops7/varnish5:dev
Digests:
- us.gcr.io/sysops7/varnish5@sha256:244bf0d4ffc6936f561adf68364fa56ce43b0574ca0db350f7352b466ab3d7ff
  Associated tags:
 - dev
Tags:
- us.gcr.io/sysops7/varnish5:dev
This operation will delete the tags and images identified by the 
digests above.

Do you want to continue (Y/n)?  y

Deleted [us.gcr.io/sysops7/varnish5:dev].
Deleted [us.gcr.io/sysops7/varnish5@sha256:244bf0d4ffc6936f561adf68364fa56ce43b0574ca0db350f7352b466ab3d7ff].

Pull images from Registry (GCP)

# gcloud docker -- pull us.gcr.io/my-project/my-image

To pull a specific image, append the image’s tag or digest:

# gcloud docker -- pull us.gcr.io/my-project/my-image:test
# gcloud docker -- pull us.gcr.io/my-project/my-image@sha256:44bde...

Docker Swarm Init

# docker swarm init --advertise-addr 192.168.1.33

Swarm initialized: current node (3ww6m5jr6df24sgg0hj8i1d7) is now a manager.

To add a worker to this swarm, run the following command:

# docker swarm join \
--token SWMTKN-1-1ygehettvmj02Fakeasd4thedfFake8aql26o7jd9u8h6oFakej5u-1f01w77gxtanFakezmnck3jve \
192.168.1.33:2377

To add a manager to this swarm, run docker swarm join-token manager and follow the instructions.

Docker Lifecycle Commands

• docker create creates a container but does not start it.
• docker rename allows the container to be renamed.
• docker run creates and starts a container in one operation.
• docker rm deletes a container.
• docker update updates a container’s resource limits.

Starting and Stopping Docker

• docker start starts a container so it is running.
• docker stop stops a running container.
• docker restart stops and starts a container.
• docker pause pauses a running container, “freezing” it in place.
• docker unpause will unpause a running container.
• docker wait blocks until running container stops.
• docker kill sends a SIGKILL to a running container.
• docker attach will connect to a running container.

Removing Docker containers and images

Playing with Docker can leave you with several stopped containers and unneeded, intermediary images. This may waste substantial disk space. This article shows how to efficiently remove such containers and images.

List all exited containers

# docker ps -aq -f status=exited

Remove stopped containers

# docker ps -aq --no-trunc | xargs docker rm

This command will not remove running containers, only an error message will be printed out for each of them.

Remove containers

# docker rm $(docker ps -qa --no-trunc --filter "status=exited")

Removing Unused Volumes

# docker volume rm $(docker volume ls -qf dangling=true

# docker volume ls -qf dangling=true | xargs -r docker volume rm

Removing Networks

# docker network ls
# docker network ls | grep "bridge"
# docker network rm $(docker network ls | grep "bridge" | awk '/ / { print $1 }')

Remove dangling/untagged images

# docker images -q --filter dangling=true | xargs docker rmi

Remove containers created after a specific container

# docker ps --since a1bz3768ez7g -q | xargs docker rm

Remove containers created before a specific container

# docker ps --before a1bz3768ez7g -q | xargs docker rm

Use --rm for docker build

Use --rm together with docker build to remove intermediary images during the build process.

Searching for Images in the Docker Hub

You can search for images available on Docker Hub by using the docker command with the searchsubcommand. For example, to search for the CentOS image, type:

docker search centos

The script will crawl Docker Hub and return a listing of all images whose name match the search string. In this case, the output will be similar to this:

NAME                            DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
centos                          The official build of CentOS.                   2224      [OK]       
jdeathe/centos-ssh              CentOS-6 6.7 x86_64 / CentOS-7 7.2.1511 x8...   22                   [OK]
jdeathe/centos-ssh-apache-php   CentOS-6 6.7 x86_64 / Apache / PHP / PHP M...   17                   [OK]
million12/centos-supervisor     Base CentOS-7 with supervisord launcher, h...   11                   [OK]
nimmis/java-centos              This is docker images of CentOS 7 with dif...   10                   [OK]
torusware/speedus-centos        Always updated official CentOS docker imag...   8                    [OK]
nickistre/centos-lamp           LAMP on centos setup                            3                    [OK]

...

In the OFFICIAL column, OK indicates an image built and supported by the company behind the project. Once you’ve identifed the image that you would like to use, you can download it to your computer using the pull subcommand, like so:

docker pull centos

After an image has been downloaded, you may then run a container using the downloaded image with the run subcommand. If an image has not been downloaded when docker is executed with the runsubcommand, the Docker client will first download the image, then run a container using it:

• docker run centos

To see the images that have been downloaded to your computer, type:

• docker images

The output should look similar to the following:

[secondary_lable Output]
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              778a53015523        5 weeks ago         196.7 MB
hello-world         latest              94df4f0ce8a4        2 weeks ago         967 B

As you’ll see later in this tutorial, images that you use to run containers can be modified and used to generate new images, which may then be uploaded (pushed is the technical term) to Docker Hub or other Docker registries.

Running a Docker Container

The hello-world container you ran in the previous step is an example of a container that runs and exits, after emitting a test message. Containers, however, can be much more useful than that, and they can be interactive. After all, they are similar to virtual machines, only more resource-friendly.

As an example, let’s run a container using the latest image of CentOS. The combination of the -i and -t switches gives you interactive shell access into the container:

• docker run -it centos

Your command prompt should change to reflect the fact that you’re now working inside the container and should take this form:

[root@59839a1b7de2 /]#

Important: Note the container id in the command prompt. In the above example, it is 59839a1b7de2.

Now you may run any command inside the container. For example, let’s install MariaDB server in the running container. No need to prefix any command with sudo, because you’re operating inside the container with root privileges:

• yum install mariadb-server

Committing Changes in a Container to a Docker Image

When you start up a Docker image, you can create, modify, and delete files just like you can with a virtual machine. The changes that you make will only apply to that container. You can start and stop it, but once you destroy it with the docker rm command, the changes will be lost for good.

This section shows you how to save the state of a container as a new Docker image.

After installing MariaDB server inside the CentOS container, you now have a container running off an image, but the container is different from the image you used to create it.

To save the state of the container as a new image, first exit from it:

• exit

Then commit the changes to a new Docker image instance using the following command. The -m switch is for the commit message that helps you and others know what changes you made, while -a is used to specify the author. The container ID is the one you noted earlier in the tutorial when you started the interactive docker session. Unless you created additional repositories on Docker Hub, the repository is usually your Docker Hub username:

• docker commit -m “What did you do to the image” -a “Author Name” container-id repository/new_image_name

For example:

• docker commit -m “added mariadb-server” -a “Sunday Ogwu-Chinuwa” 59839a1b7de2 finid/centos-mariadb

Note: When you commit an image, the new image is saved locally, that is, on your computer. Later in this tutorial, you’ll learn how to push an image to a Docker registry like Docker Hub so that it may be assessed and used by you and others.

After that operation has completed, listing the Docker images now on your computer should show the new image, as well as the old one that it was derived from:

• docker images

The output should be of this sort:

REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
finid/centos-mariadb   latest              23390430ec73        6 seconds ago       424.6 MB
centos                 latest              778a53015523        5 weeks ago         196.7 MB
hello-world            latest              94df4f0ce8a4        2 weeks ago         967 B

In the above example, centos-mariadb is the new image, which was derived from the existing CentOS image from Docker Hub. The size difference reflects the changes that were made. And in this example, the change was that MariaDB server was installed. So next time you need to run a container using CentOS with MariaDB server pre-installed, you can just use the new image. Images may also be built from what’s called a Dockerfile. But that’s a very involved process that’s well outside the scope of this article. We’ll explore that in a future article.

Listing Docker Containers

After using Docker for a while, you’ll have many active (running) and inactive containers on your computer. To view the active ones, use:

• docker ps

You will see output similar to the following:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
f7c79cc556dd        centos              "/bin/bash"         3 hours ago         Up 3 hours                              silly_spence

To view all containers — active and inactive, pass it the -a switch:

• docker ps -a

To view the latest container you created, pass it the -l switch:

• docker ps -l

Stopping a running or active container is as simple as typing:

• docker stop container-id

The container-id can be found in the output from the docker ps command.

Pushing Docker Images to a Docker Repository

The next logical step after creating a new image from an existing image is to share it with a select few of your friends, the whole world on Docker Hub, or other Docker registry that you have access to. To push an image to Docker Hub or any other Docker registry, you must have an account there.

This section shows you how to push a Docker image to Docker Hub.

To create an account on Docker Hub, register at Docker Hub. Afterwards, to push your image, first log into Docker Hub. You’ll be prompted to authenticate:

• docker login -u docker-registry-username

If you specified the correct password, authentication should succeed. Then you may push your own image using:

• docker push docker-registry-username/docker-image-name

It will take sometime to complete, and when completed, the output will be of this sort:

The push refers to a repository [docker.io/finid/centos-mariadb]
670194edfaf5: Pushed 
5f70bf18a086: Mounted from library/centos 
6a6c96337be1: Mounted from library/centos

...

After pushing an image to a registry, it should be listed on your account’s dashboard.

If a push attempt results in an error of this sort, then you likely did not log in first:

The push refers to a repository [docker.io/finid/centos-mariadb]
e3fbbfb44187: Preparing
5f70bf18a086: Preparing
a3b5c80a4eba: Preparing
7f18b442972b: Preparing
3ce512daaf78: Preparing
7aae4540b42d: Waiting
unauthorized: authentication required

Log in, then repeat the push attempt.

There are a number of iSCSI related esxcli commands, all accessed using the ‘esxcli iscsi’ namespace:

# esxcli iscsi
Usage: esxcli iscsi {cmd} [cmd options]

Available Namespaces:
  adapter               Operations that can be performed on iSCSI adapters
  networkportal         Operations that can be performed on iSCSI Network Portal (iSCSI vmknic)
  physicalnetworkportal Operations that can be performed on iSCSI Physical Network Portal (vmnic)
  session               Operations that can be performed on iSCSI sessions
  ibftboot              Operations that can be performed on iSCSI IBFT boot table
  logicalnetworkportal  Operations that can be performed on iSCSI Logical Network Portal (vmknic)
  plugin                Operations that can be performed on iSCSI management plugins
  software              Operations that can be performed on software iSCSI

Looking at the host’s iSCSI adapters:

# esxcli iscsi adapter list
Adapter Driver    State  UID                                            Description 
------- --------- ------ ---------------------------------------------- ----------------------------
vmhba3  qla4xxx   online iqn.2000-04.com.qlogic:qle4060c.yk10ny96t57v.1 4032 Family iSCSI Controller
vmhba35 iscsi_vmk online iqn.1998-01.com.vmware:xvm1-mgt-1a8f4e4d       iSCSI Software Adapter

It’s clear from the output that this host is using the iSCSI Software Adapter and a Hardware controller. To display more information on a given adapter you can run:

# esxcli iscsi adapter get --adapter vmhba3
vmhba3
 Name: iqn.2000-04.com.qlogic:qle4060c.yk10ny96t57v.1
 Alias: xvm1
 Vendor: QLOGIC
 Model: QLE4060C
 Description: 4032 Family iSCSI Controller
 Serial Number: YK10NY96T57V
 Hardware Version: QLE4060C
 Asic Version: 0
 Firmware Version: 3.0.1.49
 Option Rom Version: 1.0.0.0
 Driver Name: qla4010.o
 Driver Version: 624-01-43
 TCP Protocol Supported: true
 Bidirectional Transfers Supported: true
 Maximum Cdb Length: 0
 Can Be NIC: false
 Is NIC: false
 Is Initiator: true
 Is Target: false
 Using TCP Offload Engine: true
 Using ISCSI Offload Engine: true

As this is a hardware adapter, some of the fields will display additional information such as details on Firmware and Driver versions etc. You can use the ‘set’ option to change the name and alias of the adapter. For example:

# esxcli iscsi adapter set --adapter vmhba3 --alias HardwareAdapter

There are a number of other namespaces relating to the iSCSI adapter:

# esxcli iscsi adapter
Usage: esxcli iscsi adapter {cmd} [cmd options]

Available Namespaces:
  auth                  Operations that can be performed on iSCSI adapter authentications
  discovery             Operations that can be performed on iSCSI adapter discovery
  target                Operations that can be performed on iSCSI targets
  capabilities          Operations that can be performed on iSCSI adapter capabilities
  firmware              Operations that can be performed on iSCSI adapter firmware
  param                 Operations that can be performed on iSCSI adapter parameters

In relation to troubleshooting its worth paying attention to the ‘auth’, ‘discovery’ and ‘target’ namespaces in particular. You can list the chap settings with:

# esxcli iscsi adapter auth chap get -A vmhba3
   Direction: uni
   Name:
   Level: prohibited

To list the configured iSCSI targets you can run:

# esxcli iscsi adapter target list
Adapter Target                                  Alias Discovery Method Last Error
------- --------------------------------------- ----- ---------------- ----------
vmhba35 iqn.1996-04.com.bosch:raid.sn7445666.00       SENDTARGETS      No Error 
vmhba35 iqn.1996-04.com.bosch:raid.sn7445666.10       SENDTARGETS      No Error 
vmhba3  iqn.1996-04.com.bosch:raid.sn7445666.00       SENDTARGETS      na 
vmhba3  iqn.1996-04.com.bosch:raid.sn7445666.10       SENDTARGETS      na 

To list the iSCSI targets with IP and port, run this:

# esxcli iscsi adapter target portal list
Adapter  Target                                   IP           Port  Tpgt
-------  ---------------------------------------  -----------  ----  ----
vmhba35  iqn.1996-04.com.bosch:raid.sn7445666.00  192.168.3.3  3260  1   
vmhba35  iqn.1996-04.com.bosch:raid.sn7445666.10  192.168.3.4  3260  1   
vmhba3   iqn.1996-04.com.bosch:raid.sn7445666.00  192.168.3.3  3260  1   
vmhba3   iqn.1996-04.com.bosch:raid.sn7445666.10  192.168.3.4  3260  1

Moving away from the adapter related commands, a useful command for troubleshooting is the ‘sessions’ namespace. This will output established sessions to the host’s configured targets. For example:

# esxcli iscsi session list
vmhba35,iqn.1996-04.com.bosch:raid.sn7445666.00,00023d000001
 Adapter: vmhba35
 Target: iqn.1996-04.com.bosch:raid.sn7445666.00
 ISID: 00023d000001
 TargetPortalGroupTag: 1
 AuthenticationMethod: none
 DataPduInOrder: true
 DataSequenceInOrder: true
 DefaultTime2Retain: 0
 DefaultTime2Wait: 0
 ErrorRecoveryLevel: 0
 FirstBurstLength: 65536
 ImmediateData: true
 InitialR2T: false
 MaxBurstLength: 262144
 MaxConnections: 1
 MaxOutstandingR2T: 1
 TSIH: 256

vmhba35,iqn.1996-04.com.bosch:raid.sn7445666.10,00023d000001
 Adapter: vmhba35
 Target: iqn.1996-04.com.bosch:raid.sn7445666.10
 ISID: 00023d000001
 TargetPortalGroupTag: 1
 AuthenticationMethod: none
 DataPduInOrder: true
 DataSequenceInOrder: true
 DefaultTime2Retain: 0
 DefaultTime2Wait: 0
 ErrorRecoveryLevel: 0
 FirstBurstLength: 65536
 ImmediateData: true
 InitialR2T: false
 MaxBurstLength: 262144
 MaxConnections: 1
 MaxOutstandingR2T: 1
 TSIH: 512

vmhba3,iqn.1996-04.com.bosch:raid.sn7445666.00,00c0dd113f21
 Adapter: vmhba3
 Target: iqn.1996-04.com.bosch:raid.sn7445666.00
 ISID: 00c0dd113f21
 TargetPortalGroupTag: 1
 AuthenticationMethod: none
 DataPduInOrder: true
 DataSequenceInOrder: true
 DefaultTime2Retain: 0
 DefaultTime2Wait: 2
 ErrorRecoveryLevel: 0
 FirstBurstLength: 128
 ImmediateData: true
 InitialR2T: false
 MaxBurstLength: 512
 MaxConnections: 1
 MaxOutstandingR2T: 1
 TSIH: 0

vmhba3,iqn.1996-04.com.bosch:raid.sn7445666.10,00c0dd113f21
 Adapter: vmhba3
 Target: iqn.1996-04.com.bosch:raid.sn7445666.10
 ISID: 00c0dd113f21
 TargetPortalGroupTag: 1
 AuthenticationMethod: none
 DataPduInOrder: true
 DataSequenceInOrder: true
 DefaultTime2Retain: 0
 DefaultTime2Wait: 2
 ErrorRecoveryLevel: 0
 FirstBurstLength: 128
 ImmediateData: true
 InitialR2T: false
 MaxBurstLength: 512
 MaxConnections: 1
 MaxOutstandingR2T: 1
 TSIH: 0

Finally, you can view the network settings/vmk used by iSCSI on the host by running:

# esxcli iscsi networkportal list
vmhba35
 Adapter: vmhba35
 Vmknic: vmk2
 MAC Address: 5c:f3:fc:4d:e7:24
 MAC Address Valid: true
 IPv4: 192.168.3.104
 IPv4 Subnet Mask: 255.255.255.0
 IPv6: 
 MTU: 9000
 Vlan Supported: true
 Vlan ID: 0
 Reserved Ports: 63488~65536
 TOE: false
 TSO: true
 TCP Checksum: false
 Link Up: true
 Current Speed: 1000
 Rx Packets: 79643
 Tx Packets: 87410
 NIC Driver: bnx2
 NIC Driver Version: 2.2.1l.v50.1
 NIC Firmware Version: bc 5.2.3 NCSI 2.0.10
 Compliant Status: compliant
 NonCompliant Message: 
 NonCompliant Remedy: 
 Vswitch: vSwitch0
 PortGroup: iSCSI
 VswitchUuid: 
 PortGroupKey: 
 PortKey: 
 Duplex: 
 Path Status: unused

# esxcli network firewall get

Default Action: DROP
 Enabled: true
 Loaded: true

After making changes, backup and regenerate system configuration:

# /sbin/auto-backup.sh
--- /etc/vmware/esx.conf
+++ /tmp/auto-backup.4408027//etc/vmware/esx.conf
@@ -299,6 +299,8 @@
 /firewall/services/vprobeServer/enabled = "false"
 /firewall/services/WOL/allowedall = "true"
 /firewall/services/WOL/enabled = "true"
+/firewall/services/dynamicruleset/allowedall = "true"
+/firewall/services/dynamicruleset/enabled = "true"
 /firewall/services/vMotion/allowedall = "true"
 /firewall/services/vMotion/enabled = "true"
 /firewall/services/snmp/allowedall = "true"
Saving current state in /bootbank
Clock updated.
Time: 19:16:07 Date: 02/26/2015 UTC

Testing VMkernel network connectivity

# vmkping x.x.x.x

# vmkping -d -s 8972 x.x.x.x

# vmkping -I vmkX x.x.x.x

# esxcfg-nics -l

Name    PCI           Driver      Link Speed     Duplex MAC Address       MTU    Description
vmnic0  0000:02:00.00 e1000       Up   1000Mbps  Full   00:50:56:17:0a:60 9000   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
vmnic1  0000:02:01.00 e1000       Up   1000Mbps  Full   00:50:56:17:0a:65 9000   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)

esxcfg-vmknic -l

# esxcfg-vmknic -l

Interface  Port Group/DVPort   IP Family IP Address                    Netmask         Broadcast   MAC Address          MTU     TSO     MSS       Enabled Type
vmk1       iSCSI  IPv4      10.10.10.10                                255.255.255.0   10.10.10.255 00:50:56:XX:XX:64    9000    65535     true    STATIC

# vmkping 10.0.0.1
PING server(10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=10.245 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.935 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.926 ms
--- server ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.926/4.035/10.245 ms

# vmkping 10.0.0.2
PING server (10.0.0.2) 56(84) bytes of data.
--- server ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 3017ms

Notes:

• If you see intermittent ping success, this might indicate you have incompatible NICs teamed on the VMotion port. Either team compatible NICs or set one of the NICs to standby.
• If you do not see a response when pinging by the hostname of the server, initiate a ping to the IP address. Initiating a ping to the IP address allows you to determine if the problem is a result of an issue with hostname resolution. If you are testing connectivity to another VMkernel port on another server remember to use the VMkernel port IP address because the server’s hostname usually resolves to the service console address on the remote server.

In vSphere 5.5 VXLAN has its own vmkernel networking stack therefore ping connectivity testing between two different vmknics on the transport VLAN must be done from the ESXi console with the either of this syntax:

vmkping ++netstack=vxlan <vmknic IP> -d -s <packet size> 

esxcli network diag ping --netstack=vxlan --host <vmknic IP> --df --size=<packet size>

Easy monitoring script for checking ESXi VMware logs:

# cd /var/log
# vi monitorlog.sh

while :
do
  clear
  echo "Current time: date"
  tail -10 vmksummary.log|grep heartbeat|tail -1|awk '{print $2, $3 "     Uptime: "$4 "    Total VMs: "$5}'
  echo  "======================================================="
  echo
  echo "Last 15 lines of : vmkernel.log"
  echo "-------------------------------------------"
  tail -100 vmkernel.log|grep -v " H:0x0 D:0x2 P:0x0 Valid sense data"|tail -15
  echo
  echo "Last 15 lines of : hostd.log"
  echo "-------------------------------------------"
  tail -200 hostd.log|egrep "trivia|info|error"|tail -15
  echo
  echo "Last 5 lines of : vmkwarning.log (Today's date only)"
  echo "-------------------------------------------"
  tail -5 vmkwarning.log|grep date '+%Y-%m-%d'
  echo
  echo "Sleeping 30 sec..."
  sleep 25
  echo "Refreshing in 5 sec..."
  sleep 5
done

./watchlog.sh