Manage Docker

1️⃣ Installation & Setup – Deep Dive

✅ Install Docker (CE or EE) on Linux, Windows, or macOS

Docker comes in two editions:

• Community Edition (CE) – Free, for developers and small teams.

• Enterprise Edition (EE) – Paid, with advanced security and support.

📌 Install Docker on Linux

1. Update system packages

   Copy

   sudo apt update && sudo apt upgrade -y  # For Ubuntu/Debian
   sudo yum update -y  # For CentOS/RHEL

2. Install dependencies

   Copy

   sudo apt install -y ca-certificates curl gnupg lsb-release

3. Add Docker’s official GPG key

   Copy

   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

4. Set up Docker repository

   Copy

   echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

5. Install Docker Engine

   Copy

   sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io

6. Verify installation

   Copy

   docker --version
   docker info

📌 Install Docker on Windows

1. Download and install Docker Desktop from Docker’s official site.

2. Enable WSL 2 backend (Recommended for Windows 10/11).

3. Run Docker Desktop and verify using:

   Copy

   docker --version

📌 Install Docker on macOS

1. Install Docker Desktop via Homebrew:

   Copy

   brew install --cask docker

2. Start Docker Desktop and verify with:

   Copy

   docker --version

The Docker daemon (dockerd) is the background service managing containers.

📌 Key Configuration Options

• Storage driver (overlay2, aufs, etc.)

• Logging driver (json-file, syslog, etc.)

• Registry mirrors (to speed up image pulls)

• IP binding for remote API

Example /etc/docker/daemon.json:

jsonCopyEdit{
  "storage-driver": "overlay2",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "bip": "192.168.1.1/24",
  "dns": ["8.8.8.8", "8.8.4.4"]
}

📌 Restart Docker after changes:

bashCopyEditsudo systemctl restart docker

📌 Log in to Docker Hub (or private registry)

bashCopyEditdocker login

For private registry:

bashCopyEditdocker login myregistry.com

📌 Manage multiple Docker contexts

Useful for switching between local, remote, or Kubernetes-based Docker environments.

bashCopyEditdocker context create myremote --docker "host=ssh://user@remote-host"
docker context use myremote
docker context ls  # List all contexts

Ensure Docker starts automatically on system reboot.

📌 On Linux (systemd)

bashCopyEditsudo systemctl enable docker
sudo systemctl start docker

📌 On Windows/macOS

Docker Desktop starts automatically unless disabled in settings.

📌 Basic container run

• -d → Runs container in detached mode (background).

• --name → Assigns a custom name to the container.

• nginx → The image name used to create the container.

📌 Run with Port Mapping

• -p 8080:80 → Maps host port 8080 to container port 80.

📌 Run with Environment Variables

• -e → Sets environment variables inside the container.

📌 Run with Volume Mounting

• -v /host/data:/container/data → Maps host directory /host/data to /container/data inside the container.

📌 Run with Resource Limits

• --memory=512m → Limits container to 512MB RAM.

• --cpus=1 → Limits container to 1 CPU core.

List all running containers

• Shows active containers only.

📌 List all containers (including stopped ones)

• Includes both running and exited containers.

📌 Show only container IDs

• Useful for scripting (e.g., bulk operations).

📌 Filter containers by status

• Lists only stopped containers.

📌 Filter by name or image

• First filters by container name, second by image name.

Start a stopped container

• Resumes a previously stopped container.

📌 Stop a running container

• Gracefully stops the container by sending a SIGTERM signal.

📌 Force-stop a container

• Immediately stops the container using SIGKILL.

📌 Restart a container

• Equivalent to docker stop + docker start.

📌 Remove a container

• Removes a stopped container.

📌 Force remove a running container

• Stops and deletes the container in one command.

📌 Remove multiple containers

• Removes all stopped containers.

Open an interactive shell inside a container

• -it → Enables interactive mode for running a shell session.

• Only works if the container has bash installed.

📌 For Alpine-based containers (no bash)

• Alpine Linux uses sh instead of bash.

📌 Run a single command inside a container

• Runs ls /var/www inside myapp and prints the output.

📌 Run as a different user inside the container

• -u root → Executes commands as the root user inside the container.

View logs for a container

• Shows stdout/stderr output from the container.

📌 Follow real-time logs

• -f → Keeps following logs in real-time (useful for debugging).

📌 Show last 50 log lines

• Helps in filtering recent log output.

📌 Filter logs by timestamps

• Shows logs from the last 30 minutes only.

📌 Combine filters

• Shows last 100 logs from the past 1 hour while continuously following logs.

Get all metadata for a container

• Returns detailed JSON output of container properties.

📌 Filter specific information

• Extracts the IP address of the container.

📌 Get the container's mount points

• Shows mounted volumes inside the container.

📌 View container’s environment variables

• Displays all environment variables set inside the container.

📌 Get container state (Running, Stopped, etc.)

• Returns the current state of the container.

Restart Policies in Docker:

• no → Container doesn’t restart automatically (default).

• always → Container restarts regardless of the exit code.

• on-failure → Container restarts only if it exits with a non-zero status.

• unless-stopped → Container restarts unless manually stopped.

docker run -d --restart=always nginx

3️⃣ Image Management – Deep Dive

Efficient image management ensures optimized storage, security, and faster deployments. Let’s break down each aspect in detail.

✅ Pull Images from Docker Hub

📌 Pull the latest version of an image

• By default, pulls the latest tag of the image from Docker Hub.

📌 Pull a specific version of an image

• Downloads a specific version (1.25.0) of the image.

📌 Pull an image from a private registry

• Requires authentication if the registry is private.

📌 Check the progress of an image pull

• Displays detailed layer-wise download progress.

📌 Pull multiple images at once

• Useful for preparing dependencies in advance.

✅ List Available Images

📌 Show all locally stored images

• Displays a table with REPOSITORY, TAG, IMAGE ID, CREATED, and SIZE.

📌 Show images with digests (for immutable reference)

• Displays SHA256 digests for each image version.

📌 List images from a specific repository

• Filters results for nginx images only.

📌 List only image IDs

• Useful when scripting (docker rmi $(docker images -q)).

📌 Filter images based on age

• Helps clean up older images efficiently.

✅ Build Custom Images

📌 Basic image build

• Builds an image using the Dockerfile in the current directory.

📌 Build with a custom Dockerfile

• Uses Dockerfile.dev instead of the default Dockerfile.

📌 Build with a specific build context

• Context is set to ../app-directory.

📌 Multi-stage build to reduce image size

• Uses two stages to reduce final image size.

📌 Use BuildKit for faster and efficient builds

• Enables parallel builds, caching, and smaller images.

✅ Remove Unused Images

📌 Remove a specific image by ID

• Deletes the image only if no container is using it.

📌 Force remove an image

• Forces removal even if the image is in use.

📌 Remove multiple images

• Removes all images.

📌 Remove all dangling (untagged) images

• Deletes orphaned images that are not referenced by containers.

📌 Remove all unused images (safe cleanup)

• Cleans up all unused images, even if they have tags.

✅ Tag Images

📌 Tag a local image

• Tags the local myapp:latest as myrepo/myapp:v1.

📌 Tag an image with multiple names

• Helps in versioning and tracking image updates.

📌 List all image tags for a repository

• Shows all available tags for myrepo/myapp.

✅ Push Images to a Registry

📌 Log in to Docker Hub or a private registry

• Authenticates for pushing images.

📌 Push an image to Docker Hub

• Pushes the image myrepo/myapp:v1 to Docker Hub.

📌 Push to a private registry

• Requires authentication for private registries.

📌 Push multiple tags at once

• Pushes all available tags (v1, v2, latest) of myrepo/myapp.

📌 Enable content trust for verified image pushes

• Ensures cryptographic signing of pushed images.

🔹 Best Practices for Image Management

✅ Keep Images Minimal

• Use Alpine-based images when possible (e.g., node:18-alpine).

• Multi-stage builds help reduce image size.

✅ Always Pin Image Versions

• Instead of nginx:latest, use nginx:1.25.0 to prevent unexpected changes.

✅ Enable Build Caching

• Order Dockerfile layers efficiently to reuse cached steps.

✅ Use Private Registries for Security

• Consider Amazon ECR, Google GCR, or Harbor for storing internal images.

✅ Regularly Clean Up Unused Images

• Set up docker image prune -a as a scheduled job.

This covers Image Management in-depth. 🚀 Let me know the next section to continue!

4️⃣ Network Management – Deep Dive

Networking in Docker is essential for communication between containers, hosts, and external systems. Here’s a detailed breakdown of each step.

✅ List Networks

📌 Show all available networks

• Displays network name, ID, driver, and scope.

• By default, Docker creates three networks:

  • bridge (default network for standalone containers)

  • host (directly uses host networking)

  • none (isolated containers)

📌 List only custom networks

• Filters networks based on the driver type.

📌 Get detailed network info

• Shows connected containers, IP ranges, and subnet info.

✅ Create a Custom Network

📌 Create a new bridge network

• Creates a custom bridge network named mynet.

• Containers within this network can communicate without exposing ports.

📌 Create a network with a specific subnet

• Assigns a custom subnet for precise control over IP allocation.

📌 Create an overlay network for Swarm mode

• Used for multi-host communication in a Docker Swarm cluster.

📌 Create a macvlan network for direct host communication

• Allows containers to have direct IP addresses on the host network.

✅ Attach a Container to a Network

📌 Connect an existing container to a network

• Attaches the app container to mynet, allowing communication.

📌 Attach a container to multiple networks

• Useful when connecting to different services securely.

📌 Start a container in a specific network

• Ensures the container starts inside the network from the beginning.

✅ Inspect Network Details

📌 Get full details of a network

• Displays subnet info, IP range, connected containers, and driver details.

📌 Get only the IP address of a container in a network

• Useful for service discovery within Docker.

📌 Check the network of a running container

• Quickly finds the associated network of a container.

✅ Disconnect/Remove a Network

📌 Disconnect a container from a network

• Removes the app container from mynet.

📌 Remove a custom network

• Networks cannot be removed if containers are still connected.

📌 Force remove a network

• Disconnects all attached containers before deletion.

📌 Remove all unused networks

• Deletes all networks not in use by containers.

✅ Expose Container Ports

📌 Run a container with port mapping

• Maps port 8080 on the host to port 80 inside the container.

📌 Expose multiple ports

• Allows external traffic on both HTTP (80) and HTTPS (443).

📌 Expose a container only on localhost

• Binds 8080 only to localhost, making it inaccessible externally.

📌 Expose a dynamic port

• Automatically assigns random high ports for all exposed container ports.

📌 Check which ports are mapped

• Displays host-to-container port mappings.

🔹 Best Practices for Network Management

✅ Use Custom Networks for Security

• Always create separate networks for frontend, backend, and database services.

✅ Limit External Exposure

• Only expose necessary ports and bind them to localhost when possible.

✅ Prefer Internal Networking Over Port Mapping

• Containers in the same custom network can communicate without exposed ports.

✅ Regularly Prune Unused Networks

• Prevents unnecessary clutter and improves efficiency.

✅ Monitor Network Traffic

• Use docker stats or external tools like cAdvisor and Prometheus for traffic analysis.

This covers Network Management in depth. 🚀 Let me know the next section to continue!

5️⃣ Security & Access Control – Deep Dive

Security is a critical aspect of containerized applications. This section covers various best practices and configurations to enhance container security.

✅ Run Containers as Non-Root

📌 Run a container with a specific user ID (UID)

• Prevents running containers as root, reducing the risk of privilege escalation.

• The user must exist inside the container or be mapped correctly.

📌 Run as a named user

• The myuser must be defined inside the container’s /etc/passwd.

📌 Modify Dockerfile to run as a non-root user

• Ensures that the container runs with least privileges by default.

✅ Limit Container Permissions

📌 Run a container in read-only mode

• Prevents modifications to the root filesystem, improving security.

📌 Allow specific writable directories in read-only mode

• Only /app/data is writable while the rest remains read-only.

📌 Disable new privileges inside a container

• Prevents privilege escalation from processes inside the container.

📌 Drop unnecessary Linux capabilities

• Removes all Linux capabilities, ensuring minimal privileges.

📌 Allow only specific capabilities

• Allows only binding to privileged ports (below 1024).

✅ Use Secrets Management

📌 Create a Docker secret (Docker Swarm required)

• Stores sensitive data securely inside Docker Swarm.

📌 List all secrets

• Displays available secrets and their IDs.

📌 Use a secret inside a service

• Mounts the mysecret inside /run/secrets/mysecret.

📌 Inspect a secret (metadata only)

• Does not expose the secret value.

📌 Remove a secret

• Deletes the secret from Swarm.

📌 Alternative: Use environment variables for secrets

• Less secure but can be used in non-Swarm environments.

✅ Scan Images for Vulnerabilities

📌 Scan an image for known vulnerabilities

• Uses Snyk to identify security flaws in the image.

📌 Scan using Trivy (alternative to Docker Scan)

• Provides a detailed report of vulnerabilities in installed packages.

📌 Enable automatic scanning in Docker Hub

• Docker Hub can automatically scan images on push (requires a Pro/Team plan).

📌 Check for outdated base images

• Helps identify base image vulnerabilities.

✅ Enable User Namespace Remapping

📌 Edit Docker daemon configuration

Add:

• Maps container users to non-root users on the host, preventing privilege escalation.

📌 Restart Docker to apply changes

• Ensures the new settings take effect.

📌 Verify remapping

• Confirms that user namespace remapping is enabled.

✅ Restrict Access with RBAC (Docker Enterprise)

📌 Enable Role-Based Access Control (RBAC)

• Available in Docker Enterprise for fine-grained access control.

📌 Assign users to roles

• Grants read-only access to john.

📌 Restrict access to certain nodes/services

• Ensures only developers can modify myservice.

📌 Use Docker Content Trust (DCT) for image signing

• Ensures only trusted images are deployed.

📌 Audit user actions

• Monitors actions performed by different users on the Docker system.

🔹 Best Practices for Container Security

✅ Always run containers as non-root users ✅ Use read-only filesystems when possible ✅ Regularly scan images for vulnerabilities ✅ Rotate secrets and use secure storage (Docker Secrets, Vault, AWS KMS, etc.) ✅ Limit network access with firewalls and custom networks ✅ Keep Docker updated to the latest stable release

This completes the Security & Access Control section. 🚀 Let me know the next section to continue!