Docker sandbox

Introduction

Dockerfile

FROM => the base image to use while building the image
ADD  => copy files from local into the image
RUN  => execute commands to generate the image; these do not run when the container starts
CMD ["/usr/bin/nmap", "-sn", "172.17.0.0/24"] => default command to run at container startup; if not specified, the container starts and stops immediately

Docker cli

  • docker build . -t myawesomeimage:v1 => build an image from the Dockerfile in the current directory and tag it
  • docker run myawesomeimage:v1 => pull image myawesomeimage:v1, and run a container
  • docker run -d nginx => run a container in the background
  • docker run -it ubuntu:latest /bin/bash => open an interactive shell within the container; ctrl-p, ctrl-q detaches without killing a container started with the -it flags
  • docker inspect container_name => JSON output of all properties of the container
  • docker inspect <container id> --format='{{.NetworkSettings.IPAddress}}' => filter the JSON output of the inspect command to get a specific property
  • docker --help
  • docker start => start a stopped container
  • docker ps -a => show all containers: running, stopped, failed
  • docker rmi => delete/untag images
  • docker rm => remove containers

bash is PID 1 in the Linux container when the container is started with /bin/bash as above

Networking

each container needs an IP!
docker networking is created via drivers

![[docker-nw.png]]

Drivers

The Docker bridge is really a bridge that you should visualize as a physical device, like a network switch. This bridge is connected to the actual physical network and uses NAT. Plugged in to this switch are the virtual Ethernet interfaces (veth); each veth connects to a container's network interface.

overlay

software-defined network, used in Docker Swarm

bridge

default

Usually docker uses 172.17.0.0/16, which falls within the private IP range.

~ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
af439a7244c6   bridge    bridge    local
4b054ec242a6   host      host      local
076b498369ab   none      null      local

~ docker network inspect af439a7244c6 --format='{{json .IPAM.Config}}'
[{"Subnet":"172.17.0.0/16","Gateway":"172.17.0.1"}]

nmap - scan a network, https://github.com/instrumentisto/nmap-docker-image, https://nmap.org/

nmap can also be used to inspect the docker network, and available containers.

~ docker run --rm -it instrumentisto/nmap -sn 172.17.0.0/24     
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-09 20:08 UTC
Nmap scan report for 172.17.0.1
Host is up (0.000058s latency).
MAC Address: 02:42:59:2C:33:19 (Unknown)
Nmap scan report for 172.17.0.2
Host is up (0.000018s latency).
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap scan report for 172.17.0.3
Host is up (0.000046s latency).
MAC Address: 02:42:AC:11:00:03 (Unknown)
Nmap scan report for f1b89c1009ab (172.17.0.4)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 second

host

macvlan

assign a MAC address to a container

none

no networking defined!

Ports

Publish ports by using the -p flag with docker run

Each container gets an IP from the network it is attached to.

Issue: publishing ports as -p 8080:8080 opens them to the world; prefer -p 127.0.0.1:8080:8080

Hosts within the same L2 segment (for example, hosts connected to the same network switch) can reach ports published to localhost. For more information, see moby/moby#45610
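An audit of the binding issue above, as an added example that is not part of the original notes: it reads JSON in the shape printed by docker inspect and flags ports published on every host interface. The sample data and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here (container names and ports are made up).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "NetworkSettings": {"Ports": {
        "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                     {"HostIp": "::", "HostPort": "8080"}]}}},
    {"Name": "/admin", "NetworkSettings": {"Ports": {
        "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9090"}],
        "9000/tcp": None}}},             # exposed in the image, not published
    {"Name": "/db", "NetworkSettings": {"Ports": {
        "5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}}},
])

def classify(host_ip):
    """Return 'all-interfaces', 'loopback' or 'specific' for a HostIp value."""
    if not host_ip:                      # no address given: treated as all interfaces
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:              # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific"

def audit_published_ports(inspect_json):
    """List (container, container_port, host_binding, exposure) per published port."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in sorted(ports.items()):
            for b in bindings or []:     # None means nothing is published
                ip = b.get("HostIp", "")
                binding = f"{ip or '*'}:{b.get('HostPort', '')}"
                findings.append((name, container_port, binding, classify(ip)))
    return findings

def wide_open(findings):
    """Names of containers with at least one port bound on every host interface."""
    return sorted({f[0] for f in findings if f[3] == "all-interfaces"})

if __name__ == "__main__":
    rows = audit_published_ports(SAMPLE_INSPECT)
    for row in rows:
        print(*row, sep="\t")
    print("bound on all interfaces:", ", ".join(wide_open(rows)))
```

To audit a live host, pass the output of docker inspect $(docker ps -q) to audit_published_ports instead of the sample. A "loopback" result is still subject to the same-L2-segment caveat noted above.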

DNS

A container’s hostname defaults to its ID in Docker, but can be overridden with --hostname.

Containers inherit the DNS settings of the host.

Containers in a custom network use Docker's embedded DNS server, which forwards external DNS queries to the DNS servers defined on the host.

Containers DON’T inherit entries defined in /etc/hosts; use the --add-host flag in docker run to specify container-specific host entries.

DNS servers can be specified on a per-container basis using the --dns, --dns-search, --dns-opt flags with docker run.

Storage

bind-mount mechanism

References