Docker in Action, Second Edition you own this product

Jeff Nickoloff and Stephen Kuenzli
Foreword by Bret Fisher

October 2019
ISBN 9781617294761
336 pages

Included with a Manning Online subscription

printed in black & white

available in Simplified Chinese

catalog / Software Development / Cloud / Containerization / Docker

table of content

1 Welcome to Docker

1.1 What is Docker?

1.1.1 “Hello, World”

1.1.2 Containers

1.1.3 Containers are not virtualization

1.1.4 Running software in containers for isolation

1.1.5 Shipping containers

1.2 What problems does Docker solve?

1.2.1 Getting organized

1.2.2 Improving portability

1.2.3 Protecting your computer

1.3 Why is Docker important?

1.4 Where and when to use Docker

1.5 Docker in the Larger Ecosystem

1.6 Getting help with the Docker command line

Summary

Part 1: Process isolation and environment-independent computing

2 Running software in containers

2.1 Controlling containers: building a website monitor

2.1.1 Creating and starting a new container

2.1.2 Running interactive containers

2.1.3 Listing, stopping, restarting, and viewing output of containers

2.2 Solved problems and the PID namespace

2.3 Eliminating metaconflicts: Building a website farm

2.3.1 Flexible container identification

2.3.2 Container state and dependencies

2.4 Building environment-agnostic systems

2.4.1 Read-only file systems

2.4.2 Environment variable injection

2.5 Building durable containers

2.5.1 Automatically restarting containers

2.5.2 PID 1 and init systems

2.6 Cleaning up

Summary

3 Software installation simplified

3.1 Identifying software

3.1.1 What is a named repository?

3.1.2 Using tags

3.2 Finding and installing software

3.2.1 Working with Docker registries from the command line

3.2.2 Using alternative registries

3.2.3 Images as files

3.2.4 Installing from a Dockerfile

3.2.5 Docker Hub from the website

3.3 Installation files and isolation

3.3.1 Image layers in action

3.3.2 Layer relationships

3.3.3 Container file system abstraction and isolation

3.3.4 Benefits of this toolset and file system structure

3.3.5 Weaknesses of union file systems

Summary

4 Working with storage and volumes

4.1 File trees and mount points

4.2 Bind mounts

4.3 In-memory storage

4.4 Docker volumes

4.4.1 Volumes provide container-independent data management

4.4.2 Using volumes with a NoSQL database

4.5 Shared mount points and sharing files

4.5.1 Anonymous volumes and the volumes-from flag

4.6 Cleaning up volumes

4.7 Advanced storage with volume plugins

Summary

5 Single-host networking

5.1 Networking background (for beginners)

5.1.1 Basics: protocols, interfaces, and ports

5.1.2 Bigger picture: networks, NAT, and port forwarding

5.2 Docker container networking

5.2.1 Creating a user-defined bridge network

5.2.2 Exploring a bridge network

5.2.3 Beyond bridge networks

5.3 Special container networks: host and none

5.4 Handling inbound traffic with NodePort publishing

5.5 Container networking caveats and customizations

5.5.1 No firewalls or network policies

5.5.2 Custom DNS configuration

5.5.3 Externalizing network management

Summary

6 Limiting risk with resource controls

6.1 Setting resource allowances

6.1.1 Memory limits

6.1.2 CPU

6.1.3 Access to devices

6.2 Sharing memory

6.2.1 Sharing IPC primitives between containers

6.3 Understanding users

6.3.1 Working with the run-as user

6.3.2 Users and volumes

6.3.3 Introduction to the Linux user namespace and uid remapping

6.4 Adjusting OS feature access with capabilities

6.5 Running a container with full privileges

6.6 Strengthening containers with enhanced tools

6.6.1 Specifying additional security options

6.7 Building use-case-appropriate containers

6.7.1 Applications

6.7.2 High-level system services

6.7.3 Low-level system services

Summary

Part 2: Packaging software for distribution

7 Packaging software in images

7.1 Building Docker images from a container

7.1.1 Packaging Hello World

7.1.2 Preparing packaging for Git

7.1.3 Reviewing file system changes

7.1.4 Committing a new image

7.1.5 Configurable image attributes

7.2 Going deep on Docker images and layers

7.2.1 An exploration of union file systems

7.2.2 Reintroducing images, layers, repositories, and tags

7.2.3 Managing image size and layer limits

7.3 Exporting and importing flat filesystems

7.4 Versioning best practices

Summary

8 Building images automatically with Dockerfiles

8.1 Packaging Git with a Dockerfile

8.2 A Dockerfile primer

8.2.1 Metadata instructions

8.2.2 File system instructions

8.3 Injecting downstream build-time behavior

8.4 Creating maintainable Dockerfiles

8.5 Using startup scripts and multiprocess containers

8.5.1 Environmental preconditions validation

8.5.2 Initialization processes

8.5.3 The Purpose and Use of Health Checks

8.6 Building hardened application images

8.6.1 Content addressable image identifiers

8.6.2 User permissions

8.6.3 SUID and SGID permissions

Summary

9 Public and private software distribution

9.1 Choosing a distribution method

9.1.1 A distribution spectrum

9.1.2 Selection criteria

9.2 Publishing with hosted registries

9.2.1 Publishing with public repositories: Hello World via Docker Hub

9.2.2 Private hosted repositories

9.3 Introducing private registries

9.3.1 Using the registry image

9.3.2 Consuming images from your registry

9.4 Manual image publishing and distribution

9.4.1 A sample distribution infrastructure using the File Transfer Protocol

9.5 Image source-distribution workflows

9.5.1 Distributing a project with Dockerfile on GitHub

Summary

10 Image Pipelines

10.1 Goals of an image build pipeline

10.2 Patterns for building images

10.2.1 All-in-one images

10.2.2 Separate build and runtime images

10.2.3 Create variations of application runtime image using multi-stage builds

10.3 Record metadata at image build time

10.3.1 Orchestrating the build with make

10.4 Testing images in a build pipeline

10.5 Patterns for tagging images

10.5.1 Background

10.5.2 Continuous Delivery with Unique Tags

10.5.3 Configuration image per deployment stage

10.5.4 Semantic Versioning

Summary

Part 3: Higher-level abstractions and orchestration

11 Services with Docker and Compose

11.1 A Service “Hello, World!”

11.1.1 Automated resurrection and replication

11.1.2 Automated Rollout

11.1.3 Service health and rollback

11.2 Declarative Service Environments with Compose V3

11.2.1 A YAML Primer

11.2.2 Collections of Services with Compose V3

11.3 Stateful services and preserving data

11.4 Load balancing, service discovery, and networks with Compose

Summary

12 First-class configuration abstractions

12.1 Configuration distribution and management

12.2 Separating application and configuration

12.2.1 The Config Resource

12.2.2 Deploy the application

12.2.3 Managing Config Resources Directly

12.3 Secrets—A special kind of configuration

12.3.1 Using Docker Secrets

Summary

13 Orchestrating services on a cluster of Docker hosts with Swarm

13.1 Clustering with Docker Swarm

13.1.1 Introducing Docker Swarm Mode

13.1.2 Deploying a Swarm Cluster

13.2 Deploying an application to a Swarm cluster

13.2.1 Introducing Docker Swarm Cluster Resource Types

13.2.2 Define an Application and its Dependencies Using Docker Services Service

13.2.3 Deploy the Application

13.3 Communicating with services running on a Swarm cluster

13.3.1 Routing Client Requests to Services Using the Swarm Routing Mesh

13.3.2 Overlay Networks

13.3.3 Discovering Services on an Overlay Network

13.3.4 Isolating Service-Service Communication with Overlay Networks

13.3.5 Load Balancing

13.4 Placing service tasks on the cluster

13.4.1 Replicated Services

13.4.2 Constraining Where Tasks Run

13.4.3 Global Services for One Task per Node

13.4.4 Deployment of Real Applications Onto Real Clusters

Summary

Overview

1 Welcome to Docker

Docker is introduced as an open-source tool that standardizes how software is packaged, shipped, and run by using containers. It lowers the cost of adopting best practices—such as isolation, reproducibility, and clean installation/removal—by making them the default. Unlike full virtual machines, containers leverage operating system features for process isolation, enabling faster startup and lower resource usage. The chapter argues Docker’s importance lies in its practical abstraction, broad industry support, and the way it simplifies software management in a cross-platform, open way, bringing app-store-like simplicity to servers and developer workflows.

The chapter explains the core model: images are the shippable units that bundle files and metadata; containers are runtime instances of those images. A simple “hello world” walk-through illustrates how Docker fetches an image from a registry and runs it in an isolated process. Under the hood, Docker relies on Linux namespaces, cgroups, capability drops, and security modules to scope access to processes, filesystems, networks, and resources. This approach mitigates dependency conflicts, improves portability (with Mac and Windows using a lightweight Linux VM), and strengthens security by containing the blast radius of misbehaving or malicious programs. Teams benefit through faster scaling, higher CI/CD fidelity, reproducible test environments, and easier developer onboarding with versioned, shareable setups.

Guidance on where to use Docker emphasizes typical server and desktop workloads—web services, databases, command-line tools, and many user applications—while noting limits: it won’t help programs that require full machine access, and it doesn’t natively run non-Linux desktop apps. Used thoughtfully, containers keep systems clean, simplify fleet management, and support defense-in-depth, though untrusted or privileged workloads still demand caution. The chapter situates Docker within a larger ecosystem that includes registries, plugins, and orchestration platforms like Kubernetes, which runs containers built with Docker but adds operational complexity best handled via managed offerings. It closes by highlighting Docker’s built-in command-line help and reiterating the central payoff: a reusable, reliable abstraction that saves time and reduces risk across the software lifecycle.

What happens after running docker run

Running docker run a second time. Because the image is already installed, Docker can start the new container right away.

A basic computer stack running two programs that were started from the command line

Docker running three containers on a basic Linux computer system

Example programs running inside containers with copies of their dependencies Figure 1.5 Dependency relationships of example programs

Figure 1.5 Dependency relationships of example programs

A close up of text on a white background Description automatically generated

Left: a malicious program with direct access to sensitive resources. Right: a malicious program inside a container.

A picture containing text, map Description automatically generated

Summary

This chapter has been a brief introduction to Docker and the problems it helps system administrators, developers, and other software users solve. In this chapter you learned that:

Docker takes a logistical approach to solving common software problems and simplifies your experience with installing, running, publishing, and removing software. It’s a command-line program, an engine background process, and a set of remote services. It’s integrated with community tools provided by Docker Inc.
The container abstraction is at the core of its logistical approach.
Working with containers instead of software creates a consistent interface and enables the development of more sophisticated tools.
Containers help keep your computers tidy because software inside containers can’t interact with anything outside those containers, and no shared dependencies can be formed.
Because Docker is available and supported on Linux, OS X, and Windows, most software packaged in Docker images can be used on any computer.
Docker doesn’t provide container technology; it hides the complexity of working directly with the container software; and turns best practices into reasonable defaults.
Docker works with the greater container ecosystem; that ecosystem is rich with tooling that solves new and higher-level problems.
If you need help with a command you can always consult the docker help subcommand.

FAQ

What is Docker?

Docker is an open source platform for building, shipping, and running software. It includes a command-line interface, a background engine, and supporting services that use operating system containers to simplify installing, running, updating, and removing applications.

How does the “Hello, World” example work in Docker?

Run docker run dockerinaction/hello_world. Docker checks for the image locally; if missing, it pulls it from Docker Hub, creates a new container, and runs its default command (which prints “hello world”). The container stops when that command exits. Running the same command again reuses the already-downloaded image but creates a new container each time.

What’s the difference between a Docker image and a container (and how are images distributed)?

- Image: a packaged snapshot of files plus metadata (including the default command). It’s the shippable unit you share and pull. - Container: a running (or stopped) instance created from an image. You can start many containers from the same image; their file system changes are isolated from each other. - Distribution: Images are stored and shared via registries and indexes (for example, Docker Hub). docker run will pull from a registry if the image isn’t local.

Are containers the same as virtual machines?

No. Virtual machines virtualize hardware and boot full operating systems, which adds startup time and resource overhead. Containers are an OS feature: processes run directly on the host kernel with isolation. They start quickly and are lightweight. The technologies are complementary—Docker on macOS/Windows typically uses a small VM to host Linux containers, and you can run Docker inside VMs in the cloud.

How does Docker isolate applications?

Docker builds containers using Linux isolation and security features so processes see only the resources you permit. Key features include: - PID namespace: process IDs/capabilities - UTS namespace: host and domain names - MNT namespace: file system view and mounts - IPC namespace: shared memory communication - NET namespace: networks and interfaces - USER namespace: users and IDs - chroot(): file system root location - cgroups: CPU, memory, and I/O limits - Capability drops: restrict privileged operations - Security modules: mandatory access controls (e.g., AppArmor/SELinux)

What problems does Docker solve for developers, operators, and users?

- Dependency conflicts and “it works on my machine” issues via per-app containers - Inconsistent installs and difficult removals by making software packaging declarative and self-contained - Faster scaling: containers start quickly and use fewer resources than VMs - CI/CD: identical images in test and prod improve confidence and speed - Developer onboarding: versioned, reproducible dev environments - Operations: declarative runs, environment-specific configuration, and controlled resource access

When and where should I use Docker?

Use it for most Linux-based server and desktop applications (web servers, databases, proxies, CLI tools, etc.) and for Windows applications on Windows Server. It’s great for local development, CI/CD pipelines, production services, and for distributing software to users with a single, portable dependency.

What are Docker’s limitations and security caveats?

- Docker runs Linux software on most systems; macOS/Windows desktop apps aren’t run natively in Docker. Native Windows apps require Windows Server containers. - Containers aren’t a complete security solution and won’t help software that must run with full machine privileges. - Don’t run untrusted or privileged containers in multi-tenant environments without strong controls.

How can I get help with Docker commands?

Use docker help for top-level syntax and available commands. For detailed usage of a specific command, run docker help <command> (for example, docker help cp).

How does Docker fit into the larger ecosystem (e.g., Kubernetes)?

Docker images and containers are the building blocks many tools rely on. Kubernetes orchestrates containers across clusters and depends on container engines like Docker. You can run the same images locally and in Kubernetes. While Kubernetes is powerful, consider managed offerings to reduce operational overhead; learning Docker fundamentals first makes adopting orchestration smoother.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$39.99 $29.99

you save $10.00 (25%)

include audio $19.99 $14.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$39.99 $29.99

you save $10.00 (25%)

include audio $19.99 $14.99

eBook

pdf, ePub, online

$39.99 $29.99

you save $10.00 (25%)

include audio $19.99 $14.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more