Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shipping Manifests, Bill of Lading and Docker - Metadata and Container

Shipping Manifests, Bill of Lading and Docker - Metadata and Container

Talk from #dockercon EU in Barcelona, all about Docker labels and building higher level tools on top of metadata

Gareth Rushgrove

November 16, 2015

More Decks by Gareth Rushgrove

Other Decks in Technology


  1. Shipping Manifests, Bill of Lading and Docker Metadata and Container

    Gareth Rushgrove Senior Software Engineer, Puppet Labs
  2. A manifest or ship's manifest is a document listing the

    cargo, passengers, and crew of a ship, aircraft, or vehicle, for the use of customs and other officials.
  3. A bill of lading is a document issued by a

    carrier which details a shipment of merchandise and gives title of that shipment to a specified party.
  4. —State of the Software Supply Chain 2015 A once safe

    component may be found to be vulnerable at any time” “
  5. Provide information about the host $ docker daemon \ --label

    com.example.environment="production" \ --label com.example.storage="ssd"
  6. Labels to guide Swarm scheduling $ docker run -d -P

    \ -e constraint:storage==ssd --name db mysql
  7. Don’t do this - new layer per label LABEL vendor=ACME\

    Incorporated LABEL com.example.version.is-beta LABEL com.example.version="0.0.1-beta" LABEL com.example.release-date="2015-02-12"
  8. Better - only one layer LABEL vendor="ACME\ Incorporated" \ com.example.is-beta

    \ com.example.version="0.0.1-beta" \ com.example.release-date="2015-02-12"
  9. $ docker inspect 4fa6e0f0c678 ... "Labels": { "vendor": "ACME Incorporated",

    "com.example.is-beta": "", "com.example.version": "0.0.1-beta", "com.example.release-date": "2015-02-12" } ... Access labels via inspect
  10. Add labels at docker run time $ docker run \

    -d \ --label com.example.group="webservers" \ --label com.example.environment="production" \ busybox \ top
  11. Summary: A CD player app that rocks! Name: cdplayer Version:

    1.0 Release: 1 Copyright: GPL Group: Applications/Sound Source: ftp://ftp.gnomovision.com/pub/cdplayer/cdplayer URL: http://www.gnomovision.com/cdplayer/cdplayer.html Distribution: WSS Linux Vendor: White Socks Software, Inc. Packager: Santa Claus <[email protected]> %description It slices! It dices! It's a CD player app that can't be beat. By using the resonant frequency of the CD itself, it is able to simulate 20X Example RPM spec file
  12. $ dpkg -L lynx /. /usr /usr/share /usr/share/doc /usr/share/doc/lynx /usr/share/doc/lynx/copyright

    /usr/share/doc/lynx/changelog.gz /usr/share/doc/lynx/changelog.Debian.gz List files from package
  13. $ apticron The following packages are currently pending an upgrade:

    xfree86-common 4.3.0.dfsg.1-14sarge3 libice6 4.3.0.dfsg.1-14sarge3 libsm6 4.3.0.dfsg.1-14sarge3 xlibs-data 4.3.0.dfsg.1-14sarge3 libx11-6 4.3.0.dfsg.1-14sarge3 libxext6 4.3.0.dfsg.1-14sarge3 libxpm4 4.3.0.dfsg.1-14sarge3 Find outdated packages
  14. All (third-party) tools should prefix their keys with the reverse

    DNS notation of a domain controlled by the author. For example, com.example.some-label. 1
  15. Check against Docker guidelines $ dli lint ========> Check all

    labels have namespaces [WARN] Label 'vendor' should use a namespace based on reverse DNS notation ========> Check labels don't use reserved namespaces ========> Check labels only use valid characters ========> Check labels start and end with alpanumeric characters ========> Check labels for double dots and dashes
  16. $ dli validate ========> Check labels based on schema in

    'schema.json' [ERROR] u'com.example.is-beta' is a required property Check against a schema
  17. { "title": "Dockerfile schema", "type": "object", "properties": { "com.example.release-date": {

    "type": "string" }, "com.example.is-beta": { "type": "string" }, "com.example.version": { "description": "Version", "type": "integer", "minimum": 0 } }, "required": ["com.example.is-beta", "com.example.version"] } Define labels in JSON schema
  18. Discover out API $ docker inspect -f "{{json .Config.Labels }}"

    \ garethr/alpine \ | jq { "net.morethanseven.dockerfile": "/Dockerfile", "net.morethanseven.exec.packages": "apk info -vv" }
  19. Read the Dockerfile $ docker run -i -t garethr/alpine cat

    /Dockerfile FROM alpine LABEL net.morethanseven.dockerfile="/Dockerfile" \ net.morethanseven.exec.packages="apk info -vv" RUN apk add --update bash && rm -rf /var/cache/apk/* COPY Dockerfile /
  20. $ docker run -i -t garethr/alpine apk info -vv musl-1.1.11-r2

    - the musl c library (libc) implementati busybox-1.23.2-r0 - Size optimized toolbox of many comm alpine-baselayout-2.3.2-r0 - Alpine base dir structure openrc-0.15.1-r3 - OpenRC manages the services, startup alpine-conf-3.2.1-r6 - Alpine configuration management List installed packages