
Docker Gotchas

Dan Sosedoff
September 16, 2016


Transcript

  1. Gotchas
     • Docker and UFW don't play nice
     • Containers don't have a persistent IP address
     • Port publishing creates docker-proxy processes
     • Out-of-memory errors can knock down your OS
     • Dangling and untagged images pollute the filesystem
  2. Docker and UFW
     Typical setup:
       $ ufw default deny incoming
       $ ufw allow 22    # SSH
       $ ufw allow 80    # HTTP
       $ ufw allow from 10.0.1.25 to any port 5432
     In a multi-host environment you need to publish ports:
       $ docker run -d -p 5432:5432 postgres:9.5
     Machines that UFW never allowed can still reach the database on the host:
       $ psql -h ip-address mydb
     UFW's rules sit in the INPUT chain, which only sees traffic addressed to the host itself. Docker DNATs the published port to the container address in the nat table and accepts the forwarded packets with its own rules in the FORWARD chain, so the UFW rule restricting port 5432 to 10.0.1.25 is never evaluated.
  3. Docker and UFW
     • Start the docker daemon with --iptables=false. Docker then adds no NAT or FORWARD rules at all, so you also have to write the masquerade rules containers need for outbound traffic yourself.
     • Audit your iptables setup: check the nat table and the FORWARD chain, not just what ufw status reports.
     • Do not publish ports (-p/-P flags) unless you have to. When you must, bind them to a specific address (-p 127.0.0.1:5432:5432) rather than the default 0.0.0.0.
     • Later Docker releases (17.06 and up) add a DOCKER-USER chain that is evaluated before Docker's own FORWARD rules; that is where your restrictions belong if you keep --iptables on.
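The gotcha above is easiest to see in the nat table. The script below is an added example, not part of the deck: it parses `iptables-save` output for the DOCKER chain and lists every DNAT rule that has no destination-address restriction, i.e. every published port that is reachable from any host regardless of UFW. The sample rules are constructed to look like what Docker writes after `-p 5432:5432` and `-p 127.0.0.1:6379:6379`; run it against the live table with `exposed_ports "$(iptables-save -t nat)"` as root.

```shell
#!/bin/sh
# Added example (not from the deck): find Docker published ports that bypass UFW.
# Docker writes DNAT rules into the nat table's DOCKER chain. Packets matching them are
# forwarded to the container and never traverse the INPUT chain where UFW filters, so
# "ufw allow from 10.0.1.25 to any port 5432" does not restrict them.

# Constructed sample of `iptables-save -t nat` after
#   docker run -d -p 5432:5432 postgres:9.5
#   docker run -d -p 127.0.0.1:6379:6379 redis
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
COMMIT'

# Print "proto port -> container:port" for each DNAT rule in the DOCKER chain that carries
# no -d restriction. Such a rule was created by -p host-port:container-port with the default
# host address 0.0.0.0 and is reachable from any source the kernel routes to this host.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            dst = ""; proto = ""; port = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") target = $(i + 1)
            }
            if (dst == "") print proto, port, "->", target
        }'
}

# Live use (root): exposed_ports "$(iptables-save -t nat)"
exposed_ports "$SAMPLE_NAT_RULES"
```

Only the Postgres mapping is reported; the Redis mapping is restricted to 127.0.0.1 by its -d match and is not exposed to other hosts.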
  4. Container IP is not persistent
       $ docker run -d --name=myapp ruby ping google.com
       a3bfaa3be952cb28b8a033d9121f86205d37966e9dd9e464b89c6c0a8d6e4810
       $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
       172.17.0.2
       $ docker stop myapp
       $ docker run -d --name=myapp2 ruby ping facebook.com
       6cc90fc176d9fb2868abd2e998b8830e29a9e6262f81895a48babfd65b77534c
       $ docker start myapp
       $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
       172.17.0.3   # <-- THIS IP CHANGED
       $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp2
       172.17.0.2
     The default bridge hands out addresses first come, first served: myapp2 took 172.17.0.2 while myapp was stopped, so myapp got the next free address when it came back.
  5. Container IP is not persistent
     • Never rely on a container's IP address
     • Create custom (user-defined) Docker networks; they come with built-in DNS for container names
     • Reference containers by name
     • Set a fixed container IP with the --ip flag (only honoured on user-defined networks, not on the default bridge)
  6. Docker network proxy
     Start a container with a published port:
       $ docker run -d -p 5000:5000 myapp
     Check the processes:
       $ ps aux | grep docker-proxy
       docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0.4 -container-port 5000
  7. Docker network proxy
     • Not really an issue, but be aware of it
     • Docker runs one TCP/UDP userland proxy process per published port mapping; it is what makes the port reachable through 127.0.0.1 on the host
     • Each proxy adds overhead (a process and an extra user-space hop for the traffic it handles)
     • Don't publish ports on the host unless needed; the proxies can also be disabled daemon-wide with --userland-proxy=false, which makes Docker rely on iptables hairpin NAT instead
  8. Kernel OOM errors
     By default a container has no memory limit and will use all available memory:
       $ docker run -d my-beefy-rails-app
     Restrict memory usage with flags:
       $ docker run -d \
           --restart=always \
           --memory=512m \
           --memory-swap=512m \
           my-beefy-rails-app
     Mind the units and the swap semantics: a bare --memory=512 means 512 bytes, not megabytes, and the daemon rejects limits below 4 MB. --memory-swap=0 is ignored (treated as unset, which allows as much swap again as --memory); to forbid swap entirely, set --memory-swap equal to --memory.
  9. Kernel OOM errors
     • Always specify memory restrictions
     • Always define a restart policy
     • Use the latest kernel and enable swap
     • Actively monitor container resource usage
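Getting the two memory flags wrong is silent until the OOM killer strikes, so it helps to compute what a flag pair really grants. The script below is an added example, not part of the deck: it applies Docker's documented rules for --memory and --memory-swap (a bare number is bytes; b/k/m/g suffixes are 1024-based; --memory-swap unset or 0 is ignored and allows swap equal to --memory; -1 is unlimited; equal to --memory means no swap; otherwise swap is the difference) and the daemon's 4 MB minimum. The flag values are the ones from the slide plus a few corrected variants; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the deck): work out what --memory / --memory-swap actually give a
# container, using the rules documented for `docker run`:
#   - a bare number is bytes; suffixes b, k, m, g are 1024-based
#   - --memory-swap unset or 0: ignored, the container may use swap equal to --memory
#   - --memory-swap -1: unlimited swap
#   - --memory-swap equal to --memory: no swap at all (overrun goes straight to the OOM killer)
#   - otherwise swap allowance = memory-swap minus memory
# The daemon refuses --memory values below 4 MB (4194304 bytes).

# Convert a Docker memory string such as 512m or 1g to bytes.
mem_bytes() {
    printf '%s\n' "$1" | awk '{
        v = $0; n = v; unit = ""
        if (v ~ /[bBkKmMgG]$/) {
            n = substr(v, 1, length(v) - 1)
            unit = tolower(substr(v, length(v)))
        }
        mult = 1
        if (unit == "k") mult = 1024
        if (unit == "m") mult = 1024 * 1024
        if (unit == "g") mult = 1024 * 1024 * 1024
        printf "%d\n", n * mult
    }'
}

# Swap bytes the container may use, given --memory ($1) and --memory-swap ($2, may be empty).
# Prints "unlimited" for -1.
swap_allowance() {
    mem=$(mem_bytes "$1")
    case "${2:-0}" in
        0)  echo "$mem" ;;                          # ignored: defaults to memory again
        -1) echo unlimited ;;
        *)  total=$(mem_bytes "$2"); echo $((total - mem)) ;;
    esac
}

# One-line verdict for a flag pair, including the daemon's 4 MB minimum check.
describe_limits() {
    mem=$(mem_bytes "$1")
    if [ "$mem" -lt 4194304 ]; then
        echo "rejected: --memory=$1 is $mem bytes, below the 4MB minimum (missing unit suffix?)"
        return
    fi
    echo "memory=$mem bytes swap=$(swap_allowance "$1" "$2")"
}

describe_limits 512 0        # the slide's flags: 512 bytes, refused by the daemon
describe_limits 512m 0       # 0 is ignored: another 512m of swap is allowed
describe_limits 512m 512m    # no swap: the container is OOM-killed at 512m
describe_limits 512m 1g      # 512m of RAM plus 512m of swap
describe_limits 512m -1      # unlimited swap
```

Pair this with a restart policy, as the slide says: once a process is killed at the limit, --restart=always brings the container back instead of leaving the service down.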
  10. Dangling Images
       $ docker images
       REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
       myapp        latest   3cfbce003800   43 hours ago   1.016 GB
       <none>       <none>   58e12b181489   2 days ago     1.016 GB
       <none>       <none>   09c6230a686f   2 days ago     1.024 GB
       <none>       <none>   559efd23e19c   2 days ago     1.024 GB
       <none>       <none>   ec6f4f18c90c   2 days ago     1.035 GB
       <none>       <none>   c50506c9fa32   2 days ago     1.034 GB
       <none>       <none>   dd9429b92f28   3 days ago     1.033 GB
       <none>       <none>   60534a5aa2b6   3 days ago     1.033 GB
       <none>       <none>   46a302aa0da1   3 days ago     1.029 GB
       <none>       <none>   3497cd79d8e0   3 days ago     1.029 GB
       <none>       <none>   b154ef538cb2   3 days ago     1.029 GB
       <none>       <none>   b6a176f9183c   3 days ago     1.027 GB
       # Or list ALL images, including intermediate layers
       $ docker images -a
  11. Dangling Images
       $ docker images -q | xargs docker rmi
       Deleted: sha256:58e12b18148976dda668b1d001745853d4997
       Deleted: sha256:fd0161ef5c76870cd7a2afe8cada44de5474594
       Deleted: sha256:22b96627b93798445d9af6e53bfbc68fde4df14
       Deleted: sha256:03879b4386b3362486fc2fe209433dd7177e16
       Deleted: sha256:09c6230a686f907721bc4bbfe4009c10872253
       Deleted: sha256:088e3f6d5febe3ef82543345aacb12dd7df1ea2
       Error response from daemon: conflict: unable to delete 3cfbce003800 (cannot be forced) - image is being used by running container 9298939fdffd
     Docker won't delete images that are in use, and `docker images -q` lists every image, so this sweep also tries to remove the tagged myapp:latest that the running container needs. Tag your images, and restrict the sweep to untagged ones with the dangling filter:
       $ docker images -q -f dangling=true | xargs docker rmi
     (Docker 1.13 and later also provide docker image prune for the same job.)
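The conflict on the slide comes from feeding every image ID to docker rmi, but a dangling image can be blocked too if a stopped container still references it. The script below is an added example, not part of the deck: it takes a `docker images -a` listing and the image IDs reported by `docker inspect --format '{{.Image}}'` for all containers, and prints only the dangling IDs that no container references. The listing is trimmed from the slide; the container image IDs are constructed (short IDs padded with zeros) so the script runs offline. In live use the dangling part is what `docker images -q -f dangling=true` does; the in-use check is the extra step.

```shell
#!/bin/sh
# Added example (not from the deck): choose which dangling images `docker rmi` can actually
# delete. An image is dangling when both REPOSITORY and TAG are <none>; an image referenced
# by any container, running or stopped, makes `docker rmi` fail with a conflict like the one
# on the slide, so those IDs are dropped from the list.

# Constructed listing, trimmed from the slide (same columns as `docker images -a`).
IMAGES='REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
myapp        latest   3cfbce003800   43 hours ago   1.016 GB
<none>       <none>   58e12b181489   2 days ago     1.016 GB
<none>       <none>   09c6230a686f   2 days ago     1.024 GB
<none>       <none>   559efd23e19c   2 days ago     1.024 GB'

# Constructed output of: docker inspect --format "{{.Image}}" $(docker ps -aq)
# One full image ID per container. Here a running container uses myapp:latest and a stopped
# one still references the dangling image 559efd23e19c (IDs padded with zeros for the example).
IN_USE='sha256:3cfbce0038000000000000000000000000000000000000000000000000000000
sha256:559efd23e19c0000000000000000000000000000000000000000000000000000'

# Print the short IDs of dangling images (<none>/<none>), one per line, skipping the header.
dangling_ids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "<none>" && $2 == "<none>" { print $3 }'
}

# Keep only the IDs ($1, newline separated) that no container references ($2).
# A short ID is a prefix of the full sha256 ID docker inspect reports.
not_in_use() {
    ids=$1; inuse=$2
    printf '%s\n' "$ids" | while read -r id; do
        [ -n "$id" ] || continue
        case "$inuse" in
            *"sha256:$id"*) ;;            # referenced by some container: rmi would conflict
            *) echo "$id" ;;
        esac
    done
}

# Dangling images that are safe to pass to `docker rmi`.
removable_ids() {
    not_in_use "$(dangling_ids "$1")" "$2"
}

# Live use (needs at least one container, or docker inspect errors on an empty list):
#   removable_ids "$(docker images -a)" "$(docker inspect --format '{{.Image}}' $(docker ps -aq))" | xargs docker rmi
removable_ids "$IMAGES" "$IN_USE"
```

On the sample the result is 58e12b181489 and 09c6230a686f: myapp:latest is not dangling, and 559efd23e19c is dangling but still held by a stopped container.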
  12. Bonus!
       #!/bin/bash
       # With no argument remove every container; with one, only those whose
       # `docker ps -a` line matches the pattern (header line excluded).
       if [ $# -eq 0 ]; then
         docker ps -aq | xargs docker rm -f
       else
         docker ps -a | awk -v pat="$1" 'NR > 1 && $0 ~ pat { print $1 }' | xargs docker rm -f
       fi
     Simple script to clean your dev environment. The pattern is quoted and the header line is skipped, so `grep $1` can no longer match the column headings or split on spaces; with GNU xargs, add -r so docker rm is not run when nothing matched.