
Docker Gotchas

Dan Sosedoff
September 16, 2016

Transcript

  1. Docker Gotchas
    Dan Sosedoff
    Doejo
    github/twitter: @sosedoff

  2. Gotchas
    • Docker and UFW don't play nice
    • Containers don't have a persistent IP address
    • Port publishing creates docker-proxy processes
    • Out-of-memory errors can knock down your OS
    • Dangling and untagged images pollute the filesystem

  3. Docker and UFW
    Typical setup:
    $ ufw default deny incoming
    $ ufw allow 22 # SSH
    $ ufw allow 80 # HTTP
    $ ufw allow from 10.0.1.25 to any port 5432
    In a multi-host environment you need to publish ports:
    $ docker run -d -p 5432:5432 postgres:9.5
    You can still access the host from unrestricted machines, because Docker adds its own iptables rules that UFW does not manage:
    $ psql -h ip-address mydb

  4. Docker and UFW
    • Start the docker daemon with "--iptables=false"
    • Audit your iptables setup
    • Do not publish ports (-p/-P flag) unless you have to.

  5. Container IP is not persistent
    $ docker run -d --name=myapp ruby ping google.com
    a3bfaa3be952cb28b8a033d9121f86205d37966e9dd9e464b89c6c0a8d6e4810
    $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
    172.17.0.2
    $ docker stop myapp
    $ docker run -d --name=myapp2 ruby ping facebook.com
    6cc90fc176d9fb2868abd2e998b8830e29a9e6262f81895a48babfd65b77534c
    $ docker start myapp
    $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
    172.17.0.3 # <-- THIS IP CHANGED
    $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp2
    172.17.0.2

  6. Container IP is not persistent
    • Never rely on the container IP address
    • Create custom Docker networks
    • Reference containers by name
    • Set the container IP with the "--ip" flag

  7. Docker network proxy
    Start a container with a published port:
    $ docker run -d -p 5000:5000 myapp
    Check out the processes:
    $ ps aux | grep docker-proxy
    docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0.4 -container-port 5000

  8. Docker network proxy
    • Not really an issue. Be aware.
    • Runs a TCP/UDP proxy process per published port
    • Adds extra overhead
    • Don't publish ports on the host unless needed

  9. Kernel OOM errors
    By default, Docker containers will use all available memory:
    $ docker run -d my-beefy-rails-app
    Restrict memory usage with flags:
    $ docker run -d \
      --restart=always \
      --memory=512m \
      --memory-swap=0 \
      my-beefy-rails-app
    # --memory takes a unit suffix; a bare 512 is read as bytes, which is below Docker's minimum.
    # Docker treats --memory-swap=0 as unset, so the container may still use swap up to the --memory value.

  10. Kernel OOM errors
    • Always specify memory restrictions
    • Always define restart policy
    • Use latest kernel, enable swap
    • Actively monitor container resource usage
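An added audit script, not from the deck, that checks containers for the gotchas of slides 3/4 and 9/10: ports published on every interface (where Docker's own iptables rules bypass UFW), and containers running without a memory limit or restart policy. It reads `docker inspect` JSON; the sample below is constructed, and the field names used are those of the real inspect output.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used
# here; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/db",
        "HostConfig": {
            "Memory": 0,
            "RestartPolicy": {"Name": ""},
            "PortBindings": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]},
        },
    },
    {
        "Name": "/web",
        "HostConfig": {
            "Memory": 536870912,
            "RestartPolicy": {"Name": "always"},
            "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
        },
    },
])

# Empty, 0.0.0.0 or :: as HostIp means "publish on all interfaces".
WILDCARD_HOST_IPS = ("", "0.0.0.0", "::")


def audit_containers(inspect_json):
    """Return {container name: [findings]} for the gotchas in the deck."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        hc = container.get("HostConfig") or {}
        issues = []
        for port, bindings in (hc.get("PortBindings") or {}).items():
            for binding in bindings or []:
                if binding.get("HostIp") in WILDCARD_HOST_IPS:
                    issues.append(f"{port} published on all interfaces "
                                  f"(host port {binding.get('HostPort')}); UFW rules do not apply")
        if not hc.get("Memory"):            # 0 means no limit
            issues.append("no memory limit (--memory)")
        if not (hc.get("RestartPolicy") or {}).get("Name"):
            issues.append("no restart policy (--restart)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(name + ":", *("\n  - " + i for i in issues))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.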

  11. Dangling Images
    $ docker images
    REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
    myapp        latest   3cfbce003800   43 hours ago   1.016 GB
    <none>       <none>   58e12b181489   2 days ago     1.016 GB
    <none>       <none>   09c6230a686f   2 days ago     1.024 GB
    <none>       <none>   559efd23e19c   2 days ago     1.024 GB
    <none>       <none>   ec6f4f18c90c   2 days ago     1.035 GB
    <none>       <none>   c50506c9fa32   2 days ago     1.034 GB
    <none>       <none>   dd9429b92f28   3 days ago     1.033 GB
    <none>       <none>   60534a5aa2b6   3 days ago     1.033 GB
    <none>       <none>   46a302aa0da1   3 days ago     1.029 GB
    <none>       <none>   3497cd79d8e0   3 days ago     1.029 GB
    <none>       <none>   b154ef538cb2   3 days ago     1.029 GB
    <none>       <none>   b6a176f9183c   3 days ago     1.027 GB
    # Or list ALL images
    $ docker images -a

  12. Dangling Images
    $ docker images -q | xargs docker rmi
    Deleted: sha256:58e12b18148976dda668b1d001745853d4997
    Deleted: sha256:fd0161ef5c76870cd7a2afe8cada44de5474594
    Deleted: sha256:22b96627b93798445d9af6e53bfbc68fde4df14
    Deleted: sha256:03879b4386b3362486fc2fe209433dd7177e16
    Deleted: sha256:09c6230a686f907721bc4bbfe4009c10872253
    Deleted: sha256:088e3f6d5febe3ef82543345aacb12dd7df1ea2
    Error response from daemon: conflict: unable to delete 3cfbce003800
    (cannot be forced) - image is being used by running container 9298939fdffd
    Docker won’t delete images that are being used.
    Tag your images.

  13. Bonus!
    #!/bin/bash
    # Remove all containers, or only those whose `docker ps -a` line matches $1
    if [ $# -eq 0 ] ; then
      docker ps -aq | xargs docker rm -f
    else
      docker ps -a | grep "$1" | awk '{print $1}' | xargs docker rm -f
    fi

    Simple script to clean your dev environment

  14. Thanks!
    Dan Sosedoff
    Doejo
    github/twitter: @sosedoff