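#!/usr/bin/env bash
# Container-internals walkthrough: Docker basics first, then the same
# isolation primitives (chroot, namespaces, cgroups, capabilities, seccomp)
# driven by hand.
#
# Usage: read and run one section at a time, as root, on a disposable VM,
# never on a shared host. Most steps open an interactive shell, and the
# "containers from scratch" steps mount filesystems and edit cgroups on the
# host. There is deliberately no `set -e`: this file is meant to be pasted
# section by section, not executed top to bottom. `${TARGET_PID:?...}` below
# is a placeholder you must fill in first.

###############################################################################
# 1. A first container
###############################################################################
docker run -d -it centos:7 sh

###############################################################################
# 2. Build and run an image (Dockerfile and index.html written via here-docs)
###############################################################################
cat > Dockerfile <<'EOF'
FROM ubuntu:14.04
RUN apt-get update && \
    apt-get -y install apache2
ADD index.html /var/www/html/index.html
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
EOF

cat > index.html <<'EOF'
Docker Rocks!
EOF

docker build -t apache2 .
# -p 80:80 publishes on every host interface. Docker installs its own
# iptables rules for published ports, so filters in the host INPUT chain
# may not apply to this traffic -- check the DOCKER chain when auditing.
web_cid=$(docker run -d -p 80:80 apache2)
curl localhost:80
docker pause "$web_cid"
docker unpause "$web_cid"

# Port mapping is implemented internally with iptables NAT rules.
iptables -t nat -L

###############################################################################
# 3. Container linking (legacy) and networking
###############################################################################
# --link is the legacy mechanism; user-defined networks (below) supersede it.
docker run -d --name db training/postgres
docker run -d -P --name web --link db:db training/webapp python app.py

docker network ls
# --network=host puts the container in the host's network namespace: there is
# no network isolation at all, it can bind host ports and see host traffic.
docker run -it --network=host centos:7 sh
docker network create mynet
docker network inspect mynet
docker run -it --network=mynet centos:7 sh

###############################################################################
# 4. Volume management
###############################################################################
# A bind mount gives the container read-write access to the host path;
# append :ro to the mapping when the container only needs to read it.
docker run -v /root/data:/volume1 -it alpine sh
docker run -it -v /data --name container1 busybox
# --volumes-from shares container1's volumes, with container1's permissions.
docker run -it --volumes-from container1 --name container2 busybox
docker volume ls

###############################################################################
# 5. Control groups (resource limits)
###############################################################################
docker run -itd --kernel-memory 50M --cpus=".5" --blkio-weight 400 centos:7 sh

###############################################################################
# 6. Linux capabilities
###############################################################################
capsh --print
# Dropping CAP_NET_RAW removes raw-socket use inside the container
# (e.g. ping stops working); drop what the workload does not need.
docker run -it --cap-drop=net_raw centos:7 sh

###############################################################################
# 7. Seccomp
###############################################################################
docker run -it busybox sh

# Denylist-style profile: allow every syscall, make chmod fail with an errno.
# This is the inverse of Docker's default profile, which denies by default and
# allows a fixed list, so an allow-by-default custom profile is weaker than
# the default, not stronger.
cat > profile.json <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
# Older Docker releases accepted "seccomp:./profile.json"; current ones use "=".
docker run -it --security-opt seccomp=./profile.json busybox sh
# Docker's default seccomp profile:
#   https://github.com/docker/docker/blob/master/profiles/seccomp/default.json

###############################################################################
# 8. Containers from scratch
###############################################################################
# 8.1 Get a root filesystem (rootfs) out of an image.
rootfs_cid=$(docker run -itd centos:7 sh)
docker export "$rootfs_cid" > centos7.tar
mkdir rootfs
tar -C rootfs/ -xf centos7.tar

# 8.2 chroot. chroot only changes the root directory; on its own it is not a
# security boundary (a root process can still leave it), which is why the
# namespace, cgroup and capability steps below are needed on top of it.
chroot rootfs /bin/bash
mount -t proc proc /proc   # inside the chroot; this is still the host's PID view
ps -ef                     # every host process is visible
ls
/usr/bin/python -c 'print "Hello, container world!"'
exit

# 8.3 Run an application inside the chroot.
chroot rootfs python -m SimpleHTTPServer

# 8.4 New PID namespace plus chroot: ps now sees only this namespace.
unshare -p -f --mount-proc="$PWD/rootfs/proc" \
  chroot rootfs /bin/bash

# 8.5 Enter an existing namespace (do this on a VM, not in the browser-based
# "play with docker"). TARGET_PID is the host PID of the shell started in 8.4.
nsenter --pid="/proc/${TARGET_PID:?set to the host pid of the unshared shell}/ns/pid" \
  unshare -f --mount-proc="$PWD/rootfs/proc" \
  chroot rootfs /bin/bash

# 8.6 chroot with a read-only bind mount. (Older util-linux ignored -o ro on
# a bind mount and needed a separate `mount -o remount,ro,bind`; current
# versions do the remount for you.)
mkdir readonlyfiles
echo "hello" > readonlyfiles/hi.txt
mkdir -p rootfs/var/readonlyfiles
mount --bind -o ro "$PWD/readonlyfiles" "$PWD/rootfs/var/readonlyfiles"
chroot rootfs /bin/bash
cat /var/readonlyfiles/hi.txt
echo "bye" > /var/readonlyfiles/hi.txt   # expected to fail: read-only file system
exit

# 8.7 cgroups (cgroup v1 memory controller; on a cgroup v2 host the paths
# and file names differ, e.g. memory.max under a single /sys/fs/cgroup tree).
mkdir /sys/fs/cgroup/memory/demo
ls /sys/fs/cgroup/memory/demo/
echo "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes
echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness
echo $$ > /sys/fs/cgroup/memory/demo/tasks   # move this shell into the group

# Memory-hungry program (Python 2 syntax, matching the centos:7 rootfs).
cat > hungry.py <<'EOF'
f = open("/dev/urandom", "r")
data = ""
i = 0
while True:
    data += f.read(10000000)  # 10mb
    i += 1
    print "%dmb" % (i*10,)
EOF
# With the limit set above, the kernel OOM-kills it at roughly 100mb.
python hungry.py

# 8.8 Capabilities without Docker: start a chrooted shell minus CAP_CHOWN.
capsh --print
capsh --drop=cap_chown --chroot="$PWD/rootfs" --

# References
#   https://ericchiang.github.io/post/containers-from-scratch/
#   http://training.play-with-docker.com/alacart/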