How to use docker linux

Post-installation steps for Linux

Estimated reading time: 15 minutes

This section contains optional procedures for configuring Linux hosts to work better with Docker.

Manage Docker as a non-root user

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo . The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo , create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

To create the docker group and add your user:

Create the docker group.

Add your user to the docker group.

Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:

Verify that you can run docker commands without sudo .

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits.

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your

/.docker/ directory was created with incorrect permissions due to the sudo commands.

To fix this problem, either remove the

/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

Configure Docker to start on boot

Most current Linux distributions (RHEL, CentOS, Fedora, Debian, Ubuntu 16.04 and higher) use systemd to manage which services start when the system boots. On Debian and Ubuntu, the Docker service is configured to start on boot by default. To automatically start Docker and Containerd on boot for other distros, use the commands below:

To disable this behavior, use disable instead.

If you need to add an HTTP Proxy, set a different directory or partition for the Docker runtime files, or make other customizations, see customize your systemd Docker daemon options.

Use a different storage engine

For information about the different storage engines, see Storage drivers. The default storage engine and the list of supported storage engines depend on your host’s Linux distribution and available kernel drivers.

Configure default logging driver

Docker provides the capability to collect and view log data from all containers running on a host via a series of logging drivers. The default logging driver, json-file , writes log data to JSON-formatted files on the host filesystem. Over time, these log files expand in size, leading to potential exhaustion of disk resources.

To alleviate such issues, either configure the json-file logging driver to enable log rotation, use an alternative logging driver such as the “local” logging driver that performs log rotation by default, or use a logging driver that sends logs to a remote logging aggregator.

Configure where the Docker daemon listens for connections

By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option take a look at “Bind Docker to another host/port or a unix socket” section of the Docker CLI Reference article.

Before configuring Docker to accept connections from remote hosts it is critically important that you understand the security implications of opening docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.

Configuring Docker to accept remote connections can be done with the docker.service systemd unit file for Linux distributions using systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, or with the daemon.json file which is recommended for Linux distributions that do not use systemd.

Configuring Docker to listen for connections using both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.

Configuring remote access with systemd unit file

Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.

Add or modify the following lines, substituting your own values.

Источник

Orientation and setup

Estimated reading time: 4 minutes

Welcome! We are excited that you want to learn Docker.

This page contains step-by-step instructions on how to get started with Docker. In this tutorial, you’ll learn how to:

• Build and run an image as a container
• Share images using Docker Hub
• Deploy Docker applications using multiple containers with a database
• Running applications using Docker Compose

In addition, you’ll also learn about the best practices for building images, including instructions on how to scan your images for security vulnerabilities.

If you are looking for information on how to containerize an application using your favorite language, see Language-specific getting started guides.

We also recommend the video walkthrough from DockerCon 2020.

Download and install Docker

This tutorial assumes you have a current version of Docker installed on your machine. If you do not have Docker installed, choose your preferred operating system below to download Docker:

Start the tutorial

If you’ve already run the command to get started with the tutorial, congratulations! If not, open a command prompt or bash window, and run the command:

You’ll notice a few flags being used. Here’s some more info on them:

• -d — run the container in detached mode (in the background)
• -p 80:80 — map port 80 of the host to port 80 in the container
• docker/getting-started — the image to use

You can combine single character flags to shorten the full command. As an example, the command above could be written as:

The Docker Dashboard

Before going too far, we want to highlight the Docker Dashboard, which gives you a quick view of the containers running on your machine. The Docker Dashboard is available for Mac and Windows. It gives you quick access to container logs, lets you get a shell inside the container, and lets you easily manage container lifecycle (stop, remove, etc.).

To access the dashboard, follow the instructions in the Docker Desktop manual. If you open the dashboard now, you will see this tutorial running! The container name ( jolly_bouman below) is a randomly created name. So, you’ll most likely have a different name.

What is a container?

Now that you’ve run a container, what is a container? Simply put, a container is simply another process on your machine that has been isolated from all other processes on the host machine. That isolation leverages kernel namespaces and cgroups, features that have been in Linux for a long time. Docker has worked to make these capabilities approachable and easy to use.

Creating containers from scratch

If you’d like to see how containers are built from scratch, Liz Rice from Aqua Security has a fantastic talk in which she creates a container from scratch in Go. While she makes a simple container, this talk doesn’t go into networking, using images for the filesystem, and more. But, it gives a fantastic deep dive into how things are working.

What is a container image?

When running a container, it uses an isolated filesystem. This custom filesystem is provided by a container image. Since the image contains the container’s filesystem, it must contain everything needed to run an application — all dependencies, configuration, scripts, binaries, etc. The image also contains other configuration for the container, such as environment variables, a default command to run, and other metadata.

We’ll dive deeper into images later on, covering topics such as layering, best practices, and more.

If you’re familiar with chroot , think of a container as an extended version of chroot . The filesystem is simply coming from the image. But, a container adds additional isolation not available when simply using chroot.

CLI references

Refer to the following topics for further documentation on all CLI commands used in this article:

Источник

Install Docker Engine

Estimated reading time: 6 minutes

Supported platforms

Docker Engine is available on a variety of Linux platforms, macOS and Windows 10 through Docker Desktop, and as a static binary installation. Find your preferred operating system below.

Desktop

Platform	x86_64 / amd64	arm64 (Apple Silicon)
Docker Desktop for Mac (macOS)
Docker Desktop for Windows		В

Server

Docker provides .deb and .rpm packages from the following Linux distributions and architectures:

Platform	x86_64 / amd64	arm64 / aarch64	arm (32-bit)	s390x
CentOS			В	В
Debian				В
Fedora			В	В
Raspbian	В	В		В
RHEL	В	В	В
SLES	В	В	В
Ubuntu
Binaries				В

Other Linux distributions

While the instructions below may work, Docker does not test or verify installation on derivatives.

• Users of Debian derivatives such as “BunsenLabs Linux”, “Kali Linux” or “LMDE” (Debian-based Mint) should follow the installation instructions for Debian, substituting the version of their distro for the corresponding Debian release. Refer to the documentation of your distro to find which Debian release corresponds with your derivative version.
• Likewise, users of Ubuntu derivatives such as “Kubuntu”, “Lubuntu” or “Xubuntu” should follow the installation instructions for Ubuntu, substituting the version of their distro for the corresponding Ubuntu release. Refer to the documentation of your distro to find which Ubuntu release corresponds with your derivative version.
• Some Linux distributions are providing a package of Docker Engine through their package repositories. These packages are built and maintained by the Linux distribution’s package maintainers and may have differences in configuration or built from modified source code. Docker is not involved in releasing these packages and bugs or issues involving these packages should be reported in your Linux distribution’s issue tracker.

Docker provides binaries for manual installation of Docker Engine. These binaries are statically linked and can be used on any Linux distribution.

Release channels

Docker Engine has three types of update channels, stable, test, and nightly:

• The Stable channel gives you latest releases for general availability.
• The Test channel gives pre-releases that are ready for testing before general availability (GA).
• The Nightly channel gives you latest builds of work in progress for the next major release.

Stable

Year-month releases are made from a release branch diverged from the master branch. The branch is created with format . , for example 20.10 . The year-month name indicates the earliest possible calendar month to expect the release to be generally available. All further patch releases are performed from that branch. For example, once v20.10.0 is released, all subsequent patch releases are built from the 20.10 branch.

In preparation for a new year-month release, a branch is created from the master branch with format YY.mm when the milestones desired by Docker for the release have achieved feature-complete. Pre-releases such as betas and release candidates are conducted from their respective release branches. Patch releases and the corresponding pre-releases are performed from within the corresponding release branch.

Nightly

Nightly builds give you the latest builds of work in progress for the next major release. They are created once per day from the master branch with the version format:

where the time is the commit time in UTC and the final suffix is the prefix of the commit hash, for example 0.0.0-20180720214833-f61e0f7 .

These builds allow for testing from the latest code on the master branch. No qualifications or guarantees are made for the nightly builds.

Support

Docker Engine releases of a year-month branch are supported with patches as needed for one month after the next year-month general availability release.

This means bug reports and backports to release branches are assessed until the end-of-life date.

After the year-month branch has reached end-of-life, the branch may be deleted from the repository.

Backporting

Backports to the Docker products are prioritized by the Docker company. A Docker employee or repository maintainer will endeavour to ensure sensible bugfixes make it into active releases.

If there are important fixes that ought to be considered for backport to active release branches, be sure to highlight this in the PR description or by adding a comment to the PR.

Upgrade path

Patch releases are always backward compatible with its year-month version.

Licensing

Docker is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Reporting security issues

The Docker maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!

Please DO NOT file a public issue; instead send your report privately to security@docker.com.

Security reports are greatly appreciated, and Docker will publicly thank you for it.

Get started

After setting up Docker, you can learn the basics with Getting started with Docker.

Источник