Containers on Chen Kai Blog

Docker and Containers (8): Beyond Docker — Kubernetes, Swarm, and What Comes Next

Fri, 23 Jun 2023 09:00:00 +0000

So far, this series has focused on single-host Docker: one machine running containers. This setup works well for development, small projects, and applications with modest traffic. However, when you need your service to survive server failures, handle traffic spikes, or deploy updates without downtime, single-host Docker falls short. Container orchestration addresses these issues, and Kubernetes has become the go-to solution.

Why Single-Host Docker Isn’t Enough#

Consider what happens when your Docker host fails:

Docker and Containers (7): Security — Running Containers Without Giving Away the Keys

Thu, 22 Jun 2023 09:00:00 +0000

Docker’s default configuration prioritizes convenience over security. Containers run as root, have access to a broad set of Linux capabilities, and can write to their entire filesystem. This is fine for development but dangerous for production. A container escape vulnerability in a root-privileged container means an attacker can take over the host. Let’s fix that.

The Threat Model#

Before securing your setup, understand what you’re defending against:

Docker and Containers (6): Debugging and Logging — When Things Go Wrong Inside a Box

Wed, 21 Jun 2023 09:00:00 +0000

A container that works is invisible. A container that doesn’t work is a black box. The entire point of containerization is isolation — but that same isolation makes debugging harder. You can’t just ssh into a container or browse its filesystem from the host. Docker provides a specific set of tools for inspecting, diagnosing, and understanding what happens inside running (and crashed) containers.

Reading Container Logs#

Logs are your first line of investigation. Docker captures everything a container writes to stdout and stderr.

Docker and Containers (5): Docker Compose — Multi-Container Applications

Tue, 20 Jun 2023 09:00:00 +0000

The previous articles taught you how to run containers with docker run, pass port mappings with -p, create networks with docker network create, and mount volumes with -v. Now imagine doing that for a web server, an API backend, a database, a cache, and a task queue — every time you start your development environment. Docker Compose replaces those 20+ commands with a single file and a single command: docker compose up.

Docker and Containers (4): Networking and Volumes — How Containers Talk and Persist

Mon, 19 Jun 2023 09:00:00 +0000

Containers are deliberately isolated. That’s the point. But useful applications need to accept connections from the outside world, talk to databases, and store data that survives container restarts. Docker provides two mechanisms for this: networks (for communication) and volumes (for persistent storage). Getting these right makes the difference between a demo and a deployment.

Docker Networking#

When Docker starts, it creates a virtual network infrastructure on the host. Each container gets its own network namespace (with its own IP address, routing table, and network interfaces), and Docker manages the traffic flow between containers and the outside world.

Docker and Containers (3): Dockerfile Patterns — From Naive to Production

Sun, 18 Jun 2023 09:00:00 +0000

Most tutorials show you a 5-line Dockerfile and move on. When you deploy to production, you might find your image is 1.2 GB, builds take 8 minutes even for a one-line code change, and your security team flags vulnerabilities in packages you didn’t know were installed. Writing a good Dockerfile is a skill that pays off every time your CI pipeline runs.

Every Dockerfile Instruction#

Let’s go through every instruction you’ll use, with concrete examples.

Docker and Containers (2): Images and Layers — What docker pull Actually Downloads

Sat, 17 Jun 2023 09:00:00 +0000

The first time I ran docker pull ubuntu I expected to download an entire operating system. Instead, it finished in seconds and was only 77 MB. That seemed impossibly small for a Linux distribution. The secret is layers — and understanding how they work changes the way you think about building and shipping containers.

Image vs Container#

Before diving into layers, let’s clarify a fundamental distinction that trips up many beginners.

Docker and Containers (1): Why Containers — The Problem VMs Didn't Solve

Fri, 16 Jun 2023 09:00:00 +0000

Every developer has heard the phrase “it works on my machine.” Virtual machines were supposed to fix that, and they did — at the cost of gigabytes of RAM, minutes of boot time, and an entire duplicate operating system per application. Containers asked a different question: what if we could isolate applications without duplicating the kernel?

The Actual Problem#

Consider deploying a Python web application. You need Python 3.11, specific pip packages, a particular version of libssl, and some system-level configuration. Your colleague’s app needs Python 3.9 and a conflicting libssl version. The staging server runs Ubuntu 20.04 while production runs Amazon Linux 2.