"Rootless" Docker in version 19.03
Docker plans to add support for a "rootless" daemon in experimental mode (already available in nightly builds). The rootless Docker daemon runs as an unprivileged user, but has a number of limitations:
- cgroups, AppArmor, overlay networking and other things that require privileged access do not work
- ports are forwarded with workarounds
- for now, only Ubuntu-based images are supported
#containers #docker
Packt Hub
Docker 19.03 introduces an experimental rootless Docker mode | Packt Hub
Rootless Docker will help reduce the security footprint of the daemon and expose Docker capabilities to systems where users cannot gain root privileges
Dive is a utility for analyzing how Docker images are built.
It lets you analyze how the layers are built and see what changes in each of them.
It was created for optimizing image size.
#containers #docker
GitHub
GitHub - wagoodman/dive: A tool for exploring each layer in a docker image
A tool for exploring each layer in a docker image. Contribute to wagoodman/dive development by creating an account on GitHub.
A friend wrote a tool called GORT (GO-run-things) for running scripts inside a container via an API request.
The way it works is simple: you tell it which script to run with which parameters, and the tool invokes it.
Handy for ad-hoc tasks inside a container that is already running.
#toolz #docker
GitHub
GitHub - idestis/gort: Simple HTTP handler to receive remote calls to run scripts bundled in Docker containers
Simple HTTP handler to receive remote calls to run scripts bundled in Docker containers
In light of the recent news about Mirantis buying Docker Enterprise, here is a two-part story from Scott McCarty, Technical Product Manager at Red Hat, about how OpenShift 4 and RHEL 8 relate to Docker. I recommend starting with the second part.
- Part I: Is Docker supported in OpenShift 4 and RHEL 8?
- Part II: Why is there no Docker in OpenShift 4 and RHEL 8?
#docker #containers #kubernetes
Mirantis
Mirantis Acquires Docker Enterprise Platform Business | Mirantis
Industry-leading Docker Enterprise container platform complements existing Kubernetes technology from Mirantis Campbell, Calif - November 13, 2019 - | Mirantis
Docker is introducing a container image retention policy
TL;DR: Images not pushed or pulled for more than 6 months in Free accounts will be deleted.
The policy will be enforced starting November 1, 2020 and apply to the following plans:
- Free plans will have a 6-month image retention limit
- Pro and Team plans will have unlimited image retention
#docker
Docker is trying to monetize somehow. In their blog they announced that they are introducing a rate limit on pull operations from Docker Hub.
Many have already criticized this decision, both from the technical implementation standpoint and from the UX standpoint.
Well, what can I say: cache public images in your own registries.
#docker
A collection of articles about CloudNative. Mostly these are articles about Kubernetes, Docker and Istio, but not only.
#kubernetes #docker #istio #cncf
Prepare your sleigh in summer, as the saying goes.
Kubernetes is going to deprecate Docker support in the kubelet in version 1.20.
#kubernetes #docker
Imgflip
everythings-fine
An image tagged everythings-fine
You can use multi-line RUN commands in Dockerfiles now.
It's not like you couldn't, it just became more human-readable.
To use this feature, set the Dockerfile version to the labs channel. Currently this feature is only available in the docker/dockerfile-upstream:master-labs image.
```dockerfile
# syntax = docker/dockerfile-upstream:master-labs
FROM debian
RUN <<eot bash
apt-get update
apt-get install -y vim
eot
```
#docker
GitHub
buildkit/frontend/dockerfile/docs/syntax.md at master · moby/buildkit
concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit - moby/buildkit
Ok. That's interesting.
Docker is updating their pricing model once again and here is the interesting part:
At Docker we remain committed to continuing to provide an easy-to-use, free experience for individual developers, open source projects, education, and small businesses. In fact, altogether these communities represent more than half of all Docker usage. Docker Personal and all its components – including Docker CLI, Docker Compose, Kubernetes, Docker Desktop, Docker Build/BuildKit, Docker Hub, Docker Official Images, and more – *remain free for these communities*.
Specifically, small businesses (fewer than 250 employees AND less than $10 million in revenue) may continue to use Docker Desktop with Docker Personal for free. The use of Docker Desktop in large businesses, however, requires a *Pro*, *Team*, or *Business* paid subscription, starting at $5 per user per month.
I'm still not 100% sure, but it sounds like you won't be able to use Docker Desktop on your corporate laptop starting from 31st January 2022 if your company is "big enough".
Here's a Twitter thread by Corey Quinn on this issue.
#docker
Docker
Docker is Updating and Extending Our Product Subscriptions | Docker
Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version
Docker Desktop has already become a paid option for corporate users and not all companies are willing to pay. Some just haven't bought the licenses yet. This is bad news for Mac user stations, which are likely a majority in the corporate world.
However, there are projects out there which aim to solve the problem of a virtual machine to run your Docker containers.
This article tells a story of migration to Lima from Docker Desktop on macOS.
There is also a complementary project with a funny name, Colima, which simplifies the migration even further.
#docker #containers
Naomi Aro
Replacing Docker Desktop with Lima on Mac OS
Creating a writable projects mount with Lima to run your node_modules in development properly.
A small article about how to reverse engineer Docker images.
It provides some theoretical information on how Docker images are built as well as some practical tools to reverse engineer Docker images yourself.
Probably not something you do every day, but I can recall a few times when I had to search for a Dockerfile to understand how an image works. I wish I knew these tools back then!
#docker
Medium
Reverse Engineer Docker Images Into Dockerfiles
Reverse Engineer Docker Images by Examining the Internals of How Docker Images Store Data
A nice overview of how Docker works on non-Linux hosts as well as an explanation of why I/O operations are so slow. Plus, some hints on how to make it faster for local development.
tl;dr. Docker requires Linux capabilities, so it has to have a Linux VM to run Linux-based images on macOS and Windows. This VM shares the filesystem with the host, which is slow. There's a new implementation, VirtioFS, which is faster, but still not ideal.
We briefly discussed ways of running Docker on the new M-based Macs in our previous voice chat and this article has links to some tools we mentioned there, specifically: Rancher Desktop and Colima.
Also, I recall developers at my previous job complaining about slow-ish Docker performance, but IIRC VirtioFS was not widely adopted back then.
#docker #linux
Paolomainardi
Docker on MacOS is slow and how to fix it
Thanks to the DALL·E 2, we finally have a very nice graphic representation of the feelings of a Docker container inside a macOS environment, I will try with this article to make this poor container safe to the coast.
TL;DR At the time of writing…
Docker BuildKit has a new `COPY --link` feature.
With `--link` enabled, files added with `COPY` won't be copied to the previous layer, but a new layer will be created. This can help you to better cache specific things and accelerate your Docker builds.
#docker
How-To Geek
How to Accelerate Docker Builds and Optimize Caching With "COPY --link"
COPY --link is a new BuildKit feature which could substantially accelerate your Docker image builds. It works by copying files into independent image layers that don’t rely on the presence of their predecessors. You can add new content to images without the…
And not so great news about Docker.
Apparently, Docker is now deleting Open Source organizations.
Basically, the bottom line is that you cannot have an organization on a free account. At first glance, it looks ok: you want a production-grade SaaS, you pay for it.
The main concern is that there's no official statement from Docker that existing names of such organizations will be locked, so no one can get those except original owners, even with paid accounts. Otherwise, it will open a gate for potential malicious code injection attacks.
#docker
Alex Ellis' Blog
Docker is deleting Open Source organisations - what you need to know
This controversial decision coupled with poor messaging has created anxiety the Open Source community. Learn what's happening and how we can move forward.
An article about why you should think twice before using Alpine Linux for your container images.
In a nutshell, Alpine uses `musl`, an implementation of the C standard library, and many things depend on the C standard library, including DNS. Since `musl` doesn't support DNS over TCP by design, you may get `nxdomain` errors if the DNS response is more than 512 bytes. And it can happen in Kubernetes.
TBH, Alpine got more stable in recent years, but still…
The article also provides some alternatives like Wolfi, UBI, and of course, Debian/Ubuntu images. You can use Distroless images as well if you are looking for small and secure images.
Also, here's a related Reddit thread, so you can follow the discussion there as well.
#docker #alpine #dns #Kubernetes
VictoriaMetrics have released their first iteration of the log platform!
Here’s the info:
The first release of VictoriaLogs!
Release page on GitHub
Documentation
Docker demos
Helm Chart
Here you can find a Benchmark for VictoriaLogs
Since I’m not a user, it’s hard for me to provide feedback right away. Yet, if you use it or want to try and want to provide any feedback to the maintainers, do not hesitate to submit bug reports and feature requests on GitHub.
#victoriametrics #logs #observability
GitHub
Release v0.1.0-victorialogs · VictoriaMetrics/VictoriaMetrics
This is VictoriaLogs Preview release
It provides the following key features:
VictoriaLogs can accept logs from popular log collectors. See these docs.
VictoriaLogs is much easier to setup and oper...
A couple of articles I stumbled upon when researching some things for work.
- You can use ARG in the FROM definition in a Dockerfile. I didn't know that it's possible. Back in the day I tried using ENV there and it didn't work, so I assumed it's non-configurable. Apparently, it is. You may argue if it's a good practice to alter the `FROM` configuration this way, but I can clearly see use cases for that.
- A workaround for Terraform's `default_tags` definition. This way you can "exclude" the `default_tags` for some resources in Terraform. For example, if you're using the `default` subnets, etc. that were imported in Terraform. You cannot change tags for those things in AWS, so you need to work around that. Again, using `default`s in AWS is probably not a good practice, but sometimes those things are in use for historical reasons, etc.

Again, these two articles have no relation whatsoever, just want to share them with you.
#aws #terraform #docker
DEV Community
Terraform: Prevent default_tags on a specific resource
Prevent AWS default_tags from being applied to a specific resource
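
An added example, not taken from any of the linked articles, tying together two Dockerfile points from the posts above: the worry that a released Docker Hub organization name could be registered by someone else, and `ARG` in `FROM`. It resolves each `FROM` reference from global `ARG` defaults and build args and reports which ones are not pinned by digest, since a digest-pinned reference keeps resolving to the same content whoever owns the name. The sample Dockerfile and every name in it are constructed, and line continuations are assumed not to occur.

```python
import re

# Constructed sample Dockerfile (all image names are made up).
SAMPLE = """\
ARG REGISTRY=docker.io
ARG BASE_TAG=3.19
FROM ${REGISTRY}/exampleorg/builder:${BASE_TAG} AS build
FROM debian@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS tools
FROM build AS test
FROM scratch
FROM $MIRROR/library/alpine
"""

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR = re.compile(r"\$(?:\{(\w+)(?::-([^}]*))?\}|(\w+))")  # ${X}, ${X:-d}, $X


def audit_from_lines(text, build_args=None):
    """Return (line_no, resolved_ref, status) for every FROM instruction."""
    build_args = build_args or {}
    args, stages, findings = {}, set(), []
    seen_from = False
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        instr = words[0].upper()
        if instr == "ARG" and not seen_from and len(words) > 1:
            # Only ARGs declared before the first FROM are visible to FROM.
            name, _, default = words[1].partition("=")
            args[name] = build_args.get(name, default.strip("\"'"))
        elif instr == "FROM":
            seen_from = True
            operands = [w for w in words[1:] if not w.startswith("--")]
            if not operands:
                continue
            missing = []

            def expand(m):
                name = m.group(1) or m.group(3)
                value = args.get(name) or m.group(2)
                if not value:
                    missing.append(name)
                return value or m.group(0)

            ref = VAR.sub(expand, operands[0])
            if missing:
                status = "unresolved"   # cannot tell what will be pulled
            elif ref == "scratch":
                status = "scratch"
            elif ref in stages:
                status = "stage"        # earlier build stage, not a pull
            else:
                status = "pinned" if DIGEST.search(ref) else "unpinned"
            findings.append((no, ref, status))
            if len(operands) == 3 and operands[1].upper() == "AS":
                stages.add(operands[2])
    return findings
```

Entries reported as `unpinned` or `unresolved` are the ones whose content depends on who controls the name at pull time.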