Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
docker_notes:docker [2024-01-14 Sun wk02 11:23] baumkpdocker_notes:docker [2025-06-21 Sat wk25 12:15] (current) – [Networks] baumkp
Line 1: Line 1:
-{{tag>linux docker installation network volume iptables nftables portainer}} +{{tag>linux docker cli installation network volume iptables nftables portainer}}
-Much of this material was originally sourced from: [[https://github.com/xcad2k/cheat-sheets/blob/main/docker/docker.md|xcad2k cheat-sheets/docker/docker.md]] +
  
 ======Docker====== ======Docker======
Line 10: Line 8:
  
 =====Installation===== =====Installation=====
 +  *[[https://docs.docker.com/engine/install/debian/|Install Docker Engine on Debian]]
 One click installation script: One click installation script:
   *''%%curl -fsSL https://get.docker.com -o get-docker.sh%%''   *''%%curl -fsSL https://get.docker.com -o get-docker.sh%%''
Line 22: Line 20:
  
 Install Docker Engine : [Docker Engine](https://docs.docker.com/engine/install/) Install Docker Engine : [Docker Engine](https://docs.docker.com/engine/install/)
 +
 +====Docker Desktop for Linux====
 +I have preferred to run Docker command as a native Linux applications.  Docker Desktop originally was created to allow operating systems other than Linux to run Docker by creating a virtual Linux machine to operate them within.  Linux does not need this as the various docker programs run natively. A version of Docker Desktop was created for Linux that looks like it has some additional user interface features, but to date I have not wanted to setup an additional VM for this purpose and am happy to continues to use the Linux KVM VM solution.
  
 =====Uninstall===== =====Uninstall=====
 Both the install methods actually use the standard package manager to install docker. Both the install methods actually use the standard package manager to install docker.
-  -''dpkg -l|grep docker'' to check the docker packages actually installed+  -''dpkg -l|grep docker'' to check the docker packages actually installed and **which docker packages and versions are installed**
   -''sudo apt remove docker-ce''   -''sudo apt remove docker-ce''
   -Check the the ''var/lib/docker'' directory, ''sudo du -d 1 -h var/lib/docker''   -Check the the ''var/lib/docker'' directory, ''sudo du -d 1 -h var/lib/docker''
Line 31: Line 32:
   *[[https://stackoverflow.com/questions/62677013/uninstall-docker-version-installed-via-script|Uninstall docker version installed via script]]   *[[https://stackoverflow.com/questions/62677013/uninstall-docker-version-installed-via-script|Uninstall docker version installed via script]]
  
-=====Docker and iptables=====+=====Docker and iptables on Host=====
 Docker applies iptables on the host machine, see [[https://docs.docker.com/network/iptables/|Docker and iptables]]. Docker applies iptables on the host machine, see [[https://docs.docker.com/network/iptables/|Docker and iptables]].
  
Line 64: Line 65:
  
 ++++ ++++
 +
 +=====DNS and nftable / iptables / netfilter within containers=====
 +Docker has to perform some interesting network filtering both on the container host, as noted above and within containers as outlined here.  It looks like this is required to allow container DNS functionality on Docker containers using bridge networking.
 +
 +The containers DNS (''/etc/resolv.conf'') is assigned to a proxy on 127.0.0.11:53.  //(Note that DNS uses UDP not TCP datagrams.)//
 +
 +Further to this The container netfilter use NAT chains to operate on 127.0.0.11.  See the following nftables info:
 +++++nft list tables|
 +<code>table ip nat</code>
 +++++
 +++++nft list table ip nat|
 +<code># Warning: table ip nat is managed by iptables-nft, do not touch!
 +table ip nat {
 + chain DOCKER_OUTPUT {
 + meta l4proto tcp ip daddr 127.0.0.11 xt match "tcp" counter packets 0 bytes 0 xt target "DNAT"
 + meta l4proto udp ip daddr 127.0.0.11 xt match "udp" counter packets 329 bytes 20249 xt target "DNAT"
 + }
 +
 + chain OUTPUT {
 + type nat hook output priority dstnat; policy accept;
 + ip daddr 127.0.0.11 counter packets 329 bytes 20249 jump DOCKER_OUTPUT
 + }
 +
 + chain DOCKER_POSTROUTING {
 + meta l4proto tcp ip saddr 127.0.0.11 xt match "tcp" counter packets 0 bytes 0 xt target "SNAT"
 + meta l4proto udp ip saddr 127.0.0.11 xt match "udp" counter packets 0 bytes 0 xt target "SNAT"
 + }
 +
 + chain POSTROUTING {
 + type nat hook postrouting priority srcnat; policy accept;
 + ip daddr 127.0.0.11 counter packets 329 bytes 20249 jump DOCKER_POSTROUTING
 + }
 +}
 +/ # </code>
 +++++
 +
 +On VPN setup, at least openvpn, the /etc/resolv.conf is overwritten anyway so the Docker netfilter chains become irrelevant. 
 +
 +On the other hand where Docker bridge network DNS container name resolution is desirable then these netfilter chains must basically remain unadulterated.  So in these cases where I need to used netfilter within the container, the simple solution is to simply add extra chains without using the nft ''flush ruleset'' command first.  These means that if subsequent rule changes are made the container will need to be recreated.   This is effectively only for simple basic filter (input, output & forward) chains only, more complex netfilter nat requirements would need further consideration.
 +  
  
 =====Portainer===== =====Portainer=====
Line 84: Line 125:
   * Then remove the agent container: ''%%docker rm portainer_agent%%''   * Then remove the agent container: ''%%docker rm portainer_agent%%''
   * Then pull the latest portainer/agent: ''%%docker pull portainer/agent%%'', default is latest if version is not specified.   * Then pull the latest portainer/agent: ''%%docker pull portainer/agent%%'', default is latest if version is not specified.
-<code yaml>docker run -d   -p 9001:9001   --name portainer_agent   --restart=always +<code yaml>docker run -d   -p 9001:9001   --name portainer_agent   --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes portainer/agent</code> 
--v /var/run/docker.sock:/var/run/docker.sock + 
--v /var/lib/docker/volumes:/var/lib/docker/volumes +It would seem remote agents by default do not show out of date images, can be toggled on/off under ''Host > Setup "Show image up to date indicators for Stacks, Services and Containers"'' 
-portainer/agent</code>+
  
-=====Build Images===== 
  
 =====Docker CLI===== =====Docker CLI=====
 +Much of this material was originally sourced from: [[https://github.com/ChristianLempa/cheat-sheets/blob/main/docker/docker.md|cheat-sheets/docker/docker.md]]
  
 **Run Containers** **Run Containers**
Line 196: Line 237:
 |''docker volume rm VOLUME'' | Destroy a volume| |''docker volume rm VOLUME'' | Destroy a volume|
 |''%%docker volume ls --filter="dangling=true%%"'' | List all dangling volumes (not referenced by any container)| |''%%docker volume ls --filter="dangling=true%%"'' | List all dangling volumes (not referenced by any container)|
-|''docker volume prune'' | Delete all volumes (not referenced by any container)|+|''docker volume prune'' | Delete all volumes not referenced by any container|
  
 +**Network:**
 +|<50em>|
 +^COMMAND ^ DESCRIPTION^
 +|''docker network ls'' | List all volumes|
 +|''docker network create NETWORK'' | Create a NETWORK|
 +|''docker network inspect NETWORK'' | Show information (json formatted)|
 +|''docker network rm NETWORK'' | Destroy a NETWORK|
 +|''%%docker network ls --filter="dangling=true%%"'' | List all dangling networks (not referenced by any container)|
 +|''docker network prune'' | Delete all networks volumes not referenced by any container|
 +
 +=====DOCKER DNS=====
 +Docker has an internal DNS for each discrete type network.  This allows docker containers to be referenced by container name and compose name and allows repeatable inter-container referencing by name, so dynamic  container internal IP addressing is not a reference issue.  Container names are automatically assigned or can be specifically assigned with ''--name CONTAINER_NAME'' in Docker, and ''container_name: CONTAINER_NAME'' in Docker compose file.
 +====docker ps command====
 +The ''docker ps'' command output is long and often difficult to read on the terminal for this reason.
 +  *''%%docker ps --format 'table {{ .ID }}\t{{.Image}}\t{{ .Names }}'%%''
 +<code>CONTAINER ID   IMAGE                    NAMES</code>
 +  *''%%docker ps -s --format 'table {{ .ID }}\t{{.Status}}\t{{.Image}}\t{{ .Names }}'%%''
 +<code>CONTAINER ID   STATUS                  IMAGE                 NAMES</code>
 +  *''%%docker ps -s --format 'table {{ .ID }}\t{{.Status}}\t{{.Image}}\t{{ .Names }}\t{{.Size}}'%%''
 +<code>CONTAINER ID   STATUS                  IMAGE                 NAMES               SIZE</code>
 +
 +===reference===
 +  *[[https://devdojo.com/bobbyiliev/how-to-change-the-docker-ps-output-format|How to change the docker ps output format]]
 +  *[[https://dev.to/cicube/docker-cheat-sheet-most-useful-commands-ghl|Docker Cheat Sheet - Most Useful Commands]]
 +  *Docker Docs
 +    *[[https://docs.docker.com/reference/cli/docker/container/ls/|docker container ls]]
 +    *[[https://docs.docker.com/storage/storagedriver/#container-size-on-disk|Container size on disk]]
 ====Backup a container==== ====Backup a container====
 Backup docker data from inside container volumes and package it in a tarball archive.\\ Backup docker data from inside container volumes and package it in a tarball archive.\\
Line 221: Line 289:
     * ''docker network create network_named''     * ''docker network create network_named''
   - Host (Appears on the host machine as if installed there, no separate network.)   - Host (Appears on the host machine as if installed there, no separate network.)
-  - MACVLAN +    -If you use the host network mode for a container, that container's network stack isn't isolated from the Docker host (the container shares the host's networking namespace), and the container doesn't get its own IP-address allocated.   
 +  - MACVLAN 
 +    -The macvlan network assigns a unique MAC address to each container, making it appear to be a physical device on your network, just like a traditional virtual machine. The Docker daemon then routes the traffic to containers on the basis of their MAC address. It also allows you to assign an IP address from the same subnet in which the Docker host resides. This avoids the use of the host network, there is no NAT overhead, and you won't run into network performance issues.  
     - MACVLAN (without subVLAN) this create a new ip address on the host machine     - MACVLAN (without subVLAN) this create a new ip address on the host machine
-      * <code bash>docker network create -d macvlan \+      * <code bash>docker network create 
 +-d macvlan \
 --subnet 192.168.1.0/24 \ --subnet 192.168.1.0/24 \
 --gateway 192.168.1.1 \ --gateway 192.168.1.1 \
--o parent=br0 +-o parent=br0 network_named</code>
-network_named</code>+
       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.
       * May be problem with multiple MACs on common switch port.  Need to set promiscuous mode on network, e.g. ''sudo ip link set br0 promisc on''.       * May be problem with multiple MACs on common switch port.  Need to set promiscuous mode on network, e.g. ''sudo ip link set br0 promisc on''.
Line 233: Line 303:
   - IPVLAN    - IPVLAN 
     - IPVLAN on host subnet, this create a new ip address on the host machine, but not with new MAC number, it uses the host MAC number     - IPVLAN on host subnet, this create a new ip address on the host machine, but not with new MAC number, it uses the host MAC number
-      * <code bash>docker network create -d ipvlan \+      * <code bash>docker network create 
 +-d ipvlan \
 --subnet 192.168.1.0/24 \ --subnet 192.168.1.0/24 \
 --gateway 192.168.1.1 \ --gateway 192.168.1.1 \
--o parent=br0 +-o parent=br0 network_named</code>
-network_named</code>+
       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.
       * May be problem with shared MAC with multiple IP address, but less likely than MACVLAN.       * May be problem with shared MAC with multiple IP address, but less likely than MACVLAN.
     - IPVLAN on separate subnet using the host machine as gateway, but not with new MAC number, it uses the host MAC number     - IPVLAN on separate subnet using the host machine as gateway, but not with new MAC number, it uses the host MAC number
-      * <code bash>docker network create -d ipvlan \+      * <code bash>docker network create 
 +-d ipvlan \
 --subnet 192.168.1.0/24 \ --subnet 192.168.1.0/24 \
 -o parent=br0 -o ipvlan_mode=l3 \ -o parent=br0 -o ipvlan_mode=l3 \
---subnet 192.168.10.0/24 +--subnet 192.168.10.0/24 network_named</code>
-network_named</code>+
       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.       * No host DHCP access so need to specify ip address when creating container (docker cli ''%%--ip 192.168.1.14%%''). If not specified docker DHCP will assign and could cause clash with host.
       * May be problem with shared MAC with multiple IP address, but less likely than MACVLAN.       * May be problem with shared MAC with multiple IP address, but less likely than MACVLAN.
   - Overlay network, an even more obscure network arrangement I know nothing about.   - Overlay network, an even more obscure network arrangement I know nothing about.
   - None network - no assigned network, container has no external network connectivity   - None network - no assigned network, container has no external network connectivity
-====Troubleshooting====+ 
 +====References==== 
 +  *[[https://www.aidenwebb.com/posts/dockers-seven-network-types-and-when-to-use-them/|Dockers seven network types and when to use them]] 
 +  *[[https://dev.to/wallacefreitas/docker-networking-a-comprehensive-guide-3d5j|Docker Networking: A Comprehensive Guide]] 
 +  *[[https://dev.to/abhay_yt_52a8e72b213be229/unlocking-advanced-docker-networking-macvlan-vs-ipvlan-38o4|Unlocking Advanced Docker Networking: Macvlan vs. Ipvlan]] 
 +  *[[https://ipwithease.com/macvlan-vs-ipvlan-understand-the-difference/|MacVLAN vs IPvlan: Understand the difference]] 
 +  *[[https://medium.com/@dyavanapellisujal7/docker-macvlan-and-ipvlan-explained-advanced-networking-guide-b3ba20bc22e4|Docker MacVLAN and IPVLAN Explained: Advanced Networking Guide]] 
 +  *[[https://4sysops.com/archives/macvlan-network-driver-assign-mac-address-to-docker-containers/|Macvlan network driver: Assign MAC address to Docker containers]] 
 +  *[[https://4sysops.com/archives/configuring-ipvlan-networking-in-docker/|Configuring IPvlan networking in Docker]] 
 +=====network troubleshooting===== 
 +A lot of containers are setup to be small and hence do not include many, if any of the tools required to diagnose problems.  A small docker image ''netshoot'' includes the most common networking tools and when attached to the same docker network can be used to diagnose the network and containers networks thereon. 
 +  *''%%docker run --rm --name netshoot --network proxy -it nicolaka/netshoot /bin/bash%%'' 
 + 
 + 
 +====Network Troubleshooting====
   *[[https://github.com/nicolaka/netshoot|netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container]] ''%%docker run --name netshoot --rm -it nicolaka/netshoot /bin/bash%%''   *[[https://github.com/nicolaka/netshoot|netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container]] ''%%docker run --name netshoot --rm -it nicolaka/netshoot /bin/bash%%''
   *[[https://gist.github.com/bastman/5b57ddb3c11942094f8d0a97d461b430|Docker - How to cleanup (unused) resources]]   *[[https://gist.github.com/bastman/5b57ddb3c11942094f8d0a97d461b430|Docker - How to cleanup (unused) resources]]
 +
 +=====Docker Cleanup=====
 +Docker can take a lot of disk space.  While I store my docker containers and data on a separate drive with a lot of space, docker is run on a VM that has about 55GB space, which is usually enough for Linux.  
 +Docker stores the container images and other operating information in ''/var/lib/docker'', with a lot of information in ''/var/lib/docker/overlay2'', the command ''sudo du -d 1 -h /var/lib/docker'' lists the sub-directories and used space.   See [[https://www.virtualizationhowto.com/2023/11/docker-overlay2-cleanup-5-ways-to-reclaim-disk-space/|Docker Overlay2 Cleanup: 5 Ways to Reclaim Disk Space]], in particular the following commands:
 +  *''docker system prune'', which will remove stopped containers, networks not associated with any container, and dangling images, the ''-a'' flag will also remove all unused images.  The ''-f'' flag is to force removal.
 +  *''docker image prune''  removes older images.
 +
  
 <- docker_notes:vm-container|Back ^ docker_notes:index|Start page ^ docker_notes:docker-compose|Next -> <- docker_notes:vm-container|Back ^ docker_notes:index|Start page ^ docker_notes:docker-compose|Next ->