docker – Hackfi

On demand ecs fargate as Jenkins worker node

Create separate ecs-farget template for different kind of workload.
Do the proper tagging of resources so that we get proper costing

Docker with TLS:

###### server
dockerd \
    --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=server-cert.pem \
    --tlskey=server-key.pem \
    -H=0.0.0.0:2376

##### client
docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version

##### secure by default
mkdir -pv ~/.docker
cp -v {ca,cert,key}.pem ~/.docker
export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1


##### make sure to have correct host/DNS name while creating the server cert

https://aws.amazon.com/blogs/containers/building-container-images-on-amazon-ecs-on-aws-fargate/

Docker socket remote access

Remote access docker:

   ┌─────────┐               port ┌────────┐
   │         │                    │        │
   │         │               2375 │        │
   │         ├────────────────────┤        │
   │         │           2376(TLS)│        │
   └─────────┘                    └────────┘
      client                      Docker Host

    192.168.0.10                  192.168.0.11

On docker client:

export DOCKER_HOST="tcp://192.168.0.11:2375"

With socat:

On docker host(192.168.0.114):

socat TCP-LISTEN:6644,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock

On docker client:

socat UNIX-LISTEN:/var/run/docker.sock,fork,reuseaddr,unlink-early,user=root,group=docker,mode=770 TCP:192.168.0.114:6644

Docker client:

root@lp-arm-2:~# docker ps
CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS          PORTS           NAMES
18f7aff52a13   docker:dind   "dockerd-entrypoint.…"   32 minutes ago   Up 32 minutes   2375-2376/tcp   nostalgic_jang

https://unix.stackexchange.com/questions/683688/is-it-possible-to-access-a-unix-socket-over-the-network

https://serverfault.com/questions/127794/forward-local-port-or-socket-file-to-remote-socket-file

Push multi-arch docker image

#ARM64
arm64_image_digest=$(docker manifest inspect nginx | jq '.manifests[] | select(.platform.architecture == "arm64")' | jq '.digest'| sed 's/"//g')

#AMD64
amd64_image_digest=$(docker manifest inspect nginx | jq '.manifests[] | select(.platform.architecture == "arm64")' | jq '.digest'| sed 's/"//g')


docker tag nginx your-username/nginx:amd64
docker tag nginx your-username/nginx:arm64

docker push your-username/nginx:amd64
docker push your-username/nginx:arm64


docker manifest create \
your-username/nginx:latest \
--amend your-username/nginx:amd64 \
--amend your-username/nginx:arm64

docker manifest push your-username/nginx:latest

https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/

export DOCKER_BUILDKIT=1

docker buildx create --use

docker buildx build --push --platform linux/arm64,linux/amd64 -t httpd-custom .

docker buildx stop
docker buildx rm

##10 0.064 .buildkit_qemu_emulator: /bin/sh: Invalid ELF image for this architecture

docker run --rm --privileged multiarch/qemu-user-static:register --reset

docker run --rm --privileged multiarch/qemu-user-static --reset -p yes



docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
docker buildx rm builder
docker buildx create --name builder --driver docker-container --use
docker buildx inspect --bootstrap

https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx

Networking basic command for kubernetes

list namespace

lsns

all ns for process id

ps -ef | grep nginx

lsns -p 400055

pause pod creates ipc and net namespace

https://learnk8s.io/kubernetes-network-packets

Build haskell static binary with docker

Why?
– Reduce surface attack
– Reduce docker image size

hola.sh

{-# LANGUAGE OverloadedStrings #-}
import Web.Scotty

import Data.Monoid (mconcat)

main = scotty 3000 $
    get "/:word" $ do
        beam <- param "word"
        html $ mconcat ["<h1>Scotty, ", beam, " me up!</h1>"]

alpine.Dockerfile

FROM haskell:8 AS build
WORKDIR /opt
RUN cabal update
RUN cabal install --lib scotty
COPY hola.hs .
#RUN ghc --make -threaded hola.hs  -o hola
RUN ghc --make -threaded -optl-static -optl-pthread hola.hs -o hola

FROM alpine:3.15.0
RUN addgroup -S group1 && adduser -S user1 -G group1
USER user1
WORKDIR /opt
COPY --from=build /opt/hola .
EXPOSE 3000
CMD ["/opt/hola"]

Grafana docker compose

version: '3'
services:
  grafana:
    image: grafana/grafana
    container_name: grafana
    restart: unless-stopped
    environment:
      TZ: "Asia/Kolkata"
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,simpod-json-datasource,marcusolsson-json-datasource"
    volumes:
      - /root/grafana/data:/var/lib/grafana
    ports:
      - 3000:3000

ELK on docker-compose

version: '2.2'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.0
    container_name: elasticsearch
    environment:
      discovery.type: "single-node"
    volumes:
      - /root/elasticsearch:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:7.12.0
    container_name: kibana
    environment:
      elasticsearch.hosts: "elasticsearch:9200"
    ports:
      - 5601:5601

docker ARG and ENV

ARG is only available during build
ENV is available can be available during build as well as after the build

FROM httpd
ARG arg1
ENV env1=evalue1
ENV env2=${arg1}
ENV env3=evalue3

docker build --build-arg arg1=atest -t httpd-test .

docker run -d --env-file=env_file  httpd-test

Rabbitmq docker-compose

version: '3'
services:
  rabbitmq:
    image: rabbitmq:3-management
    restart: always
    container_name: rabbitmq
    environment:
      TZ: "Asia/Kolkata"
      RABBITMQ_DEFAULT_USER: username
      RABBITMQ_DEFAULT_PASS: password
    volumes:
      - /opt/rabbitmq/data:/var/lib/rabbitmq
    ports:
      - 5671:5671
      - 5672:5672
      - 15672:15672

Docker command :

dodocker run -d -p 5671:5671 -p 5672:5672 -p 15672:15672 -v /opt/rabbitmq/data:/var/lib/rabbitmq -e RABBITMQ_DEFAULT_USER=user -e RABBITMQ_DEFAULT_PASS=password  -e TZ="Asia/Kolkata" --restart unless-stopped rabbitmq:3-management

Access sidecar/multi-container pod with kubectl

Get container names in pod:

kubectl describe pod1

kubectl exec pod_name1 -c container_name1 -- bash

kubectl exec pod_name1 -c container_name2 -- bash

kunbectl exec --help

more : https://www.mirantis.com/blog/multi-container-pods-and-container-communication-in-kubernetes/