Docker
Easiest way in Fedora VM:
radia_run redhat-docker
List containers:
docker ps -a
Remove a container:
docker rm <name>
List images:
docker images -a
Remove an image:
docker rmi <image-id>
A running container, e.g. a non-interactive container running a server, can be attached to with a new command by using bash as the command:
docker exec -it <container> bash
Print the host PID and ID of each running container:
docker ps -q | xargs docker inspect --format '{{.State.Pid}}, {{.ID}}'
Running Docker as a non-root user (set up below) should only be done inside a virtual machine, because it is not secure: it allows privilege escalation attacks. However, this is very convenient if you are running with Vagrant.
Do this one time as the user to be able to run Docker:
$ sudo gpasswd -a $USER docker
$ sudo service docker restart
$ logout
Log back in to get the new group privileges. You should see something like this:
$ groups
vagrant docker
You can also put a password on the docker group:
$ sudo gpasswd docker
New Password:
Then, as another user:
$ newgrp docker
Password:
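An audit for the risk described above, as an added example that is not part of the original page: it lists every account that gets Docker access through the docker group, including accounts whose primary group is docker, and reports a group password set with gpasswd. The function names and the sample accounts are made up for illustration; the files parsed are the standard group(5), passwd(5) and gshadow(5).

```sh
#!/bin/sh
# Added example (not from the original page): list every account that holds
# Docker access, and therefore root-equivalent access, on a host.
# Paths default to the standard group(5), passwd(5) and gshadow(5) files.

# Supplementary members of the docker group, one per line.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}"
}

# Accounts whose primary group is docker (not shown in the member list above).
docker_primary_users() {
    gid=$(awk -F: '$1 == "docker" { print $3 }' "${2:-/etc/group}")
    [ -n "$gid" ] || return 0
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "${1:-/etc/passwd}"
}

# Succeeds if the docker group has a usable password (set with gpasswd), which
# lets any local user who knows it join the group through newgrp.
docker_group_has_password() {
    awk -F: '$1 == "docker" && $2 != "" && $2 !~ /^[!*]/ { found = 1 }
             END { exit !found }' "${1:-/etc/gshadow}"
}

# One finding per line; arguments: group file, passwd file, gshadow file.
audit_docker_access() {
    docker_group_members "$1" | sed 's/^/member: /'
    docker_primary_users "$2" "$1" | sed 's/^/primary-group: /'
    if docker_group_has_password "$3"; then
        echo "group-password: set (newgrp docker works for non-members)"
    fi
}

# Constructed sample files (not real accounts) so the audit runs offline.
demo_dir=$(mktemp -d)
printf 'root:x:0:\ndocker:x:990:vagrant,deploy\n' > "$demo_dir/group"
printf 'root:x:0:0::/root:/bin/sh\nci:x:1001:990::/home/ci:/bin/sh\n' > "$demo_dir/passwd"
printf 'docker:$6$constructed$hash::vagrant,deploy\n' > "$demo_dir/gshadow"
audit_docker_access "$demo_dir/group" "$demo_dir/passwd" "$demo_dir/gshadow"
rm -rf "$demo_dir"
```

On a real host, call audit_docker_access /etc/group /etc/passwd /etc/gshadow as root, since gshadow is not world-readable.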
A VOLUME built into a base image can't be cleared via the Dockerfile or anything else, it seems. Even if the volume is not mounted (VOLUME [/foo, ""]), it keeps that directory busy so you can't do anything with it. Noticed this on the postgresql data VOLUME.
Docker doesn't manage disk space on the loopback device (used by VirtualBox installs). The devicemapper just keeps on eating space in /var/lib/docker. The only thing to do is clear out your entire docker installation and restart:
systemctl stop docker
rm -rf /var/lib/docker
systemctl start docker
There is a dm:trim-pool and dm:resize, but I can't figure out how to run it. There's scant information out there about devicemapper subcommands.
When you have two images docker.io/repo/name and repo/name, the second one will be chosen for operations. This can be confusing when you are debugging an image and creating local commits.
To change the user (e.g. from root) on a commit:
docker commit --change 'USER vagrant' container-id new-image
docker-tls.sh creates the configuration for Docker TLS. You need a new certificate authority for every "trust group" (e.g. swarm or cluster) of docker daemons. Keep the CA private key secure and only on one machine, e.g. salt-master. It gives root access (via Docker) to anyone who has it.
You should also keep the CA-signed client private key secure. It also gives root access to all the machines that have the CA certificate installed.
The docker command doesn't have many features to query the docker registry. The web GUI is even worse. You can't know from the interface which image is associated with which tag.
To query all the tags in the registry, you use curl, e.g. for radiasoft/beamsim:
curl https://registry.hub.docker.com/v1/repositories/radiasoft/beamsim/tags
Various bugs related to swarm mode with docker 17.12ce on CentOS 7:
- Removal of container hanging: https://github.com/moby/moby/issues/22312
- Failed to deserialize netlink ndmsg: Link not found: https://github.com/docker/libnetwork/issues/2045
- Swarm services hang forever in "new" status when using custom subnet with overlay networks: https://github.com/moby/moby/issues/35995
- NFS hangs "forever" if the subnet is incorrect.
- Swarm Mode: Docker Overlay network occasionally stop working: https://github.com/moby/moby/issues/32738
- Swarm is having occasional network connection problems between nodes: https://github.com/moby/moby/issues/32195