meta data for this page
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
linux:docker [2019/03/28 12:30] niziak [Linux Kernel drivers] |
linux:docker [2020/05/07 09:05] (current) niziak |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Docker ====== | ||
| * **Docker image** - operating system with preconfigured application (service) | * **Docker image** - operating system with preconfigured application (service) | ||
| Line 79: | Line 80: | ||
| * https://github.com/ClusterHQ/flocker | * https://github.com/ClusterHQ/flocker | ||
| - | ====== Volumes ====== | ||
| - | [[https://docs.docker.com/engine/tutorials/dockervolumes/]] | ||
| - | |||
| - | Data volumes are designed to persist data, independent of the container’s life cycle. Docker therefore never automatically delete volumes when you remove a container, nor will it “garbage collect” volumes that are no longer referenced by a container. | ||
| - | A Docker data volume persists after a container is deleted. | ||
| - | |||
| - | Volumes types: | ||
| - | * local storage (original image data located in specified directory are copied to volume during creation) | ||
| - | * bind-mounted host (original image data are **not copied**) | ||
| - | * volume plugins | ||
| - | |||
| - | ===== BTRFS Volume plugin for Docker ===== | ||
| - | [[https://github.com/anybox/buttervolume]] | ||
| - | |||
| - | |||
| - | Volume destination inside container must be a absolute path. | ||
| - | |||
| - | Run shell with mounted volume from another docker: | ||
| - | <code bash>docker run --rm -i --volumes-from dbdata busybox ash</code> | ||
| - | <code bash>docker run --rm -i --volumes-from dbdata debian:jessie-slim /bin/bash</code> | ||
| - | |||
| - | Single file can be mounted as volume: | ||
| - | <code bash>docker run --rm -it -v ~/.bash_history:/root/.bash_history debian:jessie-slim bash /bin/bash</code> | ||
| - | |||
| - | Create named volume and share it between multiple containers: | ||
| - | <code bash> | ||
| - | docker run -d -P -v my-named-volume:/opt --name test1 debian:jessie-slim bash | ||
| - | docker run -d -P -v my-named-volume:/opt --name test2 debian:jessie-slim bash | ||
| - | docker run -d -P -v my-named-volume:/opt --name test3 debian:jessie-slim bash | ||
| - | </code> | ||
| - | |||
| - | To protect data from being deleted with volume use ''local-persist'' plugin: [[https://github.com/CWSpear/local-persist]] | ||
| - | |||
| - | Find orphaned volumes | ||
| - | <code bash> | ||
| - | docker volume ls -f dangling=true | ||
| - | docker volume rm <volume name> | ||
| - | </code> | ||
| - | |||
| - | Transfer volume to another host [[https://www.guidodiepen.nl/2016/05/transfer-docker-data-volume-to-another-host/]] | ||
| - | |||
| - | [[https://github.com/gdiepen/docker-convenience-scripts/blob/master/docker_get_data_volume_info.sh]] | ||
| - | |||
| - | ====== Network ====== | ||
| - | |||
| - | [[http://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/]] | ||
| - | [[http://stackoverflow.com/questions/26539727/giving-a-docker-container-a-routable-ip-address]] | ||
| - | |||
| - | ===== Linux Kernel drivers ===== | ||
| - | |||
| - | * **bridge** - gives connectivity between endpoints, but external access requires NAT | ||
| - | * **macvlan** - to expose endpoints directly to LAN (can get address from network DHCP server) | ||
| - | * **macvlan** needs to be used in cases where common dhcp server is used since dhcp server would need unique mac address which **ipvlan** does not have. | ||
| - | * PROBLEMS: | ||
| - | * The switch the host is connected to may have a policy that limits the number of different MAC addresses on a physical port. | ||
| - | * Many NICs have a limit on the number of MAC addresses they support in hardware. Exceeding the limit may affect the performance. | ||
| - | * IEEE 802.11 doesn’t like multiple MAC addresses on a single client. It is likely macvlan sub-interfaces will be blocked by your wireless interface driver, AP or both | ||
| - | * **Note**: Linux Macvlan interface types are not able to ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host's eth0 it will not work. That traffic is explicitly filtered by the kernel to offer additional provider isolation and security. This is a common gotcha when a user first uses those Linux interface types since it is natural to ping local addresses when testing. | ||
| - | |||
| - | * **ipvlan** - [[https://www.kernel.org/doc/Documentation/networking/ipvlan.txt|ipvlan.txt]] similar to macvlan, but endpoints have the same MAC address. Ipvlan has two modes of operation. Only one of the two modes can be selected on a single parent interface. All sub-interfaces operate in the selected mode: | ||
| - | * **L2** - bridge mode (requires external router if endpoints are in different networks) | ||
| - | * **L3** - packets are routed between endpoints (without touching TTL) | ||
| - | * *ipvlan* - should be used in cases where some switches restrict the maximum number of mac address per physical port due to port security configuration. | ||
| - | * use it if parent interface is wireless | ||
| - | * PROBLEMS: | ||
| - | * Shared MAC address can affect DHCP operations. If your VMs or containers use DHCP to acquire network settings, make sure they use unique ClientID in the DHCP request and ensure your DHCP server assigns IP addresses based on ClientID, not client’s MAC address. | ||
| - | * Autoconfigured EUI-64 IPv6 addresses are based on MAC address. All VMs or containers sharing the same parent interface will auto-generate the same IPv6 address. Ensure that your VMs or containers use static IPv6 addresses or IPv6 privacy addresses and disable SLAAC. | ||
| - | |||
| - | ==== macvlan details ==== | ||
| - | |||
| - | [[https://hicu.be/bridge-vs-macvlan]] | ||
| - | Macvlan modes: | ||
| - | * private - frames are sent into cable. But even if exernal switch forwards packets back according to mac address, packet will be dropped. | ||
| - | * VEPA - alla frames are sent int cable. External switch has to forward it back to provide communication between maclvan interfaces. | ||
| - | * IEEE 802.1Qbg aka Virtual Ethernet Port Aggregator physical switch | ||
| - | * Bridge - all macvlan interfaces bridged internally. Traffic between macvlans are forwarded locally. Broadcast packets are formwared locally and into the cable. But if external switch reflects packets, packets are filtered to prevent duplicates. | ||
| - | * **passtrhru** - assign real physical interface for single VM (and gives full controll to interface) | ||
| - | |||
| - | |||
| - | |||
| - | ==== macvlan ==== | ||
| - | |||
| - | There can be only one macvlan network with the same subnet and gateway. So better is to create network manually: | ||
| - | <code bash> | ||
| - | docker network create --driver=macvlan \ | ||
| - | -o parent="br0" \ | ||
| - | --subnet="192.168.0.0/22" \ | ||
| - | --gateway="192.168.0.1" \ | ||
| - | ${NETWORK_NAME} | ||
| - | </code> | ||
| - | |||
| - | and then attach containers to existing network: | ||
| - | <file yaml docker-compose.yml> | ||
| - | version: '2' | ||
| - | |||
| - | services: | ||
| - | myservice: | ||
| - | networks: | ||
| - | lan: | ||
| - | ipv4_address: "192.168.0.241" | ||
| - | |||
| - | networks: | ||
| - | lan: | ||
| - | external: | ||
| - | name: real_lan | ||
| - | </file> | ||
| - | |||
| - | or | ||
| - | <code bash>docker network connect --ip="192.168.0.241" real_lan myservice</code> | ||
| - | |||
| - | ====== data persistence in swarm ====== | ||
| - | [[http://mysqlrelease.com/2016/08/trying-out-mysql-in-docker-swarm-mode/]] | ||
| - | [[https://forums.docker.com/t/data-base-persistence-in-docker-swarm-mode/20665/7]] | ||
| ====== Backup ====== | ====== Backup ====== | ||