Docker

What Is It?

Docker is a containerization platform that packages applications and their dependencies into portable, isolated containers. It uses images as immutable templates and provides networking, volume management, and a build system (Dockerfiles).

Installation

dnf install docker-ce docker-ce-cli containerd.io (from Docker repo)

Key Files and Directories

Path                      Purpose
/etc/docker/daemon.json   Docker daemon configuration
Dockerfile                Image build instructions
/var/lib/docker/          Images, containers, volumes

Configuration

Docker is configured via the daemon configuration file and per-image build instructions.

Minimal Working Configuration

Daemon config (/etc/docker/daemon.json) — controls networking, storage, and runtime behaviour:

{
  "bip": "10.200.0.1/24",
  "storage-driver": "overlay2",
  "default-address-pools": [
    { "base": "10.201.0.0/24", "size": 24 },
    { "base": "10.202.0.0/24", "size": 24 }
  ]
}

  • bip — the IP address and subnet for the docker0 bridge interface. Must not conflict with your host or cloud network.
  • storage-driver — overlay2 is the recommended storage driver for modern Linux.
  • default-address-pools — IP ranges assigned to Docker networks. Must not overlap with existing network ranges.
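
Because an overlapping bip or address pool silently breaks host connectivity, it is worth checking a daemon.json against the networks the host already uses before starting the daemon. The following Python check is an added example, not part of this page or of Docker; the embedded daemon.json is the one shown above and HOST_NETWORKS is a constructed list standing in for your LAN, VPN and cloud VPC ranges.

```python
import ipaddress
import json

# Constructed sample: the daemon.json shown on this page.
DAEMON_JSON = """{
  "bip": "10.200.0.1/24",
  "storage-driver": "overlay2",
  "default-address-pools": [
    { "base": "10.201.0.0/24", "size": 24 },
    { "base": "10.202.0.0/24", "size": 24 }
  ]
}"""

# Constructed sample: ranges the host already uses (LAN, VPN, cloud VPC).
HOST_NETWORKS = ["192.168.1.0/24", "10.202.0.0/16"]


def docker_ranges(config_text):
    """Return (label, network) pairs for every range Docker would allocate from."""
    cfg = json.loads(config_text)
    ranges = []
    if "bip" in cfg:
        # bip is an interface address (host/prefix); strict=False gives its network.
        ranges.append(("bip", ipaddress.ip_network(cfg["bip"], strict=False)))
    for pool in cfg.get("default-address-pools", []):
        base = ipaddress.ip_network(pool["base"])
        # Each Docker network is a /size carved out of base, so size must not exceed base.
        if pool["size"] < base.prefixlen:
            raise ValueError(f"pool {base}: size /{pool['size']} exceeds the base block")
        ranges.append(("default-address-pool", base))
    return ranges


def find_conflicts(config_text, host_cidrs):
    """List Docker ranges that overlap host networks or one another."""
    hosts = [ipaddress.ip_network(c) for c in host_cidrs]
    ranges = docker_ranges(config_text)
    problems = []
    for label, net in ranges:
        for h in hosts:
            if net.overlaps(h):
                problems.append(f"{label} {net} overlaps host network {h}")
    for i, (l1, a) in enumerate(ranges):
        for l2, b in ranges[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{l1} {a} overlaps {l2} {b}")
    return problems


if __name__ == "__main__":
    for problem in find_conflicts(DAEMON_JSON, HOST_NETWORKS):
        print("CONFLICT:", problem)
```

Replace HOST_NETWORKS with the output of `ip route` on the host (and your VPC CIDRs) to check a real daemon.json.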

Installation (CentOS/RHEL):

# Add Docker repository
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# Install Docker
sudo dnf install docker-ce docker-ce-cli containerd.io

# Create /etc/docker/daemon.json (contents shown above) BEFORE starting Docker, then start and enable the service
sudo systemctl start docker
sudo systemctl enable docker

# Add your user to the docker group (avoids needing sudo)
sudo usermod -aG docker $USER
# Log out and back in for group change to take effect

Dockerfile — instructions for building a custom image:

FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
EXPOSE 5000
CMD ["python", "app.py"]

Key Dockerfile instructions:

  • FROM — base image to build upon
  • WORKDIR — set the working directory inside the container
  • COPY / ADD — copy files from the build context into the image
  • RUN — execute a command during image build (e.g. install packages)
  • EXPOSE — document which port the container listens on
  • CMD — default command to run when the container starts
  • ENV — set environment variables

Important Directives

Port mapping (-p)
Maps a host port to a container port: -p 8080:80 makes the container's port 80 accessible on the host's port 8080.
Detached mode (-d)
Runs the container in the background.
Naming (--name)
Assigns a human-readable name to the container instead of a random ID.
Volume mounts (-v)
Mounts a host directory into the container: -v /host/path:/container/path. Data persists even if the container is removed.
Environment variables (-e)
Pass configuration into the container: -e MYSQL_ROOT_PASSWORD=secret.
Networks (--network)
Attach the container to a specific Docker network for inter-container communication.

Common Commands

# Run a container (detached, named, with port mapping)
docker run -d --name myapp -p 8080:80 nginx

# List running containers
docker ps

# List all containers (including stopped)
docker ps -a

# Stop / start / restart a container
docker stop myapp
docker start myapp
docker restart myapp

# Remove a container
docker rm myapp

# View container logs
docker logs myapp
docker logs -f myapp    # Follow (tail) logs

# Execute a command inside a running container
docker exec -it myapp /bin/bash

# Inspect container details (IP, mounts, config)
docker inspect myapp

# List images
docker image ls

# Build an image from a Dockerfile
docker build -t myimage:latest .

# Remove an image
docker rmi myimage:latest

# Pull an image from a registry
docker pull nginx:latest

# View disk usage
docker system df

# Clean up unused resources
docker system prune

Logging and Debugging

  • Container logs: docker logs <container> shows stdout/stderr output from the container process.
  • Follow logs: docker logs -f <container> for real-time log tailing.
  • Inspect: docker inspect <container> shows full configuration including network settings, mounts, and environment variables.
  • Exec into container: docker exec -it <container> /bin/sh opens an interactive shell inside a running container for debugging.
  • Events: docker events streams real-time events from the Docker daemon.
  • Resource usage: docker stats shows live CPU, memory, and network usage per container.

Troubleshooting checklist:

  1. docker ps -a — is the container running or has it exited?
  2. docker logs <container> — any application errors?
  3. docker inspect <container> — correct network/port/volume config?
  4. ss -tulpn | grep <port> — is the port mapped on the host?
  5. docker exec -it <container> /bin/sh — can you reach the application from inside?

Security Considerations

  • Do not run Docker commands with sudo: Add your user to the docker group instead. Running as root increases risk. Note that membership in the docker group grants root-equivalent access to the host through the daemon, so grant it only to trusted users.
  • Network conflicts: Docker creates virtual networks. The bip and default-address-pools settings must not overlap with your host network or cloud VPC ranges, or you will lose network connectivity.
  • Image provenance: Only pull images from trusted registries. Use a local cache registry (e.g. registry.hpc.ut.ee/mirror) to avoid rate limits and verify image sources.
  • Non-root containers: Where possible, run container processes as a non-root user (use USER directive in Dockerfile).
  • Read-only filesystems: Use --read-only flag for containers that do not need to write to their filesystem.
  • Limit resources: Use --memory and --cpus flags to prevent a single container from consuming all host resources.
  • Do not store secrets in images: Use environment variables or Docker secrets at runtime, not baked into the image.
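
To verify the non-root, read-only and resource-limit items above on running containers, the following Python audit is an added example (not part of this page or of Docker) that reads the JSON array printed by docker inspect; the embedded INSPECT_OUTPUT is a constructed dump trimmed to the fields the audit uses.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` output (a JSON array),
# trimmed to the fields this audit reads; a real dump has many more.
INSPECT_OUTPUT = """[
  {"Name": "/myapp",
   "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false, "Memory": 0, "NanoCpus": 0}},
  {"Name": "/hardened",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"ReadonlyRootfs": true, "Memory": 536870912, "NanoCpus": 1000000000}}
]"""


def is_root_user(user):
    """True when Config.User is empty or names uid 0 (Docker then runs as root)."""
    name = user.split(":", 1)[0]
    return name in ("", "0", "root")


def audit_container(entry):
    """Return the hardening items from this page that the container is missing."""
    cfg = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    if is_root_user(cfg.get("User", "")):
        findings.append("runs as root (add USER to the Dockerfile or pass --user)")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (consider --read-only)")
    if not host.get("Memory"):          # 0 means unlimited; --memory sets bytes
        findings.append("no memory limit (--memory)")
    if not host.get("NanoCpus"):        # 0 means unlimited; --cpus 1 sets 1e9
        findings.append("no CPU limit (--cpus)")
    return findings


def audit_inspect(inspect_json):
    """Map container name -> findings for each entry of a docker inspect dump."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    # Read a real dump from stdin when piped; otherwise audit the sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else INSPECT_OUTPUT
    for name, findings in audit_inspect(data).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

Run it against live containers with `docker inspect $(docker ps -q) | python3 audit.py`.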

Further Reading

  • Concepts: Containers
  • SOPs: Container Operations