book

Docker for Developers

Name: Docker for Developers
ISBN: 9781789536058

by Richard Bullington-McGuire, Andrew K. Dennis, Michael Schwartz

September 2020

Intermediate to advanced

468 pages

10h 11m

English

Packt Publishing

Read now

Unlock full access

Docker for Developers
Why subscribe?ContributorsAbout the authorsAbout the reviewerPackt is searching for authors like you
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchReviews
Section 1: An Introduction to Docker – Containers and Local Development
Chapter 1: Introduction to Docker
The drivers for DockerCo-located hosting Self-hostingData centersUsing virtualization to economize resource usageAddressing the increasing power requirementsUsing containers to further optimize data center resourcesSummaryFurther reading
Chapter 2: Using VirtualBox and Docker Containers for Development
Technical requirementsHost filesystem pollution problemUsing VirtualBox for virtual machinesIntroduction to virtualizationCreating a virtual machineGuest additionsInstalling VirtualBoxUsing Docker containersIntroduction to containersUsing Docker for developmentGetting started with DockerAutomating Docker commands via sh scriptsSummaryFurther reading
Chapter 3: Sharing Containers Using Docker Hub
Technical requirementsIntroducing Docker HubInteracting with Docker Hub from the command lineUsing the Docker Hub websiteImplementing a MongoDB container for our applicationRunning a shell within a containerIntroducing the microservices architectureScalabilityInter-container communicationImplementing a sample microservices applicationSharing your containers on Docker HubSummaryFurther reading
Chapter 4: Composing Systems Using Containers
Technical requirementsIntroduction to Docker ComposeThe problem with .sh scriptsDocker Compose configuration filesInheritance using multiple configuration filesThe depends_on optionAdding port bindings using overridesUsing Docker local networkingNetworking using .sh scriptsNetworking with Docker ComposeBinding a host filesystem within containersOptimizing our container sizeUsing the build.sh scriptOther composition toolsDocker SwarmKubernetesPackerSummaryFurther reading
Section 2: Running Docker in Production
Chapter 5: Alternatives for Deploying and Running Containers in Production
Technical requirementsExample application – ShipIt ClickerRunning Docker in production – many paths, choose wiselyWhat is the minimum realistic production environment?Bare minimum – run Docker and Docker Compose on one hostDocker supportProblems with single-host deploymentManaged cloud services Google Kubernetes EngineAWS Elastic BeanstalkAWS ECS and FargateAWS EKSMicrosoft Azure Kubernetes ServiceDigital Ocean Docker SwarmRunning your own Kubernetes cluster – from bare metal to OpenStackDeciding on the right Docker production setup Exercise – join the ShipIt Clicker teamExercise – choosing from reasonable deployment alternativesExercise – Dockerfile and docker-compose.yml evaluation Summary
Chapter 6: Deploying Applications with Docker Compose
Technical requirementsExample application – ShipIt Clicker v2Selecting a host and operating system for single-host deploymentRequirements for single-host deploymentPreparing the host for Docker and Docker ComposeUsing operating system packages to install Docker and GitDeploying using configuration files and support scriptsRe-examining the initial DockerfileRe-examining the initial docker-compose.yml filePreparing the production .env fileSupporting scriptsExercise – keeping builds off the production serverExercise – planning to secure the production siteMonitoring small deployments – logging and alertingLimitations of single-host deploymentNo automatic failoverInability to scale horizontally to accept more loadTracking down unstable behavior based on incorrect host tuningLoss of single host could be disastrous – backups are essentialCase study – migrating from CoreOS and Digital Ocean to CentOS 7 and AWSSummaryFurther reading

Chapter 7: Continuous Deployment with Jenkins
Technical requirementsExample application – ShipIt Clicker v3Using Jenkins to facilitate continuous deploymentAvoid these trapsUsing an existing Jenkins serverSetting up a new Jenkins serverHow Jenkins can support continuous deploymentThe Jenkinsfile and host connectivityTesting Jenkins and Docker with a pipeline scriptDriving configuration changes through JenkinsUsing Git and GitHub to store your JenkinsfileChanging the origin of all checked out repositoriesCreating Jenkins environment variables for production supportBuilding Docker containers and pushing them to Docker HubPushing to Docker Hub and triggering a production deploymentDeploying to multiple environments through multiple branchesCreating a staging environmentCreating Jenkins environment variables for staging supportDeploying by force-pushing to the staging branchComplexity and limits to scaling deployments through JenkinsManaging multiple hostsThe complexity of build scriptsHow do you know when you have hit the limit?SummaryFurther reading
Chapter 8: Deploying Docker Apps to Kubernetes
Technical requirementsOptions for Kubernetes local installationMinikubeVerifying that your Kubernetes installation worksDeploying a sample application – ShipIt Clicker v4Deploying the NGINX Ingress Controller and ShipIt Clicker locallyChoosing a Kubernetes distributionGoogle Kubernetes EngineAWS EKSMicrosoft Azure Kubernetes ServiceReviewing other relevant optionsObjectsConfigMapsPodsNodesServicesIngress ControllersSecretsNamespacesSpinning up AWS EKS with CloudFormationIntroducing the AWS EKS Quick Start CloudFormation templatesPreparing an AWS account Launching the AWS EKS Quick Start CloudFormation templatesConfiguring the EKS clusterDeploying an application with resource limits to Kubernetes on AWS EKSAnnotating ShipIt Clicker to use the ALB Ingress ControllerUsing AWS Elastic Container Registry with AWS EKSCreating an ECR repositoryLocal example – labeled environments in the default namespaceStaged environments – Dev, QA, staging, and productionSummary
Chapter 9: Cloud-Native Continuous Deployment Using Spinnaker
Technical requirementsImproving your setup for Kubernetes application maintenanceManaging the EKS cluster from your local workstationTroubleshooting kubectl connection failuresSwitching between local and cluster contextsVerifying that you have a working ALB Ingress ControllerPreparing a Route 53 domain and certificateBuilding and deploying ShipIt Clicker v5Spinnaker – when and why you might need more sophisticated deploymentsIntroduction to SpinnakerSetting up Spinnaker in an AWS EKS cluster using HelmConnecting to Spinnaker through the kubectl proxyExposing Spinnaker via ALB Ingress ControllersConfiguring Spinnaker using HalyardConnecting Spinnaker to JenkinsSetting up Jenkins to integrate with both Spinnaker and ECRConnecting Spinnaker to GitHubConnecting Spinnaker to Docker HubTroubleshooting Spinnaker issuesDeploying ShipIt Clicker with a simple deployment strategy in SpinnakerAdding a Spinnaker applicationAdding a Spinnaker pipelineSetting up a DNS entry for the Ingress ControllerSurveying Spinnaker's deployment and testing featuresCanary deploymentsRed/black deploymentsRolling backTesting with SpinnakerSummaryFurther reading
Chapter 10: Monitoring Docker Using Prometheus, Grafana, and Jaeger
Technical requirementsSetting up a demo application – ShipIt Clicker v7Docker logging and container runtime loggingUnderstanding Kubernetes container logging Ideal characteristics for a log management systemTroubleshooting Kubernetes control plane issues with logsStoring logs with CloudWatch LogsStoring logs for the long term with AWS S3Analyzing logs stored in S3 with AWS AthenaUsing the liveness, readiness, and startup probes in KubernetesUsing a liveness probe to see whether a container can respondChanging ShipIt Clicker to support separate liveness and readiness probesExercise – forcing ShipIt Clicker to fail the readiness checkGathering metrics and sending alerts with PrometheusPrometheus' historyExploring Prometheus through its query and graph web interfaceAdding Prometheus metrics to an applicationQuerying Prometheus for a custom metricConfiguring Prometheus alerts Sending notifications with the Prometheus AlertmanagerExploring Prometheus queries and external monitoring in-depthVisualizing operational data with GrafanaGaining access to GrafanaAdding a community-provided dashboardAdding a new dashboard with a custom queryApplication performance monitoring with JaegerUnderstanding the OpenTracing APIIntroduction to JaegerExploring the Jaeger client with ShipIt ClickerInstalling the Jaeger OperatorSummaryFurther reading
Chapter 11: Scaling and Load Testing Docker Applications
Technical requirementsUsing the updated ShipIt Clicker v8Scaling your Kubernetes clusterScaling the cluster manuallyScaling the cluster dynamically (autoscaling)What is Envoy, and why might I need it?Network traffic management with an Envoy service meshSetting up Envoy Testing scalability and performance with k6Recording and replaying network sessionsHand-crafting a more realistic load testRunning a stress testSummaryFurther reading
Section 3: Docker Security – Securing Your Containers
Chapter 12: Introduction to Container Security
Technical requirementsVirtualization and hypervisor security models Virtualization and protection ringsDocker and protection ringsContainer security modelsDocker Engine and containerd – Linux security featuresPID namespacesMNT namespacesNET namespacesIPC namespacesUTS namespacesUSER namespacesA note on cgroupsAn overview of best practicesKeeping Docker patchedSecuring the Docker daemon socketDocker won't fix bad codeAlways set an unprivileged userSummary
Chapter 13: Docker Security Fundamentals and Best Practices
Technical requirementsDocker image securityImage verificationUsing minimal base imagesRestricting privilegesAvoiding data leakages from your imageSecurity around Docker commandsCOPY versus ADD – what's the story?Recursive COPY – use with cautionSecurity around the build process Using multi-stage buildsLimiting resources and capabilities when deploying your buildsLimiting resourcesDropping capabilitiesSummary
Chapter 14: Advanced Docker Security – Secrets, Secret Commands, Tagging, and Labels
Technical requirementsSecurely storing secrets in Docker The Raft logAdding, inspecting, and removing secrets  CreatingInspectingDeletingSecrets in action – examples Docker tags for securityUsing labels for metadata application Summary
Chapter 15: Scanning, Monitoring, and Using Third-Party Tools
Technical requirementsScanning and monitoring – cloud and DevOps security for containersScanning using Anchore EngineA brief mention of Chef InSpecNative monitoring locally using Docker statsAggregating monitoring data in the cloud with Datadog Securing your containers using AWSSecurity alerts for AWS with GuardDuty Securing your containers using AzureContainer monitoring in AzureUsing Security Center to secure your containers in AzureSecuring your containers using GCPContainer Analysis and Binary Authorization in GCPUnderstanding your attack surface with Security Command CenterSummaryFurther reading
Chapter 16: Conclusion – End of the Road, but not the Journey
Technical requirementsWrapping up – let's get startedWhat we learned about developmentGoing deeper – design patternsNext steps for taking your DevOps knowledge furtherChaos engineering and building resilient production systemsA summary on security and where to go nextMetasploit – container-based penetration testingSummary
Other Books You May Enjoy
Leave a review - let other readers know what you think

Content preview from Docker for Developers

Chapter 14: Advanced Docker Security – Secrets, Secret Commands, Tagging, and Labels

We've seen several examples so far of the need to use files that contain secrets. We can think of secrets as a generic term for the types of sensitive data that would typically be stored in config and ENV files, such as database access credentials or API tokens. Docker provides a handy method for securing this type of data and sharing it. For legacy systems using swarm mode instead of Kubernetes, having an understanding of how to apply security to these environments is important, as you may have to retroactively fix environments in your career.

Along with managing secret data, we can also use labels and tags to help ensure we are working with security in mind. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781789536058

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Docker for Developers

by Richard Bullington-McGuire, Andrew K. Dennis, Michael Schwartz

Chapter 14: Advanced Docker Security – Secrets, Secret Commands, Tagging, and Labels

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.