Docker in Action, Second Edition you own this product

Jeff Nickoloff and Stephen Kuenzli
Foreword by Bret Fisher

October 2019
ISBN 9781617294761
336 pages

Included with a Manning Online subscription

printed in black & white

available in Simplified Chinese

catalog / Software Development / Cloud / Containerization / Docker

table of content

1 Welcome to Docker

1.1 What is Docker?

1.1.1 “Hello, World”

1.1.2 Containers

1.1.3 Containers are not virtualization

1.1.4 Running software in containers for isolation

1.1.5 Shipping containers

1.2 What problems does Docker solve?

1.2.1 Getting organized

1.2.2 Improving portability

1.2.3 Protecting your computer

1.3 Why is Docker important?

1.4 Where and when to use Docker

1.5 Docker in the Larger Ecosystem

1.6 Getting help with the Docker command line

Summary

Part 1: Process isolation and environment-independent computing

2 Running software in containers

2.1 Controlling containers: building a website monitor

2.1.1 Creating and starting a new container

2.1.2 Running interactive containers

2.1.3 Listing, stopping, restarting, and viewing output of containers

2.2 Solved problems and the PID namespace

2.3 Eliminating metaconflicts: Building a website farm

2.3.1 Flexible container identification

2.3.2 Container state and dependencies

2.4 Building environment-agnostic systems

2.4.1 Read-only file systems

2.4.2 Environment variable injection

2.5 Building durable containers

2.5.1 Automatically restarting containers

2.5.2 PID 1 and init systems

2.6 Cleaning up

Summary

3 Software installation simplified

3.1 Identifying software

3.1.1 What is a named repository?

3.1.2 Using tags

3.2 Finding and installing software

3.2.1 Working with Docker registries from the command line

3.2.2 Using alternative registries

3.2.3 Images as files

3.2.4 Installing from a Dockerfile

3.2.5 Docker Hub from the website

3.3 Installation files and isolation

3.3.1 Image layers in action

3.3.2 Layer relationships

3.3.3 Container file system abstraction and isolation

3.3.4 Benefits of this toolset and file system structure

3.3.5 Weaknesses of union file systems

Summary

4 Working with storage and volumes

4.1 File trees and mount points

4.2 Bind mounts

4.3 In-memory storage

4.4 Docker volumes

4.4.1 Volumes provide container-independent data management

4.4.2 Using volumes with a NoSQL database

4.5 Shared mount points and sharing files

4.5.1 Anonymous volumes and the volumes-from flag

4.6 Cleaning up volumes

4.7 Advanced storage with volume plugins

Summary

5 Single-host networking

5.1 Networking background (for beginners)

5.1.1 Basics: protocols, interfaces, and ports

5.1.2 Bigger picture: networks, NAT, and port forwarding

5.2 Docker container networking

5.2.1 Creating a user-defined bridge network

5.2.2 Exploring a bridge network

5.2.3 Beyond bridge networks

5.3 Special container networks: host and none

5.4 Handling inbound traffic with NodePort publishing

5.5 Container networking caveats and customizations

5.5.1 No firewalls or network policies

5.5.2 Custom DNS configuration

5.5.3 Externalizing network management

Summary

6 Limiting risk with resource controls

6.1 Setting resource allowances

6.1.1 Memory limits

6.1.2 CPU

6.1.3 Access to devices

6.2 Sharing memory

6.2.1 Sharing IPC primitives between containers

6.3 Understanding users

6.3.1 Working with the run-as user

6.3.2 Users and volumes

6.3.3 Introduction to the Linux user namespace and uid remapping

6.4 Adjusting OS feature access with capabilities

6.5 Running a container with full privileges

6.6 Strengthening containers with enhanced tools

6.6.1 Specifying additional security options

6.7 Building use-case-appropriate containers

6.7.1 Applications

6.7.2 High-level system services

6.7.3 Low-level system services

Summary

Part 2: Packaging software for distribution

7 Packaging software in images

7.1 Building Docker images from a container

7.1.1 Packaging Hello World

7.1.2 Preparing packaging for Git

7.1.3 Reviewing file system changes

7.1.4 Committing a new image

7.1.5 Configurable image attributes

7.2 Going deep on Docker images and layers

7.2.1 An exploration of union file systems

7.2.2 Reintroducing images, layers, repositories, and tags

7.2.3 Managing image size and layer limits

7.3 Exporting and importing flat filesystems

7.4 Versioning best practices

Summary

8 Building images automatically with Dockerfiles

8.1 Packaging Git with a Dockerfile

8.2 A Dockerfile primer

8.2.1 Metadata instructions

8.2.2 File system instructions

8.3 Injecting downstream build-time behavior

8.4 Creating maintainable Dockerfiles

8.5 Using startup scripts and multiprocess containers

8.5.1 Environmental preconditions validation

8.5.2 Initialization processes

8.5.3 The Purpose and Use of Health Checks

8.6 Building hardened application images

8.6.1 Content addressable image identifiers

8.6.2 User permissions

8.6.3 SUID and SGID permissions

Summary

9 Public and private software distribution

9.1 Choosing a distribution method

9.1.1 A distribution spectrum

9.1.2 Selection criteria

9.2 Publishing with hosted registries

9.2.1 Publishing with public repositories: Hello World via Docker Hub

9.2.2 Private hosted repositories

9.3 Introducing private registries

9.3.1 Using the registry image

9.3.2 Consuming images from your registry

9.4 Manual image publishing and distribution

9.4.1 A sample distribution infrastructure using the File Transfer Protocol

9.5 Image source-distribution workflows

9.5.1 Distributing a project with Dockerfile on GitHub

Summary

10 Image Pipelines

10.1 Goals of an image build pipeline

10.2 Patterns for building images

10.2.1 All-in-one images

10.2.2 Separate build and runtime images

10.2.3 Create variations of application runtime image using multi-stage builds

10.3 Record metadata at image build time

10.3.1 Orchestrating the build with make

10.4 Testing images in a build pipeline

10.5 Patterns for tagging images

10.5.1 Background

10.5.2 Continuous Delivery with Unique Tags

10.5.3 Configuration image per deployment stage

10.5.4 Semantic Versioning

Summary

Part 3: Higher-level abstractions and orchestration

11 Services with Docker and Compose

11.1 A Service “Hello, World!”

11.1.1 Automated resurrection and replication

11.1.2 Automated Rollout

11.1.3 Service health and rollback

11.2 Declarative Service Environments with Compose V3

11.2.1 A YAML Primer

11.2.2 Collections of Services with Compose V3

11.3 Stateful services and preserving data

11.4 Load balancing, service discovery, and networks with Compose

Summary

12 First-class configuration abstractions

12.1 Configuration distribution and management

12.2 Separating application and configuration

12.2.1 The Config Resource

12.2.2 Deploy the application

12.2.3 Managing Config Resources Directly

12.3 Secrets—A special kind of configuration

12.3.1 Using Docker Secrets

Summary

13 Orchestrating services on a cluster of Docker hosts with Swarm

13.1 Clustering with Docker Swarm

13.1.1 Introducing Docker Swarm Mode

13.1.2 Deploying a Swarm Cluster

13.2 Deploying an application to a Swarm cluster

13.2.1 Introducing Docker Swarm Cluster Resource Types

13.2.2 Define an Application and its Dependencies Using Docker Services Service

13.2.3 Deploy the Application

13.3 Communicating with services running on a Swarm cluster

13.3.1 Routing Client Requests to Services Using the Swarm Routing Mesh

13.3.2 Overlay Networks

13.3.3 Discovering Services on an Overlay Network

13.3.4 Isolating Service-Service Communication with Overlay Networks

13.3.5 Load Balancing

13.4 Placing service tasks on the cluster

13.4.1 Replicated Services

13.4.2 Constraining Where Tasks Run

13.4.3 Global Services for One Task per Node

13.4.4 Deployment of Real Applications Onto Real Clusters

Summary

Overview

1 Welcome to Docker

Docker is introduced as an open source tool that makes modern software packaging, distribution, and execution simple by default through Linux containers. Rather than being a language or framework—or a hardware virtualization technology—it provides a consistent, CLI-driven way to build, ship, and run applications as isolated processes that share the host kernel. The chapter shows this with a “Hello, World” example that pulls an image, creates a container, runs a command, and then stops, illustrating how images (the shippable units) become containers (the runnable units) via registries. It contrasts containers with virtual machines, emphasizing faster startup, lower overhead, and complementary use with VMs on macOS, Windows, and in the cloud.

The narrative frames Docker as a practical antidote to dependency conflicts, inconsistent installations, and drift across machines. By isolating applications and their dependencies per container, teams get cleaner systems, repeatable deployments, and trusted removal. Portability improves because the same image can run in development, CI, and production, boosting confidence and iteration speed. Security is strengthened by default isolation (namespaces, cgroups, capability drops, and security modules), limiting the blast radius of misbehaving or malicious software. Operationally, containers start quickly and scale efficiently; development teams can version, share, and update complete environments; and system administrators gain a declarative, expressive runtime to control configuration and resource access.

Docker’s importance stems from its clear abstraction for install/run/remove workflows, broad industry adoption, and its app-store-like simplicity that accelerates safe software use across platforms. The chapter advises using containers widely for server and many desktop workloads that suit Linux (or Windows containers on Windows Server), while noting limitations for apps that require full machine access or elevated privileges. It also situates Docker within a larger ecosystem—images, registries, and higher-level tools like Kubernetes for orchestration—encouraging readers to master Docker fundamentals before adopting more complex platforms. Finally, it points to the built-in command help as the fastest path to learn exact syntax and capabilities on any installation.

What happens after running docker run

Running docker run a second time. Because the image is already installed, Docker can start the new container right away.

A basic computer stack running two programs that were started from the command line

Docker running three containers on a basic Linux computer system

Example programs running inside containers with copies of their dependencies Figure 1.5 Dependency relationships of example programs

Figure 1.5 Dependency relationships of example programs

A close up of text on a white background Description automatically generated

Left: a malicious program with direct access to sensitive resources. Right: a malicious program inside a container.

A picture containing text, map Description automatically generated

Summary

This chapter has been a brief introduction to Docker and the problems it helps system administrators, developers, and other software users solve. In this chapter you learned that:

Docker takes a logistical approach to solving common software problems and simplifies your experience with installing, running, publishing, and removing software. It’s a command-line program, an engine background process, and a set of remote services. It’s integrated with community tools provided by Docker Inc.
The container abstraction is at the core of its logistical approach.
Working with containers instead of software creates a consistent interface and enables the development of more sophisticated tools.
Containers help keep your computers tidy because software inside containers can’t interact with anything outside those containers, and no shared dependencies can be formed.
Because Docker is available and supported on Linux, OS X, and Windows, most software packaged in Docker images can be used on any computer.
Docker doesn’t provide container technology; it hides the complexity of working directly with the container software; and turns best practices into reasonable defaults.
Docker works with the greater container ecosystem; that ecosystem is rich with tooling that solves new and higher-level problems.
If you need help with a command you can always consult the docker help subcommand.

FAQ

What is Docker, in simple terms?

Docker is an open-source toolset for building, shipping, and running software as containers. It includes a background service (engine/daemon), a command-line interface, and supporting services that package your app and its dependencies into portable images and run them as isolated containers.

How are containers different from virtual machines?

Containers share the host operating system kernel and isolate processes using OS features, so they start fast and use fewer resources. Virtual machines emulate hardware and run a full guest OS, which adds overhead and slower startup. The two are complementary—Docker often runs inside a small VM on macOS/Windows and in many cloud setups.

How do I run my first container and what happens behind the scenes?

Run docker run dockerinaction/hello_world. Docker checks for the image locally, pulls it from Docker Hub if missing, creates a container, executes the image’s default command (prints “hello world”), then stops the container when the process exits. Running the command again reuses the cached image but creates a new container each time.

What are images, containers, registries, and how do they relate?

- Image: a read-only package of files plus metadata (the “shipping container” for software).
- Container: a runnable instance created from an image, with its own writable layer and isolated resources.
- Registry/Index: infrastructure that stores and locates images (e.g., Docker Hub).
You can create many containers from one image; file changes are isolated to each container.

Which problems does Docker help solve?

- Dependency conflicts and “it works on my machine” issues via per-app isolation.
- Inconsistent installs and difficult removals through standardized packaging and cleanup.
- Portability across dev, test, and prod (and across OSes via a common Linux base).
- Faster startup and lower resource use than VM-per-app approaches.
- Reduced security blast radius with scoped access to files, networks, and resources.
- Declarative, repeatable, and trustworthy deployments.

When should I use Docker—and when should I avoid it?

Use Docker for server apps (web, databases, proxies), CLI tools, and even some desktop apps; for dynamic scaling; CI/CD; and modeling reproducible dev environments. Avoid it for software that must control the entire host or requires full administrative access, and don’t run untrusted privileged containers. Note: Docker runs Linux apps everywhere and can run Windows apps on Windows Server.

How do containers improve security and isolation?

Docker applies Linux features—namespaces (PID, UTS, MNT, IPC, NET, USER), cgroups (resource limits), chroot-like filesystem scoping, capability drops, and security modules (MAC)—to restrict what a process can see and do. This limits the impact of bugs or malicious behavior, though containers are not a complete security solution.

How does Docker help development teams and CI/CD?

Teams can version and share identical dev environments, cut onboarding time, and build expressive CI/CD pipelines where tests run against the exact images that go to production. This yields faster iterations, higher confidence in changes, and tighter control over releases.

Where does Docker fit in the larger ecosystem (e.g., Kubernetes)?

Docker provides the container runtime, packaging, and distribution. Higher-level tools like Kubernetes orchestrate containers across clusters. Many ecosystem tools integrate with Docker or use its subcomponents (such as runc, libcontainerd, and notary). For most teams, a managed Kubernetes service is the easiest on-ramp once you’ve mastered Docker basics.

How do I get help with the Docker command line?

Run docker help to see commands and general usage. For details on a specific command, use docker help <command> (for example, docker help cp) to view syntax, flags, and examples tailored to your installed version.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$39.99 $25.99

you save $14.00 (35%)

include audio $19.99 $12.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$39.99 $25.99

you save $14.00 (35%)

include audio $19.99 $12.99

eBook

pdf, ePub, online

$39.99 $25.99

you save $14.00 (35%)

include audio $19.99 $12.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more