Docker

Configuration

The daemon is configured in /etc/docker/daemon.json; changes take effect after a daemon restart. Switching the storage driver hides every image and container created under the previous driver (they stay on disk under the old driver's directory), so set it before pulling anything.

zfs (requires /var/lib/docker to live on a ZFS dataset)
{
  "storage-driver": "zfs"
}

Security

Set the environment variable DOCKER_CONTENT_TRUST=1, so that pull, run, build and push only accept images signed via Docker Content Trust (Notary); many registries and upstream images are unsigned, so expect pulls of those to fail. In addition, reference images by digest (alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad) instead of by tag (alpine:3.16): a tag is a mutable pointer that the registry owner can move to different content at any time, while a digest identifies exactly one image manifest. The combined form alpine:3.16@sha256:... keeps the tag for readability, but only the digest is used for resolution.

Commands

delete the container when it exits
docker run --rm
reuse a container (a stopped container keeps its filesystem and can be started again)
docker stop
docker start
recreate a compose service with its new image without restarting its dependencies (pull the image first)
docker-compose up -d --no-deps <service>
pass the host's syslog socket into a container
docker run -v '/dev/log:/dev/log'
build an image (always pull the newest base image, ignore the build cache)
docker build . --pull --no-cache --tag <name>:<version>
extract files from a Docker image without running it (docker create only creates the container)
docker create --name vw vaultwarden/server:alpine
docker cp vw:/vaultwarden .
docker rm vw
secure image (pinned base, multi-stage build, final image from scratch, non-root user)
FROM alpine:3.16@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad AS builder
# CA bundle for outbound TLS and zoneinfo for local time; both are absent from scratch
RUN apk add --no-cache ca-certificates tzdata && update-ca-certificates

# ...

ENV USER=app
ENV UID=10100
# system account with a fixed high UID, empty GECOS, no password, no home directory created (-H)
RUN addgroup -g $UID -S $USER && \
    adduser -h /data -g '' -G $USER -u $UID -S -H $USER

FROM scratch
# only the account database, the CA bundle and the zone database are copied over:
# the final image has no shell, no package manager and no setuid binaries
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

# ...

# run as the unprivileged user created in the builder stage
USER app:app

#...

Tips

remove intermediate images after a build

How to remove intermediate images from a build after the build? (stackoverflow)

Label the builder stage; after the build its image is untagged (dangling), so docker image prune can select it by label and leave everything else alone.

Dockerfile
FROM node as builder
LABEL stage=builder
...

FROM node:dubnium-alpine
...
docker image prune --filter label=stage=builder
Dockerfile for automation (a build ID in the label keeps concurrent builds from pruning each other's stages)
FROM node as builder
ARG BUILD_ID
LABEL stage=builder
LABEL build=$BUILD_ID
...

FROM node:dubnium-alpine
...
build and prune for automation (BUILD_ID passed explicitly rather than read from the environment)
docker build --build-arg BUILD_ID="${BUILD_ID}" .
docker image prune --filter label=stage=builder --filter label=build="${BUILD_ID}"

pass the host's time zone into a container

How to make sure docker’s time syncs with that of the host? (stackoverflow.com)

Containers share the host kernel's clock, so the time itself is never out of sync; what a container usually lacks is the host's time zone. Mounting these two files read-only gives it that.

compose.yaml
volumes:
  - "/etc/timezone:/etc/timezone:ro"
  - "/etc/localtime:/etc/localtime:ro"
docker run
-v /etc/timezone:/etc/timezone:ro -v /etc/localtime:/etc/localtime:ro

go time

Go’s time doesn’t work under the docker image from scratch (stackoverflow.com)

A scratch image has no /usr/share/zoneinfo, so a TZ setting has no effect and time.LoadLocation returns an error; copy the zone database from the build stage. Since Go 1.15, an import of the time/tzdata package embeds the database in the binary instead.

Dockerfile
FROM golang:alpine AS build
# tzdata supplies /usr/share/zoneinfo, ca-certificates the CA bundle; neither exists in scratch
RUN apk add --no-cache ca-certificates tzdata
WORKDIR /app
COPY . .
# static binary: no libc in the scratch image
RUN CGO_ENABLED=0 GOOS=linux go build -o myapp

FROM scratch AS final
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /app/myapp /

ENV TZ=Australia/Sydney
ENTRYPOINT ["/myapp"]

Void

minimal x86-64 musl
docker pull ghcr.io/void-linux/void-linux:latest-thin-bb-x86_64-musl
docker run --rm -it ghcr.io/void-linux/void-linux:latest-thin-bb-x86_64-musl sh
Dockerfile vmgb (void-musl-go-builder)
FROM ghcr.io/void-linux/void-linux:latest-thin-bb-x86_64-musl

# sync the repository index, update xbps itself first (xbps-install aborts while a newer xbps is pending),
# then install the toolchain
RUN xbps-install -Sy
RUN xbps-install -uy xbps
RUN xbps-install -y go make git

WORKDIR /build
build the vmgb image
docker build --rm -t vmgb .

Images

References