Guide On Basics of Docker

Containerized Applications

Software applications typically depend on other libraries, configuration files, or services that
are provided by the runtime environment. The traditional runtime environment for a software
application is a physical host or virtual machine, and application dependencies are installed as part
of the host.

Alternatively, a software application can be deployed using a container. A container is a set of one or
more processes that are isolated from the rest of the system. Containers provide many of the same
benefits as virtual machines, such as security, storage, and network isolation. Containers require far
fewer hardware resources and are quick to start and terminate. They also isolate the libraries and
the runtime resources (such as CPU and storage) for an application to minimize the impact of any
OS update to the host OS.

The use of containers not only helps with the efficiency, elasticity, and reusability of the hosted
applications, but also with application portability.

There are many container engines available to manage and execute individual containers,
including Rocket, Drawbridge, LXC, and Docker. Docker is available in Red Hat Enterprise
Linux 7.6 and later, and is used in this course to start, manage, and terminate individual containers.

The following are other major advantages to using containers:


www.iteindia.in
131/13, Zone – II, MP Nagar Bhopal, 9111240646, 0755-4700646
• Low hardware footprint
• Environment isolation
• Quick deployment
• Multiple environment deployment
• Reusability

Introducing Container History

Containers have quickly gained popularity in recent years. However, the technology behind
containers has been around for a relatively long time. In 2001, Linux introduced a project named
VServer. VServer was the first attempt at running complete sets of processes inside a single server
with a high degree of isolation.
From VServer, the idea of isolated processes further evolved and became formalized around the
following features of the Linux kernel:

Namespaces
Namespaces limit what you can see. They provide process isolation: complete isolation of
containers, each with a separate file system.
There are 6 types of namespaces:
1. mount ns - isolates the file system.
2. UTS (UNIX Time-Sharing) ns - lets running containers have different hostnames.
3. IPC ns - isolates interprocess communication.
4. Network ns - takes care of allocating different IP addresses to different containers.
5. PID ns - isolates process IDs.
6. user ns - lets containers have different user names (UIDs).

Control groups (cgroups)
Cgroups limit how much you can use. They involve resource metering and limiting:
• memory
• CPU
• block I/O
• network

Seccomp
Seccomp limits how processes can use system calls. Seccomp defines a security profile for
processes, whitelisting the system calls they are allowed to make.

SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control system for processes.
The Linux kernel uses SELinux to protect processes from each other and to protect the host
system from its running processes.
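
To check which of these kernel features actually apply to a running container, the following added example (not part of the original guide) reads a process's namespace ids and seccomp mode from /proc and compares them with the host's PID 1. The PROC_ROOT variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): check which kernel isolation
# features apply to a container's main process, using /proc only.
# Get the PID on a Docker host with:
#   docker inspect --format '{{.State.Pid}}' web1
# PROC_ROOT is an assumption of this example: it lets the functions be
# pointed at a constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# ns_id PID TYPE: print the namespace id, e.g. 4026531840.
# /proc/PID/ns/TYPE is a symlink whose target looks like "mnt:[4026531840]".
ns_id() {
    link=$(readlink "$PROC_ROOT/$1/ns/$2" 2>/dev/null) || return 1
    id=${link#*\[}
    id=${id%\]}
    printf '%s\n' "$id"
}

# shared_namespaces PID_A PID_B: print the namespace types both processes
# are in. For a container compared against PID 1 this should be empty, or
# only "user" (Docker does not remap users by default).
shared_namespaces() {
    out=""
    for t in mnt uts ipc net pid user; do
        a=$(ns_id "$1" "$t") || continue
        b=$(ns_id "$2" "$t") || continue
        if [ "$a" = "$b" ]; then out="$out $t"; fi
    done
    printf '%s\n' "${out# }"
}

# seccomp_mode PID: 0 = no seccomp, 1 = strict, 2 = filter (profile loaded).
seccomp_mode() {
    awk '/^Seccomp:/ { print $2 }' "$PROC_ROOT/$1/status"
}

# isolation_report PID: one-line summary compared against the host's PID 1.
isolation_report() {
    printf 'pid=%s shared_with_host=[%s] seccomp=%s\n' \
        "$1" "$(shared_namespaces "$1" 1)" "$(seccomp_mode "$1")"
}

# Run as root on the container host: sh check_isolation.sh <pid>
if [ "$#" -ge 1 ]; then isolation_report "$1"; fi
```

A container started with default options should report at most the user namespace as shared and seccomp=2. A shared net or pid namespace, or seccomp=0, means isolation was relaxed when the container was started.
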
Describing Linux Container Architecture
From the Linux kernel perspective, a container is a process with restrictions. However, instead
of running a single binary file, a container runs an image. An image is a file-system bundle that
contains all dependencies required to execute a process: files in the file system, installed packages,
available resources, running processes, and kernel modules.

Just as executable files are the foundation for running processes, images are the foundation for
running containers. Running containers use an immutable view of the image, allowing multiple
containers to reuse the same image simultaneously. As images are files, they can be managed by
versioning systems, improving automation on container and image provisioning.

Container images need to be locally available for the container runtime to execute them, but the
images are usually stored and maintained in an image repository. An image repository is just a
service - public or private - where images can be stored, searched and retrieved. Other features
provided by image repositories are remote access, image metadata, authorization or image version
control.

There are many different image repositories available, each one offering different features:
• Red Hat Container Catalog [https://registry.redhat.io]
• Docker Hub [https://hub.docker.com]
• Google Container Registry [https://cloud.google.com/container-registry/]
• Amazon Elastic Container Registry [https://aws.amazon.com/ecr/]

Docker architecture

Docker uses a client-server architecture. The Docker client talks to the Docker
daemon, which does the heavy lifting of building, running, and distributing your Docker containers.
The Docker client and daemon can run on the same system, or you can connect a Docker client to a
remote Docker daemon.

The Docker Daemon
The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as
images, containers, networks, and volumes. A daemon can also communicate with other daemons
to manage Docker services.

The Docker Client


The Docker client (docker) is the primary way that many Docker users interact with Docker. When you
use commands such as docker run, the client sends these commands to dockerd, which carries them
out. The docker command uses the Docker API. The Docker client can communicate with more than
one daemon.

Docker registries
A Docker registry stores Docker images.
• Public and private registries
• Docker Hub
• Amazon Elastic Container Registry

Docker Objects
When you use Docker, you are creating and using images, containers, networks, volumes, plugins,
and other objects. This section is a brief overview of some of those objects.
• Images
• Containers

Docker vs podman

Managing Containers with Docker


To install docker in Red Hat Enterprise Linux, CentOS, Fedora or similar RPM-based systems, run

#yum install docker


#systemctl start docker
#systemctl enable docker

Docker Commands
docker --version
This command is used to get the currently installed version of Docker
#docker --version
#docker run hello-world

docker pull
Usage: docker pull <image name>

This command is used to pull images from the Docker repository (hub.docker.com)


#docker pull ubuntu

docker images
Usage: docker images
This command is used to list images
#docker images

docker run
Usage: docker run -it -d <image name>
This command is used to create a container from an image
-d run the container in the background
-i input
-t terminal
#docker run -it -d ubuntu

docker ps
This command is used to list the running containers
#docker ps

docker ps -a
This command is used to show all the running and exited containers
#docker ps -a

docker exec
Usage: docker exec -it <container id> bash
This command is used to access the running container
#docker ps
#docker exec -it cont-id bash

docker stop
Usage: docker stop <container id>
This command stops a running container
#docker stop cont-id

docker start
Usage: docker start cont-id
This command starts a stopped container

#docker ps -a
#docker start cont-id

View docker resources


#docker stats (ctrl+z)

#docker run -d --name web1 httpd


#docker ps
#docker inspect web1
#curl http://cont-ip

Changing website content


#docker exec -it web1 bash
#pwd
#cd htdocs
#echo "Young Indian" >> index.html
#ctrl+p , ctrl+q (exit)

#docker ps
#curl http://cont-ip

Accessing a container from the host network can be a challenge. A container is assigned an IP
address from a pool of available addresses. When a container is destroyed, the container's address
is released back to the pool of available addresses. Another problem is that the container's
software-defined network is only accessible from the container host.
To solve these problems, define port forwarding rules to allow external access to a container
service. Use the -p [<IP address>:][<host port>:]<container port> option with the docker run
command to create an externally accessible container. Consider the following example:

#docker run -d --name cont-name -p hostport:contport image-name

#docker run -d --name web2 -p 80:80 httpd


#EC2 Dashboard - Network and Security - rule for http

#firefox http://aws_pub_ip
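
Because -p 80:80 leaves out the optional IP address, the port is published on every interface of the host, while a form such as -p 127.0.0.1:8080:80 limits it to one address. The following added example (not part of the original guide) lists the all-interface bindings found in docker ps output; the sample lines and the container names admin and api are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): list containers whose
# published ports listen on every host interface.
# Input: lines of "<name><TAB><ports>" as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# wildcard_published: read such lines on stdin and print "<name> <host port>"
# for each binding on 0.0.0.0, :: or [::]. Bindings to loopback or to one
# specific IP, and ports that are exposed but not published (no "->"),
# are skipped. IPv4/IPv6 duplicates of the same port are printed once.
wildcard_published() {
    awk -F '\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] !~ /->/) continue          # exposed only
            host = maps[i]; sub(/->.*/, "", host)  # e.g. 0.0.0.0:80
            port = host;    sub(/.*:/, "", port)   # e.g. 80
            addr = substr(host, 1, length(host) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]") {
                key = $1 " " port
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }
    }'
}

# Constructed sample of docker ps output (not captured from a real host):
# web1 is unpublished, web2 matches "-p 80:80" from the guide, admin is
# bound to loopback only, api is published on IPv4 and IPv6 wildcards.
sample_ps_output() {
    printf 'web1\t80/tcp\n'
    printf 'web2\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
    printf 'admin\t127.0.0.1:8080->80/tcp\n'
    printf 'api\t0.0.0.0:8443->443/tcp, [::]:8443->443/tcp\n'
}

# Demo on the constructed sample; on a Docker host, pipe the real
# docker ps command shown above into wildcard_published instead.
sample_ps_output | wildcard_published
```
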
