docker container and daemon operation and maintenance management

Advanced Docker container configuration

Automatic restart of container

Docker provides a restart policy to control whether the container is automatically started when the container exits or when docker restarts.

The container does not support automatic restart by default. Use the -- restart option to specify the restart policy.

[root@localhost ~]# docker run --help
      --restart string                 Restart policy to apply when a container exits (default "no")  

Container restart policy option value:

Option value function
no Do not restart when the container exits. The default setting is
on-failure[:max-retries] Restart when the container exits in a non-0 state. Max retries specifies the number of restarts
always Always restart regardless of the exit state, unlimited times
unless-stopped Always restart regardless of the exit state (the container takes effect only when the Docker daemon is started and the container is running)
# Case 1: run a redis container that is always restarted. When the container exits, Docker restarts it
[root@localhost ~]# docker run -d --name testrs --restart=always redis
cdf90c50d38f712020f2bd75e10e20c5ba6aa980747176f7bff4b45d4844ab8a
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS      NAMES
cdf90c50d38f   redis     "docker-entrypoint.s..."   7 seconds ago   Up 6 seconds   6379/tcp   testrs
# After Docker is stopped, the container restarts immediately
[root@localhost ~]# systemctl stop docker
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS                  PORTS      NAMES
cdf90c50d38f   redis     "docker-entrypoint.s..."   2 minutes ago   Up Less than a second   6379/tcp   testrs

# Case 2: setting the maximum number of container restarts
# Set the maximum number of restarts in non-0 state for ten times
[root@localhost ~]# docker run -dti --restart=on-failure:10 redis bash
fe8f308023cfde7a738ba5a22098dbe8d5f35697db85094a2dc7778a7293f1d5
# Executed by another terminal
[root@localhost ~]# systemctl stop docker
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                      PORTS      NAMES
fe8f308023cf   redis     "docker-entrypoint.s..."   20 seconds ago   Up Less than a second       6379/tcp   serene_pascal

# Case 3: for containers that have been run or created, use docker update to change the restart policy
[root@localhost ~]# docker update --restart=on-failure:3 fe8f308
fe8f308

Function: automatic restart of container; The restart strategy can ensure that the associated multiple containers are started in the correct order.

Precautions when using restart strategy:

  1. The restart policy will take effect only after the container is successfully started. (effective after container operation)
  2. If a container is manually stopped, its restart policy will be ignored until the Docker daemon is restarted or the container is manually restarted. (manual stop, pause and restart strategy)
  3. The restart strategy of Docker Swarm service adopts different configuration methods. (the cluster adopts different restart strategies)
  4. The restart strategy is different from the -- live restore option of the dockerd command. This option enables the container to remain running even if the network and user input terminals are in the Docker upgrade.
  5. Docker suggests to use the restart strategy and avoid using the process manager to start the container: (1) using both at the same time will lead to conflict; (2) The process manager depends on the operating system and docker cannot monitor it.

Keep the container running when Docker stops

By default, when the Docker daemon terminates, the running container closes.

Live Restore: the administrator configures the daemon so that the container can still run when the daemon is unavailable.

Role of real-time recovery: reduce container downtime caused by Docker daemon crash, planned downtime or upgrade.

Enable real-time recovery

The first method is to set in the Docker daemon configuration file:

[root@localhost ~]# vi /etc/docker/daemon.json 
{
  "live-restore":true
}

# Configuration validation method I:
# After modifying the configuration, restart the daemon to take effect
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

# Configuration validation method 2:
# Reload the Docker daemon to prevent the container from stopping
[root@localhost ~]# systemctl reload docker

# test
# 1. Start both containers
[root@localhost ~]# docker ps 
CONTAINER ID   IMAGE              COMMAND                  CREATED       STATUS          PORTS     NAMES
1dd65fa55b80   top                "/bin/sh -c 'exec to..."   5 weeks ago   Up 38 seconds             test_exec_entry
52a7de98ccc7   test_shell_entry   "/bin/sh -c 'top -b'"    5 weeks ago   Up 52 seconds             test

# 2. Stop the docker daemon
[root@localhost ~]# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket

[root@localhost ~]# systemctl status docker
‚óŹ docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2022-05-11 00:23:16 CST; 8s ago
     Docs: https://docs.docker.com
  Process: 1697 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1853 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=0/SUCCESS)
 Main PID: 1853 (code=exited, status=0/SUCCESS)

# 3. Check whether the container is still running
[root@localhost ~]# docker ps 
CONTAINER ID   IMAGE              COMMAND                  CREATED       STATUS              PORTS     NAMES
1dd65fa55b80   top                "/bin/sh -c 'exec to..."   5 weeks ago   Up About a minute             test_exec_entry
52a7de98ccc7   test_shell_entry   "/bin/sh -c 'top -b'"    5 weeks ago   Up 2 minutes                  test

Another recovery method: specify the -- live restore option when manually starting the dockerd process.
This method is not recommended because the environment of systemd or other process managers will not be set, which will lead to accidents.

Real time recovery during upgrade

The real-time recovery function supports the Docker daemon to keep the container running during the upgrade.

Existing problems:

  1. Only the patch version upgrade of Docker is supported, and the upgrade of major version and minor version is not supported.
  2. The version of the daemon in the container could not be recovered by skipping the upgrade process.

Real time recovery at restart

Qualification: the container can only be recovered by real-time recovery if the Docker daemon option has not changed.

Influence of real-time recovery function on running container

When the daemon stops, the running container may fill the FIFO log normally read by the daemon, preventing the container from recording more log data.

When the buffer is full, the Docker daemon must be restarted to refresh.
You can change / proc / sys / FS / pipe max = size to modify the buffer size of the kernel.

[root@localhost ~]# cat /proc/sys/fs/pipe-max-size 
1048576

Running multiple services in a container

Note: a container can have multiple processes, but in order to make efficient use of Docker, do not let one container be responsible for multiple aspects of the entire application, but connect multiple containers through user-defined network and shared volume to realize multiple aspects of the application.

The main process of the container is responsible for managing all the processes it starts.

Solve child process recycling: - init option can insert a simplified initialization process into the container as the main process, and recycle all processes when the container exits.

The best way to solve the problem of multi process startup and shutdown is to set up an upper-level process to uniformly handle the life cycle of these processes (systeminit \ upstart \ SYSTEMd)

How to run multiple services in one container:

  1. Put all commands into the wrapper script, provide testing and debugging information, and run the wrapper script with CMD instructions.
  2. If a main process needs to be started and kept running first, but some other processes need to be run temporarily (may interact with the main process), you can use the job control implementation of bash script.
  3. Use process managers such as supervisor in the container.

Container health inspection mechanism

Process level health check: the simplest is to check whether the process is running. The restart policy can restart the stopped container according to the inspection. This check is insufficient: application problems cannot be found.

Docker provides a health check mechanism, which can be injected into the image through the Dockerfile file, or through the corresponding options when starting the container.

Using the HEALTHCHECK instruction in Dockerfile

The HEALTHCHECK command can be used in Dockerfile to declare the health detection configuration, which is used to judge whether the service status of the main process of the container is normal and reflect the actual health status of the container.

When Dockerfile builds an image, it adds the HEALTHCHECK instruction. Based on this, the container started by the image has the ability to check the health status and can automatically check the health status.

In Dockerfile, the HEALTHCHECK instruction can only appear once. It appears multiple times and only takes effect for the last time.

Once a health check is successful, Docker will confirm that the container is in a healthy state.

HEALTHCHECK instruction format:

  1. Set the command to check the health of the container
HEALTHCHECK [option] CMD <command> 

# Options:
    --interval:Set the time interval for health check after the container is running. The default is 30 s. 
    --timeout:Set the maximum time allowed for the health check command. The default is 30 s. Timeout means failure.
    --start-period:Set the initialization time when the container starts. (no error will be reported if the health check fails during startup)
    --retries:Set the number of consecutive retries allowed. The default is 3. (it is considered unhealthy after continuous inspection failure)

# Command after CMD command: Specifies the specific command to perform health check. You can use shell format or exec format.

# Return value: after the "command" following the CMD instruction is executed, the return value indicates the health status of the container.
    0: success. The container is healthy and usable.
    1: Failed. The container is unhealthy and does not work properly.
    2: Keep value. Don't use it for the time being.

# Case: check the health every 5 minutes and visit the web server home page within 3 seconds each time
HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://Localhost / | Exit 1 | | | indicates that the next command is executed after the execution of the previous command fails. The exit return value is 1, which tells docker that the health check fails
  1. Indicates that inheriting the HEALTHCHECK instruction setting from the underlying image is prohibited
HEALTHCHECK NONE 

When starting the container, the health check is realized through the corresponding options

You can specify the health check policy of the container when you execute the docker run or docker create command to start creating the container.

[root@localhost ~]# docker run --help
      --health-cmd string              Command to run to check health                                      # Specify and run health checks
      --health-interval duration       Time between running the check (ms|s|m|h) (default 0s)              # Set the time interval (unit: ms/s/m/h) for starting health check after the container is running. The default is 0s
      --health-retries int             Consecutive failures needed to report unhealthy                     # Set the number of consecutive failures to report
      --health-start-period duration   Start period for the container to initialize before starting        # Set the initialization time of container startup (unit: ms/s/m/h). The default is 0s
                                       health-retries countdown (ms|s|m|h) (default 0s)
      --health-timeout duration        Maximum time to allow one check to run (ms|s|m|h) (default 0s)      # Set the maximum time allowed for the health check command (unit: ms/s/m/h). The default is 0s
      --no-healthcheck                 Disable any container-specified HEALTHCHECK                         # Disable container health check instruction

The runtime option overrides the Dockerfile directive

The FROM, MAINTAINER, RUN and ADD instructions in the Dockerfile cannot be overwritten at runtime. Other instructions will be overwritten accordingly when the docker run (or docker create) command is executed.

When running a container from an image, you can specify a new command to override the CMD instruction of Dockerfile.

If the mirrored Dockerfile also declares the ENTRYPOINT instruction, the CMD instruction of Dockerfile or the command specified by the container runtime are appended to the ENTRYPOINT instruction as parameters.

Override CMD instruction

When running a container from the image, you can specify a new command to override the CMD instruction in the Dockerfile.

[root@localhost ~]# docker history ubuntu
IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
ff0fea8310f3   7 weeks ago   /bin/sh -c #(NOP) CMD ["bash"] 0b -- -- default command
<missing>      7 weeks ago   /bin/sh -c #(nop) ADD file:1d3b09cf9e041d608...   72.8MB  

# grammar
[root@localhost ~]# docker run --help
Usage:  docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

# Cases not covered: use CMD's default command
[root@localhost ~]# docker run -tid ubuntu 
d6adcb9ca10de89dcb1a1f8ab49b33a715b502e4aa4f1ec240774a7f4d2aa9f5

# Coverage case
[root@localhost ~]# docker run -tid ubuntu top -- top replaces the default bash
0485fee218e64e858ca5b2214b9349b523a3bd41d1ad86c08877240635fa0d32

If the mirrored Dockerfile also declares the ENTRYPOINT instruction, the CMD instruction of Dockerfile or the command specified by the container runtime are appended to the ENTRYPOINT instruction as parameters.

Override ENTRYPOINT instruction

Use the -- ENTRYPOINT option to override the ENTRYPOINT instruction setting in the Dockerfile that defines the image.

The mirrored ENTRYPOINT instruction defines the command to be executed when the container is started, which is not easy to be overwritten when the container is started.

Note: using the -- entrypoint option at runtime will clear any default commands.

# grammar
[root@localhost ~]# docker run --help
      --entrypoint string              Overwrite the default ENTRYPOINT of the image

# case
[root@localhost ~]# docker pull redis
[root@localhost ~]# docker history redis
IMAGE          CREATED        CREATED BY                                      SIZE      COMMENT
7614ae9453d1   4 months ago   /bin/sh -c #(nop)  CMD ["redis-server"]         0B        
<missing>      4 months ago   /bin/sh -c #(nop)  EXPOSE 6379                  0B        
<missing>      4 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["docker-entry...   0B        
<missing>      4 months ago   /bin/sh -c #(nop) COPY file:df205a0ef6e6df89...   374B      
<missing>      4 months ago   /bin/sh -c #(nop) WORKDIR /data                 0B        
<missing>      4 months ago   /bin/sh -c #(nop)  VOLUME [/data]               0B        
<missing>      4 months ago   /bin/sh -c mkdir /data && chown redis:redis ...   0B        
...ellipsis

# By default, redis server is automatically run in the container, and then a shell is run
[root@localhost ~]# docker run -ti --entrypoint /bin/bash redis
root@484cb9c42858:/usr/local/bin# ls
docker-entrypoint.sh  redis-benchmark  redis-check-rdb	redis-sentinel
gosu		      redis-check-aof  redis-cli	redis-server
root@bd7640ba7206:/data# exit
exit

# Pass more parameters to ENTRYPOINT
# Pass -- help to redis server by default
[root@localhost ~]# docker run -ti  redis --help
Usage: ./redis-server [/path/to/redis.conf] [options] [-]
       ./redis-server - (read config from stdin)
       ./redis-server -v or --version
       ./redis-server -h or --help
...ellipsis
# Pass -- help to redis cli
[root@localhost ~]# docker run -ti --entrypoint redis-cli redis --help
redis-cli 6.2.6
Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]]
  -h <hostname>      Server hostname (default: 127.0.0.1).
  -p <port>          Server port (default: 6379).
  -s <socket>        Server socket (overrides hostname and port).
...ellipsis

# Pass an empty string to reset the entry command of the container
[root@localhost ~]# docker run -ti --entrypoint="" redis bash
root@5cb647f12d63:/data# exit
exit

Override the export incoming port instruction

The export instruction defines the initial incoming ports for providing services to the outside world, which can be used for processes in the container.

[root@localhost ~]# docker run --help
      --expose list                    Expose a port or a          # A port or range of ports of an exposed container
                                       range of ports
      --link list                      Add link to another         # Connections added to other containers
                                       container
  -p, --publish list                   Publish a container s       # Publish a port or port range of the container to the host
                                       port(s) to the host
  -P, --publish-all                    Publish all exposed         # Publish all ports to the host random port
                                       ports to random ports

Override ENV instruction

For containers in linux, Docker automatically sets the following environment variables (default values):

  • Home: set according to the USER value
  • Hostname: the default is the container name
  • Path (default path of execution file): common directory
  • Term: xterm if the container is assigned a pseudo TTY.

You can use several - e options to set any environment variable and override the above default environment variable or the environment variable defined by the ENV instruction in Dockerfile.

# grammar
[root@localhost ~]# docker run --help
  -e, --env list                       Set environment variables             # Setting environment variables
      --env-file list                  Read in a file of                     # Read environment variables in file
                                       environment variables

# case
[root@localhost ~]# export today=Sunday
[root@localhost ~]# echo $today
Sunday
[root@localhost ~]# docker run -t -e "deep=purple" \
> -e today \
> --rm alpine env
# Output the following information
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=40951973766d
TERM=xterm
deep=purple
today=Sunday
HOME=/root

HEALTHCHECK and WORDDIR instructions

Override options related to HEALTHCHECK:

[root@localhost ~]# docker run --help
      --health-cmd string              Command to run to check health                                      # Specify and run health checks
      --health-interval duration       Time between running the check (ms|s|m|h) (default 0s)              # Set the time interval (unit: ms/s/m/h) for starting health check after the container is running. The default is 0s
      --health-retries int             Consecutive failures needed to report unhealthy                     # Set the number of consecutive failures to report
      --health-start-period duration   Start period for the container to initialize before starting        # Set the initialization time of container startup (unit: ms/s/m/h). The default is 0s
                                       health-retries countdown (ms|s|m|h) (default 0s)
      --health-timeout duration        Maximum time to allow one check to run (ms|s|m|h) (default 0s)      # Set the maximum time allowed for the health check command (unit: ms/s/m/h). The default is 0s
      --no-healthcheck                 Disable any container-specified HEALTHCHECK                         # Disable container health check instruction

The default working directory of binary files running in the container is the root directory (/), and the working directory can be customized in Dockerfile using the WORDDIR instruction. You can also override the WORKDIR directive settings with the - w option.

[root@localhost ~]# docker run --help
  -w, --workdir string                 Working directory              # Modify the working directory of the container
                                       inside the container

USER

The default USER of the container is root(UID=0). The USER instruction of Dockerfile can specify the default USER when the container runs the first process.

When starting the container, you can use the - u(--user) option to specify a new default USER to override the USER instruction of the image.

# grammar
[root@localhost ~]# docker run --help
  -u, --user string                    Username or UID            # Specify the default user for the container to run the first process. You can use user name, UID, group name and GID parameters
                                       (format:
                                       <name|uid>[:<group|gid>])

# case
[root@localhost home]# docker run  -t -u daemon ubuntu env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=88f322b48026
TERM=xterm
HOME=/usr/sbin

[root@localhost ~]# docker run -ti -u ftp  alpine env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=a5f4455a2407
TERM=xterm
HOME=/var/lib/ftp

VOLUME instruction

In Dockerfile, you can use the VOLUME directive to define one or more volumes associated with a mirror.

When the container starts, you can use the - v, -- mount, -- volume from options to specify the mount volume. See: Docker storage management

Tags: Docker

Posted by leena86 on Wed, 11 May 2022 14:47:33 +0300