This blog post covers a brief overview of the topics covered and some common questions asked on Day 3 and Day 4 Live Interactive training on Docker and Kubernetes Certification i.e. CKA / CKAD and CKS.
This will help you to learn Docker & Kubernetes and prepare you for these certifications and get a better-paid job in the field of Microservices, Containers and Kubernetes.
In the Day 1 and Day 2 CKA Live sessions we covered an overview of Monolithic V/S Microservice, Introduction to Container, Docker Installation, Docker Architecture and Working with Containers. This week, on Day 3 and Day 4, we covered Docker Image, Containers, Dockerfile and Docker Image Scanning. We also performed labs.
Dockerfile
A Dockerfile is a document file that contains collections of commands that will be executed in the docker environment for building a new docker image. This file is written in YAML Language. These images consist of read-only layers each of which represents a Dockerfile instruction. It is a more systematic, flexible and efficient way to build a Docker image.
Q/A’s asked in sessions are:
Q) What are the commonly used Dockerfile statements?
Ans:
Q) What is an example of a Dockerfile, and what does each layer do?
Ans:
Q) From a single Dockerfile can we create multiple images?
Ans: Yes, we can create multiple images from a single Dockerfile. Multi-Stage Dockerfile allows a single Dockerfile to contain multiple images.
Q) What is the difference between CMD and ENTRYPOINT in Dockerfile?
Ans: CMD is an instruction that is used when you need a default command that users can easily override. ENTRYPOINT, on the other hand, is used to configure a container that runs as an executable.
Q) How can I write a comment in Dockerfile?
Ans: You can use a ‘#’ symbol at the beginning of each comment line. Docker supports only single-line comments. Hence, to write a multi-line comment you need to put ‘#’ at the beginning of every line.
Q) What is the difference between ARG and ENV in Dockerfile?
Ans: ARG and ENV are both used to set environment variables and serve the same purpose. With ARG, however, the variables are available only during the image build process. With ENV, on the other hand, the variable is available during the image build and is retained when the container is running.
Q) Difference between the COPY and ADD commands in a Dockerfile
Ans: COPY takes a src and a destination. It only lets you copy a local file or directory from your host (the machine building the Docker image) into the Docker image itself.
COPY <src> <dest>
ADD lets you do that too, but it also supports 2 other sources. First, you can use a URL instead of a local file/directory. Secondly, you can extract a tar archive from the source directly into the destination.
ADD <src> <dest>
Q) When to use ADD or COPY ?
Ans: According to the Dockerfile best practices guide, we should always prefer COPY over ADD unless we specifically need one of the two additional features of ADD. As noted above, using ADD command automatically expands tar files and certain compressed formats, which can lead to unexpected files being written to the file system in our images.
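A small audit for the two answers above (ARG vs ENV, and COPY vs ADD), as an added example that is not part of the original post. The function names, the secret-name pattern and the sample Dockerfile are constructed for illustration; the check treats each line as one instruction and does not join continuation lines.

```shell
#!/bin/sh
# Constructed sample Dockerfile (not from the original post).
sample_dockerfile() {
    cat <<'EOF'
FROM ubuntu:20.04
ARG DB_PASSWORD
ENV APP_ENV=production
ADD https://example.com/tool.tar.gz /opt/
ADD vendor.tar.gz /opt/vendor/
ADD --chown=app:app app.py /srv/app.py
COPY requirements.txt /srv/
EOF
}

# audit_dockerfile FILE: print "line: finding" per issue; return 1 if any found.
# Usage: sample_dockerfile > Dockerfile.sample && audit_dockerfile Dockerfile.sample
audit_dockerfile() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; bad = 1 }
    {
        instr = toupper($1)
        i = 2
        while (i <= NF && $i ~ /^--/) i++      # skip flags such as --chown=
        src = $i
    }
    instr == "ADD" {
        if (src ~ /^https?:\/\//)
            report("ADD fetches remote URL " src "; prefer COPY of a verified local file")
        else if (src ~ /\.(tar|tgz|tar\.(gz|bz2|xz))$/)
            report("ADD auto-extracts " src "; use COPY unless extraction is intended")
        else
            report("ADD used for a plain copy of " src "; use COPY")
    }
    # Secret-looking names: ARG values can show up in docker history,
    # ENV values are kept in the image and in every container started from it.
    (instr == "ARG" || instr == "ENV") && toupper($2) ~ /PASSWORD|SECRET|TOKEN|API_?KEY/ {
        report(instr " " $2 " looks like a secret; do not pass secrets via ARG or ENV")
    }
    END { exit bad }
    ' "$1"
}
```

On the sample, lines 2, 4, 5 and 6 are reported and the COPY on line 7 is not.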
Q) What is Build Cache in Docker?
Ans: When we build an Image, Docker will process each line in Dockerfile. It will execute the commands on each line in the order that is mentioned in the file. But at each line, before running any command, Docker will check if there is already an existing image in its cache that can be reused rather than creating a new image.
Docker Image Overview
Docker Images are made up of multiple layers that are stacked on top of each other and represented as a single object. They are the read-only templates used to create Docker containers. Because containers are intended to be fast and lightweight, images tend to be small. The official Alpine Linux image is about 5MB in size and the official Ubuntu image is about 40MB.
These images are very similar to VM images, but there are some differences between them:
- A VM image is used to create a virtual machine, while Docker images are used to create Docker containers.
- A VM image is big in size, while Docker images are lightweight.
Q/A’s asked in sessions are:
Q) What are Docker Image Layers?
Ans: A Docker Image consists of read-only layers built on top of each other. Docker uses a Union File System (UFS) to build an image. The image is shared across containers. A Dockerfile contains multiple commands, each of which creates a layer. Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. All images start with a base layer, and as changes are made and new content is added, a new layer is added on top.
Each time Docker launches a container from an image, it adds a thin writable layer, known as the container layer, which stores all changes to the container throughout its runtime.
Q) Can you provide an example depicting the layered architecture?
Ans:
- Consider the following example of building a simple Python application.
- You might have a corporate policy that all applications are based on the official Ubuntu 20.04 image.
- This would be your image’s base layer.
- If you then add the Python package, this will be added as a second layer on top of the base layer.
- If you later add source code files, these will be added as additional layers.
Docker Image vs Container
A Docker image and a container are closely related to each other. The major difference between them is that an image is a collection of files plus the metadata required to run an application, while a container is a running instance of the image, or a copy of the image.
Q/A’s asked in sessions are:
Q) Why do images share layers?
Ans: Images share layers to optimize:
- Disk usage
- Transfer times
- Memory use
Docker Image Registry
Image Registry is centralized storage used to store container images, which makes these images easily shareable. We can pull and push our images into this repository. There are three main types of registries: Docker Hub, Third-party Registry services and Self-hosted registry.
Docker Hub
Docker Hub has the concept of official and unofficial registries. Official repositories include images curated by Docker Inc. and images of popular applications. Unofficial registries contain the private images that users push. These are not well-documented and should be used carefully.
Q/A’s asked in sessions are:
Q) What are the Third-party Registry services and why do we use them?
Ans: Third-party Registry services provide a central point to store and manage the user’s private Docker container images and related artifacts. We can even maintain control over who can access, view, or download Docker Images.
Examples: Red Hat Quay, Amazon ECR, Azure Container Registry, Google Container Registry
Q) What is a Self-hosted registry and what is its use-case?
Ans: Self-hosted registry: Organizations prefer to use their own on-premises infrastructure for storing the images. They do this for security reasons. It allows for a greater level of privacy, lets them see storage size and push/pull images without an internet connection, and it’s free.
Q) What’s the difference between a repository and a registry?
Ans: Docker registry is a service for hosting and distributing images (the default one is the Docker Hub) whereas Docker repository is a collection of related Docker images (the same name but with different tags).
Pulling Docker Image
When we first install Docker on a host, it has no images in its local repository. The process of getting Images onto a Docker Host is called pulling. Images are stored in Repositories, and we pull images from the repository.
Q/A’s asked in sessions are:
Q) What are the different ways of getting an image?
Ans:
- Download (pull) from Docker Hub or Private Registry.
- Commit the R/W container layer as a new R/O image layer.
- Load an image from the Tarball.
- Create Using
Q) What is the command to check how many images are there in the local repository?
Ans: We can check how many images are there in the local repository using the following command:
$ docker images
Q) How to download or pull the image from the Docker Hub repository?
Ans: We can use the following command:
$ docker pull <image name>
Q) How to name Docker Images?
Ans: Image registries contain many repositories and repositories contain many images. As we have so many images, it becomes important to give each a unique name. There is a general convention, Username/image_name:tag_name, to name our images. If we do not specify an image tag after the repository name, Docker will assume that we are referring to the image tagged as latest. If the repository doesn’t have an image tagged as latest, then the command will fail.
$ docker image pull alpine:3.6
OR
$ docker pull alpine:3.6
Q) How to create a Docker Image?
Ans: We have 2 ways to create a Docker Image:
- Interactive Method
- Dockerfile Method
Q) What is the Interactive method?
Ans: In this method, we run a container from an existing docker image and configure the container environment as we need. Then we save the resulting state as a new image using the docker commit command. When we do a commit, we essentially create a new image with an additional layer that modifies the base image layer.
Example
Step 1) Pull the Base Image
We first need an Image to run our docker container. We will use the latest Ubuntu docker image. To download or pull the image from the DockerHub registry, docker pull can be used:
$ docker pull ubuntu
Step 2) Deploy the Container
We will run a Docker container using the Ubuntu image that we pulled in the previous step. We will use the run command. The -it options instruct the container to launch in interactive mode and enable a terminal typing interface.
$ docker run -it --name <name of container> ubuntu
Step 3) Modify the Container
Now we can make any changes we want. Here, we will be installing Nmap software in our container. As it is an Ubuntu image container, we will use the apt-get command to install any software.
$ apt-get update && apt-get install -y nmap
Once you finish modifying the new container, exit out of it.
$ exit
We will need the CONTAINER ID to save the changes we have made to the existing image. Run docker ps -a to list all the containers and copy the Container ID.
$ docker ps -a
Step 4) Commit changes to Image
Finally, we will create a new Image by committing the changes using the commit command.
$ docker commit <container Id> <new image name>
Our newly created image should now be available on the list of local images. We can verify by checking the image list again:
$ docker images
Linux Capabilities in Docker
Docker supports the Linux capabilities as part of the docker run command: with --cap-add and --cap-drop. By default, a container is started with several capabilities that are allowed by default and can be dropped. Other permissions can be added manually. Both --cap-add and --cap-drop support the ALL value, to allow or drop all capabilities.
Q/A’s asked in sessions are:
Q) What is a good strategy for Linux capabilities in Docker?
Ans: For most applications in containers, from the default list, you can drop the following: AUDIT_WRITE, MKNOD, SETFCAP, SETPCAP. The command will be similar to the following:
$ docker run --cap-drop AUDIT_WRITE --cap-drop MKNOD --cap-drop SETFCAP --cap-drop SETPCAP <image> <command>
The rest of the capabilities are not enabled by default and can be added according to your application’s needs. You can see the full list in the capabilities(7) man page.
A good strategy is to drop all capabilities and add the needed ones back:
$ docker run --cap-drop ALL --cap-add SYS_TIME ntpd /bin/sh
Q/A’s on Docker Image Command:
Q) docker tag – To add tag to Docker images
$ docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
$ docker tag nodejsdocker fosstechnix/nodejsdocker:v1.0
Q) docker push– To push Docker Images to repository
$ docker push [OPTIONS] NAME[:TAG]
$ docker tag nodejs my_docker_registry.com/nodejs:v1.
Q) docker history – To show history of Docker Image
$ docker image history [OPTIONS] IMAGE
$ docker history <image-id> --no-trunc
Get full history in tabular format:
$ docker history <image-id> --format "table {{.ID}}, {{.CreatedBy}}" --no-trunc
Q) docker inspect– To show complete information in JSON format
$ docker inspect IMAGE_ID OR CONTAINER_ID
Q) docker save– To save an existing Docker Image
$ docker save ubuntu_image:tag | gzip > ubuntu_image.tar.gz
Q) docker import– Create Docker Image from Tarball
$ docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
$ docker import ./ubuntu_image.tar.gz ubuntu:latest
Q) docker export– To export existing Docker container
$ docker export container_id | gzip > new_container.tar.gz
Q) docker load– To load Docker Image from file or archives
$ docker load < ubuntu_image.tar.gz
Q) docker rmi– To remove docker images
$ docker rmi IMAGE_ID
To remove all Docker Images
$ docker rmi $(docker images -q)
To remove All Docker Images forcefully
$ docker rmi -f $(docker images -q)
Docker Image Scanning:
Docker Scan runs on Snyk engine, providing users with visibility into the security posture of their local Dockerfiles and local images. Users trigger vulnerability scans through the CLI, and use the CLI to view the scan results. The scan results contain a list of Common Vulnerabilities and Exposures (CVEs), the sources, such as OS packages and libraries, versions in which they were introduced, and a recommended fixed version (if available) to remediate the CVEs discovered.
Q/A’s asked in sessions are:
Q) How to scan images
Ans: The docker scan command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
Q) How to get a detailed scan report
Ans: You can get a detailed scan report about a Docker image by providing the Dockerfile used to create the image. The syntax is docker scan --file PATH_TO_DOCKERFILE DOCKER_IMAGE. For example, if you apply the option to the docker-scan test image, it displays the following result:
Quiz Time
With CKA training program, we are going to cover 100+ sample exam questions to help you prepare for CKA certification.
Check out one of the questions and see if you can solve this.
Ques) Which of the following is a text document that contains all the commands a user could call on the command line to build an image?
A. Docker compose
B. Docker registry
C. Docker Hub
D. Docker file
Comment your answer in the comment box.
The post Docker & Kubernetes [CKA/ CKS/ CKAD] Q/A (Docker Image vs Containers & Dockerfile): Day 3 and Day 4 Live Session Review appeared first on Cloud Training Program.