Book Image

Docker for Developers

By : Richard Bullington-McGuire, Andrew K. Dennis, Michael Schwartz
2 (1)
Book Image

Docker for Developers

2 (1)
By: Richard Bullington-McGuire, Andrew K. Dennis, Michael Schwartz

Overview of this book

Docker is the de facto standard for containerizing apps, and with an increasing number of software projects migrating to containers, it is crucial for engineers and DevOps teams to understand how to build, deploy, and secure Docker environments effectively. Docker for Developers will help you understand Docker containers from scratch while taking you through best practices and showing you how to address security concerns. Starting with an introduction to Docker, you’ll learn how to use containers and VirtualBox for development. You’ll explore how containers work and develop projects within them after you’ve explored different ways to deploy and run containers. The book will also show you how to use Docker containers in production in both single-host set-ups and in clusters and deploy them using Jenkins, Kubernetes, and Spinnaker. As you advance, you’ll get to grips with monitoring, securing, and scaling Docker using tools such as Prometheus and Grafana. Later, you’ll be able to deploy Docker containers to a variety of environments, including the cloud-native Amazon Elastic Kubernetes Service (Amazon EKS), before finally delving into Docker security concepts and best practices. By the end of the Docker book, you’ll be able to not only work in a container-driven environment confidently but also use Docker for both new and existing projects.
Table of Contents (21 chapters)
1
Section 1: An Introduction to Docker – Containers and Local Development
6
Section 2: Running Docker in Production
14
Section 3: Docker Security – Securing Your Containers

A note on cgroups

Linux cgroups are a mechanism used to control the number of processes that can be spawned and so prevent a system from suffering severe performance loss or worse, crashing.

By using cgroups, we can set a limit to the number of processes that can be spawned through the fork() and clone() operations. Once a limit is hit, it's not possible to generate any further processes under the cgroup. Additionally, cgroups support the ability to set CPU and memory limits. You can read about their comprehensive list of options at https://www.man7.org/linux/man-pages/man7/cgroups.7.html

Using this feature enables you to have more granular control over the system resources that your container is using. In an unfortunate event where a container is compromised, preventing it from over-consuming system resources is a useful mechanism to limit the damage until you can remediate the problem.

Having looked at how Docker Engine and containerd use best practices from Linux...