Docker note

ECS

My ECS notes have moved here:
https://qiita.com/h-imaoka/items/0bc296e8b0084e897cfa

warning: cannot increase max open fds from 1024 to 4140 ...

I ran into this warning on an ECS-optimized AMI while running an unbound container.

[1555120344] unbound[1:0] warning: setrlimit: Operation not permitted
[1555120344] unbound[1:0] warning: cannot increase max open fds from 1024 to 4140
[1555120344] unbound[1:0] warning: continuing with less udp ports: 984
[1555120344] unbound[1:0] warning: increase ulimit or decrease threads, ports in config to remove this warning

I compared the dockerd command line on my desktop with the one on an ECS instance:

#my desktop
/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

#ecs-optimized
/usr/bin/dockerd --default-ulimit nofile=1024:4096

The ECS-optimized AMI sets this nofile default in /etc/sysconfig/docker.

Solution

Run the container with the --cap-add SYS_RESOURCE option.
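The warning above comes from unbound calling setrlimit() at startup: raising the soft nofile limit up to the hard limit (4096 here) is always allowed, but raising the hard limit beyond what dockerd set needs CAP_SYS_RESOURCE, which a default container lacks. The following Python script is an added illustration (not part of this note) that reproduces that check from inside any container: run it with and without --cap-add SYS_RESOURCE and compare. The function names and the constructed warning text are mine; a less privileged alternative to granting the capability is to set the limit from outside with docker run --ulimit nofile=4140:4140 (or the ulimits key of an ECS task definition), so the process never has to raise its own hard limit.

```python
import resource

INF = resource.RLIM_INFINITY  # -1: "unlimited"


def nofile_limits():
    """Return (soft, hard) RLIMIT_NOFILE of the current process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def _fits(wanted, limit):
    """True when `wanted` open files is within `limit` (an unlimited limit fits everything)."""
    return limit == INF or wanted <= limit


def try_raise_nofile(wanted):
    """Ask for `wanted` open files the way a daemon such as unbound does at startup.

    Returns (ok, soft, hard, reason). Raising the soft limit up to the hard limit
    never needs a capability; raising the hard limit needs CAP_SYS_RESOURCE, which
    is why a plain container logs "setrlimit: Operation not permitted".
    """
    soft, hard = nofile_limits()
    if _fits(wanted, soft):
        return True, soft, hard, "soft limit already sufficient"
    if _fits(wanted, hard):
        resource.setrlimit(resource.RLIMIT_NOFILE, (wanted, hard))
        return True, wanted, hard, "raised soft limit within hard limit (no capability needed)"
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (wanted, wanted))
    except (ValueError, OSError):
        # CPython reports EPERM from setrlimit as ValueError("not allowed to raise maximum limit")
        return False, soft, hard, f"cannot raise hard limit {hard} to {wanted}: needs CAP_SYS_RESOURCE"
    return True, wanted, wanted, "raised hard limit (CAP_SYS_RESOURCE present, e.g. --cap-add SYS_RESOURCE)"


def unbound_style_warning(wanted):
    """Return the warning line unbound would log for this process, or None when all is fine."""
    ok, soft, _hard, _reason = try_raise_nofile(wanted)
    if ok:
        return None
    return f"warning: cannot increase max open fds from {soft} to {wanted}"


if __name__ == "__main__":
    # 4140 is the number unbound asked for in the log above
    print("limits before:", nofile_limits())
    print(try_raise_nofile(4140))
    print("limits after: ", nofile_limits())
```

Inside a container started with the ECS default (--default-ulimit nofile=1024:4096) the script reports that 4140 exceeds the hard limit and that the raise failed; with --cap-add SYS_RESOURCE, or with --ulimit nofile=4140:4140 set by the daemon, it succeeds.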

iptables in docker

docker run --cap-add=NET_ADMIN --rm -ti debian:stretch-slim
# inside the container (the slim image has no package lists yet)
apt-get update
apt-get install -y iptables iputils-ping

iptables -A INPUT -p tcp --dport 80 -j DROP  # sample rule
iptables -A INPUT -j DROP                    # drop all other inbound traffic
ping google.com
# times out: the echo replies are dropped by the catch-all rule
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # -I inserts at the top of the chain
ping google.com
# OK!

How to use the docker command from inside a container without DinD (Mac & Linux only?)

On docker run, add -v /var/run/docker.sock:/var/run/docker.sock.

docker run -it -v /var/run/docker.sock:/var/run/docker.sock alpine
# in the alpine container
apk add docker
...
docker ps
# lists this container too, and of course we can run `docker run` as well!
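Anything that can reach that socket controls the daemon, and the daemon can start privileged containers with host directories mounted, so a container holding /var/run/docker.sock is effectively root on the host. As an added example (not code from this note), here is a small Python audit that talks to the Docker Engine API over the Unix socket and lists which containers have the daemon socket bind-mounted into them. The Engine API endpoint /containers/json and its Mounts field are real; the function names, the default socket path and the SAMPLE_CONTAINERS data (constructed to look like the API's response) are my assumptions.

```python
import http.client
import json
import os
import socket

DOCKER_SOCK = "/var/run/docker.sock"  # assumed default location of the daemon socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP client over a Unix-domain socket (the Engine API listens on one)."""

    def __init__(self, sock_path, timeout=5.0):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def engine_get(path, sock_path=DOCKER_SOCK):
    """GET a JSON document from the Engine API, e.g. engine_get('/containers/json?all=1')."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"engine returned {resp.status}: {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


def socket_mounted_containers(containers, sock_basename="docker.sock"):
    """From /containers/json output, return (name, source, destination, rw) for every
    container that bind-mounts the daemon socket, whatever path it is mounted at."""
    findings = []
    for c in containers:
        names = c.get("Names") or ["/" + c.get("Id", "?")[:12]]
        name = names[0].lstrip("/")
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if m.get("Type") == "bind" and os.path.basename(src) == sock_basename:
                findings.append((name, src, m.get("Destination", ""), bool(m.get("RW", True))))
    return findings


# Constructed sample shaped like a /containers/json response (not real output).
SAMPLE_CONTAINERS = [
    {"Id": "0123456789abcdef", "Names": ["/sharp_curie"], "Image": "alpine",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "", "RW": True}]},
    {"Id": "fedcba9876543210", "Names": ["/web"], "Image": "nginx",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/usr/share/nginx/html", "RW": True}]},
    {"Id": "abcdef0123456789", "Names": ["/agent"], "Image": "sysdig/agent",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/host/var/run/docker.sock", "Mode": "", "RW": True}]},
]


if __name__ == "__main__":
    try:
        containers = engine_get("/containers/json?all=1")
    except OSError as exc:  # no daemon socket reachable from here
        print(f"cannot reach {DOCKER_SOCK}: {exc}; using constructed sample")
        containers = SAMPLE_CONTAINERS
    for name, src, dst, rw in socket_mounted_containers(containers):
        print(f"{name}: {src} -> {dst} ({'rw' if rw else 'ro'})")
```

Run it on a host (or inside a container that has the socket) to see which containers were handed the daemon; the same query is what a `docker ps`-style check would do, so treat the list as a list of host-root-equivalent processes.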

Waiting for a service port to be ready (docker-compose)

depends_on only waits for the other container to be started, not for its service to be ready. Example: container A runs a web server, and container B connects to A's web port during its own init/startup process. Unfortunately, B exits non-zero because A's web service is not ready yet.

There are some approaches.
1. In container B's startup process, wait until container A's service is ready, e.g. with dockerize:
https://github.com/jwilder/dockerize

dockerize -wait tcp://db:5432 -wait http://web:80 -wait file:///tmp/generated-file

2. In docker-compose, add a wait-for-dependencies container: B depends on wait-for-dependencies, which depends on A and waits until A's service is ready. This also works for a partial docker-compose up. Sample:

version: '3.3'
services:
  localdynamo:
    image: dwmkerr/dynamodb
    ports:
      - "8000:8000"
  wait-dynamo:
    image: dadarek/wait-for-dependencies
    depends_on:
      - localdynamo
    command: localdynamo:8000
  my-service:
    depends_on:
      - wait-dynamo
    image: docker-ho:1.0
    ports:
      - "5000"
    environment:
      FLASK_APP_DYNAMO_HOST: "http://localdynamo:8000"
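Both approaches above boil down to the same loop: probe the dependency until it answers, then either exit 0 (wait-for container) or exec the real process (dockerize). The following Python script is an added example, not code from dockerize, dadarek/wait-for-dependencies or this note; it implements the same dockerize-style tcp://, http:// and file:// targets with only the standard library, so it can serve as container B's entrypoint where dockerize is not available. The function names are mine; demo() stands up a closed port, a listening TCP port and a tiny local HTTP server (all constructed) to show both the timeout and the success path.

```python
import os
import socket
import sys
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def tcp_ready(host, port, timeout=1.0):
    """True when a TCP connect to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_ready(url, timeout=1.0):
    """True when the URL answers with a 2xx/3xx status; errors and 4xx/5xx count as not ready."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError):  # HTTPError is a URLError subclass
        return False


def is_ready(target):
    """Dispatch one dockerize-style target: tcp://host:port, http(s)://..., file:///path."""
    u = urlparse(target)
    if u.scheme == "tcp":
        return tcp_ready(u.hostname, u.port)
    if u.scheme in ("http", "https"):
        return http_ready(target)
    if u.scheme == "file":
        return os.path.exists(u.path)
    raise ValueError(f"unsupported wait target: {target}")


def wait_for(targets, timeout=30.0, interval=0.25):
    """Poll until every target is ready; return False if the deadline passes first."""
    deadline = time.monotonic() + timeout
    pending = list(targets)
    while True:
        pending = [t for t in pending if not is_ready(t)]
        if not pending:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for container A's web server: answers 200 to everything."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Return (result_for_closed_port, result_for_live_services): expected (False, True)."""
    probe = socket.socket()  # grab a free port number, then close it so nobody listens
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    closed_result = wait_for([f"tcp://127.0.0.1:{closed_port}"], timeout=0.5, interval=0.1)

    srv = socket.socket()  # a listening socket; the kernel completes the handshake without accept()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    httpd = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    live_result = wait_for([f"tcp://127.0.0.1:{srv.getsockname()[1]}",
                            f"http://127.0.0.1:{httpd.server_port}/"], timeout=5)
    httpd.shutdown()
    srv.close()
    return closed_result, live_result


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 wait_for.py tcp://localdynamo:8000 && exec myapp
        sys.exit(0 if wait_for(sys.argv[1:]) else 1)
    print(demo())
```

As an entrypoint the exit status is what matters: a non-zero exit after the timeout fails the container visibly instead of letting B start against a dependency that is not there yet.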

-v with a relative path

docker -v needs an absolute path, so resolve it first (realpath comes from coreutils on macOS):

brew install coreutils
docker run -v $(realpath ../../hoge):/work ...

Alternatively, docker-compose volumes accept relative paths.

Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Add the user to the docker group.

Detach/Attach

Detach : Ctrl-p + Ctrl-q
Attach : docker attach [container]

Why can't I detach?

Because the container was not started with the -i and -t options of docker run.

http://stackoverflow.com/questions/20145717/how-to-detach-from-a-docker-container

Actually, you can SIGKILL the client, and reattach later.
However, this will disrupt stdin (the container will see EOF on stdin, and if it cares about stdin, e.g. if it's a shell, it will exit).

To recap:
docker run -t -i → can be detached with ^P^Q and reattached with docker attach
docker run -i → cannot be detached with ^P^Q; will disrupt stdin
docker run → cannot be detached with ^P^Q; can SIGKILL client; can reattach with docker attach

If you ran the container without -it and then attached, you cannot type Ctrl-C.

Just close your terminal; nothing bad happens.

To detach safely...

If the container was started without -i/-t and you want to detach from an attached session, hitting Ctrl-C forwards the signal to the primary process, so the container gets killed.
To avoid this, attach with --sig-proxy=false.

Getting a shell inside a container

docker exec -it [cont-name] bash

Alpine: use /bin/sh instead of /bin/bash.

Port forwarding with automatically assigned host ports

Run with -p and an empty host port:

$ docker run --name cont01 -i -t -p :80 -p :443  [image_name] /bin/bash

$ docker port cont01
443/tcp -> 0.0.0.0:32769
80/tcp -> 0.0.0.0:32770

Or run with --expose plus -P:

$ docker run --name cont02 -i -t --expose 80 --expose 443 -P [image_name] /bin/bash

strace in a container

http://blog.johngoulah.com/2016/03/running-strace-in-docker/

Run the container with one of these options:
--cap-add SYS_PTRACE
or
--security-opt seccomp:unconfined

Start on OS boot

  • docker command: --restart=always
  • docker-compose: add restart: always to docker-compose.yaml

Run a single container via systemd on a container instance

Sample from
https://support.sysdig.com/hc/en-us/articles/204498905-Sysdig-Install-Standard-Linux-Docker-CoreOS-

[Service]
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker kill sysdig-agent
ExecStartPre=-/usr/bin/docker rm sysdig-agent
ExecStartPre=/usr/bin/docker pull sysdig/agent
ExecStart=/usr/bin/docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=[ACCESS_KEY] -e COLLECTOR=[COLLECTOR_ADDRESS] -e SECURE=false [-e TAGS=[TAGS]] -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro --shm-size=512m sysdig/agent
ExecStop=/usr/bin/docker stop sysdig-agent
