DevOps & Container Labs - DCA Docker

🎯 Goal: Build a custom nginx-based image using a Dockerfile

📝 What is a Dockerfile?
A Dockerfile is a text file with instructions for building a Docker image. Each instruction creates a new layer. Common instructions include FROM (base image), COPY (add files), RUN (execute commands), and EXPOSE (document ports).

💻 Command:
docker build -t webapp:v1.0 .

🔍 What happens:
• Docker reads the Dockerfile in the current directory
• Each instruction creates a layer (cached for efficiency)
• The final image is tagged as "webapp:v1.0"
• You can see each layer's size with docker history

🎯 Goal: Tag the image with the registry URL for pushing

📝 Why Tag?
Docker images need to be tagged with the full registry path before pushing. The format is: registry-url/repository:tag. This tells Docker where to push/pull the image.

💻 Command:
docker tag webapp:v1.0 registry.local:5000/webapp:v1.0

🔍 What happens:
• Creates a new tag pointing to the same image layers
• No data is copied — tags are just pointers
• The image is now addressable by the registry path

🎯 Goal: Push the tagged image to the private Docker registry

💻 Command:
docker push registry.local:5000/webapp:v1.0

🔍 What happens:
• Docker uploads each layer that the registry doesn't already have
• Layers are deduplicated — shared layers are pushed only once
• The manifest (image metadata) is pushed last
• Other hosts can now pull this image from the registry

🎯 Goal: View all local Docker images and their sizes

💻 Command:
docker images

🔍 What to look for:
• REPOSITORY and TAG columns show how images are named
• IMAGE ID is a unique hash of the image
• SIZE shows the total disk usage per image
• Multiple tags with the same ID share layers

🎯 Goal: Examine the build history and layers of the image

💻 Command:
docker history webapp:v1.0

🔍 What to look for:
• Each row is a layer from a Dockerfile instruction
• SIZE column shows how much each layer adds
• <missing> in CREATED BY means it's from the base image
• Smaller layers = more efficient image

🎯 Goal: View detailed metadata including environment variables, ports, and entrypoint

💻 Command:
docker inspect webapp:v1.0

🔍 Key metadata fields:
• Config.Env — environment variables baked into the image
• Config.ExposedPorts — documented ports (not published)
• Config.Entrypoint — default process that runs
• RootFS.Layers — list of layer digests

🎯 Goal: Create an isolated bridge network for your application containers

📝 What is a Bridge Network?
Docker's default bridge network doesn't support DNS-based discovery. A custom bridge network gives containers automatic DNS resolution by name, network isolation, and better security. Containers on different networks can't communicate unless explicitly connected.

💻 Command:
docker network create --driver bridge --subnet app-network

🔍 What happens:
• Creates a new bridge network named "app-network"
• Assigns subnet for container IPs
• Enables DNS-based container name resolution
• Isolates traffic from other networks

🎯 Goal: Create a named volume for database data persistence

📝 Why Volumes?
Container filesystems are ephemeral — data is lost when the container is removed. Docker volumes store data outside the container's writable layer, surviving container recreation. They're managed by Docker and are the preferred way to persist data.

💻 Command:
docker volume create db-data

🔍 What happens:
• Creates a named volume at /var/lib/docker/volumes/db-data
• Volume persists even after containers using it are removed
• Can be mounted into any container with -v db-data:/path

🎯 Goal: Start a PostgreSQL container on the custom network with persistent storage

💻 Command:
docker run -d --name db-server --network app-network -v db-data:/var/lib/postgresql/data -e POSTGRES_PASSWORD=labpass123 postgres:15-alpine

🔍 Flag breakdown:
• -d — Run in detached (background) mode
• --name db-server — Container name (also its DNS hostname)
• --network app-network — Attach to custom bridge
• -v db-data:/var/lib/postgresql/data — Mount volume
• -e POSTGRES_PASSWORD=labpass123 — Set env variable

🎯 Goal: Start an nginx frontend on the same network, publishing port 8080

💻 Command:
docker run -d --name web-frontend --network app-network -p 8080:80 nginx:alpine

🔍 What happens:
• Runs nginx container on app-network alongside db-server
• -p 8080:80 publishes container port 80 to host port 8080
• web-frontend can reach db-server by name via DNS
• External traffic reaches nginx at http://localhost:8080

🎯 Goal: Verify that containers can communicate via DNS on the custom network

💻 Command:
docker exec web-frontend ping -c 3 db-server

🔍 What to look for:
• DNS resolves "db-server" to its container IP (172.20.x.x)
• ICMP replies confirm network connectivity
• 0% packet loss means the network is working perfectly
• Round-trip time should be <1ms (same host)

🎯 Goal: Examine the network configuration and connected containers

💻 Command:
docker network inspect app-network

🔍 Key sections:
• Containers — shows all connected containers and their IPs
• IPAM.Config — shows subnet and gateway
• Driver — shows "bridge" network type
• Internal — shows if external access is blocked

🎯 Goal: Initialize this node as a Docker Swarm manager

📝 What is Docker Swarm?
Docker Swarm is Docker's native orchestration engine. It turns a pool of Docker hosts into a single virtual host. A Swarm has managers (control plane) and workers (run containers). Managers use Raft consensus for high availability.

💻 Command:
docker swarm init --advertise-addr

🔍 What happens:
• This node becomes the first Swarm manager
• A join token is generated for adding workers
• An internal PKI is created for TLS communication
• The Raft consensus database is initialized

🎯 Goal: Create an encrypted overlay network for service-to-service communication

📝 Why Overlay Networks?
Overlay networks span across multiple Docker hosts in a Swarm. They use VXLAN tunneling to enable containers on different hosts to communicate as if on the same network. The --opt encrypted flag adds IPsec encryption for data-in-transit security.

💻 Command:
docker network create --driver overlay --opt encrypted prod-overlay

🔍 What happens:
• Creates a multi-host overlay network
• IPsec encryption protects all traffic between nodes
• Services on this network get automatic DNS load balancing
• Only Swarm services can attach to overlay networks

🎯 Goal: Store the database password as a Swarm secret

📝 What are Docker Secrets?
Docker secrets securely store sensitive data (passwords, TLS certs, API keys) in the Swarm's encrypted Raft log. Secrets are mounted as files inside containers at /run/secrets/<name>. They're never stored on disk on worker nodes.

💻 Command:
echo "SuperSecurePass2024!" | docker secret create db_password -

🔍 What happens:
• The secret is encrypted and stored in the Raft log
• Only services explicitly granted access can read it
• The secret value is NEVER exposed in docker inspect
• Workers only receive secrets for services they're running

🎯 Goal: Deploy a replicated service on the overlay network with the secret

💻 Command:
docker service create --name webapp-svc --replicas 3 --network prod-overlay --secret db_password -p 80:80 nginx:alpine

🔍 Flag breakdown:
• --replicas 3 — Run 3 identical task containers
• --network prod-overlay — Attach to encrypted overlay
• --secret db_password — Mount secret at /run/secrets/db_password
• -p 80:80 — Publish port with routing mesh
• Swarm load-balances traffic across all 3 replicas

🎯 Goal: Scale the service and perform a rolling update

💻 Command:
docker service update --replicas 5 --update-parallelism 2 --update-delay 10s webapp-svc

🔍 What happens:
• Scales from 3 to 5 replicas
• Sets rolling update policy: 2 tasks at a time with 10s delay
• Swarm performs zero-downtime updates
• If an update fails, Swarm automatically rolls back

🎯 Goal: Verify the service is running with all replicas healthy

💻 Command:
docker service ls

🔍 What to look for:
• REPLICAS should show 5/5 (all running)
• MODE should be "replicated"
• PORTS show the published port mapping
• Use docker service ps webapp-svc to see individual tasks