Docker, Quickly and in Equations – Step 1

Purpose = Building distributed applications, moving them quickly from one place to another and running them.

It can also serve this purpose = It does not have to be distributed; it works just as well for monolithic applications, who cares !!!!

Packaging = Bringing together everything the application needs to run: the OS userland + libraries + dependencies. (Userland only: the kernel is not packaged, every container runs on the host's kernel, which is why the kernel version requirement below matters.)

In other words, packaging = Our code (on git) + say we need php + apache2 + extra PHP modules (like SimpleXML)

Docker = Open Platform + Purpose + Packaging

Docker = For me it means a black box ! + Whatever you put inside must be assumed to work 100% without problems

Before installing ;

sourcing (the linux source command) = read the file and run the commands in it in the current shell

Docker package on Ubuntu = docker.io

Kernel >= 3.10 (3.10 is the minimum Docker supports)

{
noroot@kvm-ovs-server2:/etc/bash_completion.d$ uname -r
3.16.0-55-generic
}

Kernel < 3.10 = {These older versions are known to have bugs which cause data loss and frequently panic under certain conditions.} (from the Docker installation docs)

Installation Step 1 = sudo apt-get install docker.io

Installation Note 1 = I did not run a command like "source /etc/bash_completion.d/docker.io"; if you look with "vi /etc/bash_completion.d/docker" the tab-completion is already in place.

Docker Daemon = {
noroot@kvm-ovs-server2:~$ ps -fe | grep docker
root      2837     1  0 12:00 ?        00:00:00 /usr/bin/docker -d
noroot    3495  1382  0 12:35 pts/1    00:00:00 grep --color=auto docker
}

Docker Version = {
noroot@kvm-ovs-server2:~$ sudo docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.2.1
Git commit (client): 7c8fca2
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.2.1
Git commit (server): 7c8fca2
OS/Arch (server): linux/amd64
}

Docker Networking 1 = A bridge named docker0 is created on the system {
noroot@kvm-ovs-server2:~$ ifconfig
docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

em1       Link encap:Ethernet  HWaddr 00:17:a4:77:0c:14
          inet addr:10.111.21.151  Bcast:10.111.21.255  Mask:255.255.255.0
          inet6 addr: fe80::217:a4ff:fe77:c14/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18989 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33486283 (33.4 MB)  TX bytes:1887461 (1.8 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1184 (1.1 KB)  TX bytes:1184 (1.1 KB)

noroot@kvm-ovs-server2:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799       no
}

Docker Networking 2 = The bridge interface has been given an IP (172.17.42.1/16). That IP is the default gateway of the Docker containers and now has a place in the host's Linux IP stack, so the host itself is on the same 172.17.0.0/16 segment as every container and anything listening on the host can be reached from a container via 172.17.42.1 unless you filter it.

Docker IPTables 1 = {
noroot@kvm-ovs-server2:~$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 20214 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18296 packets, 1484K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
}

Docker IPTables 2 = Docker writes these FORWARD rules itself when the daemon starts and adds entries to the DOCKER chain for every port you publish later, so any forwarding rules you add by hand have to live alongside them. Read the four rules top to bottom: traffic headed into docker0 first passes through the DOCKER chain (published ports), replies to established connections are let in, anything leaving docker0 for another interface is allowed out, and docker0 -> docker0 is allowed, which means containers on the bridge can talk to each other freely. That last rule is the daemon's --icc=true default; starting the daemon with --icc=false turns it into a DROP, after which containers only reach each other when explicitly linked (--link adds the matching ACCEPT pair).
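A small audit for the FORWARD chain just shown, added here as an example and not part of the original post. It reads `iptables -S FORWARD` output and reports whether containers on docker0 can reach each other (the --icc=true default) or are isolated (--icc=false, which replaces the docker0 -> docker0 ACCEPT with a DROP). The two sample rule sets are constructed: the first is the post's listing rendered in `-S` syntax, the second is the same host after restarting the daemon with --icc=false.

```shell
#!/bin/sh
# Added example, not from the original post: audit Docker's FORWARD chain.
# check_icc reads `iptables -S FORWARD` text on stdin so it works on a saved
# dump; live_check feeds it the real chain (needs root).

# Prints "open" if docker0->docker0 traffic is ACCEPTed, "isolated" if it is
# DROPped, "absent" if Docker has not installed the rule at all.
check_icc() {
    awk '
        /^-A FORWARD .*-i docker0 -o docker0 .*-j ACCEPT/ { print "open"; found = 1; exit }
        /^-A FORWARD .*-i docker0 -o docker0 .*-j DROP/   { print "isolated"; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Prints the chain policy ("ACCEPT" / "DROP") from the -P line.
forward_policy() {
    awk '/^-P FORWARD / { print $3; exit }'
}

# Constructed sample: the post's `iptables -L -v -n` FORWARD rules as `-S`
# would print them (daemon default, --icc=true).
SAMPLE_DEFAULT='-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed sample: same host after restarting the daemon with --icc=false.
SAMPLE_ICC_OFF='-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP'

# Live run: sudo sh icc_check.sh live
live_check() {
    rules=$(iptables -S FORWARD) || return 1
    printf 'FORWARD policy: %s\n' "$(printf '%s\n' "$rules" | forward_policy)"
    printf 'inter-container traffic on docker0: %s\n' "$(printf '%s\n' "$rules" | check_icc)"
}

if [ "$1" = live ]; then
    live_check
else
    printf 'default daemon:   %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | check_icc)"
    printf 'with --icc=false: %s\n' "$(printf '%s\n' "$SAMPLE_ICC_OFF" | check_icc)"
fi
```

Run it without arguments to see the two constructed cases, or with `live` on the Docker host to check the real chain. Note that `-m conntrack --ctstate` in the samples is how the `ctstate RELATED,ESTABLISHED` match from the `-L` listing appears in `-S` output.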

Let's pull the operating systems (images) = {
noroot@kvm-ovs-server2:~$ sudo docker pull centos
latest: Pulling from centos
47d44cb6f252: Pull complete
168a69b62202: Pull complete
812e9d9d677f: Pull complete
4234bfdd88f8: Pull complete
ce20c473cd8a: Pull complete
centos:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:c96eeb93f2590858b9e1396e808d817fa0ba4076c68b59395445cb957b524408
Status: Downloaded newer image for centos:latest
}

Take the "has been verified" line at its word: it says itself not to rely on it. What you can rely on is the Digest line, a content hash of the image manifest; a tag like centos:latest can be pointed at a different image tomorrow, the digest cannot. Docker 1.6 lets you pull by digest (centos@sha256:...) so that once you know which digest you trust, that is the one you get.
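A check for the digest shown above, added here as an example and not code from the original post: extract the Digest line from `docker pull` output and compare it with a digest you recorded earlier, so a re-tagged centos:latest is caught before anything is run from it. The pull output below is a constructed copy of the post's, and EXPECTED is the digest from that same output standing in for one you pinned in advance.

```shell
#!/bin/sh
# Added example, not from the original post: pin an image to the content
# digest `docker pull` prints instead of trusting the tag or the
# "has been verified" tech-preview message.

# Extracts the sha256 digest from `docker pull` output read on stdin.
pull_digest() {
    awk '/^Digest: sha256:/ { print $2; exit }'
}

# verify_digest EXPECTED  < pull-output
# Exit 0 if the pulled digest equals EXPECTED, 2 if no Digest line was
# printed (v1 registry or old client), 1 on mismatch (tag now points at a
# different image).
verify_digest() {
    expected=$1
    got=$(pull_digest)
    if [ -z "$got" ]; then
        echo "no digest in pull output (registry v1 or old client?)" >&2
        return 2
    fi
    if [ "$got" != "$expected" ]; then
        echo "DIGEST MISMATCH: expected $expected got $got" >&2
        return 1
    fi
    echo "digest ok: $got"
}

# The digest from the post's pull, standing in for one recorded earlier.
EXPECTED=sha256:c96eeb93f2590858b9e1396e808d817fa0ba4076c68b59395445cb957b524408

# Constructed copy of the post's `docker pull centos` output.
SAMPLE_PULL='latest: Pulling from centos
47d44cb6f252: Pull complete
ce20c473cd8a: Pull complete
centos:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:c96eeb93f2590858b9e1396e808d817fa0ba4076c68b59395445cb957b524408
Status: Downloaded newer image for centos:latest'

# Live use (needs root): pull_and_verify centos "$EXPECTED" && docker run ...
pull_and_verify() {
    image=$1; expected=$2
    out=$(mktemp) || return 1
    sudo docker pull "$image" | tee "$out"
    verify_digest "$expected" < "$out"
    rc=$?
    rm -f "$out"
    return $rc
}

printf '%s\n' "$SAMPLE_PULL" | verify_digest "$EXPECTED"
```

Once the digest is known, `sudo docker pull centos@sha256:c96eeb93...` (supported since Docker 1.6) makes the registry do the same comparison for you; this script is for the case where you still pull by tag and want to notice when it moves.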

Let's list the installed operating systems (images) = {
noroot@kvm-ovs-server2:~$ sudo docker images
[sudo] password for noroot:
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu              latest              d55e68e6cc9c        5 days ago          187.9 MB
centos              latest              ce20c473cd8a        8 weeks ago         172.3 MB
}

Let's create a Docker container running "bash" = -i (interactive: keeps STDIN open. Had we used -d instead it would have been detached, running in the background like cli>command &, i.e. start and return) (-t means allocate a terminal, a pseudo-TTY) {
noroot@kvm-ovs-server2:~$ docker run -i -t ubuntu /bin/bash
FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?
noroot@kvm-ovs-server2:~$ sudo docker run -i -t ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from ubuntu
9377ad319b00: Pull complete
a82f81f25750: Pull complete
b207c06aba70: Pull complete
d55e68e6cc9c: Pull complete
ubuntu:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:a2b67b6107aa640044c25a03b9e06e2a2d48c95be6ac17fb1a387e75eebafd7c
Status: Downloaded newer image for ubuntu:latest
root@44f2b099b441:/#
}

The "permission denied" on the first try has nothing to do with TLS, whatever the error hints: /var/run/docker.sock belongs to root (group docker) and noroot cannot write to it. Keep in mind what that socket is worth before handing it out: anyone who can talk to it can start a container with the host's filesystem mounted (-v /:/host) and is therefore root on the host, so putting a user in the docker group to get rid of sudo grants exactly that.


Let's list the Docker containers
(since we did not give a name with --name, it assigned names for us, thanks)

noroot@kvm-ovs-server2:~$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
1156297160d2        ubuntu:latest       "bash"              About an hour ago   Up About an hour                        sleepy_bell
44f2b099b441        ubuntu:latest       "/bin/bash"         2 hours ago         Up 2 hours                              suspicious_mccarthy


Network Interfaces in Docker Containers
= A veth interface is created here for each Docker container; it shows up as eth0 on the container side and as vethXZTQUV (a random suffix) on the host side.

Think of a veth pair as a pipe: the Docker container sits at one end, the OS/server hosting it at the other. To communicate with the container you send things through this pipe and the container sends its replies back through the same pipe. The host end carries no IP address and is enslaved to the docker0 bridge, which makes it a handy sniffing point; the IP address is set on the container end.

Seen from the HOST >

vethead1d1f Link encap:Ethernet  HWaddr a2:0f:53:f3:b1:25
          inet6 addr: fe80::a00f:53ff:fef3:b125/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:299 errors:0 dropped:0 overruns:0 frame:0
          TX packets:624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22845 (22.8 KB)  TX bytes:1106254 (1.1 MB)

To find the other end of the "vethead1d1f" pair we need to know how to see the ifindexes ....

noroot@kvm-ovs-server2:~$ sudo ip link show  (see "6:", that is the ifindex number of vethead1d1f)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:17:a4:77:0c:14 brd ff:ff:ff:ff:ff:ff
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:17:a4:77:0c:16 brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 56:84:7a:fe:97:99 brd ff:ff:ff:ff:ff:ff
6: vethead1d1f: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether a2:0f:53:f3:b1:25 brd ff:ff:ff:ff:ff:ff
10: vethfc4e79c: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether f2:8a:e8:d1:be:55 brd ff:ff:ff:ff:ff:ff

Seen from the Container > (ifindexes are per network namespace, so the "5:" here is in the container's own numbering)

root@44f2b099b441:/# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff

Now let's look from the HOST > again and try to find the veth pair: the peer_ifindex of vethead1d1f is 5, which is exactly the ifindex of eth0 inside container 44f2b099b441.

noroot@kvm-ovs-server2:~$ ethtool -S vethead1d1f
NIC statistics:
     peer_ifindex: 5
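The matching done by hand above, automated. This is an added example and not code from the original post. It relies on two facts: a veth's iflink attribute in sysfs (/sys/class/net/NAME/iflink) is the same number `ethtool -S` prints as peer_ifindex, and inside a container /sys/class/net/eth0/iflink is the ifindex of its host-side veth. The link listing below is constructed from the post's `ip link show` output; map_live does the same thing against real containers with `docker exec`.

```shell
#!/bin/sh
# Added example, not from the original post: map container eth0 <-> host veth
# by ifindex / peer ifindex instead of eyeballing `ip link` and `ethtool -S`.

# Constructed copy of the host `ip link show` lines from the post.
HOST_LINKS='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
6: vethead1d1f: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
10: vethfc4e79c: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP'

# name_of INDEX LINKS -> interface name with that ifindex ("" if none).
# Newer iproute2 prints veths as "vethX@if5"; the @ suffix is stripped.
name_of() {
    printf '%s\n' "$2" | awk -v i="$1" -F': ' '$1 == i { sub(/@.*/, "", $2); print $2; exit }'
}

# ifindex_of NAME LINKS -> ifindex of NAME ("" if none).
ifindex_of() {
    printf '%s\n' "$2" | awk -v n="$1" -F': ' '{ name = $2; sub(/@.*/, "", name) } name == n { print $1; exit }'
}

# peer_index_live VETH -> the peer's ifindex from sysfs, the same number
# `ethtool -S VETH` reports as peer_ifindex (no ethtool needed).
peer_index_live() {
    cat "/sys/class/net/$1/iflink"
}

# map_live: for every running container print "<id> eth0 <-> <host veth>".
# Inside the container, eth0's iflink is the ifindex of the host-side veth,
# so looking that number up in the host's `ip link` output gives the pair.
map_live() {
    links=$(ip -o link show)
    for c in $(sudo docker ps -q); do
        idx=$(sudo docker exec "$c" cat /sys/class/net/eth0/iflink) || continue
        printf '%s eth0 <-> host %s (ifindex %s)\n' "$c" "$(name_of "$idx" "$links")" "$idx"
    done
}

if [ "$1" = live ]; then
    map_live
else
    # Constructed case: container 44f2b099b441 has eth0 at ifindex 5 and the
    # host side reports peer_ifindex 5, so eth0's iflink in the container is 6.
    printf '%s eth0 <-> host %s\n' 44f2b099b441 "$(name_of 6 "$HOST_LINKS")"
fi
```

Running it with `live` on the Docker host lists every running container next to the host veth you would point tcpdump at; without arguments it only resolves the constructed case from the post.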

Pipe may have been a poor metaphor, but let's now listen on the HOST end of the pipe while pinging Google's public DNS from inside the container (tcpdump resolves the address to google-public-dns-a.google.com). Everything the container sends and receives passes through the host-side veth, so this is where you capture a container's traffic without touching the container.

noroot@kvm-ovs-server2:~$ sudo tcpdump -i vethead1d1f
tcpdump: WARNING: vethead1d1f: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vethead1d1f, link-type EN10MB (Ethernet), capture size 65535 bytes
14:31:19.088992 IP 172.17.0.1 > google-public-dns-a.google.com: ICMP echo request, id 107, seq 1, length 64
14:31:19.127786 IP google-public-dns-a.google.com > 172.17.0.1: ICMP echo reply, id 107, seq 1, length 64
14:31:20.090960 IP 172.17.0.1 > google-public-dns-a.google.com: ICMP echo request, id 107, seq 2, length 64
14:31:20.128787 IP google-public-dns-a.google.com > 172.17.0.1: ICMP echo reply, id 107, seq 2, length 64
14:31:24.128698 ARP, Request who-has 172.17.0.1 tell 172.17.42.1, length 28
14:31:24.128735 ARP, Reply 172.17.0.1 is-at 02:42:ac:11:00:01 (oui Unknown), length 28

The container is 172.17.0.1 and the ARP request at the end comes from 172.17.42.1, the docker0 bridge, refreshing its entry for the container; the MAC in the reply is the one eth0 showed inside the container.

Along with this, we can also see the containers' virtual NICs attached to the docker0 bridge this way

noroot@kvm-ovs-server2:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799       no              vethead1d1f
                                                        vethfc4e79c


Let's look at the NAT table
(By default every Docker container goes out to the Internet with the host's address: the MASQUERADE rule below rewrites the source of anything from 172.17.0.0/16 that leaves through an interface other than docker0 to the address of that outgoing interface, here em1 / 10.111.21.151)

noroot@kvm-ovs-server2:~$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 18 packets, 1240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   280 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 74 packets, 4915 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 74 packets, 4915 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   960 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination

The two DOCKER jumps in PREROUTING and OUTPUT catch packets addressed to one of the host's own IPs; that is where the DNAT rules for published ports (-p) will be placed. The chain is empty for now because nothing has been published yet.

Ok, that's enough for now; we'll go a little further in the next one.

VM

Nice Links

http://www.rationallyparanoid.com/articles/tcpdump.html

http://www.cyberciti.biz/tips/linux-iptables-examples.html

Posted on 14/12/2015 in Docker. 3 Comments.
