Container Runtime Basics.txt

Container Runtime Basics


CRI - Container Runtime Interface
--------------------------------------------
- the foundation upon which container technologies are built
- an abstraction for any kind of container runtime you might want to use
- makes it easier for Kubernetes to use different container runtimes
- instead of the Kubernetes project manually adding support for each runtime, the CRI API describes how Kubernetes interacts with each runtime. So then, it’s down to the runtime to actually manage containers. As long as it obeys the CRI API, it can do whatever it likes.

Docker
Podman 
Containerd - maintained by Docker
CRI-O - maintained by RedHat; built for Kubernetes
Runc
[ CRI ] 

**Container technoliges build on-top-of or from the CRI


OCI - Open Container Initiative
-----------------------------------------
- group of companies who maintain a specification for the container image format, and how containers should be run



Docker
---------

[ Networking Modes ]

Bridge
	default docker network; provides inter container connectivity for all containers running on the same node

Host
	containers interact directly with the host network stack like any other locally hosted application or process 

None
	no outside connectivity outside of themselves


[ Networking Scopes ] 

Local
	network is constrained to the machine where the network exists

Global
	network should be created on every node in the cluster but no routing between them

Swarm
	network spans all of the hosts in a Docker Swarm (cluster-wide)


[ Basic Commands ] 

docker <subcommand> --help
docker commit      Create a new image from a container's changes
docker exec <id> /bin/sh | bash Run a command in a running container
docker images -a   List all images/repositories
docker logs -f     Fetch the logs of a container
docker ps          List running containers
docker ps -a       List all containers
docker pull        Pull an image or a repository from a registry
docker rm <ID>   Remove one or more containers
docker rmi  <ID>    Remove one or more images
docker create      Creates a container in the "stopped" state
docker run         Creates a container in the "running" state
docker search      Search the Docker Hub for images
docker start|stop <ID>  Start/Stop one or more stopped containers
docker stats       Display a live stream of container(s) resource usage statistics
docker inspect     displays metadata that docker maintains about for a container
docker save <IMAGE> | gzip > IMAGE_NAME.tar.gz Exports an image into .tar.gz format for transport
docker load < busybox.tar.gz imports a tar,gz based image into the docker process to be used/run

[ Management Commands ] 

docker network ls 
docker network inspect [bridge|host|local]

docker network create --driver bridge --attachable --scope local --subnet 192.168.1.0/24  --ip-range 192.168.1.128/25 lows-network

docker volume ls

[ Swarm/Service Commands ] 

docker swarm init // enables service abstraction

docker service create -p 8080:80 --name hello-world busybox 
docker service ls
docker service ps <service_name>
docker service logs <service_name>
docker service inspect --pretty <service_name> // prints in human readable
docker service scale <service_name>=3 // increases replica set to 3


[ Examples ] 

docker create nginx
docker run hello-world
docker run --name hi hello-world 

docker run -d --name WebA nginx // runs the nginx container in "detached" mode (in the background)

docker run --name busy -it busybox /bin/sh // interactively starts a busy box container and gives me a terminal running a shell 

docker exec ef875hdhsd /bin/sh // opens up a shell on the container ID

docker logs -f webA // continuously displays logs on container with name "WebA" 

docker run -it --name example --link <container_to_link_to>:<link alias> busybox

docker run -it --name example --link web:insideweb busybox // creates a container using the busybox image and links it a container named "web" so they can communicate with one another 

docker run -it --name example --link web busybox // does not set a link alias name

docker inspect --format "{{.State.Running}}" busybox // displays the value of the enclosed property

docker inspect -f "{{.HostConfig.Links}}" busybox // displays the links in place for busybox container

docker run -it --network lows-network --name network-explorer alpine:3.8 sh // creates an alpine linux based container, attaches it to my user defined network, and opens a shell prompt

docker commit nginx_base // creates a image of a running container called nginx_base
  
docker images // check image list for new image

docker tag <new_image_id> <image_name>


Podman
-----------

[ Commands ]

podman info

podman ps --all

podman images
podman pull <image>

podman run -it <image>
podman run -d --name test_container <image>

podman exec -it test_container /bin/bash

podman start test_container
podman stop test_container

podmam rm -a 
podman rmi <image>

skopeo inspect <image>


[ Setup Container to Run as Systemd Service (Rootless Mode) ]

Create config directory in home to store systemd files
	mkdir ~/.config/systemd/user

Launch the container
	podman run -d --name test_container -p 80:8080 <image>
	
Generate systemd unit files
	podman generate systemd --name test_container --files --new
	
Inspect new systemd unit file
	less ~/.config/systemd/user/test_container.service

Enable linger to allow for persistent non-root systemd containers to run
	loginctl enable-linger
	loginctl show-user cloud_user | grep linger
	"Linger=yes"
	
Reload daemon files (at the user level)
	systemctl --user daemon-reload
	
Enable new container service (at the user level)
	systemctl --user enable  --now test_container.service
	

Containerd
---------------
// TODO


CRI-O
--------

[ Commands ]

**crioctl can be installed from cri-tools package as client facing tool to interact with CRI-O daemon.

crictl info
crictl images
crictl pull busybox