From de3ed1f1c89f2026b8fea42ab01492ec0a1febd7 Mon Sep 17 00:00:00 2001 From: Yuuta Liang Date: Mon, 6 Nov 2023 07:00:00 +0800 Subject: sysadmin/container --- docs/sysadmin/container/docker.md | 51 +++++++++++++++++++++++++++++++++++++++ docs/sysadmin/container/index.md | 42 ++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 3 files changed, 94 insertions(+) create mode 100644 docs/sysadmin/container/index.md diff --git a/docs/sysadmin/container/docker.md b/docs/sysadmin/container/docker.md index c597eaa..774bcd1 100644 --- a/docs/sysadmin/container/docker.md +++ b/docs/sysadmin/container/docker.md 
@@ -1 +1,52 @@ # Docker + +A lot of the operations below also apply to Podman. + +## Multi-stage builds + +Please make sure to use +[multi-stage builds](https://docs.docker.com/build/building/multi-stage/) to +reduce the final image size by eliminating build toolchains from the production +image. + +```Dockerfile +FROM xxx-building-image AS builder + +ADD ... + +RUN make + +FROM xxx-runtime-image + +COPY --from=builder ... +``` + +## Docker messying up the netfilter NAT table + +Sucks. Use Podman. + +## Do not use Alpine + +Alpine uses musl as libc. This is pretty troublesome in some cases, especially +when it comes to `gai.conf(5)` and `nsswitch.conf(5)`. Although these examples +are not really sound in a container environment, musl still behaves somehow +different from glibc. + +Moreover, Alpine is too minimal. It is usual that the administrator need to +run an interactive shell somehow in a running production container to diagnose +problems, and Alpine doesn't ship with any of them. + +Use a Debian or Ubuntu image instead. Debian Slim images are still pretty tiny, +especially in terms of today's hard drives. However, they contain much more +tools that are more realistic in a production environment. + +Moreover, because Docker uses overlayfs, these images won't get saved twice on +the disk. + +## The confusing `latest` version + +If I remembered correctly (I hadn't been using Docker for four years, +unfortunately), the `latest` version is just a placeholder for the current +latest version of that image. It has nothing to do with auto updates or +whatever. It can even break things because the lates version may change from +time to time. diff --git a/docs/sysadmin/container/index.md b/docs/sysadmin/container/index.md new file mode 100644 index 0000000..c5c486f --- /dev/null +++ b/docs/sysadmin/container/index.md 
@@ -0,0 +1,42 @@ +# Container + +Modern Docker containers are chroot jails with added sugar. They are: + +1. Layered - Each running container is the combination of one or more container +images. +2. Immutable - Container images, once built, are immutable. Any changes to image +files in running containers will be discarded upon container removal. The only +way to persistent files are via bind mounts or volumes. +3. Easily Built - Container images are built using a recipe file called +`Dockerfile`. They contain instructions like specifying the base image, import +files from the host filesystem to the container, running commands in the +container, and setting properties (like what script to run when the container +starts). +4. Portable - Running containers are chroot environments that are completely +isolated from the outside environment, except for mounted volumes or port +forwarding. + +Docker is the inventor and original implementation of this idea. DockerHub is +the cloud container registry (and building service) ran by Docker, Inc. Podman +is RedHat's competiting and compatible implementation of Docker. + +TODO: What is OCI? + +This architectures opens a lot more opportunities for a scalable environment. +Because running containers are portable, they can be easily scaled or moved to +other machines with minimal changes to the things inside that container. Also, +due to that property, Docker containers can be used to replicate development +environments. + +Clustering solutions exist: Docker Swarm is the simple cluster implementation +built-in to Docker; Kubernetes is the super-fancy-complicated Google thing; +Nomad is the HashiCorp implementation. + +A Docker container is not a virtual machine. It uses the host's kernel, network +stack, file system, and basically everything else. + +A Docker container is not only a chroot jail. It is incorrect to compare it to +systemd-nspawn containers or FreeBSD jails. 
Docker container is built upon +`chroot(2)` that has all the fancy features as described above to speed-up +environment setup and scaling, where plain chroot jails are not based on OCI +images. diff --git a/mkdocs.yml b/mkdocs.yml index 7c9a9a0..7e5098d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -108,6 +108,7 @@ nav: - sysadmin/virtualization/hyper-v/index.md - sysadmin/virtualization/hyper-v/failover.md - Container: + - sysadmin/container/index.md - sysadmin/container/docker.md - Operating Systems: - Unix: -- cgit v1.2.3
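Review bot: In the `## The confusing `latest` version` section of docs/sysadmin/container/docker.md the text ends at "It can even break things because the lates version may change from time to time" without saying what to do instead; since `latest` is only a mutable tag that the publisher can repoint at any time, add the usual mitigation: pin an explicit version tag or, for reproducible deployments, the image digest (`FROM image@sha256:<digest>`, placeholder digest), and bump it deliberately. In the multi-stage sample, `ADD ...` should be `COPY ...` unless archive extraction or a remote URL is actually needed; Docker's own best-practice docs prefer COPY for plain file copies. The "Docker messying up the netfilter NAT table" section only says "Sucks. Use Podman."; one sentence on what actually happens (Docker inserts its own iptables rules for container networking, which can conflict with or bypass a host firewall configuration) would make the recommendation actionable for an admin. Typos: "messying" -> "messing", "the administrator need to" -> "the administrator needs to", "lates version" -> "latest version".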
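Review bot: In docs/sysadmin/container/index.md, item 4 "Portable - Running containers are chroot environments that are completely isolated from the outside environment, except for mounted volumes or port forwarding" contradicts the later paragraph "It uses the host's kernel, network stack, file system, and basically everything else"; containers share the host kernel, so the isolation is namespace and cgroup based rather than complete. Suggest "isolated from the host and from other containers by kernel namespaces and cgroups, except for mounted volumes or port forwarding" and keep the later caveat. Item 2 "The only way to persistent files are via bind mounts or volumes" should read "The only way to persist files is via bind mounts or volumes". The "TODO: What is OCI?" line could be resolved in this same change: OCI is the Open Container Initiative, which standardizes the image format and runtime specification shared by Docker, Podman and Kubernetes runtimes; that also gives the closing sentence "plain chroot jails are not based on OCI images" something to refer to. Typos: "competiting" -> "competing", "ran by" -> "run by", "This architectures opens" -> "This architecture opens", "built-in to Docker" -> "built into Docker".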