
Intro: Docker and Kubernetes training - Day 1

Christian Posta



Principal Middleware Architect


Twitter: @christianposta


  • Committer on Apache ActiveMQ, Apache Camel, Fabric8

  • Technology evangelist, recovering consultant

  • Spent a lot of time working with one of the largest Microservices, web-scale, unicorn companies

  • Frequent blogger and speaker about open-source, cloud, microservices


  • Intro / Prep Environments

  • Day 1: Docker Deep Dive

  • Day 2: Kubernetes Deep Dive

  • Day 3: Advanced Kubernetes: Concepts, Management, Middleware

  • Day 4: Advanced Kubernetes: CI/CD, open discussions



Docker Deep Dive

What is this Docker thing?

  • A company?

  • A format?

  • An API?


Linux containers? That’s not new…

  • Linux-native functionality

  • Has been around ~ 10 years?

  • cgroups

  • kernel namespaces

  • chroot

  • Linux capabilities

  • Security (SELinux)



cgroups

  • Built into Kernel (RHEL7/Debian/etc)

  • Generically isolates resource usage (CPU, memory, disk, network)

  • Guarantee resources to app/set of apps

  • Can be adjusted on the fly

  • Can monitor the cgroup itself to see utilization
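The monitoring and on-the-fly adjustment bullets above, as an added shell example (not from the slides): it reads a cgroup v2 memory controller's accounting files and rewrites its limit. The file names `memory.current` and `memory.max` are the kernel's cgroup v2 interface; the `/sys/fs/cgroup` layout and the `0::/path` form of `/proc/<pid>/cgroup` assume a unified-hierarchy host. The demo runs against a constructed directory with sample numbers, so it needs no root and no real cgroup.

```shell
#!/bin/sh
# Added example (not from the slides): read and adjust a cgroup v2 memory
# controller for one group. memory.current / memory.max are the kernel's
# cgroup v2 interface files; the demo below uses a constructed directory.

# cgroup_mem_usage <dir> -> "<used> <limit> <percent>"; limit "max" = unlimited
cgroup_mem_usage() {
    used=$(cat "$1/memory.current")
    limit=$(cat "$1/memory.max")
    if [ "$limit" = "max" ]; then
        printf '%s max -\n' "$used"
    else
        printf '%s %s %s\n' "$used" "$limit" $(( used * 100 / limit ))
    fi
}

# cgroup_set_mem_limit <dir> <bytes|max>: a write takes effect immediately;
# a group already above a new, lower limit is reclaimed or OOM-killed by the kernel.
cgroup_set_mem_limit() {
    printf '%s\n' "$2" > "$1/memory.max"
}

# cgroup_dir_of <pid> -> cgroup v2 directory of that process
# (Linux only; assumes the unified hierarchy, where /proc/<pid>/cgroup reads "0::/path")
cgroup_dir_of() {
    rel=$(sed -n 's/^0::\(.*\)$/\1/p' "/proc/$1/cgroup")
    printf '/sys/fs/cgroup%s\n' "$rel"
}

# Demo on constructed files (sample numbers, not a real cgroup)
demo=$(mktemp -d)
printf '%s\n' 134217728 > "$demo/memory.current"   # 128 MiB in use
cgroup_set_mem_limit "$demo" 268435456            # 256 MiB cap
cgroup_mem_usage "$demo"                          # 134217728 268435456 50
cgroup_set_mem_limit "$demo" max                  # lift the cap
cgroup_mem_usage "$demo"                          # 134217728 max -
rm -rf "$demo"

# On a real unified-hierarchy host, the same functions work on the live group:
#   cgroup_mem_usage "$(cgroup_dir_of "$$")"
```

The percentage is computed only when a limit exists; a group whose `memory.max` is `max` reports `-`, since "utilization" of an unbounded budget is meaningless and a dashboard that silently treats `max` as a number would hide unlimited containers.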


Kernel namespaces

  • Isolating views of the system

  • Can make a process think it’s the only process

  • Built-in way to "virtualize" a process


Kernel namespaces

  • mnt (mount points, filesystem)

  • pid (processes)

  • net (network stack)

  • ipc (inter-process comms)

  • uts (hostname)

  • user (UIDs)

Linux capabilities

  • "root" has all capabilities

  • a fine-grained division of "root"'s permissions for a process

  • CAP_NET_ADMIN - modify routing tables, firewalling, NAT, etc

  • CAP_KILL - bypass permission checks for sending signals (kill)

  • CAP_SYS_ADMIN - mount, set hostname, etc
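The fine-grained split of root described above is visible per process as a bitmask: the `CapEff` line of `/proc/<pid>/status` is a hex mask with one bit per capability, numbered as in capabilities(7) (bit 0 is CAP_CHOWN, bit 5 CAP_KILL, bit 12 CAP_NET_ADMIN, bit 21 CAP_SYS_ADMIN). The shell example below is added here and is not from the slides; it decodes such a mask into names and flags the ones a reviewer of a container's effective set would look at first. The sample mask is constructed for the example; it happens to equal the mask produced by the capability set Docker grants by default, which includes CAP_KILL and CAP_SETUID but not CAP_NET_ADMIN or CAP_SYS_ADMIN. The "risky" list is this example's own judgement, not a kernel classification.

```shell
#!/bin/sh
# Added example (not from the slides): decode the CapEff bitmask reported in
# /proc/<pid>/status into capability names. Bit positions follow capabilities(7):
# bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# Capabilities this example treats as "effectively root" inside a container
# (a judgement call for the example, not a kernel definition).
RISKY_CAPS="cap_sys_admin cap_sys_ptrace cap_sys_module cap_net_admin cap_dac_read_search"

# decode_caps <hexmask> -> space-separated names of the bits that are set
decode_caps() {
    mask=$(( 0x$1 ))
    out=""
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# has_cap <hexmask> <cap_name>: exit 0 if set, 1 if clear, 2 if the name is unknown
has_cap() {
    i=0
    for name in $CAP_NAMES; do
        if [ "$name" = "$2" ]; then
            [ $(( (0x$1 >> i) & 1 )) -eq 1 ]
            return
        fi
        i=$(( i + 1 ))
    done
    return 2
}

# risky_caps <hexmask> -> the subset of RISKY_CAPS present in the mask
risky_caps() {
    out=""
    for c in $RISKY_CAPS; do
        has_cap "$1" "$c" && out="${out:+$out }$c"
    done
    printf '%s\n' "$out"
}

# Constructed sample mask (matches Docker's long-standing default set: 14 caps)
SAMPLE_MASK=00000000a80425fb
echo "sample:          $(decode_caps $SAMPLE_MASK)"
echo "risky in sample: '$(risky_caps $SAMPLE_MASK)'"

# The running shell's own effective set, when /proc is available (Linux)
if [ -r /proc/self/status ]; then
    self=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "this shell ($self): $(decode_caps "$self")"
    echo "risky in this shell: '$(risky_caps "$self")'"
fi
```

Run inside a container, the second half shows exactly which slices of root the runtime handed the process; an unexpectedly non-empty "risky" line (for instance after `--privileged` or a broad `--cap-add`) is the thing to catch in review, because those bits undo most of what the namespaces and cgroups set up.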

Docker brings together


Why is this important?

  • Image format vs golden image

  • API

  • Packaging

  • Separation of concerns (Devs/Ops)

  • Density, infrastructure utilization

Docker format


Process virtualization


Immutable infrastructure

  • "We’ll put it back in Ansible"

  • Cattle vs Pets

  • Don’t change it; replace it

  • System created fully from automation; avoid drift

  • Manual intervention is error prone

  • How does Docker help?


Basic Docker components

  • Docker client

  • Docker daemon

  • Images

  • Registry

  • Containers

Basic Docker components


Docker images

  • Templates from which containers are created

  • Layered using union filesystems

  • Each change to the system is a layer

  • Typically created with Dockerfiles/instructions

  • Stored in a docker registry (public/private)

Docker containers

  • Runtime instances of a Docker Image

  • Copy on write file system; changes localized

  • "virtualized" with namespaces, cgroups, selinux, etc

  • Has own IP address/networking/volumes

  • Intended to run single process (process virtualization)

Developer workflow

  • Work from a Vagrant image

  • Can trash and reboot it any time

  • Locally running Docker client

  • Source code in developer IDE

  • When ready, use tooling to generate docker image (or hand craft)

  • Run image locally (possibly with others)

  • Push code (or image?)

  • CI process kicks in

Developer works locally


Developer pushes code