Pitfalls of using latest

YNKWYGG

You Never Know What You're Gonna Get

Outdated image

New containers are started from the image already present locally, which may be outdated

Multiple services using different latest

Same image but rolled out at different times

Reschedule will break at least one of them
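To make the two pitfalls above visible, here is an added example (not part of the original slides) that reports running containers whose image ID no longer matches the ID their tag currently resolves to locally. The comparison logic is a pure shell function tested on constructed sample data; the collector helpers, their names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: find containers started from an older image than the one
# their tag (typically ":latest") resolves to now. Helper names and sample
# data are assumptions, not the original slides' code.

# find_stale CONTAINERS IMAGES
#   CONTAINERS: lines "NAME IMAGE_REF RUNNING_IMAGE_ID"
#   IMAGES:     lines "IMAGE_REF CURRENT_IMAGE_ID"
# Prints the names of containers whose running image ID differs from the
# ID the same reference resolves to locally today.
find_stale() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    /^---$/    { phase = 1; next }
    NF < 2     { next }
    phase == 0 { current[$1] = $2; next }
    ($2 in current) && current[$2] != $3 { print $1 }'
}

# Live collectors (need a working Docker CLI; not called at load time).
collect_containers() {
  docker ps --format '{{.Names}} {{.Image}}' | while read -r name ref; do
    printf '%s %s %s\n' "$name" "$ref" "$(docker inspect --format '{{.Image}}' "$name")"
  done
}
collect_images() {
  docker ps --format '{{.Image}}' | sort -u | while read -r ref; do
    printf '%s %s\n' "$ref" "$(docker image inspect --format '{{.Id}}' "$ref")"
  done
}
check_live() { find_stale "$(collect_containers)" "$(collect_images)"; }

# Constructed sample: "api" was started before myorg/api:latest was re-pulled.
SAMPLE_CONTAINERS='web nginx:latest sha256:aaa
api myorg/api:latest sha256:bbb
db postgres:13 sha256:ccc'
SAMPLE_IMAGES='nginx:latest sha256:aaa
myorg/api:latest sha256:bbb2
postgres:13 sha256:ccc'

find_stale "$SAMPLE_CONTAINERS" "$SAMPLE_IMAGES"   # prints: api
```

Run `check_live` on a host to get the same report for real containers; a container named there will be restarted on a different image than its siblings at the next reschedule.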

Automatic housekeeping

Containers required for testing need handling

Run containers to test something

Run tools distributed in containers

Many exited containers remain behind

Temporary containers can be removed automatically

docker run --rm ...

Housekeeping

Cleanup before build

Create sane environment to work with

Cleanup after build

Save space

Commands

docker ps -aq | xargs -r docker rm -f
docker images -q | xargs -r docker rmi -f

Custom formats

Default output is very wide

Output of most Docker commands wraps across several lines

Define condensed output

Most Docker commands allow custom formats using --format

docker ps --format "table \\t\\t\\t"

Or in ~/.docker/config.json:

{
    "psFormat": "table \\t\\t\\t",
    "imagesFormat": "table \\t\\t\\t",
    "servicesFormat": "table \\t\\t\\t\\t"
}

The container IP address is not available as a format field and can only be retrieved using docker inspect

File permissions on volumes

Problem statement

Use containerized tool with bind mount (mapped local directory)

Files created on volumes get their owner from the user inside the container

Often creates root-owned files and directories

Those cannot be removed by the local (unprivileged) user

Solution

Launch container with different user

FROM openjdk:11-jre
# The user must exist in the image before USER can switch to it
RUN useradd --create-home groot
USER groot
ENTRYPOINT ["java"]
CMD ["-version"]

May break container!

Issue caused by volume mounts:

$ docker run --rm --volume $PWD:/src --workdir /src ubuntu touch newfile
$ ls -l
total 648
-rw-r--r--. 1 root root 0 Oct 12  2017 newfile

Fix for the above issue (the container runs as root, so it can remove the root-owned file):

docker run --rm --volume $PWD:/src --workdir /src ubuntu rm newfile

Solution for mounting volumes: run the container with the local user's UID and GID, so created files are owned by that user:

docker run --rm --user $(id -u):$(id -g) --volume $PWD:/src --workdir /src ubuntu touch newfile