From charlesreid1

Basics

Working Directory

First, we can set the working directory when we run a container by using the -w flag:

$ docker  run -w /path/to/dir/ -i -t  ubuntu pwd

This starts a new container from the ubuntu image and runs pwd in it, with the working directory (when it starts up) set to /path/to/dir.

Setting Disk Space

We can set the amount of storage for the docker container using the --storage-opt flag:

$ docker run -it --storage-opt size=120G fedora /bin/bash

This starts a container from the fedora image with a bash shell and limits the container's root filesystem to 120 GB. Note that size= is only honored by storage drivers that support per-container quotas (for example devicemapper, or overlay2 on an XFS filesystem mounted with project quotas); with other drivers the flag is rejected.

Mounting Host Folders

You can mount folders on the host machine to paths inside the container using the -v flag when calling docker run.

See docker run docs for details: https://docs.docker.com/engine/reference/run/

$ docker  run  \
  -v /host/path:/container/path:options

For example, this will mount the current directory to the same location inside the docker container, and set that location as the working directory for the new container:

$ docker  run  \
  -v `pwd`:`pwd` \
  -w `pwd` \
  -i -t  ubuntu pwd

This starts a container from the ubuntu image, mounts the current working directory (say, /home/someone/docker) to the same path inside the container, /home/someone/docker, sets the working directory to that directory, and then runs pwd there.

Making Container Filesystem Read-Only

Read-only control can be applied to the container itself as well, with the --read-only flag. This flag makes the entire contents of the container's root filesystem read-only, except for volumes mounted with the -v flag (including anonymous volumes such as -v /icanwrite below, which are still writable). To illustrate:

$ # this will not work, because /canttouchthis is part of the container's root filesystem
$ docker run -t --read-only -v /icanwrite busybox touch /canttouchthis
touch: /canttouchthis: Read-only file system

$ # this will work, because /icanwrite is mounted with -v and is not read-only
$ docker run --read-only -v /icanwrite busybox touch /icanwrite/here

$ # no error, no problem!

Making Host Directories Read-Only

To mount a host directory on the container's filesystem, you can use the -v flag. To mount a host directory as read-only on the container's filesystem, add :ro to the end of the flag:

$ docker run -v <host path>:/<container path>:ro ...

For example:

$ docker run -v /home/someone/scripts:/scripts:ro -it ubuntu
root@a53d902e433b:/#
root@a53d902e433b:/# touch /scripts/file
touch: cannot touch '/scripts/file': Read-only file system

Volumes with Data

There are a few options for getting data in and out of a Docker container.

The first is to use a Data Volume, a volume specifically designed to be persistent and shareable between containers.

The second is to use the host filesystem, mounting host directories inside the containers.

The first approach scales better; the second is good for one-off Docker container solutions.

Making a New Data Volume
A data volume is a specially-designated directory within one or more containers that bypasses the Union File System to provide several useful features for persistent or shared data:

  • Data volumes can be shared and reused between containers
  • Changes to a data volume are made directly
  • Changes to a data volume will not be included when you update an image

Source: Docker Volumes tutorial

Data volumes provide a way to make data persistent and to shuttle data in and out of your container.

To create a data volume, you use the -v flag and specify the location:

$ docker run -v /mydata --name mydata_demo python hello_files.py

This would spin up a container from the python image that runs hello_files.py, with a data volume mounted at /mydata inside the container.

Mounting a Data Volume Container

This is the optimal solution: it applies the concept of the container to data (the nouns of software) instead of just to actions (the verbs).

Here is an example: let's say you want to share some data between a whole bunch of ubuntu containers. Start by creating a new ubuntu container with a persistent data volume at /data, and create some data there (we'll add a flag):

$ docker run -v /data --name ctf -it ubuntu
root@b426841907f7:/# echo $SHELL
/bin/bash
root@b426841907f7:/# echo "The flag is 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed" > /data/flag.txt
root@b426841907f7:/# exit

Now we can create other ubuntu docker containers and mount the /data directory in those containers:

$ docker run --volumes-from ctf --name ctfclone1 -it ubuntu
root@5bc1c9f61aec:/# cat /data/flag.txt
The flag is 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
root@5bc1c9f61aec:/#

$ docker run --volumes-from ctf --name ctfclone2 -it ubuntu
root@e2072bdf7926:/# cat /data/flag.txt
The flag is 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
root@e2072bdf7926:/#

etc...

Using Host Directory for Data

Another method for getting data into and out of your docker container, which does not scale as well, is to mount a host directory inside the docker container. Note that this will give the container FULL read/write access to the ACTUAL host directory; it does not create a copy. Anything the container writes there is owned by the user the container process runs as (root by default, unless user namespace remapping is enabled), so it shows up on the host as root-owned files.

Mount a host directory containing data in the host machine (full read/write access):

$ docker run -v /home/someone/data:/data -it ubuntu

Mount a host directory containing data in the host machine as READ ONLY:

$ docker run -v /home/someone/data:/data:ro -it ubuntu
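Because the difference between a writable host mount, a :ro host mount, an anonymous data volume and a --read-only root filesystem is only visible in the -v and --read-only arguments, it is worth being able to audit docker run command lines for them before they are used. The following is an added example (not code from the original page, and not a Docker tool): it parses the -v syntax shown above, [host-src:]container-path[:options], classifies each mount, and reports which host directories a container could modify. The command lines at the bottom are constructed samples modelled on the ones in this page; the prompt-stripping and the audit() wording are this example's own choices.

```python
import shlex
from dataclasses import dataclass


@dataclass
class Mount:
    """One -v argument of docker run, after parsing."""
    kind: str         # "anonymous" (-v /path), "named" (-v name:/path) or "bind" (-v /host:/path)
    source: str       # host path or volume name; empty for an anonymous volume
    target: str       # path inside the container
    read_only: bool   # True when the options part contains "ro"


def parse_volume_spec(spec: str) -> Mount:
    """Parse the -v syntax used on this page: [source:]container_path[:options]."""
    parts = spec.split(":")
    if len(parts) == 1:
        # A lone path creates an anonymous data volume at that path (e.g. -v /mydata).
        return Mount("anonymous", "", parts[0], False)
    source, target = parts[0], parts[1]
    options = parts[2].split(",") if len(parts) > 2 else []
    # Docker treats a source that looks like a path as a bind mount of a host
    # directory; anything else is taken as the name of a named data volume.
    kind = "bind" if source.startswith(("/", "./", "../", "~")) else "named"
    return Mount(kind, source, target, "ro" in options)


def parse_docker_run(command: str) -> dict:
    """Collect the mounts and the --read-only flag from a 'docker run' command line."""
    argv = shlex.split(command)
    if argv[:1] == ["$"]:          # tolerate a shell prompt copied with the command
        argv = argv[1:]
    if argv[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command line")
    mounts, root_read_only = [], False
    i = 2
    while i < len(argv):
        arg = argv[i]
        if arg == "--read-only":
            root_read_only = True
        elif arg in ("-v", "--volume"):
            if i + 1 >= len(argv):
                raise ValueError(f"{arg} is missing its value")
            mounts.append(parse_volume_spec(argv[i + 1]))
            i += 1                  # skip the value we just consumed
        elif arg.startswith("--volume="):
            mounts.append(parse_volume_spec(arg.split("=", 1)[1]))
        i += 1
    return {"read_only_rootfs": root_read_only, "mounts": mounts}


def writable_host_mounts(command: str) -> list:
    """Host directories the container could modify: bind mounts without :ro."""
    info = parse_docker_run(command)
    return [m.source for m in info["mounts"] if m.kind == "bind" and not m.read_only]


def audit(command: str) -> list:
    """Human-readable findings for one docker run command line."""
    info = parse_docker_run(command)
    findings = []
    if not info["read_only_rootfs"]:
        findings.append("container root filesystem is writable (no --read-only)")
    for m in info["mounts"]:
        if m.kind == "bind":
            mode = "read-only" if m.read_only else "READ/WRITE"
            findings.append(f"host dir {m.source} bind-mounted {mode} at {m.target}")
        else:
            findings.append(f"{m.kind} data volume at {m.target}")
    return findings


if __name__ == "__main__":
    # Constructed sample command lines, modelled on the ones earlier on this page.
    samples = [
        "$ docker run -v /home/someone/data:/data -it ubuntu",
        "$ docker run -v /home/someone/scripts:/scripts:ro -it ubuntu",
        "$ docker run -t --read-only -v /icanwrite busybox touch /canttouchthis",
        "$ docker run -v /data --name ctf -it ubuntu",
    ]
    for cmd in samples:
        print(cmd)
        for line in audit(cmd):
            print("   ", line)
```

Running the script lists, for each sample, whether the root filesystem is writable and which host directories are exposed read/write; only the first sample exposes a host directory for writing. The parser deliberately treats a source beginning with a path separator as a bind mount, which mirrors how docker distinguishes host paths from volume names in the -v shorthand.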

Patterns

This section covers some patterns for organizing files so that you can move things in and out from containers, while also keeping in line with the philosophy behind docker containers, which is that they should be stateless.

Flags