At the recent Interop Container Summit, InfoSiftr's Tianon Gravi gave a talk on “Docker Dos and Don’ts,” covering some common snags in Docker (and how to overcome them). The talk drew on Tianon’s experience as a Debian developer and Docker core maintainer, and addressed problems that come up “again and again,” including issues with signals and zombies and handling permissions inside of containers.
“You would think that, by now – we're three years into the Docker craze – we ought to have these problems tackled,” Tianon said, “but we see them again and again. These aren't new problems. These are age old problems.”
Luckily, Tianon had some workarounds, including reaping zombie children by telling your application to ignore SIGCHLD – a quick fix that's “all fine and dandy if you're in control of your application source code.”
If you aren't in control of your application source code, Tianon recommends a tool called tini, which “sits as process one, handles zombies, [and] forwards signals to your application.”
“The reason zombies are a problem is not just a cosmetic thing,” Tianon said. “There's a finite number of PIDs that a Linux system will allocate, and if you reach that limit bad things happen. Like your application just refusing to accept new requests because it can’t fork off a new process.”
Handling Permissions with Gosu
Tianon also discussed the problem of handling permissions inside a container, using the example of a database:
“All I did was… copy my application into the container and run my application and it fails [because] it doesn't have a directory to do its thing in. So let's set up a Docker volume. That worked but it threw this ugly warning: 'root is not recommended.' Thankfully, Docker has this nice feature: USER nobody… That’s great except our nobody user can’t write to that directory. How can we fix that?”
Tianon solved the problem by pre-creating the directory and giving it appropriate permissions, but said if you want to actually control where on disk your data is stored, you have to use a tool like Tianon's own “gosu.”
“Gosu… allows you to as root become a user with less privilege in an easy way that immediately gets out of the way… So the application container will start as root, but we don't stay root.”
Using a tool like gosu, a sysadmin can work around the limitations of USER nobody when bind-mounting directories into containers: the container starts as root, fixes the ownership of the mounted directory, and then hands the application off to an unprivileged user.
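The entrypoint pattern described above (start as root, fix the volume's ownership, then step down with gosu, with tini as PID 1 handling the zombie reaping and signal forwarding from the earlier section), written out as an added example that is not from the talk or the gosu project. The user name `myapp`, the paths, and the Dockerfile lines in the header comment are assumptions.

```shell
#!/bin/sh
# docker-entrypoint.sh (hypothetical): start as root only long enough to fix
# the ownership of the data volume, then drop privileges with gosu.
# Assumes the Dockerfile created the unprivileged user "myapp" and uses
#   ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
#   CMD ["myapp", "--data", "/var/lib/myapp"]
# so that tini is PID 1, reaping zombies and forwarding signals to the app.
set -eu

APP_USER="${APP_USER:-myapp}"
DATA_DIR="${DATA_DIR:-/var/lib/myapp}"

# Ensure the (possibly bind-mounted) data directory exists and is owned by the
# app user. Only root can chown a host-owned mount, which is why the container
# cannot simply use "USER nobody" in the Dockerfile.
prepare_data_dir() {
    dir="$1"; owner="$2"
    mkdir -p "$dir"
    # Skip the recursive chown when ownership is already right: on a large
    # volume it is slow and would otherwise run at every container start.
    if [ -z "$(find "$dir" -prune -user "$owner")" ]; then
        chown -R "$owner" "$dir"
    fi
    # Private to the app user, as database servers typically require.
    chmod 700 "$dir"
}

main() {
    if [ "$(id -u)" = "0" ]; then
        prepare_data_dir "$DATA_DIR" "$APP_USER"
        # exec so gosu replaces this shell and the app becomes tini's direct child.
        exec gosu "$APP_USER" "$@"
    fi
    # Image already runs unprivileged (e.g. "docker run --user"): nothing to fix.
    exec "$@"
}

# Run main only when executed as the entrypoint; sourcing the file just
# defines the functions (handy for testing them outside a container).
case "${0##*/}" in docker-entrypoint.sh) main "$@" ;; esac
```

Because gosu is exec'd rather than run as a wrapper, `docker stop` sends SIGTERM through tini straight to the application, which is the signal-forwarding behaviour the talk describes.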
Other Docker Best Practices
Apart from the signal/zombie and permissions issues, Tianon's talk briefly touched on ways to make Debian images leaner (“if you do not plan to build Debian packages, you don't need [build-essential]”), an under-appreciated Debian resource (manpages.debian.org), and general Docker best practices for security and efficiency.
“I would recommend very strongly: use a Dockerfile,” Tianon said. “Create that declarative manifest [so] handling a security vulnerability is as easy as pulling in that updated base image and rebuilding your image.”
“And I like to stress: do what's comfortable. A lot of people are always asking 'what’s the best way to do this? What’s the best distribution for my containers?' and there’s not one answer that fits everybody,” Tianon said.
You can check out Tianon's complete “Docker Dos and Don'ts” talk by following the link below. And feel free to check out the other Container Summit talks while you're at it.