Docker

This activity puts into practice the concepts from the Containerization with Docker lecture. You will investigate how containers actually behave: namespace isolation, ephemeral storage, volumes, image layer caching, port mapping, and multi-service Compose stacks. By the end, you will have run, built, and inspected containers and seen for yourself exactly what isolation they provide and where it ends.

Podman Users

All commands in this activity work identically with podman substituted for docker. If you are on a Linux system with Podman installed, or prefer Podman for its rootless defaults, just replace docker with podman throughout. Where behavior differs meaningfully, a note will call it out.

---

What You Will Need

You need a container runtime installed on your laptop before starting.

macOS

On macOS, Docker Engine runs inside a Linux VM managed transparently by the tool you choose. All of the following expose the same docker CLI and are compatible with this activity.

Docker Desktop: Download from docker.com/products/docker-desktop. After installation, start Docker Desktop from your Applications folder and wait for the whale icon in the menu bar to show “Docker Desktop is running.”

OrbStack (lightweight alternative): Download from orbstack.dev. OrbStack runs a lightweight Linux VM with lower memory overhead and faster startup than Docker Desktop. All docker commands work without modification.

Podman Desktop: Download from podman-desktop.io. Provides a Podman-based environment; most docker commands work with podman substituted.

Rancher Desktop: Download from rancherdesktop.io. Free and open-source; bundles either containerd or dockerd.

Verify your installation:

docker version
docker run --rm hello-world

Linux

On Linux, Docker Engine and Podman run natively against the host kernel with no VM required.

Docker Engine: Follow the official installation guide for your distribution at docs.docker.com/engine/install/. After installing, add your user to the docker group so you can run commands without sudo:

sudo usermod -aG docker $USER
# Log out and back in for the group change to take effect

Podman (rootless alternative): Available in most package managers:

# Ubuntu/Debian
sudo apt install -y podman

# Fedora / AlmaLinux / RHEL
sudo dnf install -y podman

# Arch Linux
sudo pacman -S podman

Podman runs rootless by default: no daemon, no sudo required.

Rancher Desktop: Download from rancherdesktop.io. Provides a GUI and bundles either containerd or dockerd.

Verify:

docker version   # or: podman version
docker run --rm hello-world

Windows

On Windows, Linux containers require a WSL2-backed Linux VM. All of the following use WSL2.

Docker Desktop: Download from docker.com/products/docker-desktop. Docker Desktop will offer to enable WSL2 during installation if it is not already configured. After installation, open a PowerShell terminal and verify:

docker version
docker run --rm hello-world

Docker Engine in WSL2 without Docker Desktop: Install a WSL2 Linux distribution (e.g., Ubuntu from the Microsoft Store), then follow the Docker Engine Linux install guide inside that distro. This gives you a full Docker Engine without the Docker Desktop application.

Podman Desktop: Download from podman-desktop.io. Provides a Podman environment using a WSL2-backed VM. All docker commands work with podman substituted.

Rancher Desktop: Download from rancherdesktop.io. Free and open-source; uses WSL2 and bundles either containerd or dockerd.

Using EC2 Instead of Your Laptop

All commands in this activity also work on a Linux EC2 instance with Docker Engine installed. If you prefer to run the activity in the cloud, launch an Amazon Linux 2023 or Ubuntu instance, install Docker Engine, and SSH in. The steps are identical.

---

Pulling and Inspecting Images

Before running anything, let us look at what an image actually is.

1. Check which cgroup version your container runtime is using:

   docker info | grep -Ei 'Cgroup'

   Most modern Linux distributions and recent Docker Desktop setups report cgroup v2. If you are using Podman, podman info also reports the cgroup version in its host information.

2. Pull two variants of the nginx image:

   docker pull nginx:alpine
   docker pull nginx:latest

3. Compare their sizes:

   docker images nginx

   Record the size of each. The alpine variant should be considerably smaller.

4. Inspect the layers of the alpine image:

   docker history nginx:alpine

   Each row is one layer. The columns show the instruction that created it, when it was built, and how much disk space it added.

   Record:

   • How many layers does nginx:alpine have?
   • Which layer is the largest, and what instruction created it?
   • Why are some layers listed with size 0B?

5. Examine the image’s metadata:

   docker inspect nginx:alpine

   In the JSON output, find:

   • ExposedPorts: what port does the image declare as its service port?
   • Entrypoint and Cmd: what command runs when a container starts from this image?
   • Env: what environment variables are set by default?

Think About It

nginx:latest is based on Debian and nginx:alpine is based on Alpine Linux. nginx:latest is several times larger. What is the operational reason to choose the smaller image for production deployments? What tradeoff, if any, does Alpine introduce?

---

Inside the Container: Namespace Isolation

A running container is an isolated process with its own view of the system. This section makes that isolation visible.

1. Start an nginx container in the background and then open an interactive shell inside it:

   docker run -d --name sandbox nginx:alpine
   docker exec -it sandbox sh

   You are now inside the container’s namespace.

2. Explore what the container can see:

   # What is this machine's hostname?
   hostname
   
   # Who is the current user?
   whoami
   
   # What processes are running?
   ps aux
   
   # What does the filesystem look like?
   ls /
   
   # What OS is this?
   cat /etc/os-release

   ps aux lists running processes: a includes processes from all users, u shows the user-oriented format with CPU and memory columns, and x includes processes not attached to a terminal. Inside the container you should see only a handful of nginx processes. Record each result.

3. Exit the container and run the same commands on your host machine:

   exit
   hostname
   whoami
   ps aux
   cat /etc/os-release

   The host ps aux output will be considerably longer than what you saw inside the container. Every daemon, shell session, and background service on your machine is visible here; inside the container you saw only the processes that belong to it.

Think About It

Inside the container, whoami returned root. On your host, you are probably running as a regular user. What does “root inside the container” actually mean, and how does it differ from root access on the host? What would need to go wrong for container root to translate into host root?

---

Container Lifecycle and Configuration

Now that you have seen what isolation looks like from inside, look at container management from the outside: checking logs, monitoring resource usage, stopping and restarting without discarding, and passing configuration in at runtime.

1. The sandbox container from the previous section is still running. Generate an HTTP request inside it to produce a log entry, then view the logs from the host:

   docker exec sandbox wget -qO- http://localhost > /dev/null
   docker logs sandbox

   wget downloads a URL from the command line. -q suppresses progress output; -O- writes the response to standard output instead of saving it to a file.

   docker logs shows everything the container has written to stdout and stderr since it started. For nginx, that is the access log. Follow logs in real time with -f; press Ctrl+C to stop:

   docker logs -f sandbox

2. Check resource usage across all running containers:

   docker stats --no-stream

   --no-stream prints one snapshot and exits instead of staying in interactive mode. You will see CPU percentage, memory usage, and network I/O for each container.

3. Stop the container and observe its status:

   docker stop sandbox
   docker ps
   docker ps -a

   docker ps shows only running containers; sandbox is gone from that list. docker ps -a shows all containers including stopped ones; sandbox appears with status Exited. The container is paused, not erased.

4. Restart it:

   docker start sandbox
   docker ps

   The same container is running again. Its writable layer was preserved through the stop and start.

5. Pass configuration into a one-off container at runtime. -e sets an environment variable inside the container; --rm removes the container automatically when it exits:

   docker run --rm -e GREETING="hello from the host" alpine sh -c 'echo $GREETING'

   You should see hello from the host printed. --rm is useful for short-lived commands that produce output and do not need to persist.

6. Clean up:

   docker stop sandbox
   docker rm sandbox

Think About It

You used docker stop then docker start to pause and resume sandbox. You have also used docker rm throughout this activity. What is the difference between a stopped container and a removed one? If you wrote a file into sandbox’s writable layer before stopping it, would that file survive docker stop + docker start? Would it survive docker rm + docker run?

---

Ephemeral Storage: What Containers Don’t Keep

A container’s writable layer disappears when the container is removed. This section makes that concrete.

1. Run a container and write something to its filesystem:

   docker run -d --name ephemeral nginx:alpine
   docker exec ephemeral sh -c 'echo "this will not survive" > /tmp/testfile.txt'
   docker exec ephemeral cat /tmp/testfile.txt

   Confirm the file is there.

2. Inspect what changed in the container’s writable layer:

   docker diff ephemeral

   docker diff prefixes each path with a status: A means added, C means changed, and D means deleted. In this example you should see A /tmp/testfile.txt; you may also see C entries for files nginx touched while running. D is not used in this step, but you would see it if a file or directory from the container filesystem had been removed.

3. Stop and remove the container completely:

   docker stop ephemeral
   docker rm ephemeral

4. Start a fresh container from the same image:

   docker run -d --name ephemeral2 nginx:alpine
   docker exec ephemeral2 cat /tmp/testfile.txt

   The file is gone.

5. Clean up the second container:

   docker stop ephemeral2
   docker rm ephemeral2

Think About It

An engineer proposes writing application logs to /var/log/app/ inside the container and reading them with docker exec ... cat. Another engineer suggests this is a reliability problem. Explain specifically what happens to those logs when the container is stopped and replaced during a deployment.

---

Persistent Storage with Volumes

Volumes live outside the container’s writable layer and survive container replacement.

1. Create a named volume:

   docker volume create mydata
   docker volume ls

2. Run a container with the volume attached and write to it:

   docker run -d --name writer -v mydata:/data nginx:alpine
   docker exec writer sh -c 'echo "persisted across containers" > /data/record.txt'
   docker exec writer cat /data/record.txt

3. Remove the container and start a completely new one with the same volume:

   docker stop writer
   docker rm writer
   docker run -d --name reader -v mydata:/data nginx:alpine
   docker exec reader cat /data/record.txt

   The data is still there, even though the original container no longer exists.

4. Find where Docker stores the volume on your host:

   docker volume inspect mydata

   Look for the Mountpoint field. On Linux, you can read the files directly at that path (as root). On macOS and Windows, this path is inside the Linux VM that Docker Desktop manages.

5. Clean up:

   docker stop reader
   docker rm reader
   docker volume rm mydata

Think About It

Compare named volumes to bind mounts (-v /host/path:/container/path). Describe a scenario where a bind mount is the right choice and a scenario where a named volume is the right choice. What is the key operational difference between the two?

---

Building an Image and Observing Layer Caching

This section shows how Docker’s layer cache behaves in practice: both when it helps and when it gets invalidated.

1. Create a working directory and add two files:

   mkdir mysite && cd mysite

   Create index.html:

   <h1>Hello from my container</h1>

   Create Dockerfile:

   FROM nginx:alpine
   RUN echo "server_tokens off;" > /etc/nginx/conf.d/security.conf
   COPY index.html /usr/share/nginx/html/index.html

   server_tokens off is a real nginx security setting: it removes the server version number from response headers.

2. Build the image:

   docker build -t mysite:v1 .

   This is the first build, so nothing is cached. You will see each step execute from scratch. Note the layer IDs in the output.

3. Build again without changing anything:

   docker build -t mysite:v1 .

   Every step should now say CACHED. Docker reused all layers from the first build.

4. Change only index.html (edit the file to say something different), then rebuild:

   docker build -t mysite:v2 .

   The RUN step says CACHED. Only the COPY step re-runs, because that is the first step whose inputs changed.

5. Now change the FROM line in the Dockerfile to FROM nginx:latest and rebuild:

   docker build -t mysite:v3 .

   FROM now resolves to a different base image. Both the RUN step and the COPY step must re-run: every cached layer was built on top of the previous base image, so none of them can be reused.

6. Run the resulting image and verify it serves your content:

   docker run -d -p 8080:80 --name mysite mysite:v3
   curl http://localhost:8080
   docker stop mysite && docker rm mysite

   Clean up your working directory when done: cd .. && rm -rf mysite

Think About It

In step 5, changing the FROM line caused both the RUN and COPY steps to re-run, even though neither instruction had changed. Explain why switching the base image invalidated every cached layer above it. What does this mean for how you should manage base image versions in a production Dockerfile?

Think About It

Consider two Dockerfile patterns for a Python application:

• Pattern A: COPY . . then RUN pip install -r requirements.txt
• Pattern B: COPY requirements.txt . then RUN pip install -r requirements.txt then COPY . .

Pattern B is recommended. Based on what you observed about layer caching, explain why Pattern B produces faster rebuilds when you change only application code.

---

Port Mapping and Container Networking

Containers have their own network namespace. Port mapping is how services inside that namespace become reachable from outside.

1. Start a container with port mapping and verify you can reach it from your host:

   docker run -d -p 8080:80 --name webserver nginx:alpine
   curl http://localhost:8080

   curl makes an HTTP request from the command line and prints the response body. You made a request to your host on port 8080; Docker forwarded it to the container on port 80.

2. Inspect the container’s network configuration:

   docker inspect webserver

   In the NetworkSettings section, find:

   • IPAddress: the container’s private IP on the Docker bridge network
   • Ports: the port mapping Docker configured

3. Try to reach the container’s private IP directly from your host:

   # Substitute the IP address you found in step 2
   curl http://<container-ip>:80

   On Linux with Docker Engine this will work. On macOS and Windows with Docker Desktop it likely will not, because the bridge network is inside a Linux VM.

4. List the Docker networks on your system and inspect the default bridge:

   docker network ls
   docker network inspect bridge

   Find the webserver container listed under Containers. Note the bridge network’s subnet.

5. Create a user-defined network and run two containers on it:

   docker network create mynet
   docker run -d --network mynet --name server1 nginx:alpine
   docker run -d --network mynet --name server2 nginx:alpine
   
   # From server2, reach server1 by container name
   docker exec server2 wget -qO- http://server1

   Container DNS resolves server1 to its IP within mynet.

6. Confirm that containers on different networks cannot reach each other:

   # webserver is on the default bridge, server1 is on mynet
   docker exec server2 wget -qO- http://webserver 2>&1

   This should fail or time out: webserver is not on mynet.

7. Clean up:

   docker stop webserver server1 server2
   docker rm webserver server1 server2
   docker network rm mynet

Think About It

The container listens on port 80. The host uses port 8080. Describe what Docker configures at the network level to make this forwarding work. Why does this mean two different containers can both “listen on port 80” without conflicting?

Think About It

In step 6, server2 could not reach webserver by name even though both are running on the same physical host. What is the reason, and what would you need to do to allow them to communicate?

---

A Multi-Service Stack with Compose

Compose wires multiple containers together with automatic networking and a single declarative file. This section uses nginx as a web frontend and Redis as an internal cache, a common real-world pairing. Redis is a fast in-memory data store that should never be exposed directly to the network; only the application that uses it should be able to reach it.

1. Create a working directory and write a compose.yml:

   mkdir mystack && cd mystack
   mkdir html
   echo "<h1>Compose stack</h1>" > html/index.html

   compose.yml:

   services:
     web:
       image: nginx:alpine
       ports:
         - "8080:80"
       volumes:
         - ./html:/usr/share/nginx/html:ro
       depends_on:
         - cache
   
     cache:
       image: redis:alpine

   Two things to notice: the :ro suffix on the bind mount makes it read-only inside the container, so nginx can read your files but cannot modify them. The depends_on entry tells Compose to start cache before web.

2. Start the stack:

   docker compose up -d

   Watch the output: Compose starts cache first, then web, respecting the depends_on order. Confirm this in the startup logs:

   docker compose logs

3. Inspect what is running:

   docker compose ps

   Look at the PORTS column. web shows 0.0.0.0:8080->80/tcp; cache shows nothing. That absence tells you cache is not reachable from outside the Compose network.

4. Reach the web service from your host:

   curl http://localhost:8080

5. Verify the cache service is running. redis-cli is the Redis command-line client, included in the redis:alpine image:

   docker compose exec cache redis-cli ping

   Redis responds with PONG. Now store and retrieve a value to confirm it is working:

   docker compose exec cache redis-cli set greeting "hello from cache"
   docker compose exec cache redis-cli get greeting

6. Confirm that the web container can resolve the cache hostname via Compose’s embedded DNS:

   docker compose exec web nslookup cache

   You should see the IP address assigned to the cache container within the Compose network. Containers on the same Compose network reach each other by service name; the host cannot.

7. Upgrade the web service. Open compose.yml and change the web image from nginx:alpine to nginx:latest, then pull and recreate:

   docker compose pull
   docker compose up -d

   Read the output carefully. You will see something like:

   ✔ Container mystack-cache-1  Running
   ✔ Container mystack-web-1    Started

   Running means the container was already up and was left alone. Started means it was stopped, replaced with a new container from the updated image, and started again. Compose determines which containers to recreate by comparing the running container’s image digest against what was just pulled.

8. Verify the web content is still served:

   curl http://localhost:8080

   The HTML is unchanged. It lives in html/ on your host; replacing the web container had no effect on it.

9. Stop the stack and confirm what persists:

   docker compose down
   docker compose ps   # containers are gone
   ls html/            # bind-mounted host directory is unchanged

10. Clean up:

    cd .. && rm -rf mystack

Think About It

Compose created a network automatically and attached both services to it. Compare this to what you did manually in the Port Mapping and Container Networking section (creating a network and running containers with --network). What exactly did Compose handle that you would have had to do by hand?

Think About It

After the upgrade, Compose replaced the web container but left cache running. The HTML in html/ was unaffected. Trace where each piece lives: the nginx binary and its configuration are in the image layer; the HTML is in a bind mount on the host; the Redis data is in the cache container’s own writable filesystem. What happens to the Redis data if the cache container is removed and recreated? How would you fix that?

---

Your Image

You have explored existing images, observed isolation, built a layered image, and run a Compose stack. Now build an image that carries your identity and applies the best practices from the lecture: a non-root user and a realistic server process.

1. Create a working directory and an HTML file with your ONID:

   mkdir myapp && cd myapp
   echo "<h1>Built by: ONID@oregonstate.edu</h1>" > index.html

2. Create a Dockerfile:

   FROM python:3.12-slim
   RUN useradd --create-home appuser
   WORKDIR /home/appuser/app
   COPY index.html .
   USER appuser
   EXPOSE 8080
   CMD ["python3", "-m", "http.server", "8080"]

   python3 -m http.server 8080 is Python’s built-in static file server. It serves any files in the working directory over HTTP on port 8080. Because it does not need to bind a privileged port, it can run as a non-root user.

3. Build and run the image:

   docker build -t myapp:v1 .
   docker run -d -p 9090:8080 --name myapp myapp:v1

4. Confirm your content is served:

   curl http://localhost:9090

   You should see your ONID in the response.

5. Verify the container process is running as a non-root user:

   docker exec myapp whoami

   You should see appuser, not root.

6. Tag the image in the format a registry expects. Replace YOURONID with your actual ONID:

   docker tag myapp:v1 YOURONID/myapp:v1
   docker images myapp

   Both tags point to the same image ID. The username/repository:tag format is what Docker Hub expects; a private registry would use registry.example.com/repository:tag. No account or login is needed to tag locally.

7. Inspect the image layers:

   docker history myapp:v1

   You will see several base layers from python:3.12-slim, then your own layers on top: the RUN useradd, WORKDIR, COPY, USER, and CMD entries.

8. Clean up:

   docker stop myapp
   docker rm myapp
   cd .. && rm -rf myapp

Going Further

You have worked through the core mechanics of containers from scratch. The natural next step is to build something real.

The Docker documentation’s Workshop guide is the most direct continuation of this activity. It walks you through containerizing a complete application, adding a database with Compose, and pushing the finished image to Docker Hub. Plan about an hour for it.

If you would rather start from your own code, pick a project in a language you already know and write a Dockerfile for it from scratch. Start with a single-stage build that runs correctly, then improve it step by step: add a multi-stage build to strip the build toolchain from the final image, shrink the base image, add a non-root USER, and add a HEALTHCHECK. Run docker images after each change and watch what happens to the size. The gap between a first-draft image and an optimized one is often an order of magnitude.

Two tools worth knowing once you are writing real Dockerfiles:

• hadolint is a Dockerfile linter that catches common mistakes and anti-patterns, from wrong COPY ordering to unintentional package cache bloat. Run it against any Dockerfile you write.
• dive lets you explore an image layer by layer in the terminal and shows exactly which files each instruction added, removed, or changed. It is the fastest way to understand why an image is larger than you expect.