Practical Exercises for Docker Compose: Part 2

stop_grace_period

By default, Docker waits 10 seconds for the container to exit before sending SIGKILL.

Specify how long to wait when attempting to stop a container if it doesn’t handle SIGTERM (or whatever stop signal has been specified with stop_signal), before sending SIGKILL.

docker-compose up -d -t 0
nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 600
    stop_grace_period: 0s

docker-compose up -d
2018-11-05T14:46:34.968709389+02:00 container kill  .... lots of information ...  signal=15
2018-11-05T14:46:34.984262101+02:00 container kill .... lots of information ... signal=9
2018-11-05T14:47:49.486907072+02:00 container kill .... lots of information ... signal=15
2018-11-05T14:47:59.510613956+02:00 container kill .... lots of information ... signal=9
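
The gap between each signal=15 and the signal=9 that follows it is the grace period that was actually applied. The script below is an added example, not part of the original tutorial, that measures it from `docker events` output. The sample lines are constructed from the timestamps above with placeholder container IDs, and the function names are assumptions.

```shell
# Added example: measure the effective stop grace period from `docker events`
# output by pairing each SIGTERM (signal=15) with the SIGKILL (signal=9) that
# follows it for the same container.

# Constructed sample: timestamps from the tutorial, placeholder container IDs.
sample_events() {
cat <<'EOF'
2018-11-05T14:46:34.968709389+02:00 container kill aaaa1111 (image=alpine:3.8, name=compose-tuts_alpine_1, signal=15)
2018-11-05T14:46:34.984262101+02:00 container kill aaaa1111 (image=alpine:3.8, name=compose-tuts_alpine_1, signal=9)
2018-11-05T14:47:49.486907072+02:00 container kill bbbb2222 (image=alpine:3.8, name=compose-tuts_alpine_1, signal=15)
2018-11-05T14:47:59.510613956+02:00 container kill bbbb2222 (image=alpine:3.8, name=compose-tuts_alpine_1, signal=9)
EOF
}

# grace_periods: reads events on stdin, prints "<container-id> <seconds>" per stop.
grace_periods() {
    awk '
    function secs(ts,    t, p) {      # seconds since midnight from the timestamp
        t = ts
        sub(/^[^T]*T/, "", t)                          # drop the date
        sub(/(Z|[+-][0-9][0-9]:[0-9][0-9])$/, "", t)   # drop the UTC offset
        split(t, p, ":")
        return p[1] * 3600 + p[2] * 60 + p[3]
    }
    $2 == "container" && $3 == "kill" {
        if ($0 ~ /signal=15[,)]/) { term[$4] = secs($1); seen[$4] = 1 }
        else if ($0 ~ /signal=9[,)]/ && seen[$4]) {
            d = secs($1) - term[$4]
            if (d < 0) d += 86400     # the stop straddled midnight
            printf "%s %.3f\n", $4, d
            delete seen[$4]
        }
    }'
}

sample_events | grace_periods
```

A container that exits on SIGTERM produces no signal=9 line and therefore no output row.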

sysctls

docker-compose up -d -t 0
docker exec -it compose-tuts_alpine_1 /bin/sh
cat /proc/sys/net/core/somaxconn
cat /proc/sys/kernel/msgmax
cat /proc/sys/kernel/shmmax
/ # cat /proc/sys/net/core/somaxconn
128
/ # cat /proc/sys/kernel/msgmax
8192
/ # cat /proc/sys/kernel/shmmax
18446744073692774399
/ # exit
nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 600
    sysctls:
      net.core.somaxconn: 512
      kernel.shmmax: 18102030100020003000
      kernel.msgmax: 4000

docker-compose up -d -t 0 
docker exec -it compose-tuts_alpine_1 /bin/sh
cat /proc/sys/net/core/somaxconn
cat /proc/sys/kernel/msgmax
cat /proc/sys/kernel/shmmax
/ # cat /proc/sys/net/core/somaxconn
512
/ # cat /proc/sys/kernel/msgmax
4000
/ # cat /proc/sys/kernel/shmmax
18102030100020003000
/ # exit

This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

namespaced sysctls

Not all sysctls are namespaced. Docker does not support changing sysctls inside a container when the change would also modify the host system.

CURRENTLY SUPPORTED SYSCTLS

kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem,
kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced

Sysctls beginning with fs.mqueue.*

Sysctls beginning with net.*

ERROR: for compose-tuts_alpine_1  Cannot start service alpine: OCI runtime create failed: sysctl "fs.file-max" is not in a separate kernel namespace: unknown
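
The error above can be caught before deployment by checking a Compose file's sysctls block against the list this page gives. The script below is an added example, not part of the original tutorial; the function names and the fs.file-max value in the sample are assumptions, and it expects unquoted keys.

```shell
# Added example: pre-flight check of a Compose sysctls block against the
# namespaced sysctls listed in this tutorial.
# is_namespaced_sysctl KEY: succeeds only for keys in the tutorial list.
is_namespaced_sysctl() {
    case "$1" in
        kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem) return 0 ;;
        kernel.shmall|kernel.shmmax|kernel.shmmni|kernel.shm_rmid_forced) return 0 ;;
        fs.mqueue.*|net.*) return 0 ;;
    esac
    return 1
}

# sysctl_keys FILE: prints each key under a "sysctls:" block, in either the
# mapping form (key: value) or the list form (- key=value).
sysctl_keys() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                  # skip blanks and comments
    { match($0, /[^ ]/); indent = RSTART - 1 }
    $1 == "sysctls:" && NF == 1 { inside = 1; base = indent; next }
    inside && indent <= base { inside = 0 }        # the block has ended
    inside {
        key = $0
        sub(/^ *(- *)?/, "", key)                  # strip indent and list dash
        sub(/ *[:=].*$/, "", key)                  # strip the value
        print key
    }' "$1"
}

# rejected_sysctls FILE: prints the keys that are not on the namespaced list.
rejected_sysctls() {
    sysctl_keys "$1" | while read -r key; do
        is_namespaced_sysctl "$key" || printf '%s\n' "$key"
    done
}

# Constructed sample: the tutorial file plus the fs.file-max key from the error.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
version: "3.7"
services:
  alpine:
    image: alpine:3.8
    sysctls:
      net.core.somaxconn: 512
      kernel.shmmax: 18102030100020003000
      fs.file-max: 100000
    stop_grace_period: 0s
EOF
rejected_sysctls "$sample"
```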

ulimits

nano docker-compose.yml
# add this content
version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 60171
    stop_grace_period: 0s
    ulimits:
      nproc: 2
      nofile:
        soft: 2
        hard: 4

docker-compose up -d -t 0
Recreating compose-tuts_alpine_1 ... error
ERROR: for compose-tuts_alpine_1  Cannot start service alpine: OCI runtime create failed: container_linux.go:348: starting container process caused "open /proc/self/fd: too many open files": unknown
docker-compose up -d -t 0
nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 60171
    stop_grace_period: 0s
    ulimits:
      fsize: 10

docker-compose up -d -t 0
docker exec -it compose-tuts_alpine_1 /bin/sh
/ # dd if=/dev/zero of=/tmp/output.dat  bs=1M  count=10
dd if=/dev/zero of=/tmp/output.dat  bs=1M  count=10
File size limit exceeded (core dumped)

configs

nano config_data
'# config data
nano my_second_config.config
'# my_second_config.config contents
docker config create my_second_config my_second_config.config
nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 600
    configs:
      - my_first_config
      - my_second_config
configs:
  my_first_config:
    file: ./config_data
  my_second_config:
    external: true

docker swarm init
docker stack deploy -c docker-compose.yml  mystack
docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
ab50c7daf979 alpine:3.8 "sleep 600" 14 seconds ago Up 13 seconds mystack_alpine.1.jq3buvzkf2a3hpn7mwb0e43om
docker exec -it mystack_alpine.1.jq3buvzkf2a3hpn7mwb0e43om /bin/sh
/ # ls
bin lib my_second_config sbin usr
dev media proc srv var
etc mnt root sys
home my_first_config run tmp
/ # cat my_first_config
'# config data
/ # cat my_second_config
'# my_second_config.config contents
/ # exit
nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 600
    configs:
      - source: my_first_config
        target: /etc/my_first_config
      - source: my_second_config
        target: /opt/my_second_config
configs:
  my_first_config:
    file: ./config_data
  my_second_config:
    external: true

docker stack rm  mystack
docker stack deploy -c docker-compose.yml  mystack
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
01156eb13576 alpine:3.8 "sleep 600" 4 seconds ago Up 2 seconds mystack_alpine.1.vg2m0ge161anuoz31c2mdgf1k
docker exec -it mystack_alpine.1.vg2m0ge161anuoz31c2mdgf1k /bin/sh
/ # ls
bin etc lib mnt proc run srv tmp var
dev home media opt root sbin sys usr
/ # cat /etc/my_first_config
'# config data
/ # cat /opt/my_second_config
'# my_second_config.config contents
/ # exit

secrets

nano docker-compose.yml

version: "3.7"
services:
  alpine:
    image: alpine:3.8
    command: sleep 600
    secrets:
      - my_secret
secrets:
  my_secret:
    external: true

docker-compose down -t 0
docker stack rm mystack
docker container prune -f
echo a secret password | docker secret create my_secret -
docker stack deploy -c docker-compose.yml  mystack
docker ps -a
docker exec -it mystack_alpine.1.xrgtrrfnwn2qet5pevj5n9wne /bin/sh
- Run df to show that /run/secrets/my_secret exists on tmpfs, that is, in RAM.
- Run cat /run/secrets/my_secret to see the secret.
/ # df -h
Filesystem Size Used Available Use% Mounted on
/dev/mapper/docker-253:1-388628-c16342a3e1f1bfcdcebb82872fa626a5f35a2bea4e535aa9a889069b85c63332
10.0G 37.3M 10.0G 0% /
tmpfs 64.0M 0 64.0M 0% /dev
tmpfs 492.6M 0 492.6M 0% /sys/fs/cgroup
/dev/mapper/centos00-root
12.6G 5.5G 7.1G 43% /etc/resolv.conf
/dev/mapper/centos00-root
12.6G 5.5G 7.1G 43% /etc/hostname
/dev/mapper/centos00-root
12.6G 5.5G 7.1G 43% /etc/hosts
shm 64.0M 0 64.0M 0% /dev/shm
tmpfs 492.6M 4.0K 492.6M 0% /run/secrets/my_secret
tmpfs 492.6M 0 492.6M 0% /proc/acpi
tmpfs 64.0M 0 64.0M 0% /proc/kcore
tmpfs 64.0M 0 64.0M 0% /proc/keys
tmpfs 64.0M 0 64.0M 0% /proc/timer_list
tmpfs 64.0M 0 64.0M 0% /proc/timer_stats
tmpfs 64.0M 0 64.0M 0% /proc/sched_debug
tmpfs 492.6M 0 492.6M 0% /proc/scsi
tmpfs 492.6M 0 492.6M 0% /sys/firmware
/ # cat /run/secrets/my_secret
a secret password
/ # exit
docker inspect my_secret
[
    {
        "ID": "vjvqnag6nu0p87xc0o94p315g",
        "Version": {
            "Index": 386
        },
        "CreatedAt": "2018-11-06T12:05:40.984748215Z",
        "UpdatedAt": "2018-11-06T12:05:40.984748215Z",
        "Spec": {
            "Name": "my_secret",
            "Labels": {}
        }
    }
]
docker secret ls
