Docker and Container Technology: Enterprise Deployment Strategy
Docker Architecture and Image Layers
Docker containers: isolated Linux processes with own filesystem, network, process tree. Dockerfile: declarative recipe to build image. FROM node:18 (base layer, ~500MB), RUN npm install (app layer, ~100MB), COPY . /app (code layer, varies). Docker commits write layer on each RUN/COPY/ADD command. Multi-stage builds optimize final image: build stage compiles code (1GB dependencies), production stage copies only binary (50MB final image). Example: Stage 1 builds Go binary, Stage 2 uses scratch (empty base, 2KB), copies binary only. Layer caching: unchanged layers reuse cache (rebuild <1 second if Dockerfile lines before COPY unchanged). BUILD_KIT: experimental backend, parallel layer building (50% faster builds). Image registry: Docker Hub (public), AWS ECR (private), runs pull/push operations (~100MB/s on gigabit network).
Security Scanning and Best Practices
Image scanning: docker scan image-name detects vulnerabilities (CVE database). Trivy: comprehensive vulnerability scanner (10M+ CVE records). Example: scan finds OpenSSL CVE-2022-1234 in base image, fix: upgrade FROM node:18-alpine (smaller, 150MB vs 500MB, fewer vulnerabilities). Security best practices: (1) non-root user (RUN useradd app, USER app prevents privilege escalation), (2) read-only filesystem (docker run --read-only), (3) capability dropping (docker run --cap-drop=ALL), (4) secrets management (docker secret for password injection, not ENV variable in image). Network isolation: --network none (isolated container, useful for batch jobs), --network host (shares host network, low-latency but less isolated). Health checks: HEALTHCHECK CMD curl localhost:8000 (every 30s, fail after 3 retries, stops container if unhealthy).
Container Runtime and Resource Limits
Docker daemon: background service managing containers (Linux kernel cgroups/namespaces). Container vs VM: container (<100ms startup, 50MB overhead) vs VM (5-10s startup, 2GB overhead, full OS). Cgroups limit resources: docker run --memory=512m --cpus=0.5 restricts container to 512MB RAM, 0.5 CPU cores. CPU shares: --cpus=1 on 4-core machine = 25% resources. Memory swapping: --memory-swap=1g (500MB RAM + 500MB swap when limit exceeded, causes slowdown). OOM killer: --oom-kill-disable prevents container termination if memory limit exceeded (instead swaps). Volume mounting: docker run -v /host/path:/container/path shares host directory (container writes persist). Tmpfs: docker run --tmpfs /tmp:size=1g creates temporary filesystem (cleared on container stop). Storage driver: overlay2 (common, copy-on-write, sparse allocation). Union filesystem: changes stored in delta layer (original image unchanged, allows sharing across containers).
Docker Compose and Multi-Container Orchestration
docker-compose.yml: declarative file defining services, networks, volumes. Example: services: { web: { image: node:18, ports: [3000:3000], volumes: [./app:/app] }, db: { image: postgres:14, environment: { POSTGRES_PASSWORD: secret } }, redis: { image: redis:7 } }. docker-compose up starts all services (automatically networked, web service can access postgres://db:5432). Service discovery: containers communicate via service name (DNS resolution automatic). Environment variables: .env file provides POSTGRES_PASSWORD (not hardcoded). Restart policy: restart: always restarts container if crashes. Networks: compose creates network bridge (all services connected). Logging: docker logs container-name shows stdout/stderr. Healthchecks: healthcheck: { test: ["CMD", "curl", "localhost:3000"], interval: 30s } monitors service health.
Registry Management and Image Distribution
Docker registries store images (Docker Hub, ECR, GCR, Harbor self-hosted). Push/Pull: docker tag myapp:1.0 registry.example.com/myapp:1.0, docker push sends image to registry (parallel layer uploads, typical <1 minute for 500MB image). Tagging strategy: image:latest (floating tag), image:1.0.0 (specific version), image:sha-commit-hash (immutable reference). Image scanning in registry: ECR/GCR auto-scan on push, flag high-severity vulnerabilities. Rate limiting: Docker Hub free tier (100 pulls/6 hours), paid tier unlimited. Private registries: Harbor (self-hosted, LDAP auth, quota management), requires HTTPS certificates (Let's Encrypt). Garbage collection: remove untagged images (dangling images), reclaim disk space (typical: 50GB reduction per 100 containers). Content addressability: image digest (sha256:abc123...) immutable reference (guarantees reproducible pulls).
Monitoring and Logging
Container stats: docker stats shows CPU%, memory%, network I/O per container (real-time monitoring). Prometheus integration: exporters collect metrics (cpu, memory, network, disk), scrape every 15s. Structured logging: docker logs with json-file driver (journald, splunk, awslogs options). Log rotation: docker run --log-opt max-size=10m --log-opt max-file=3 prevents disk overflow. ELK Stack: Elasticsearch (storage), Logstash (parsing), Kibana (visualization). Example: all container logs sent to centralized ELK, search queries find errors across fleet. Tracing: Jaeger captures request flows across containers (microservices debugging). APM: New Relic/DataDog integrate with Docker (observe performance anomalies). Alerting: Prometheus alert rules trigger when CPU >80% sustained (5 minute window). Runbook automation: CloudFormation/Terraform auto-remediate (restart stuck container).
Production Deployment and CI/CD Integration
Container registry in CI/CD: GitHub Actions workflow builds Docker image on push, pushes to ECR (automated). Example: on: [push], jobs: build, steps: checkout, build image (docker build -t app:sha-$(git rev-parse --short HEAD)), login ECR, push to registry. Kubernetes deployment: kubectl apply -f deployment.yaml deploys image (pull from registry, create replicas). Blue-green deployment: maintain two identical production environments (blue=current, green=new). Switch traffic: update load balancer to point to green (instant rollback if issues). Canary deployment: 5% traffic → new version, 95% → old version, monitor metrics (error rate, latency), gradually shift to 100% or rollback. Docker in Docker: CI pipeline runs docker build inside container (nested Docker, requires /var/run/docker.sock mount). Registry cleanup: remove images older than 30 days (cost optimization).