# OrbStack **OrbStack** is **Docker Desktop** alternative, is the fast, light, and easy way to run Docker Containers like they’re native on Mac. ## Features * [Zero-config domain names](https://docs.orbstack.dev/docker/domains) for both docker-compose and kubernetes * E.g., `n8n.agentic.orb.local` , `nginx.default.svc.cluster.local` * Get free local [https certs](https://docs.orbstack.dev/features/https) for both docker-compose and kubernetes * E.g., `https://n8n.agentic.orb.local/` * [Command line & CI](https://docs.orbstack.dev/headless) * [Kubernetes](https://docs.orbstack.dev/kubernetes/) * [Debug Shell](https://docs.orbstack.dev/features/debug) * [Menu bar app](https://docs.orbstack.dev/menu-bar) ## Install ```shell brew install --cask orbstack ``` > \[!NOTE] After install, when you open for first time, It will need **admin** access to finish setup. It will also add following lines to `~/.zprofile` ```shell # Added by OrbStack: command-line tools and integration # This won't be added again if you remove it. source ~/.orbstack/shell/init.zsh 2>/dev/null || : ``` ## Usage ```shell orb logs docker orb config show docker context show orb restart docker orb migrate docker # If you're running low on disk space, you can clear the cache manually: docker builder prune -a ``` ### Side-by-side ```shell # Switch to OrbStack docker context use orbstack # Switch to Docker Desktop docker context use desktop-linux ``` (Optional) Add docker registry mirror if needed in Corp env: ```json "features": { "buildkit": true }, { "registry-mirrors": ["https://my-docker-repo-mirror.my.company.com"] } ``` ### Networking How to get all ip addresses on a docker network? ```shell docker network ls docker inspect agentic_default ``` ## Reference * [Multi-platform builds](https://docs.orbstack.dev/docker/images) * [Switching from Docker Desktop to OrbStack on macOS](https://betterstack.com/community/guides/scaling-docker/switching-to-orbstack-on-macos/) * [OrbStack networking](https://docs.orbstack.dev/docker/network) ## DevOps tools Install optional DevOps tools for SREs ```shell brew install kubectx # to switch kube context, namespace quickly. https://github.com/ahmetb/kubectx brew install kubens # to switch kube quickly brew install kubernetes-helm # package manager for Kubernetes brew install kustomize # Kubernetes native configuration management brew install stefanprodan/tap/kustomizer # package manager for distributing Kubernetes configuration as OCI artifacts brew install derailed/k9s/k9s # Manage Your k8s In Style! brew install istioctl # Istio configuration command line utility brew install dive # A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image brew install crane # A tool for interacting with remote images and registries. brew tap anchore/syft && brew install syft # SBOM tool brew install cosign # Container Signing, Verification and Storage in an OCI registry. brew install skaffold # build and deploy docker images go install sigs.k8s.io/bom/cmd/bom@latest # Create SPDX-compliant Bill of Materials ``` ## Usage ```shell docker info docker version docker stats docker context list # to use tools like dive, you may need to switch context to docker-desktop docker context use docker-desktop docker top CONTAINER docker volume ls docker network ls docker system prune -a docker system df ``` ```shell # List builder instances docker buildx ls # inspect current builder instance docker buildx inspect docker buildx imagetools inspect docker buildx imagetools inspect --raw nginx:alpine | jq ``` ### Images ```shell docker build . docker tag docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] docker images docker login -u aaaa -p bbb # Log in to your repository, I am using GitHub container registry export GITHUB_PACKAGES_TOKEN=ghp_YOUR_TOKEN docker login -u {github_username} -p {[token](https://github.com/settings/tokens)} ghcr.io # inspect image docker inspect redislabs/redismod:edge docker inspect --format "{{.Architecture}}" redislabs/redismod:edge # Remove one or more images docker rmi docker.vectorized.io/vectorized/redpanda:v21.11.2 # default from docker.io docker pull jwsy/jade-shooter:v1.1 docker images | grep jwsy docker run -d -p 8080:80 jwsy/jade-shooter:v1.1 docker run -d -p 80:80 --name=nginx --restart=always nginx # `e2a5` is output from above command docker exec -it e2a5 sh docker images # save load docker save -o local_jwsy_jade-shooter_v1.2.tar docker load -i local_jwsy_jade-shooter_v1.2.tar ``` #### Encrypt image layers with [ocicrypt](https://github.com/containerd/nerdctl/blob/master/docs/ocicrypt.md) ```shell openssl genrsa -out mykey.pem openssl rsa -in mykey.pem -pubout -out mypubkey.pem docker image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted docker push example.com/foo:encrypted ``` #### Sign and Verify Container Image with [cosign](https://github.com/containerd/nerdctl/blob/master/docs/cosign.md) tool ```shell # Generate a key-pair: cosign.key and cosign.pub cosign generate-key-pair # Export your COSIGN_PASSWORD to prevent CLI prompting export COSIGN_PASSWORD=$COSIGN_PASSWORD ``` Sign the container image while pushing: ```shell # Sign the image with Keyless mode docker push --sign=cosign devopps/hello-world # Sign the image and store the signature in the registry docker push --sign=cosign --cosign-key cosign.key devopps/hello-world ``` Verify the container image while pulling: ```shell # Verify the image with Keyless mode docker pull --verify=cosign devopps/hello-world ``` ```shell # push first docker push -ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0 # then sigh and verify COSIGN_EXPERIMENTAL=1 cosign sign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0 COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0 ``` #### Generate and upload the SBOM We will use the **syft** to generate the SBOM and once its generated we will attach to image using **cosign** ```shell # Let’s first generate the SBOM syft packages ghcr.io/junaid18183/sampleapp:0.0.1 -o spdx > latest.spdx cosign attach sbom --sbom latest.spdx ghcr.io/xmlking/sampleapp:0.0.1 ``` ### Dive To explore docker image layers: ```bash dive spring-service:1.6.5-SNAPSHOT ``` ### Compose ```shell docker compose -f infra/redis.yml up redis docker compose -f infra/redpanda.yml up redpanda docker compose -f infra/redpanda.yml logs docker compose -f infra/redis.yml down docker compose -f infra/redpanda.yml down # this will stop redpanda and remove all volumes docker compose -f infra/redpanda.yml down -v docker compose -f infra/redpanda.yml ps # name of the container can be found from output of above command docker exec -it infra_redpanda_1 /bin/bash docker exec -it infra_redpanda_1 rpk version docker exec -it infra_redpanda_1 rpk topic list docker exec -it infra_redpanda_1 rpk cluster info # verify if docker `compose` getting correctly resolved application config from .env docker compose config # implicitly set `env-file` to `.env` docker compose --env-file .env --env-file .secrets config # explicitly set `env-file` to `.env` and `.secrets` # ssh to container (if needed to debug) docker compose exec -it redpanda \ rpk topic consume twitch_chat --brokers=localhost:9092 # Or docker exec -it redpanda-1 \ rpk topic produce twitch_chat --brokers=localhost:9092 docker exec -it redpanda-1 \ rpk topic consume twitch_chat --brokers=localhost:9092 ``` ### traefik How to expose **traefik** v2 dashboard? create `dashboard.yaml` file ```shell cat << 'EOF' > dashboard.yaml apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: dashboard spec: entryPoints: - web routes: - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) kind: Rule services: - name: api@internal kind: TraefikService EOF ``` ```shell kubectl -n kube-system apply -f dashboard.yaml ``` open dashboard in your favorite browser and **don't forget the second slash** ```shell open http://traefik.localhost/dashboard/#/ ``` ## Reference StevenACoffman's [Docker Best Practices and Antipatterns](https://gist.github.com/StevenACoffman/41fee08e8782b411a4a26b9700ad7af5) * [Signing images and creating SBOM using cosign](https://www.ijuned.com/Signing-images-and-creating-SBOM-using-cosign/) * A collection of useful things you can do with `crane` is [here](https://github.com/google/go-containerregistry/blob/main/cmd/crane/recipes.md) * [Compendium of Kubernetes Application Deployment Tools](https://medium.com/@KarlKFI/compendium-of-kubernetes-application-deployment-tools-80a828c91e8f) * Make Docker container respond to SIGTERM and SIGINT for gracefully shutdown * [Zombie reaping problem](https://www.back2code.me/2020/02/zombie-processes/) * [Docker and the PID 1 zombie reaping problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/) * [Faster Multi-Platform Builds: Dockerfile Cross-Compilation Guide](https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/) * [Docker Compose: Fragments, Configs top-level element, Secrets top-level element](https://github.com/compose-spec/compose-spec/blob/master/spec.md#configs-top-level-element) * [Kubernetes Ingress Vs Gateway API](https://medium.com/google-cloud/kubernetes-ingress-vs-gateway-api-647ee233693d) * [Kubernetes & Traefik with local Wildcard certificates](https://hugo.md/post/kubernetes-and-traefik/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://xmlking.gitbook.io/macos-setup/applications/orbstack.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.