OrbStack

OrbStack is Docker Desktop alternative, is the fast, light, and easy way to run Docker Containers like they’re native on Mac.

Features

• Zero-config domain names for both docker-compose and kubernetes

  • E.g., n8n.agentic.orb.local , nginx.default.svc.cluster.local

• Get free local https certs for both docker-compose and kubernetes

  • E.g., https://n8n.agentic.orb.local/

• Command line & CI

• Kubernetes

• Debug Shell

• Menu bar app

Install

brew install --cask orbstack

[!NOTE] After install, when you open for first time, It will need admin access to finish setup.

It will also add following lines to ~/.zprofile

# Added by OrbStack: command-line tools and integration
# This won't be added again if you remove it.
source ~/.orbstack/shell/init.zsh 2>/dev/null || :

Usage

orb logs docker
orb config show
docker context show
orb restart docker
orb migrate docker
# If you're running low on disk space, you can clear the cache manually:
docker builder prune -a

Side-by-side

# Switch to OrbStack
docker context use orbstack
# Switch to Docker Desktop
docker context use desktop-linux

(Optional) Add docker registry mirror if needed in Corp env:

  "features": {
    "buildkit": true
  },
  {
    "registry-mirrors": ["https://my-docker-repo-mirror.my.company.com"]
  }

Networking

How to get all ip addresses on a docker network?

docker network ls
docker inspect agentic_default

Reference

• Multi-platform builds

• Switching from Docker Desktop to OrbStack on macOS

• OrbStack networking

DevOps tools

Install optional DevOps tools for SREs

brew install kubectx # to switch kube context, namespace quickly. https://github.com/ahmetb/kubectx
brew install kubens # to switch kube  quickly
brew install kubernetes-helm # package manager for Kubernetes
brew install kustomize # Kubernetes native configuration management
brew install stefanprodan/tap/kustomizer # package manager for distributing Kubernetes configuration as OCI artifacts
brew install derailed/k9s/k9s # Manage Your k8s In Style!
brew install istioctl # Istio configuration command line utility
brew install dive # A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image
brew install crane # A tool for interacting with remote images and registries.
brew tap anchore/syft && brew install syft # SBOM tool
brew install cosign # Container Signing, Verification and Storage in an OCI registry.
brew install skaffold # build and deploy docker images
go install sigs.k8s.io/bom/cmd/bom@latest # Create SPDX-compliant Bill of Materials

Usage

docker info
docker version
docker stats
docker context list
# to use tools like dive, you may need to switch context to docker-desktop
docker context use docker-desktop
docker top CONTAINER
docker volume ls
docker network ls
docker system prune -a
docker system df

# List builder instances
docker buildx ls
# inspect current builder instance
docker buildx inspect
docker buildx imagetools inspect <MULTI_PLATFORM_IMAGE>
docker buildx imagetools inspect --raw nginx:alpine | jq

Images

docker build .
docker tag
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

docker images

docker login -u aaaa -p bbb
# Log in to your repository, I am using GitHub container registry
export GITHUB_PACKAGES_TOKEN=ghp_YOUR_TOKEN
docker login -u {github_username} -p {[token](https://github.com/settings/tokens)} ghcr.io

# inspect image
docker inspect redislabs/redismod:edge
docker inspect --format "{{.Architecture}}" redislabs/redismod:edge

# Remove one or more images
docker rmi docker.vectorized.io/vectorized/redpanda:v21.11.2

# default from docker.io
docker pull jwsy/jade-shooter:v1.1

docker images | grep jwsy
docker run -d -p 8080:80 jwsy/jade-shooter:v1.1
docker run -d -p 80:80 --name=nginx --restart=always nginx

# `e2a5` is output from above command
docker exec -it e2a5 sh
docker images
# save load
docker save -o local_jwsy_jade-shooter_v1.2.tar
docker load -i local_jwsy_jade-shooter_v1.2.tar

Encrypt image layers with ocicrypt

openssl genrsa -out mykey.pem
openssl rsa -in mykey.pem -pubout -out mypubkey.pem
docker image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
docker push example.com/foo:encrypted

Sign and Verify Container Image with cosign tool

# Generate a key-pair: cosign.key and cosign.pub
cosign generate-key-pair

# Export your COSIGN_PASSWORD to prevent CLI prompting
export COSIGN_PASSWORD=$COSIGN_PASSWORD

Sign the container image while pushing:

# Sign the image with Keyless mode
docker push --sign=cosign devopps/hello-world

# Sign the image and store the signature in the registry
docker push --sign=cosign --cosign-key cosign.key devopps/hello-world

Verify the container image while pulling:

# Verify the image with Keyless mode
docker pull --verify=cosign devopps/hello-world

# push first
docker push -ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
# then sigh and verify
COSIGN_EXPERIMENTAL=1 cosign sign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0

Generate and upload the SBOM

We will use the syft to generate the SBOM and once its generated we will attach to image using cosign

# Let’s first generate the SBOM
syft packages ghcr.io/junaid18183/sampleapp:0.0.1 -o spdx  > latest.spdx
cosign attach sbom --sbom latest.spdx ghcr.io/xmlking/sampleapp:0.0.1

Dive

To explore docker image layers:

dive spring-service:1.6.5-SNAPSHOT

Compose

docker compose -f infra/redis.yml up redis
docker compose -f infra/redpanda.yml up redpanda
docker compose -f infra/redpanda.yml logs
docker compose -f infra/redis.yml down
docker compose -f infra/redpanda.yml down
# this will stop redpanda and remove all volumes
docker compose -f infra/redpanda.yml down -v

docker compose -f infra/redpanda.yml ps
# name of the container can be found from output of above command
docker exec -it infra_redpanda_1 /bin/bash
docker exec -it infra_redpanda_1 rpk version
docker exec -it infra_redpanda_1 rpk topic list
docker exec -it infra_redpanda_1 rpk cluster info

# verify if docker `compose` getting correctly resolved application config from .env
docker compose config # implicitly set `env-file` to `.env`
docker compose --env-file .env --env-file .secrets config  # explicitly set `env-file` to `.env` and `.secrets`

# ssh to container (if needed to debug)
docker compose exec -it redpanda \
rpk topic consume twitch_chat --brokers=localhost:9092
# Or
docker exec -it redpanda-1 \
rpk topic produce twitch_chat --brokers=localhost:9092
docker exec -it redpanda-1 \
rpk topic consume twitch_chat --brokers=localhost:9092

traefik

How to expose traefik v2 dashboard?

create dashboard.yaml file

cat << 'EOF' > dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
EOF

kubectl -n kube-system apply -f dashboard.yaml

open dashboard in your favorite browser and don't forget the second slash

open http://traefik.localhost/dashboard/#/

Reference

StevenACoffman's Docker Best Practices and Antipatterns

• Signing images and creating SBOM using cosign

• A collection of useful things you can do with crane is here

• Compendium of Kubernetes Application Deployment Tools

• Make Docker container respond to SIGTERM and SIGINT for gracefully shutdown

  • Zombie reaping problem

  • Docker and the PID 1 zombie reaping problem

• Faster Multi-Platform Builds: Dockerfile Cross-Compilation Guide

• Docker Compose: Fragments, Configs top-level element, Secrets top-level element

• Kubernetes Ingress Vs Gateway API

• Kubernetes & Traefik with local Wildcard certificates