🐱 Source ☕️ Java SampleGo Sample Angular Sample

Rancher Desktop

Provides Docker, Kubernetes runtime and CLI tools for local development.

NOTE: you need either Docker Desktop (free for personal use) or Rancher Desktop (free). Pick one only.

Rancher Desktop Container Management and Kubernetes on the Desktop. Is the replacement for Docker Desktop. Use either one of them.

Download and install the latest binary for your platform from rancherdesktop.io. Unpack and move Rancher Desktop.app to /Applications e.g., Rancher.Desktop-x.y.z.aarch64.dmg for Mac M1

It includes:

  1. lima

  2. containerD

  3. k3s

  4. traefik

After Rancher Desktop is installed, users will have access to these supporting utilities:

  • Helm

  • kubectl

  • rdctl - this CLI can be used to do all action that you can do at Rancher Desktop UI via command-line

    # example:
rdctl list-settings
rdctl set --container-runtime dockerd --kubernetes-version 1.24.3
rdctl set --kubernetes-enabled=true
rdctl shutdown

Configuration

It is recommended assign:

  • 8 GB or above memory

  • minimum 4 CPU

  • Enable Traefik

Make sure you enabled following settings. ie., dockerd(moby) , PATH manual etc.

Docker Experimental Features

You can turn on experimental Docker CLI features in one of two ways. Either by setting an environment variable temporarily:

export DOCKER_CLI_EXPERIMENTAL=enabled

or by turning the feature on in the config file $HOME/.docker/config.json permanently:

{
  "experimental" : "enabled"
}

docker version should show Client > Experimental : true.

Optionally, You can also turn on docker engine's experimental features: Change the docker engine configuration file /etc/docker/daemon.json or create one if it doesn’t exist already:

To SSH into lima VM managed by Rancher Desktop, run this command:

LIMA_HOME="$HOME/Library/Application Support/rancher-desktop/lima" "/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl" shell 0

ls -la /etc/docker/
# to restart docker daemon inside lima VM
sudo service docker restart

and added /etc/docker/daemon.json with the below settings.

Make sure dns, bip values match to your local network.

{
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "features": {
    "buildkit": true
  },
  "experimental": false,
  "dns": ["your custom dns", "8.8.8.8"],
  "bip": "192.168.254.1/24",
  "insecure-registries" : ["URL for your registry"]
}

DevOps tools

Install optional DevOps tools for SREs

brew install kubectx # to switch kube context, namespace quickly. https://github.com/ahmetb/kubectx
brew install kubens # to switch kube  quickly
brew install kubernetes-helm # package manager for Kubernetes
brew install kustomize # Kubernetes native configuration management
brew install stefanprodan/tap/kustomizer # package manager for distributing Kubernetes configuration as OCI artifacts
brew install derailed/k9s/k9s # Manage Your k8s In Style!
brew install istioctl # Istio configuration command line utility
brew install dive # A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image
brew install crane # A tool for interacting with remote images and registries.
brew tap anchore/syft && brew install syft # SBOM tool
brew install cosign # Container Signing, Verification and Storage in an OCI registry.
brew install skaffold # build and deploy docker images
go install sigs.k8s.io/bom/cmd/bom@latest # Create SPDX-compliant Bill of Materials

Usage

docker info
docker version
docker stats
docker context list
# to use tools like dive, you may need to switch context to rancher-desktop
docker context use rancher-desktop
docker top CONTAINER
docker volume ls
docker network ls
# List builder instances
docker buildx ls
# inspect current builder instance
docker buildx inspect
docker buildx imagetools inspect <MULTI_PLATFORM_IMAGE>
docker buildx imagetools inspect --raw nginx:alpine | jq

Images

docker build .
docker tag
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

docker images

docker login -u aaaa -p bbb
# Log in to your repository, I am using GitHub container registry
export GITHUB_PACKAGES_TOKEN=ghp_YOUR_TOKEN
docker login -u {github_username} -p {[token](https://github.com/settings/tokens)} ghcr.io

# inspect image
docker inspect redislabs/redismod:edge
docker inspect --format "{{.Architecture}}" redislabs/redismod:edge

# Remove one or more images
docker rmi docker.vectorized.io/vectorized/redpanda:v21.11.2

# default from docker.io
docker pull jwsy/jade-shooter:v1.1

docker images | grep jwsy
docker run -d -p 8080:80 jwsy/jade-shooter:v1.1
docker run -d -p 80:80 --name=nginx --restart=always nginx

# `e2a5` is output from above command
docker exec -it e2a5 sh
docker images
# save load
docker save -o local_jwsy_jade-shooter_v1.2.tar
docker load -i local_jwsy_jade-shooter_v1.2.tar

Encrypt image layers with ocicrypt

openssl genrsa -out mykey.pem
openssl rsa -in mykey.pem -pubout -out mypubkey.pem
docker image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
docker push example.com/foo:encrypted

Sign and Verify Container Image with cosign tool

# Generate a key-pair: cosign.key and cosign.pub
cosign generate-key-pair

# Export your COSIGN_PASSWORD to prevent CLI prompting
export COSIGN_PASSWORD=$COSIGN_PASSWORD

Sign the container image while pushing:

# Sign the image with Keyless mode
docker push --sign=cosign devopps/hello-world

# Sign the image and store the signature in the registry
docker push --sign=cosign --cosign-key cosign.key devopps/hello-world

Verify the container image while pulling:

# Verify the image with Keyless mode
docker pull --verify=cosign devopps/hello-world
# push first
docker push -ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
# then sigh and verify
COSIGN_EXPERIMENTAL=1 cosign sign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0

Generate and upload the SBOM

We will use the syft to generate the SBOM and once its generated we will attach to image using cosign

# Let’s first generate the SBOM
syft packages ghcr.io/junaid18183/sampleapp:0.0.1 -o spdx  > latest.spdx
cosign attach sbom --sbom latest.spdx ghcr.io/xmlking/sampleapp:0.0.1

Dive

To explore docker image layers:

dive spring-service:1.6.5-SNAPSHOT

Compose

docker compose -f infra/redis.yml up redis
docker compose -f infra/redpanda.yml up redpanda
docker compose -f infra/redpanda.yml logs
docker compose -f infra/redis.yml down
docker compose -f infra/redpanda.yml down
# this will stop redpanda and remove all volumes
docker compose -f infra/redpanda.yml down -v

docker compose -f infra/redpanda.yml ps
# name of the container can be found from output of above command
docker exec -it infra_redpanda_1 /bin/bash
docker exec -it infra_redpanda_1 rpk version
docker exec -it infra_redpanda_1 rpk topic list
docker exec -it infra_redpanda_1 rpk cluster info

# verify if docker `compose` getting correctly resolved application config from .env
docker compose config # implicitly set `env-file` to `.env`
docker compose --env-file .env --env-file .secrets config  # explicitly set `env-file` to `.env` and `.secrets`

# ssh to container (if needed to debug)
docker compose exec -it redpanda \
rpk topic consume twitch_chat --brokers=localhost:9092
# Or
docker exec -it redpanda-1 \
rpk topic produce twitch_chat --brokers=localhost:9092
docker exec -it redpanda-1 \
rpk topic consume twitch_chat --brokers=localhost:9092

traefik

How to expose traefik v2 dashboard?

create dashboard.yaml file

cat << 'EOF' > dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
EOF
kubectl -n kube-system apply -f dashboard.yaml

open dashboard in your favorite browser and don't forget the second slash

open http://traefik.localhost/dashboard/#/

Reference

StevenACoffman's Docker Best Practices and Antipatterns

PreviousDocker DesktopNextTraefik

Last updated