Konteýner: Docker & OCI
Konteýner: Docker & OCI
1) OCI esasy düşünjeleri we standartlary
OCI Image Spec - şekilleriň formaty (manifest, , gatlaklar, multi-arch üçin index).
OCI Runtime Spec - konteýner (bundle, 'config. json`); ýerine ýetiriş: runc, şeýle hem gVisor, Kata Containers.
OCI Distribution Spec - registrler bilen özara gatnaşyk (push/pull, ygtyýarnama).
Docker = UX we OCI töweregindäki ekosistema: Dockerfile/BuildKit/CLI/Compose/Hub. Kubernetes Docker Engine-de kontainerd/CRI-O bilen çalşyryldy, ýöne şekilleriň formaty birmeňzeş.
2) Şekiller: gatlaklar, bellikler, meta-maglumatlar
Образ = слои (layered filesystem) + config (entrypoint/cmd/env/labels) + manifest.
Bellikler: ': latest' -ni nesilde ulanmaň; pinning ': 1. 21. 3 ', git-SHA ýa-da senesi + SHA.
LABEL: eýesi, aragatnaşyk, vcs-url, org. opencontainers. (title, description, revision, source).
Multi-arch: manifest-indeks 'amd64/arm64' üçin dogry warianty berýär.
3) Gurnama: Dockerfile, BuildKit, multi-stage
3. 1 Prinsipler
Gatlaklary azaltmak, wersiýalary düzmek, paket dolandyryjylarynyň keşlerini arassalamak.
Ilki bilen manifest/lock faýllaryny göçürip alyň, soňra 'RUN install deps' - keşi gowulandyrýar.
.dockerignore hökmanydyr ('.git', artefaktlary, syrlary aýyryň).
Distroless/alpine/minimal bazalar has gowudyr.
3. 2 BuildKit çipleri
Paralel bildler, ýygnamadaky syrlar ('--secret'), keş-mauntlar, multi-arch üçin buildx.
Keş-mauntyň mysaly:dockerfile syntax=docker/dockerfile:1. 6
RUN --mount=type=cache,target=/root/.cache/pip pip install -r requirements. txt3. 3 Multi-stage mysallary
Go (statiki linklenen, distroless):dockerfile syntax=docker/dockerfile:1. 6
FROM golang:1. 23 AS build
WORKDIR /src
COPY go. mod go. sum./
RUN go mod download
COPY..
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /app
FROM gcr. io/distroless/static:nonroot
USER 65532:65532
COPY --from=build /app /app
ENTRYPOINT ["/app"]dockerfile syntax=docker/dockerfile:1. 6
FROM node:22-alpine AS deps
WORKDIR /app
COPY package. json./
RUN npm ci --omit=dev
FROM node:22-alpine AS build
WORKDIR /app
COPY --from=deps /app/node_modules./node_modules
COPY..
RUN npm run build
FROM node:22-alpine
WORKDIR /app
ENV NODE_ENV=production
COPY --from=deps /app/node_modules./node_modules
COPY --from=build /app/dist./dist
USER node
CMD ["node","dist/server. js"]dockerfile syntax=docker/dockerfile:1. 6
FROM python:3. 12-slim AS base
ENV PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1
WORKDIR /app
FROM base AS deps
RUN --mount=type=cache,target=/root/.cache/pip pip install --upgrade pip
COPY requirements. txt.
RUN --mount=type=cache,target=/root/.cache/pip pip wheel --wheel-dir=/wheels -r requirements. txt
FROM base
COPY --from=deps /wheels /wheels
RUN pip install --no-index --find-links=/wheels -r /app/requirements. txt && rm -rf /wheels
COPY..
USER 1000:1000
CMD ["python","-m","app"]dockerfile syntax=docker/dockerfile:1. 6
FROM maven:3. 9-eclipse-temurin-21 AS build
WORKDIR /src
COPY pom. xml./
RUN mvn -q -e -DskipTests dependency:go-offline
COPY..
RUN mvn -q -DskipTests package
FROM eclipse-temurin:21-jre
WORKDIR /app
COPY --from=build /src/target/app. jar /app/app. jar
ENTRYPOINT ["java","-XX:+UseContainerSupport","-jar","/app/app. jar"]4) Iň az şekiller, PID 1 we signallar
Distroless - az hüjüm ýüzi, şell/paket dolandyryjysy ýok.
PID 1 signallary dogry, ýogsam "zombi-prosesleri" geçirmeli. 'ENTRYPOINT' -i exec-form we tini/gurlan init görnüşinde ulanyň:dockerfile
ENTRYPOINT ["tini","--","/app"]'HEALTHCHECK' akylly soraň (ýygylyk/wagt, artykmaç ýüksüz).
5) Konteýnerleriň gizlinligi
5. 1 Syýasatlar we hardening
Non-root (USER), rootless Docker/containers.
Capabilities: artykmaç aýyryň ('-cap-drop = ALL --cap-add = NET _ BIND _ SERVICE' we ş.m.).
seccomp/AppArmor/SELinux: profilleriňizi standart ýa-da berk görnüşde açyň.
Read-only FS + `tmpfs` для `/tmp`, no-new-privileges.
Secrets: şekillerde däl; Gizlin dolandyryjydan (K8s/vault/docker secrets) redaktirläň.
5. 2 Supply chain
SBOM (CycloneDX/SPDX) we skaner (Trivy/Grype).
Goly (cosign, sigstore) we pull (verify) boýunça syýasat.
Täzelenmeleriň repetisiýalary: CVE patçly esasy şekiller yzygiderli ýygnalýar.
6) Saklamak we faýl sürüjileri
Operlay2 (çalt we durnukly). Rootless gurşawlarda köplenç fuse-overlayfs.
Maglumatlar we keşler üçin volumes, ösüş üçin bind-mount.
'/' -a ýazmaň - maglumat ýoluny ('/data ') ulanyň, state-i şekilden aýyryň.
7) Tor we DNS
Docker torlary: bridge, host, none, macvlan/ipvlan (L2/L3 integrasiýa).
Docker DNS rezolweri/daemon hostdan alýar. json; prod üçin ýerli kesh rezolwerlerini sazlaň.
K8s ulgamy CNI (Calico/Cilium/Flannel) tarapyndan dolandyrylýar. Sidecar/mesh üçin - tutma (iptables).
8) Çeşmeler we QoS (cgroups v2)
Çäklendirmeler: '--cpus', '-memory', '--pids-limit', '--cpuset-cpus'.
Requests/limits (K8s) guruň → meýilnamalaşdyrmaga we QoS-e täsir edýär.
GC/IO sebäpli OOMKilled, throttling, latency spikes.
bash docker run --cpus=1. 5 --memory=512m --pids-limit=256 --read-only --tmpfs /tmp:rw,size=64m...9) Loglar we syn ediliş
Log sürüjileri: 'json-file' (aýlawly), 'journald', 'gelf', 'awslogs', 'syslog'.
Aýlanyşy sazlaň:json
{ "log-driver":"json-file","log-opts":{"max-size":"10m","max-file":"5"} }Metrikler: Docker Engine API, cAdvisor, node eksport edijiler; konteýnerdäki agent ýa-da sidecar arkaly yzarlamak.
10) Registrler we tassyklama
Hususy sanawlar: ECR/GCR/ACR/Harbor/GitHub Container Registry.
Rate-limits Docker Hub; aýnalary/keshleri (registry-cache) ulanyň.
Retention/immutable tags syýasaty, sebitleriň arasynda köpeltmek.
'docker login' -ni skriptlerde saklamaň; CI-syrlaryny we OIDC-federasiýasyny ulanyň.
11) docker-compose vs orkestratorlar
Compose - ýerli ösüş/integrasiýa stendleri.
Прод: Kubernetes (Deployment/StatefulSet/DaemonSet, Ingress, Secrets, PVC) с containerd/CRI-O; howpsuzlyk syýasaty we rollout-strategiýalary.
Swarm uly önümler üçin köne, ýönekeý toparlar üçin amatly.
yaml version: "3. 9"
services:
api:
build:.
ports: ["8080:8080"]
environment: ["DB_URL=postgres://pg/DB"]
depends_on: ["pg"]
pg:
image: postgres:16-alpine volumes: ["pgdata:/var/lib/postgresql/data"]
volumes: { pgdata: {} }12) Healthcheck, başlamak/durmak, graceful shutdown
"HEALTHCHECK" -ni "retries" -iň wagtlary we çäklendirmeleri bilen ulanyň.
Dogry graceful: SIGTERM tutuň, girişi tamamlaň, baglanyşyklary ýapyň, soň bolsa çykyň.
В K8s: `preStop` hook + `terminationGracePeriodSeconds`, readiness перед liveness.
13) Diller/akymlar boýunça iň oňat amallar (gysgaça maglumat)
Node: 'npm ci', 'NODE _ ENV = production', runtime-de dev-deps öçürmek, '--heapsnapshot' off, 'uWS/GZip' L7-proxy üçin.
Python: wheels, 'gunicorn --graceful-timeout', 'GTHREADS '/' UVICorn' CPU boýunça, wenv-ni umumy gatlagyň içinde zerur bolmasa saklamaň.
Go: CGO off (mümkin bolsa),' -ldflags =" -s -w "', distroless/static, 'GOMAXPROCS' cgroups.
Java: gatlak JAR, '-XX: MaxRAMPercentage', CDS/Layered JAR.
14) Supply chain we şekiller syýasaty
CI-de SBOM dörediň, artefaktyň ýanynda saklaň.
Her topdaky şekilleri gözden geçiriň; kritiki CVE üçin gapy.
Şekillere (cosign) gol çekiň, syýasata gözegçilik edijini goşuň (K8s - Kyverno/Conftest/Gatekeeper).
Build we run hasaplaryny/torlaryny bölüň; Şahsy sanawda garaşlylygy kesiň.
15) Anti-patternler
': latest' prodda; imutable bellikleriň ýoklugy.
Izolýasiýa bolmazdan "prod-hostyň içinde" ýygnamak; Dockerfile-de syrlary saklamak.
root, '-privileged', giň capabilities.
Galyň şekiller (> 1-2 GB), ýok. dockerignore.
Init logikasy ENTRYPOINT-de shell-form arkaly → signal problemalary.
Volume ýerine konteýner gatlagyna hemişelik maglumatlary ýazyň.
Healthcheck, prod-DB-e gymmat bahaly soraglar berýär.
16) Giriş çek-sanawy (0-45 gün)
0-10 gün
Dockerfile (multi-stage, .dockerignore, LABEL, pinned base) standartlaşdyryň.
Paket dolandyryjylary üçin BuildKit/buildx, keş-mauntlary goşuň.
Nädogry we 'seccomp '/AppArmor/SELinux profillerine geçiň.
11-25 gün
Runtime-şekilleri (alpine/distroless) minimallaşdyrmak, log bilen tertibi düzmek (aýlanmak).
Resurs çäklerini, healthchecks, dogry PID 1/tini.
Hususy reýestri/keşi ýokary galdyryň, CVE skanerini we SBOM neslini birikdiriň.
26-45 gün
Şekilleriň goluny we klaster syýasatyny giriziň.
Zerur hyzmatlar üçin multi-arch (amd64/arm64) gurnamak.
Ýygnamak/goýbermek üçin runbook resminamalaryny düzmek, ýygnamak wagtynyň ululygy/gowşaklygy boýunça hasabat.
17) Kämillik ölçegleri
Hyzmatlaryň 95% -ini ≥ üçin immutable bellikler we köpeldilýän gurnamalar.
Runtime-şekiliň ortaça ululygy <200-300 MB (aýna boýunça).
100% prod-konteýner - root däl, çäkli capabilities we read-only FS.
Her push üçin SBOM we CVE skaneri; möhüm CVE → petiklenýär.
Gurşawda şekilleriň we policy-enforcement goly.
Konteýneriň sowuk başlanýan wagty ≤ maksatly SLO (mysal üçin, 2-5 sek), dogry graceful shutdown.
18) Netijenama
Ulular üçin konteýnerizasiýa OCI standartlary + ýygnamak tertibi + adaty howpsuzlyk + gözegçilik we üpjün etmek syýasaty. Multi-stage we BuildKit ulanyň, iş wagtyňyzy azaltyň, berk profilleriň aşagynda kök däl işe giriziň, bellikleri belläň, skanirläň we gol çekiň, girelgeleri/çeşmeleri/tory gözegçilik astynda saklaň. Şeýlelik bilen, konteýnerler ösüşden önümçilige çenli platformanyzyň öňünden aýdyp boljak we dolandyryp boljak esasyna öwrüler.