Containerization: Docker and OCI
1) Core concepts and OCI standards
OCI Image Spec: the image format (manifest, config, layers, and an index for multi-arch).
OCI Runtime Spec: the container (bundle, `config.json`); implementations: runc, and also gVisor and Kata Containers.
OCI Distribution Spec: interaction with registries (push/pull, authorization).
Docker = the UX and ecosystem around OCI: Dockerfile/BuildKit/CLI/Compose/Hub. Kubernetes replaced Docker Engine with containerd/CRI-O, but the image format stays the same.
2) Images: layers, tags, metadata
Image = layers (layered filesystem) + config (entrypoint/cmd/env/labels) + manifest.
Tags: do not use `:latest`; pin instead: `1.21.3`, a git SHA, or date + SHA.
LABEL: owner, contact, vcs-url, the `org.opencontainers.image.*` annotations (title, description, revision, source).
Multi-arch: the manifest index serves the correct variant for `amd64`/`arm64`.
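An added example for sections 1 and 2 (my own code, not from the page): a Go parser for a constructed OCI image index that picks the manifest digest for a platform, which is the step a runtime performs when it pulls a multi-arch tag. The digests in `sampleIndex` are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Platform mirrors the "platform" object of an OCI image index entry.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
	Variant      string `json:"variant,omitempty"`
}

// Descriptor keeps only the descriptor fields needed to pick a manifest.
type Descriptor struct {
	Digest   string    `json:"digest"`
	Platform *Platform `json:"platform,omitempty"`
}

// Index is the top-level OCI image index (the manifest list behind a multi-arch tag).
type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	Manifests     []Descriptor `json:"manifests"`
}

// SelectManifest returns the digest of the manifest for os/arch, mirroring what a
// runtime does on pull. Entries without a platform, or with the "unknown/unknown"
// platform that buildx uses for attestation manifests, never match.
func SelectManifest(indexJSON []byte, os, arch string) (string, error) {
	var idx Index
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", err
	}
	if idx.SchemaVersion != 2 {
		return "", fmt.Errorf("unsupported schemaVersion %d", idx.SchemaVersion)
	}
	for _, d := range idx.Manifests {
		if p := d.Platform; p != nil && p.OS == os && p.Architecture == arch {
			return d.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest for %s/%s", os, arch)
}

// sampleIndex is a constructed two-platform index plus an attestation entry; digests are placeholders.
const sampleIndex = `{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
 {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaaa", "size": 1, "platform": {"architecture": "amd64", "os": "linux"}},
 {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbbb", "size": 1, "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
 {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:cccc", "size": 1, "platform": {"architecture": "unknown", "os": "unknown"}}]}`
```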
3) Building: Dockerfile, BuildKit, multi-stage
3.1 Principles
Minimize layers, pin versions, clean package manager caches.
Copy manifest/lock files first, then `RUN install deps`: this improves cache reuse.
A .dockerignore is mandatory (exclude `.git`, build artifacts, secrets).
Prefer distroless/alpine/minimal base images.
3.2 BuildKit features
Parallel builds, build-time secrets (`--secret`), cache mounts, buildx for multi-arch.
Cache mount example:

```dockerfile
# syntax=docker/dockerfile:1.6
RUN --mount=type=cache,target=/root/.cache/pip pip install -r requirements.txt
```
3.3 Multi-stage samples
Go (statically linked, distroless):

```dockerfile
# syntax=docker/dockerfile:1.6
FROM golang:1.23 AS build
WORKDIR /src
# module manifests first: the download layer stays cached until go.mod/go.sum change
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# static binary, stripped of the symbol table and DWARF
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /app

# distroless static base: no shell, no package manager, runs as nonroot (uid 65532)
FROM gcr.io/distroless/static:nonroot
USER 65532:65532
COPY --from=build /app /app
ENTRYPOINT ["/app"]
```
Node.js (prod layer without dev-deps):

```dockerfile
# syntax=docker/dockerfile:1.6
FROM node:22-alpine AS deps
WORKDIR /app
# npm ci requires the lockfile; copy both manifests before installing for cache reuse
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

FROM node:22-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
# the build needs dev-deps (bundler, compiler); they exist only in this stage
RUN npm ci
COPY . .
RUN npm run build

FROM node:22-alpine
WORKDIR /app
ENV NODE_ENV=production
# runtime gets only prod node_modules and the built output
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
USER node
CMD ["node","dist/server.js"]
```
Python (wheel cache, non-root):

```dockerfile
# syntax=docker/dockerfile:1.6
FROM python:3.12-slim AS base
ENV PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1
WORKDIR /app

FROM base AS deps
RUN --mount=type=cache,target=/root/.cache/pip pip install --upgrade pip
COPY requirements.txt .
# build wheels once; the cache mount keeps downloads out of the image layers
RUN --mount=type=cache,target=/root/.cache/pip pip wheel --wheel-dir=/wheels -r requirements.txt

FROM base
COPY --from=deps /wheels /wheels
# requirements.txt must exist in this stage before the offline install below
COPY requirements.txt .
RUN pip install --no-index --find-links=/wheels -r /app/requirements.txt && rm -rf /wheels
COPY . .
USER 1000:1000
CMD ["python","-m","app"]
```
Java (JLink/Layered Spring):

```dockerfile
# syntax=docker/dockerfile:1.6
FROM maven:3.9-eclipse-temurin-21 AS build
WORKDIR /src
COPY pom.xml ./
# resolve dependencies in a cached layer before the sources are copied
RUN mvn -q -e -DskipTests dependency:go-offline
COPY . .
RUN mvn -q -DskipTests package

FROM eclipse-temurin:21-jre
WORKDIR /app
# assumes the pom sets <finalName>app</finalName>; adjust the path otherwise
COPY --from=build /src/target/app.jar /app/app.jar
ENTRYPOINT ["java","-XX:+UseContainerSupport","-jar","/app/app.jar"]
```
4) Minimal images, PID 1 and signals
Distroless: small attack surface, no shell or package manager.
PID 1 must forward signals correctly, otherwise zombie processes accumulate. Use the exec form of `ENTRYPOINT` together with tini or the runtime's built-in init:

```dockerfile
ENTRYPOINT ["tini","--","/app"]
```

Configure `HEALTHCHECK` sensibly (interval/timeout, without overloading the service).
5) Container security
5.1 Policy and hardening
Non-root (USER), rootless Docker/containers.
Capabilities: drop everything unneeded (`--cap-drop=ALL --cap-add=NET_BIND_SERVICE`, etc.).
seccomp/AppArmor/SELinux: apply the default or stricter profiles.
Read-only FS + `tmpfs` for `/tmp`, no-new-privileges.
Secrets: never in images; inject them from a secrets manager (K8s/Vault/Docker secrets).
5.2 Supply chain
SBOM (CycloneDX/SPDX) and scanning (Trivy/Grype).
Signing (cosign, Sigstore) and a verify-on-pull policy.
Update cadence: base images are rebuilt regularly with CVE patches.
6) Storage and filesystem drivers
Default is overlay2 (fast and stable). Rootless environments often use fuse-overlayfs.
Volumes for data and caches, bind mounts for development.
Do not write to `/`; use a data path (`/data`) and keep state separate from the image.
7) Networking and DNS
Docker networks: bridge (default), host (minimal overhead, port conflicts), none, macvlan/ipvlan (L2/L3 integration).
The DNS resolver comes from the Docker host/daemon.json; for prod, configure local caching resolvers.
In K8s, networking is handled by a CNI (Calico/Cilium/Flannel); sidecars/meshes rely on traffic-interception hooks (iptables).
8) Resources and QoS (cgroups v2)
Limits: `--cpus`, `--memory`, `--pids-limit`, `--cpuset-cpus`.
requests/limits (K8s) → affect scheduling and QoS class.
OOMKilled, throttling, and latency spikes caused by GC/IO.

```bash
docker run --cpus=1.5 --memory=512m --pids-limit=256 --read-only --tmpfs /tmp:rw,size=64m ...
```
9) Logging and observability
Log drivers: `json-file` (with rotation), `journald`, `gelf`, `awslogs`, `syslog`.
Configure rotation (daemon.json):

```json
{ "log-driver":"json-file","log-opts":{"max-size":"10m","max-file":"5"} }
```

Metrics: Docker Engine API, cAdvisor, node exporters; tracing via an agent or sidecar in the container.
10) Registries and authentication
Private registries: ECR/GCR/ACR/Harbor/GitHub Container Registry.
Docker Hub rate limits: use a mirror/cache (registry cache).
Retention/immutable-tag policies, replication between regions.
Do not store `docker login` credentials in scripts; use CI secrets and OIDC federation.
11) docker-compose vs orchestrators
Compose: local development/integration environments.
Prod: Kubernetes (Deployment/StatefulSet/DaemonSet, Ingress, Secrets, PVC) with containerd/CRI-O; security policies and rollout strategies.
Swarm is outdated for large products but fine for simple clusters.

```yaml
version: "3.9"
services:
  api:
    build: .
    ports: ["8080:8080"]
    environment: ["DB_URL=postgres://pg/DB"]
    depends_on: ["pg"]
  pg:
    image: postgres:16-alpine
    volumes: ["pgdata:/var/lib/postgresql/data"]
volumes: { pgdata: {} }
```
12) Healthcheck, start/stop, graceful shutdown
Use `HEALTHCHECK` with `retries`, timeouts and limits.
Proper graceful shutdown: catch SIGTERM, finish in-flight requests, close connections, then exit.
In K8s: `preStop` hook + `terminationGracePeriodSeconds`, readiness before liveness.
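An added Go example, not part of the original page, covering the PID 1/signal advice of section 4 and the shutdown sequence of this section: the process receives SIGTERM directly as PID 1 (exec-form ENTRYPOINT), fails its readiness probe first, drains in-flight requests within a grace period that should be shorter than `terminationGracePeriodSeconds`, then exits. `Serve` and the `/readyz` path are my own names.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)
var ready atomic.Bool // readiness flag: cleared first on shutdown so the LB stops routing new requests
// Serve runs app on ln until ctx is cancelled (SIGTERM from the runtime), then drains
// in-flight requests for at most grace (keep it below terminationGracePeriodSeconds).
func Serve(ctx context.Context, ln net.Listener, app http.Handler, grace time.Duration) error {
	mux := http.NewServeMux()
	mux.HandleFunc("/readyz", func(w http.ResponseWriter, r *http.Request) {
		if !ready.Load() {
			http.Error(w, "draining", http.StatusServiceUnavailable) // 503 while the endpoint is withdrawn
		}
	})
	mux.Handle("/", app)
	srv := &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	ready.Store(true)
	serveErr := make(chan error, 1)
	go func() { serveErr <- srv.Serve(ln) }()
	select {
	case err := <-serveErr:
		return err // listener failed before any shutdown was requested
	case <-ctx.Done():
	}
	ready.Store(false)
	drainCtx, cancel := context.WithTimeout(context.Background(), grace)
	defer cancel()
	if err := srv.Shutdown(drainCtx); err != nil {
		return err // context.DeadlineExceeded: requests were still running after grace
	}
	<-serveErr // Serve has returned http.ErrServerClosed: every in-flight request completed
	return nil
}

func main() {
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT) // PID 1 under an exec-form ENTRYPOINT gets SIGTERM directly
	defer stop()
	ln, err := net.Listen("tcp", ":8080")
	if err != nil {
		log.Fatal(err)
	}
	log.Println("exit:", Serve(ctx, ln, http.NotFoundHandler(), 10*time.Second))
}
```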
13) Best practices by language/stack (reference)
Node: `npm ci`, `NODE_ENV=production`, no dev-deps at runtime, `--heapsnapshot` off, uWS/GZip for the L7 proxy.
Python: wheels, `gunicorn --graceful-timeout`, `GTHREADS`/`uvicorn` workers sized per CPU, no unnecessary venv inside the shared layer.
Go: CGO off (where possible), `-ldflags="-s -w"`, distroless/static, `GOMAXPROCS` derived from cgroups.
Java: JAR, `-XX:MaxRAMPercentage`, CDS/Layered JAR.
14) Supply chain and image policy
Generate an SBOM in CI and store it next to the artifact.
Scan images on every push; gate on critical CVEs.
Sign images (cosign) and enable a policy controller (K8s: Kyverno/Conftest/Gatekeeper).
Separate build and run accounts/networks; cache dependencies in the private registry.
15) Anti-patterns
`:latest` in prod; no immutable tags.
Building "inside the prod host" without isolation; keeping secrets in the Dockerfile.
Running as root, with `--privileged`, or with broad capabilities.
Fat images (> 1-2 GB), no .dockerignore.
Init logic in a shell-form ENTRYPOINT → signal-handling problems.
Writing persistent data to the container layer instead of a volume.
A healthcheck that runs expensive queries against the prod DB.
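An added example (my own code, not from the page) for the tag policy of sections 2, 14 and 15: a Go reference parser and the gate a CI step or admission hook could apply to reject `:latest` and untagged references, optionally demanding the immutable digest form. `ParseRef` and `CheckPinned` are my own names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Ref is a parsed image reference: [registry/]repository[:tag][@digest].
type Ref struct {
	Repository, Tag, Digest string
}

var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// ParseRef splits an OCI image reference. The tag is taken only from the last path
// component so that a registry port ("registry:5000/app") is not mistaken for a tag.
func ParseRef(s string) (Ref, error) {
	var r Ref
	if i := strings.IndexByte(s, '@'); i >= 0 {
		r.Digest = s[i+1:]
		s = s[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	lastSlash := strings.LastIndexByte(s, '/')
	if i := strings.LastIndexByte(s, ':'); i > lastSlash {
		r.Tag = s[i+1:]
		s = s[:i]
	}
	if s == "" {
		return r, fmt.Errorf("empty repository in %q", s)
	}
	r.Repository = s
	return r, nil
}

// CheckPinned applies the production tag policy: a digest always passes (it pins the
// exact manifest), ":latest" and missing tags fail, and requireDigest rejects any
// tag-only reference because tags are mutable.
func CheckPinned(ref string, requireDigest bool) error {
	r, err := ParseRef(ref)
	if err != nil {
		return err
	}
	switch {
	case r.Digest != "":
		return nil
	case requireDigest:
		return fmt.Errorf("%s: digest required", ref)
	case r.Tag == "" || r.Tag == "latest":
		return fmt.Errorf("%s: mutable or missing tag", ref)
	}
	return nil
}
```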
16) Rollout checklist (days 0-45)
Days 0-10
Standardize the Dockerfile (multi-stage, .dockerignore, LABEL, pinned base).
Enable BuildKit/buildx and cache mounts for package managers.
Move to non-root and seccomp/AppArmor/SELinux profiles.
Days 11-25
Minimize runtime images (alpine/distroless), bring logging into order (rotation).
Tune resource limits, healthchecks, and correct PID 1/tini handling.
Stand up the private registry/cache, wire in the CVE scanner and SBOM generation.
Days 26-45
Introduce image signing and cluster admission policy.
Set up multi-arch (amd64/arm64) for the services that need it.
Document the build/release runbook; report on build-time metrics and vulnerabilities.
17) Maturity metrics
≥ 95% of services use immutable tags and reproducible builds.
Average runtime image size < 200-300 MB (per stack).
100% of prod containers run non-root, with restricted capabilities and a read-only FS.
SBOM and CVE scan for every push; a critical CVE → blocked.
Image signatures and policy enforcement across environments.
Container cold-start time ≤ the target SLO (e.g., 2-5 s), correct graceful shutdown.
18) Conclusion
Containerization is OCI standards + build discipline + security + observability and delivery policy. Use multi-stage builds and BuildKit, minimize runtime images, run under restrictive profiles, pin tags, scan and sign, and keep logs/resources/networking under control. Done this way, containers become the foundation of your platform, from development through to production.