docker

watch -n2 'docker ps --format=json --no-trunc | jq "select(.Image|startswith(\"dast.\")) | .ID,.Mounts"'
docker images --format json | jq -scr '.[] | select (.Repository=="python") | .Repository+":"+.Tag'

some refs:

tuning

Allocate IP pools

  • /etc/docker/daemon.json
    ...
    "bip": "10.216.0.1/17",
    "fixed-cidr": "10.216.0.1/17",
    "default-address-pools": [
      {"base": "10.216.128.0/17", "size": 24}
    ],
    ...

Enable userns-remap:

  • /etc/docker/daemon.json
    "userns-remap": "default"
  • /etc/subuid, /etc/subgid
    dockremap:231072:65536

When the process in the container should control other containers:

  • ls -l /var/run/docker*.sock

    srw-rw---- 1 231072 231072   0 ...  /var/run/docker_alt.sock
    srw-rw---- 1 root   docker   0 ...  /var/run/docker.sock
  • "hosts": ["unix:///var/run/docker.sock", "unix:///var/run/docker_alt.sock"]
    in /etc/docker/daemon.json

  • ExecStartPost=chown 231072:231072 /var/run/docker_alt.sock in /etc/systemd/system/docker.service.d/override.conf
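An added consistency check for the setup above (example code, not from these notes): it takes a daemon.json string plus /etc/subuid and /etc/subgid text and confirms that the alternate socket is listed in "hosts" and is owned by the uid:gid that container root maps to. Function names are hypothetical; on a live host pass os.stat(path).st_uid and .st_gid for the socket owner.

```python
import json
from typing import List, Tuple

def remap_names(cfg: dict) -> Tuple[str, str]:
    """Map daemon.json "userns-remap" to (user, group): "default" means the
    dockremap user/group; "user" or "user:group" are taken literally
    (numeric uid:gid forms are not handled in this example)."""
    value = cfg.get("userns-remap")
    if not value:
        raise ValueError('"userns-remap" is not set in daemon.json')
    if value == "default":
        return "dockremap", "dockremap"
    parts = value.split(":")
    return parts[0], parts[-1]

def first_sub_id(subid_text: str, name: str) -> int:
    """First subordinate id for `name` in /etc/subuid or /etc/subgid text."""
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == name:
            return int(fields[1])
    raise ValueError(f"no subordinate id range for {name}")

def check_alt_socket(daemon_json: str, subuid_text: str, subgid_text: str,
                     alt_socket: str, socket_uid: int, socket_gid: int) -> List[str]:
    """Return the problems found (empty list means the setup is consistent).
    socket_uid/gid come from os.stat(alt_socket).st_uid/.st_gid on a live host."""
    problems: List[str] = []
    cfg = json.loads(daemon_json)
    user, group = remap_names(cfg)
    # dockerd refuses to start when "hosts" is set here and the systemd unit
    # also passes -H; the override.conf then has to reset ExecStart too.
    if f"unix://{alt_socket}" not in cfg.get("hosts", []):
        problems.append(f"unix://{alt_socket} is not listed in daemon.json hosts")
    # Container root (uid/gid 0) maps to the first id of each subordinate
    # range, so the ExecStartPost chown must use exactly that uid:gid.
    want_uid = first_sub_id(subuid_text, user)
    want_gid = first_sub_id(subgid_text, group)
    if socket_uid != want_uid:
        problems.append(f"socket uid {socket_uid} != remapped root uid {want_uid}")
    if socket_gid != want_gid:
        problems.append(f"socket gid {socket_gid} != remapped root gid {want_gid}")
    return problems

if __name__ == "__main__":
    # Constructed inputs mirroring the notes above (not read from a real host).
    daemon = '{"userns-remap": "default", "hosts": ["unix:///var/run/docker.sock", "unix:///var/run/docker_alt.sock"]}'
    sub = "dockremap:231072:65536\n"
    print(check_alt_socket(daemon, sub, sub, "/var/run/docker_alt.sock", 231072, 231072))  # []
    print(check_alt_socket(daemon, sub, sub, "/var/run/docker_alt.sock", 0, 0))
```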