# Portability: UNIVERSAL
# Last validated: 2026-03-08 (Claude/BACH wiki-author)
# Next review: 2027-03-08
# Sources: docs.docker.com, The Docker Book (Turnbull), Docker Deep Dive (Poulton)

DOCKER - SOFTWARE CONTAINERIZATION
====================================

Date: 2026-03-08
Language: EN


WHAT IS DOCKER?
----------------
Docker is a platform for containerizing software. A container is a
lightweight, isolated runtime environment -- like a mini-VM but without
its own operating system. The container shares the host system's kernel
and starts in seconds instead of minutes.

Docker solves the "works on my machine" problem -- everyone gets the
exact same environment, regardless of operating system.


CORE CONCEPTS
--------------

  Image
  -----
    Immutable template (read-only). Contains OS base, dependencies and
    application code. Built from a Dockerfile. Images are layer-based --
    identical base layers are shared across images.

  Container
  ---------
    Running instance of an image. Isolated via Linux namespaces and
    cgroups. Ephemeral and disposable -- data is lost when the container
    is deleted (unless using volumes).

  Dockerfile
  ----------
    Text file with build instructions for an image. Each instruction
    creates a new layer. Order matters for cache efficiency.

  Registry
  --------
    Storage for images. Docker Hub is the default public registry.
    Private registries: GitHub Container Registry (ghcr.io), Amazon ECR,
    Google GCR, Azure ACR.

  Volume
  ------
    Persistent storage that survives container restarts and deletions.
    Mounted from the host filesystem.

  Docker Compose
  --------------
    Tool for declaratively defining multi-container setups. A single
    YAML file describes all services, networks, and volumes.

  Network
  -------
    Containers communicate via virtual networks. Default types:
    bridge (default, isolated), host (shares host network), none (no
    network). In Compose, services can address each other by name.


CONTAINERS VS. VIRTUAL MACHINES
---------------------------------

  Property          Container           VM
  ----------------------------------------------------------------
  Isolation         Process-level       Hardware-level
  Kernel            Shared with host    Own kernel
  Startup time      Seconds             Minutes
  Size              MBs                 GBs
  Overhead          Minimal             Significant (hypervisor)
  Portability       Very high           Medium
  Security          Less isolated       More isolated


DOCKERFILE -- BEST PRACTICES
------------------------------

  Example (Python application):

    FROM python:3.12-slim
    WORKDIR /app

    # Copy dependencies first (cache optimization)
    COPY requirements.txt .
    RUN pip install --no-cache-dir -r requirements.txt

    # Then the application code
    COPY src/ ./src/

    # Non-root user for security
    RUN useradd -m appuser
    USER appuser

    EXPOSE 8000
    CMD ["python", "-m", "uvicorn", "src.main:app", "--host", "0.0.0.0"]

  Tips:
    - Use small base images (slim, alpine)
    - Maintain .dockerignore (like .gitignore)
    - Place rarely changed layers first (cache!)
    - Use multi-stage builds for smaller production images
    - Never run as root in production
    - Use COPY instead of ADD (more explicit)
    - One process per container


ESSENTIAL COMMANDS
-------------------

  Images:
    docker build -t myapp:1.0 .           Build
    docker images                          List
    docker rmi myapp:1.0                   Remove
    docker pull nginx:latest               Download
    docker push myrepo/myapp:1.0           Upload

  Containers:
    docker run -d -p 8080:80 nginx         Start (detached, port mapping)
    docker run -it ubuntu bash             Start interactively
    docker ps                              Show running
    docker ps -a                           Show all (incl. stopped)
    docker stop <container>                Stop
    docker rm <container>                  Remove
    docker logs <container>                View logs
    docker exec -it <container> bash       Shell into container

  Volumes:
    docker volume create mydata            Create
    docker run -v mydata:/app/data ...     Mount
    docker volume ls                       List

  System:
    docker system prune                    Clean up (unused resources)
    docker stats                           Live resource usage


DOCKER COMPOSE
---------------

  Example (web app + database):

    # docker-compose.yml
    services:
      web:
        build: .
        ports:
          - "8000:8000"
        environment:
          - DATABASE_URL=postgresql://db:5432/app
        depends_on:
          - db
        restart: unless-stopped

      db:
        image: postgres:16
        volumes:
          - pgdata:/var/lib/postgresql/data
        environment:
          - POSTGRES_DB=app
          - POSTGRES_PASSWORD=${DB_PASSWORD}

    volumes:
      pgdata:

  Commands:
    docker compose up -d                   Start all services
    docker compose down                    Stop + remove all services
    docker compose logs -f web             Follow logs of a service
    docker compose ps                      Show status
    docker compose build                   Rebuild all images


PRACTICAL EXAMPLES
-------------------

  1. n8n (workflow automation):
     docker run -d --name n8n -p 5678:5678 n8nio/n8n

  2. PostgreSQL (database):
     docker run -d --name pg -p 5432:5432 -e POSTGRES_PASSWORD=secret postgres:16

  3. Nginx (web server):
     docker run -d -p 80:80 -v "$(pwd)/html":/usr/share/nginx/html nginx

  4. Development environment:
     docker run -it --rm -v "$(pwd)":/app -w /app python:3.12 bash


SECURITY
---------
  - Never run as root inside containers
  - Use official base images
  - Update images regularly (security patches)
  - Never hardcode secrets in images (use env vars, Docker Secrets)
  - Use container image scanning (Trivy, Snyk)
  - Use read-only filesystems where possible (--read-only)
  - Set resource limits (--memory, --cpus)
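
  One way to verify the checklist above on containers that are already
  running, using the JSON that docker inspect prints. This is an added
  example, not part of the original page; the audit function, the
  secret-name pattern and the sample objects are constructed for
  illustration.

```python
import re

# Assumed naming pattern for secret-like variables (not exhaustive).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)

def audit(container, image=None):
    """Check one `docker inspect` container object (and optionally its
    `docker image inspect` object) against the checklist above."""
    cfg, host = container.get("Config") or {}, container.get("HostConfig") or {}
    findings = []
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (no --read-only)")
    if not host.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit (--cpus)")
    # ENV baked into the image is readable by anyone who can pull it.
    for entry in ((image or {}).get("Config") or {}).get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append(f"secret-like ENV in image: {name}")
    return findings

# Constructed samples, reduced to the fields the checks read.
DEFAULT_RUN = {"Config": {"User": ""},
               "HostConfig": {"ReadonlyRootfs": False, "Memory": 0, "NanoCpus": 0}}
HARDENED_RUN = {"Config": {"User": "1000:1000"},
                "HostConfig": {"ReadonlyRootfs": True, "Memory": 268435456,
                               "NanoCpus": 500000000}}
LEAKY_IMAGE = {"Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                                  "API_KEY=constructed-value"]}}

if __name__ == "__main__":
    import json, sys
    # Usage: docker inspect <container>... | python audit.py
    for c in json.load(sys.stdin):
        print(c.get("Name"), audit(c))
```

  DEFAULT_RUN mirrors a container started with none of the hardening
  flags and yields four findings; HARDENED_RUN yields none.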


SEE ALSO
---------
  wiki/informatik/devops/README.txt              DevOps overview
  wiki/informatik/devops/docker.txt              Docker (Deutsch)
  wiki/n8n.txt                                   n8n workflow automation
  wiki/informatik/cloud_computing/               Cloud platforms
