moby / moby

Best Practices - moby/moby

Best Practices for Using Moby and Containerization

Moby project is an open-source project that advances the software containerization movement and helps the ecosystem take containers mainstream. It provides a library of components, a framework for assembling them into custom container-based systems and a place for all container enthusiasts to experiment and exchange ideas.

Design Philosophy

Moby is designed for system builders, who want to build their own container-based systems, not for application developers. Participants in the Moby project can choose from the library of components derived from Docker or they can elect to “bring your own components” (BYOC) packaged as containers with the option to mix and match among all of the components to create a customized container system. (source)

Programming Languages

Moby is built using the Go programming language and uses Git for version control. The documentation is written in Markdown.

Docker

Docker is a platform and runtime for building, distributing, and running containers. Moby uses Docker as a reference assembly, called Moby Origin, which is the open base for the Docker container platform. (source)

Apache License, Version 2.0

Moby is licensed under the Apache License, Version 2.0. This license allows users to use the software for any purpose, to distribute it, to modify it, and to distribute modified versions of the software under the terms of the license, without concern for royalties. (source)

Go Programming Language

Go is an open-source programming language developed by Google. It is a statically typed, compiled language that is designed to be simple and efficient. Moby uses Go for its containerd, libcontainer, and runC components.

Git

Git is a distributed version control system that allows multiple people to work on a project at the same time without overwriting each other’s changes. Moby uses Git for version control.

Markdown

Markdown is a lightweight markup language that allows users to format text easily. Moby uses Markdown for its documentation.

Dockerfile

A Dockerfile is a script that contains instructions for building a Docker image. It specifies the base image, the environment, and the commands that should be run when the container is started.

Containerd

Containerd is a daemon that manages the complete container lifecycle of its host system, including container execution, network and storage attachments, and container image management.

libcontainer

libcontainer is a library that provides a common API for container runtimes. It is used by Docker and other container runtimes to manage containers.

runC

runC is a CLI tool for spawning and running containers according to the OCI specification. It is the reference implementation of the OCI runtime specification and is used by Docker and other container runtimes to manage containers.

Networking

Moby supports multiple networking options, including bridge, overlay, and macvlan networks. These networks allow containers to communicate with each other and with the host system.

Best Practices

  • Use the latest version of Moby and its components to ensure that you have the latest security updates and features.
  • Use the Moby library of components to build your own container-based systems.
  • Use the Moby framework to assemble the components into custom container-based systems.
  • Use the Moby project as a place to experiment and exchange ideas with other container enthusiasts.
  • Use Docker as a reference assembly for your container-based systems.
  • Use the Go programming language, Git, and Markdown for your container-based systems.
  • Use Dockerfiles to build your Docker images.
  • Use containerd, libcontainer, and runC to manage your containers.
  • Use the networking options provided by Moby to allow your containers to communicate with each other and with the host system.

Examples

Here are some examples of how to use Moby and its components:

  • Use the docker run command to start a container:
docker run -it ubuntu bash
  • Use a Dockerfile to build a Docker image:
FROM ubuntu
RUN apt-get update && apt-get install -y nginx
EXPOSE 80
CMD ["nginx"]
  • Use containerd to manage containers:
containerd create --name my-container --image ubuntu
containerd start my-container
  • Use libcontainer to manage containers:
package main

import (
"github.com/docker/libcontainer/cgroups"
"github.com/docker/libcontainer/configs"
"github.com/docker/libcontainer/runtime"
)

func main() {
config := &configs.Config{
Cgroups: &cgroups.Config{
Path: "/my-cgroup",
},
Image: "ubuntu",
Name:  "my-container",
}

runtime.Create(config)
runtime.Start(config)
runtime.Remove(config)
}
  • Use runC to manage containers:
runc run --name my-container --bundle /var/run/my-container
  • Use the docker network command to manage networks:
docker network create --driver bridge my-network
docker network connect my-network my-container

Rootless Container Image Builds

Rootless container image builds (as distinct from rootless runtimes) have crept ever closer with orca-build, BuildKit, and img proving the concept. Rootless tooling like buildah, Kaniko, and Makisu are emerging, and they are desperately needed to secure build pipelines with an exposed Docker socket, which can be used by an attacker to escalate privilege. (source)

Conclusion

Moby is a powerful tool for building, distributing, and running containers. By following the best practices outlined in this document, you can ensure that you are using Moby and its components effectively and securely.