my coin miner flatlined when I ran the docker service create --name rng --network dockercoins --mode global \ --detach=false $REGISTRY/rng:$TAG but everything appears to be running
[ip-172-31-27-200] (local) docker@52.53.244.51 ~ $ docker service ls
ID            NAME      MODE        REPLICAS  IMAGE                     PORTS
7kk6e1ccwk3l  redis     replicated  1/1       redis:latest
of4lyei1dx34  hasher    replicated  1/1       127.0.0.1:5000/hasher:v1
phivtrd2ye2h  registry  replicated  1/1       registry:2                :5000->5000/tcp
qhn22vbhk461  webui     replicated  1/1       127.0.0.1:5000/webui:v1   :8000->80/tcp
wsekrt658omu  rng       global      5/5       127.0.0.1:5000/rng:v1
zxeku7ip9h1z  worker    replicated  10/10     127.0.0.1:5000/worker:v1
Rubén López
@rubenclopez
So what is the difference between docker run vs docker service?
Nicolas Degory
@ndegory
docker run creates and starts a container on your local docker engine
Rubén López
@rubenclopez
oh docker service is swarm?
Nicolas Degory
@ndegory
docker service creates a service on the swarm, and the orchestration will take care of scheduling tasks on the swarm
right
Rubén López
@rubenclopez
Got it. Thanks.
Karl Girthofer
@Kgirthofer
does docker service have built in self-healing?
Tony Pujals
@subfuzion
@rubenclopez Yes, to be clear you can use docker service create to create individual services and you can use docker stack deploy to deploy a whole stack of services, but this all relies on Docker swarm mode and that idea of services -> tasks/replicas -> containers
@Kgirthofer Yes, in swarm mode, the scheduler attempts to maintain your desired state
Laura Frank
@rheinwein
@Kgirthofer the docker service API is declarative, so swarm is constantly evaluating whether or not the actual state matches your desired state
Karl Girthofer
@Kgirthofer
sweet
Karl Girthofer
@Kgirthofer
all of that is configurable I presume?
quantities of b/g
i.e. 1000 containers, not going to b/g one at a time?
Nicolas Degory
@ndegory
yes, deploy options in the compose file
Karl Girthofer
@Kgirthofer
ah - as touched just now
Don Ebben
@debben
When we built, pushed, and deployed again, how did swarm know that there was a change despite the image tag staying the same? Is there an "always pull" behaviour by default?
unlike docker run, when creating tasks swarm will try to pull if there's a new version of the image
it checks the digest
Tony Pujals
@subfuzion
@debben Docker actually always pulls
in swarm mode each node will always pull the node image, the digest is used instead of the tag (which isn't necessarily the "latest" version with the same tag)
Laura Frank
@rheinwein
ProTip: see image digests with docker images --digests
Tony Pujals
@subfuzion
(and remember, there is only a digest once it is pushed to a registry)
Laura Frank
@rheinwein
pull an image at a digest with docker pull image@$digest
Jean Evans Pierre
@nucklehead
You mentioned the health-cmd is also supported in run/compose. What is the behavior when the health check fails?
Laura Frank
@rheinwein
in compose, if there is some dependency order where the dependency has a healthcheck (i.e. a database), the application that depends on that database will not start until the healthcheck for the dependency comes back OK
Jean Evans Pierre
@nucklehead
Ah ok great thanks
chankris2311
@chankris2311
This might be a stupid question for I am new to Containers. While updating, could you limit the update to less than 5 for a regressed image per se to avoid increased request on the healthy ones?
Didip Kerabat
@didip
If users prefer flexibility, is it better to hit /services HTTP API or use stack YAML?
Tony Pujals
@subfuzion
@nucklehead In v3 compose it's a bit different ... there is no formal mechanism for service startup dependency order ... there are a number of strategies to handle this. One of the simplest is if B depends on A, then B should just exit with an error if A is not available. Docker will continue to retry starting B (subject to any specific options). At some point if A is healthy (i.e., ready), then B will also succeed.
benzvan
@benzvan
Why are secrets stored world readable rather than more restricted?
Tony Pujals
@subfuzion
Another way is to divide your stackfile so that dependents start after the services they depend on. The stack files can still start services that will be part of the same named stack. But you can run separate checks to ensure the required services are ready from stackfile A and then start stackfile B (and again, to drive this point home, these can start services that are assigned to the same logical stack)
Nicolas Degory
@ndegory
@benzvan there's no assumption on which user will have to read it in the container
benzvan
@benzvan
Interesting. Makes sense.
Laura Frank
@rheinwein
@benzvan it's also recommended to 'lock' your swarm
Could the config feature just discussed be used to run custom postgresql sql scripts that set up an application's tables, users, roles etc. and avoid the need to create custom images with those scripts?
Tony Pujals
@subfuzion
And to augment @ndegory's statement, if you follow the general "one process per container model", then it is assumed the process you're running is authorized, regardless of the user you run it under. Obviously if you run other services in your container (not as root and not as your "main" process), then you need to be aware of the security ramifications.
Jean Evans Pierre
@nucklehead
@subfuzion Ok I see.
Tony Pujals
@subfuzion
@chgray54 I think the answer for you is yes -- but to be clear, only in the sense that you can use it to provide a script if your service already expects to run it at the mounted location
I'd like to build java/scala apps using swarm/docker. Is there an online reference I can be pointed to to look at for best practice? (what image to use, example dockerfile, etc.)