Docker.io Howto
Latest revision as of 18:05, 20 May 2018
Documentation
- https://linuxconfig.org/how-to-install-docker-on-ubuntu-18-04-bionic-beaver
- http://www.herr-norbert.de/2014/10/04/docker-owncloud/
- http://phusion.github.io/baseimage-docker/
- http://aws.amazon.com/de/ec2/ - to test running docker within a cloud
Basics
A running instance of an image is called a container. You can make changes to a container (e.g. delete a file), but these changes do not affect the image. However, you can create a new image from a container (including all its changes) using docker commit <container-id> <image-name>. Keep in mind that the commit captures everything that was written inside the container, including credentials, temporary files and shell history; docker diff <container-id> shows what would be captured, and a Dockerfile is the reproducible alternative.
Create Docker account
This step is optional and only needed if you want to push images to a public registry such as Docker Hub:
sudo docker login
Setup
Sample installation on Ubuntu 14.04.1:
itsecorg@pbuilder:~$ sudo aptitude install docker.io
Proxy setup
These steps apply to systemd hosts (Ubuntu 16.04 and later). On Ubuntu 14.04 docker.io is started by Upstart and reads its proxy from /etc/default/docker.io (export http_proxy="http://proxy:port/") instead.
- First, create a systemd drop-in directory for the docker service:
sudo mkdir /etc/systemd/system/docker.service.d
- Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
- If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"
- Flush changes:
sudo systemctl daemon-reload
- Verify that the configuration has been loaded:
sudo systemctl show --property Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
- Restart Docker:
sudo systemctl restart docker
The variables set here are only seen by the daemon (pull, push, search); they are not passed into containers or builds. They are also readable by every local user through systemctl show, so keep proxy credentials out of the URL where you can.
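The same procedure as a script, added here as an example (it is not part of the original page): it writes the drop-in, checks that a proxy is set and that loopback is exempted before systemd is reloaded, and only then restarts the daemon. The proxy and registry names are the placeholders from the steps above; HTTPS_PROXY is an addition, since registry traffic is HTTPS; the drop-in directory is a parameter so the write and check functions can be exercised on a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of the original page: write the docker daemon's
# proxy drop-in and check it before reloading systemd. Proxy and registry
# names are placeholders; the drop-in directory is a parameter so the
# functions can be tried on a scratch directory without touching /etc.

# write_proxy_dropin DIR PROXY_URL NO_PROXY_LIST
# Creates DIR/http-proxy.conf. HTTPS_PROXY is set as well (the page only
# shows HTTP_PROXY); registry traffic is HTTPS, so both are needed.
write_proxy_dropin() {
    dir=$1; proxy=$2; noproxy=$3
    mkdir -p "$dir"
    cat > "$dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$noproxy"
EOF
}

# dropin_value FILE NAME -> the value of Environment="NAME=..." in FILE
dropin_value() {
    sed -n "s/^Environment=\"$2=\(.*\)\"\$/\1/p" "$1"
}

# check_proxy_dropin FILE
# Succeeds only if a proxy is set and NO_PROXY exempts loopback (localhost
# and 127.0.0.0/8); otherwise the daemon would send traffic for a local
# registry through the proxy as well.
check_proxy_dropin() {
    f=$1
    grep -q '^\[Service\]' "$f" || return 1
    [ -n "$(dropin_value "$f" HTTP_PROXY)" ] || return 1
    noproxy=$(dropin_value "$f" NO_PROXY)
    case ",$noproxy," in
        *,localhost,*) ;;
        *) return 1 ;;
    esac
    case ",$noproxy," in
        *,127.0.0.0/8,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# apply_proxy_dropin: the real procedure (root on a systemd host).
# Defined only; nothing is changed unless you call it.
apply_proxy_dropin() {
    d=/etc/systemd/system/docker.service.d
    write_proxy_dropin "$d" "http://proxy.example.com:80/" \
        "localhost,127.0.0.0/8,docker-registry.somecorporation.com"
    check_proxy_dropin "$d/http-proxy.conf" || { echo "drop-in incomplete" >&2; return 1; }
    systemctl daemon-reload
    systemctl restart docker
    systemctl show --property Environment docker
}
```

Run apply_proxy_dropin as root on the docker host; the final systemctl show line is the same verification step as above and should list HTTP_PROXY, HTTPS_PROXY and NO_PROXY.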
Remove all images and containers
tim@pbuilder:~/dock1$ cat remove_all.sh
#!/bin/bash
# Delete all containers. Running containers have to be stopped first
# (docker rm refuses them), and xargs -r keeps docker from being called
# with an empty argument list when there is nothing to remove.
docker ps -a -q | xargs -r docker stop
docker ps -a -q | xargs -r docker rm
# Delete all images
docker images -q | xargs -r docker rmi
tim@pbuilder:~/dock1$
Image and Container Handling
Search images
sudo docker search --filter=stars=50 "ubuntu"
NAME      DESCRIPTION                  STARS   OFFICIAL   AUTOMATED
ubuntu    Official Ubuntu base image   934     [OK]
itsecorg@pbuilder:~$
The OFFICIAL column marks images curated by Docker Hub. Prefer those, or images whose Dockerfile you have reviewed, as base images; the star count alone says nothing about who maintains an image.
Install / list / remove images
itsecorg@pbuilder:~$ sudo docker pull ubuntu:14.04.1
itsecorg@pbuilder:~$ sudo docker images
REPOSITORY   TAG       IMAGE ID       CREATED       VIRTUAL SIZE
ubuntu       14.04.1   5506de2b643b   3 weeks ago   199.3 MB
itsecorg@pbuilder:~$
Pull an explicit tag rather than relying on the implicit latest. Tags are mutable, so when the exact content matters record the digest (docker images --digests) and pull by it: docker pull ubuntu@sha256:<digest>.
Remove
Remove Container
itsecorg@pbuilder:~$ sudo docker rm busybox
Remove Image(s)
itsecorg@pbuilder:~$ sudo docker rmi 0b310e6bf058 c5881f11ded9 463ff6be4238 195eb90b5349 3db9c44f4520
Show containers
itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=true
itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=false
CONTAINER ID   IMAGE            COMMAND                CREATED             STATUS                         PORTS   NAMES
09a4d97bdc2b   ubuntu:14.04.1   sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago           loving_hypatia
b4360f35202b   ubuntu:14.04.1   sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago           cocky_perlman
8d1fbf98c719   ubuntu:14.04.1   sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago           backstabbing_newton
--no-trunc=true prints the complete command line. It is stored with the container and readable by anyone who can talk to the daemon (docker ps --no-trunc, docker inspect), so do not pass secrets such as a proxy URL with credentials on the command line.
Create new image from container
Syntax:
sudo docker commit <container-id> <image-name>
Example:
sudo docker commit b4360f35202b ubuntu-new
Example vanilla postgres
Image for testing
The client image contains HTTP clients (wget, curl) and the postgres client, on top of ubuntu:14.04.1:
tim@ubuntu:~/docker$ cat ubu_client/Dockerfile
FROM ubuntu:14.04.1
MAINTAINER itsecorg@cactus.de
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
    apt-get install -y sharutils wget curl postgresql-client && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
tim@ubuntu:~/docker$
Building image
tim@ubuntu:~/docker/isodb$ cat Dockerfile.isodb.vanilla (apache Dockerfile: Dockerfile.isoweb)
tim@ubuntu:~/docker/isodb$ sudo docker build -t isodb:0.1 .
Sending build context to Docker daemon 513.5 kB
Sending build context to Docker daemon
Step 0 : FROM ubuntu:14.04.1
 ---> 04c5d3b7b065
Step 1 : MAINTAINER itsecorg@cactus.de
<snip>
Running image in container
Running in foreground
tim@ubuntu:~/docker/isodb$ sudo docker run --rm -P --name isodb_test isodb:0.1
2014-12-20 13:00:21 UTC LOG:  database system was interrupted; last known up at 2014-12-20 12:58:24 UTC
2014-12-20 13:00:21 UTC LOG:  database system was not properly shut down; automatic recovery in progress
2014-12-20 13:00:21 UTC LOG:  redo starts at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  record with zero length at 0/1782FB0
2014-12-20 13:00:21 UTC LOG:  redo done at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  last completed transaction was at log time 2014-12-20 12:58:24.396264+00
2014-12-20 13:00:21 UTC LOG:  database system is ready to accept connections
2014-12-20 13:00:21 UTC LOG:  autovacuum launcher started
-P publishes every port the image EXPOSEs on a random high host port bound to 0.0.0.0, so the database is reachable from the network and not only from the host; for local testing bind it to loopback explicitly with -p 127.0.0.1:5432:5432. The "not properly shut down" messages indicate that postgres was still running when the build layer was committed; stop the server cleanly at the end of the RUN step that initialises the database, otherwise every container starts with a crash recovery.
Running in background
tim@ubuntu:~/docker/isodb$ sudo docker run -d -P --name isodb0.9 --hostname=psql_server isodb:0.9
293fc3635360376d010072455b5b2bad6e5232b1e7aed1ff45a2857155ad4fbd
tim@ubuntu:~/docker/isodb$
Connecting to container
Connecting from host system
In a new window, find out the published port (docker port isodb0.9 5432 prints just the mapping):
tim@ubuntu:~/docker/isodb$ sudo docker ps
CONTAINER ID   IMAGE       COMMAND                CREATED          STATUS          PORTS                     NAMES
1858243dede0   isodb:0.3   /usr/lib/postgresql/   27 seconds ago   Up 26 seconds   0.0.0.0:49153->5432/tcp   isodb0.9
tim@ubuntu:~/docker/isodb$ psql -h localhost -p 49153 -d isodb -U itsecorg --password
Connecting from other container via link
Containers can be linked to another container's ports directly using --link remote_name:local_alias on the client's docker run. Docker then sets a number of environment variables in the client (<ALIAS>_PORT_<port>_TCP_ADDR, <ALIAS>_PORT_<port>_TCP_PORT, ...) and adds the alias to /etc/hosts, which can be used to connect. Two caveats: a legacy link also copies the linked container's environment into the client (as <ALIAS>_ENV_<name>), so credentials passed to the server with -e become visible to every linked client; and links are deprecated in favour of user-defined networks (docker network create), on which containers reach each other by name without any of this copying.
tim@ubuntu:~/docker/isodb$ sudo docker run --rm -t -i --hostname=psql_client --link isodb0.9:ubu1 isodb:0.9 bash
postgres@psql_client:/$ psql -h $UBU1_PORT_5432_TCP_ADDR -p $UBU1_PORT_5432_TCP_PORT -d isodb -U itsecorg --password
Password for user itsecorg:
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.

isodb=> select * from error limit 3;
          error_id           | error_lvl |           error_txt_ger           |           error_txt_eng
-----------------------------+-----------+-----------------------------------+------------------------------------
 MSG_NUMBER_CHANGES_RULE_CHG |         4 | Anzahl geaenderte Regeln          | number of rules changed
 MSG_NUMBER_CHANGES_SVC_CHG  |         4 | Anzahl geaenderte Dienste         | number of network services changed
 MSG_NUMBER_CHANGES_OBJ_CHG  |         4 | Anzahl geaenderte Netzwerkobjekte | number of network objects changed
(3 rows)

isodb=>
Running and linking second container
Building webserver:
tim@ubuntu:~/docker/isoweb$ sudo docker build -t isoweb:0.1 .
Running webserver in container:
tim@ubuntu:~/docker/isoweb$ sudo docker run --rm -P --name isoweb_test isoweb:0.1
[Sun Dec 21 12:49:43.697580 2014] [core:warn] [pid 1] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.127. Set the 'ServerName' directive globally to suppress this message
Starting up ubuntu client container and linking to webserver:
tim@ubuntu:~/docker/ubu_client$ sudo docker run --rm -t -i --hostname=ubuclient1 --link isoweb_test:ubu1 ubu_client bash
root@ubuclient1:/# wget --no-check-certificate https://$UBU1_PORT_443_TCP_ADDR:$UBU1_PORT_443_PORT
--2014-12-21 12:45:32--  https://172.17.0.119/
Connecting to 172.17.0.119:443... connected.
WARNING: cannot verify 172.17.0.119's certificate, issued by '/C=DE/O=Cactus eSecurity/L=Frankfurt/CN=09a2b0b24e0e /emailAddress=itsecorg@cactus.de':
  Self-signed certificate encountered.
WARNING: certificate common name '09a2b0b24e0e' doesn't match requested host name '172.17.0.119'.
HTTP request sent, awaiting response... 500 Internal Server Error
2014-12-21 12:45:32 ERROR 500: Internal Server Error.
root@ubuclient1:/#
Two things to note in this run. $UBU1_PORT_443_PORT is not a variable the link sets (the port variable is $UBU1_PORT_443_TCP_PORT), so it expanded to an empty string and the request only reached port 443 because that is wget's default for https. The certificate's CN is the hostname of the build container (09a2b0b24e0e), i.e. it was generated at build time, so every container started from isoweb:0.1 serves the same certificate and private key and the name never matches the address; --no-check-certificate hides this but also disables verification altogether. For a test setup, generate the certificate at container start or mount it in, and give the client the certificate to verify against (wget --ca-certificate=<file>) instead of switching verification off.
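The variable names a link sets follow a fixed scheme, and a mistyped name expands silently to an empty string, which is exactly what happened with $UBU1_PORT_443_PORT above and would equally hit the psql invocation in the previous section. As an added example (not from the original page), the helper below looks the variables up by alias and port and fails with a message instead of producing a half-formed address. The alias ubu1 and the address 172.17.0.119 from the transcript are reused as test data; the certificate path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: resolve a legacy-linked
# container from the <ALIAS>_PORT_<port>_TCP_{ADDR,PORT} variables that
# "docker run --link name:alias" injects, failing loudly when a variable
# is missing instead of letting it expand to an empty string.

# link_var ALIAS PORT ADDR|PORT -> value of <ALIAS>_PORT_<PORT>_TCP_<suffix>
link_var() {
    name=$(printf '%s_PORT_%s_TCP_%s' "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')
    # only ever eval a plain identifier, never something derived from input
    case $name in
        *[!A-Z0-9_]*) echo "bad link alias/port: $name" >&2; return 1 ;;
    esac
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
        echo "link variable $name is not set (container not linked, or wrong alias/port)" >&2
        return 1
    fi
    printf '%s\n' "$val"
}

# link_url SCHEME ALIAS PORT -> scheme://addr:port/
link_url() {
    addr=$(link_var "$2" "$3" ADDR) || return 1
    port=$(link_var "$2" "$3" PORT) || return 1
    printf '%s://%s:%s/\n' "$1" "$addr" "$port"
}

# Typical use inside the linked client container (not executed here;
# /etc/ssl/isoweb.crt is a placeholder for the server's certificate):
#   wget --ca-certificate=/etc/ssl/isoweb.crt "$(link_url https ubu1 443)"
#   psql -h "$(link_var ubu1 5432 ADDR)" -p "$(link_var ubu1 5432 PORT)" -d isodb -U itsecorg --password
```

Source the file in the client container (or paste the two functions into the shell there); with a missing link the commands abort with the variable name that was expected instead of connecting to the wrong place.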
Using phusion/baseimage
tim@pbuilder:~/phusion$ sudo docker search -s 100 "phusion"
NAME                DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
phusion/baseimage   A special image that is configured for cor...   451

tim@ubuntu:~$ sudo docker pull phusion/baseimage:0.9.15
tim@ubuntu:~$ sudo docker images
REPOSITORY          TAG       IMAGE ID       CREATED        VIRTUAL SIZE
ubuntu              14.04.1   04c5d3b7b065   4 days ago     192.7 MB
phusion/baseimage   0.9.15    cf39b476aeec   11 weeks ago   289.4 MB
tim@ubuntu:~$
...
# run container with ssh listening on port 2222/tcp and a shell in parallel
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 192.168.100.96:2222:22 -i phusion/baseimage:0.9.15
...
*** Runit started as PID 95
*** Running bash -l...
root@b2a9f8dfff35:/#

# run container with ssh listening on port 2222/tcp
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 2222:22 -i phusion/baseimage:0.9.15
...
*** Runit started as PID 95

tim@pbuilder:~/phusion$ sudo docker run --name="isodb" -h iso-db phusion/baseimage:0.9.15
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
No SSH host key available. Generating one...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Creating SSH2 ED25519 key; this may take some time ...
invoke-rc.d: policy-rc.d denied execution of restart.
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 95

tim@pbuilder:~$ pwd
/home/tim
tim@pbuilder:~$ cat phusion/Dockerfile
# Use phusion/baseimage as base image. To make your builds
# reproducible, make sure you lock down to a specific version, not
# to `latest`! See
# https://github.com/phusion/baseimage-docker/blob/master/Changelog.md
# for a list of version numbers.
FROM phusion/baseimage:0.9.15

# Set correct environment variables.
ENV HOME /root

# Regenerate SSH host keys. baseimage-docker does not contain any, so you
# have to do that yourself. You may also comment out this instruction; the
# init system will auto-generate one during boot.
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

# Use baseimage-docker's init system.
CMD ["/sbin/my_init"]

# ...put your own build instructions here...
RUN mkdir -p $HOME/.ssh
COPY id_rsa.pub $HOME/.ssh/
RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
RUN chmod 600 $HOME/.ssh/authorized_keys

# Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker build -t itsecorg/base phusion/
Sending build context to Docker daemon 4.608 kB
Sending build context to Docker daemon
Step 0 : FROM phusion/baseimage:0.9.15
 ---> cf39b476aeec
Step 1 : ENV HOME /root
 ---> Using cache
 ---> a6321e755610
Step 2 : RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 ---> Using cache
 ---> 37d8605f992d
Step 3 : CMD ["/sbin/my_init"]
 ---> Using cache
 ---> e6f97e12568c
Step 4 : RUN mkdir -p $HOME/.ssh
 ---> Using cache
 ---> dce7809f4362
Step 5 : COPY id_rsa.pub $HOME/.ssh/
 ---> Using cache
 ---> 3dfba0cc70c0
Step 6 : RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
 ---> Using cache
 ---> e235cefc1126
Step 7 : RUN chmod 600 $HOME/.ssh/authorized_keys
 ---> Using cache
 ---> 15c305685afe
Step 8 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 ---> Using cache
 ---> 1fc643e36a1d
Successfully built 1fc643e36a1d
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker images
REPOSITORY      TAG      IMAGE ID       CREATED          VIRTUAL SIZE
itsecorg/base   latest   1fc643e36a1d   28 minutes ago   292.2 MB

tim@pbuilder:~$ sudo docker run itsecorg/base -p 2222:22
2014/11/21 12:45:32 exec: "-p": executable file not found in $PATH
tim@pbuilder:~$ sudo docker run -p 2222:22 itsecorg/base
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 12

tim@pbuilder:~$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    User   Inode     PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   0      9228      819/sshd
tcp6       0      0 :::2222         :::*              LISTEN   0      1513329   11865/docker.io
tcp6       0      0 :::22           :::*              LISTEN   0      9230      819/sshd
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker ps -a
CONTAINER ID   IMAGE                      COMMAND                CREATED              STATUS                          PORTS   NAMES
d8ae08a0c160   3dfba0cc70c0               /bin/sh -c 'cat $HOM   About a minute ago   Exited (1) About a minute ago           desperate_almeida
e1aefedbc11c   phusion/baseimage:0.9.15   /sbin/my_init          About an hour ago    Up About an hour                        isodb
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
Error response from daemon: Impossible to remove a running container, please stop it first or use -f
2014/11/21 13:22:36 Error: failed to remove one or more containers
tim@pbuilder:~$ sudo docker stop e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$

Notes on this image and the session above:
- Options such as -p must come before the image name; everything after the image name is passed to the container as its command, which is why docker run itsecorg/base -p 2222:22 fails with exec: "-p": executable file not found.
- Running 00_regen_ssh_host_keys.sh in a RUN step bakes one set of SSH host keys into the image, so every container started from itsecorg/base, and everyone who pulls the image, holds the same host private keys. Leave that step out and let my_init generate the keys at first boot, as the comment in the Dockerfile already suggests.
- COPY followed by rm in a later RUN does not remove the file from the image: it stays in the COPY layer and can be extracted from docker save output. That is harmless for a public key such as id_rsa.pub, but never copy private keys or passwords into an image this way.
- -p 2222:22 binds the port on all host interfaces (netstat shows :::2222), so the container's sshd is reachable from the network; -p 192.168.100.96:2222:22 as used above, or -p 127.0.0.1:2222:22, restricts it to one address.
- A running container cannot be removed with docker rm; stop it first, or use docker rm -f.
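The three Dockerfile problems from the notes above (an unpinned base image, host keys generated at build time, and key material copied into a layer and then "removed") are easy to check mechanically before an image is built. The script below is an added example and not part of the original page or of phusion/baseimage; the rule names and output format are my own, and the sample Dockerfile it audits is constructed from the one shown above (comments dropped).

```shell
#!/bin/sh
# Added example, not part of the original page: audit a Dockerfile for the
# issues discussed above. Rule names and output format are made up for this
# example; the sample Dockerfile is constructed from the one on this page.

# audit_dockerfile FILE
# Prints one finding per line and returns 1 if anything was found.
audit_dockerfile() {
    f=$1; rc=0; copied=""
    while IFS= read -r line; do
        case $line in
            FROM*)
                ref=$(printf '%s\n' "$line" | awk '{print $2}')
                case $ref in
                    *:latest) printf 'unpinned base image: %s\n' "$ref"; rc=1 ;;
                    *@sha256:*|*:*) ;;          # pinned by digest or by tag
                    *) printf 'unpinned base image (no tag, resolves to latest): %s\n' "$ref"; rc=1 ;;
                esac ;;
            COPY*|ADD*)
                src=$(printf '%s\n' "$line" | awk '{print $2}')
                copied="$copied ${src##*/}"
                case ${src##*/} in
                    id_rsa|id_dsa|id_ecdsa|id_ed25519|*.pem|*.key)
                        printf 'private key material copied into a layer: %s\n' "$src"; rc=1 ;;
                esac ;;
            RUN*)
                case $line in
                    *regen_ssh_host_keys*|*ssh-keygen*)
                        printf 'SSH host keys generated at build time; every container from this image shares them\n'
                        rc=1 ;;
                esac
                case $line in
                    *" rm "*)
                        # rm in a later layer does not take the file out of the COPY layer
                        for b in $copied; do
                            case $line in
                                *"$b"*) printf 'rm of copied file %s does not remove it from the earlier layer\n' "$b"; rc=1 ;;
                            esac
                        done ;;
                esac ;;
        esac
    done < "$f"
    return $rc
}

# count_findings FILE -> number of findings, for use in scripts and CI checks
count_findings() {
    audit_dockerfile "$1" | wc -l | tr -d ' '
}

# sample_dockerfile -> path of a constructed copy of the Dockerfile above
sample_dockerfile() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
FROM phusion/baseimage:0.9.15
ENV HOME /root
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
CMD ["/sbin/my_init"]
RUN mkdir -p $HOME/.ssh
COPY id_rsa.pub $HOME/.ssh/
RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
RUN chmod 600 $HOME/.ssh/authorized_keys
EOF
    printf '%s\n' "$t"
}
```

Run audit_dockerfile phusion/Dockerfile before docker build; on the Dockerfile above it reports the baked-in host keys and the rm of the copied id_rsa.pub, and passes the pinned FROM line.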
Changing config files
Replacing settings:
RUN sed -i.orig \
    -e "s/^memory_limit\s*=.*/memory_limit = 200M/" \
    -e "s/^max_execution_time\s*=.*/max_execution_time = 900/" \
    -e "s/^default_charset\s*=.*/default_charset = \"utf-8\"/" \
    -e "s|^include_path\s*=.*|include_path = \"/usr/share/php:/usr/share/lib/php:/usr/share/itsecorg/web/include:/usr/share/itsecorg/etc:/usr/share/itsecorg/web/htdocs/inctxt:/usr/share/itsecorg/web/htdocs/hilfe\"|" \
    -e "s|^doc_root\s*=.*|doc_root = /usr/share/itsecorg/web|" \
    -e "s/^sql\.safe_mode\s*=.*/sql.safe_mode = On/" \
    -e "s/^expose_php\s*=.*/expose_php = Off/" \
    -e "s/^display_errors\s*=.*/display_errors = Off/" \
    -e "s/^display_startup_errors\s*=.*/display_startup_errors = Off/" \
    -e "s/^error_log\s*=.*/error_log = syslog/" \
    -e "s/^log_errors_max_len\s*=.*/log_errors_max_len = 0/" \
    -e "s/^pgsql\.log_notice\s*=.*/pgsql.log_notice = 1/" \
    -e "s|^session\.save_path\s*=.*|session.save_path = /var/itsecorg/session|" \
    -e "s/^session\.gc_maxlifetime\s*=.*/session.gc_maxlifetime = 14400/" \
    /etc/php5/apache2/php.ini /etc/php5/cli/php.ini
RUN sed -i.orig \
    -e "s|^host\s*all\s*all\s*127.0.0.1/32\s*md5|# &|" \
    -e "s|^host\s*all\s*all\s*::1/128\s*md5|# &|" \
    /etc/postgresql/9.3/main/pg_hba.conf
The ^name patterns only match directives that are active in the stock php.ini; directives that ship commented out (;error_log = ..., ;session.save_path = ...) are left untouched, so verify the result with php -i or grep after the build rather than trusting the sed run. expose_php = Off and display_errors = Off are the two hardening settings here (no version banner, no error details to clients). The Debian/Ubuntu path of the postgres cluster configuration is /etc/postgresql/<version>/<cluster>/, i.e. /etc/postgresql/9.3/main/pg_hba.conf. Commenting out the stock host all all rules is required for the rules appended below to have any effect, because pg_hba.conf is evaluated first-match.
Adding settings:
RUN printf '%s\n' \
    'host all dbadmin          127.0.0.1/32 md5' \
    'host all itsecorg         127.0.0.1/32 md5' \
    'host all +dbbackupusers   127.0.0.1/32 trust' \
    'host all +configimporters 127.0.0.1/32 trust' \
    'host all confexporter     127.0.0.1/32 trust' \
    'host all +secuadmins      127.0.0.1/32 md5' \
    'host all +reporters       127.0.0.1/32 md5' \
    'host all all              127.0.0.1/32 md5' \
    'host all all              ::1/128      md5' \
    >> /etc/postgresql/9.3/main/pg_hba.conf
A RUN cat <<EOT heredoc does not work in a classic Dockerfile: only the first line belongs to the RUN instruction, and the remaining lines are parsed as Dockerfile instructions (heredocs in RUN need BuildKit with Dockerfile syntax 1.4 or later), hence the printf form above. The trust entries deserve a second look: they grant the backup, importer and exporter roles access without any authentication to anything that can reach 127.0.0.1 inside the container, which is every process in the container and anyone with docker exec. md5 (or scram-sha-256 on newer servers) with per-role passwords stored outside the image is the safer choice.
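Because pg_hba.conf is first-match, the order of the stock and appended rules decides whether the rules above are live or dead, and the trust entries are worth flagging in any review of the file. The lint below is an added example, not part of the original page or of PostgreSQL: it reports trust rules and rules that can never match because an earlier all/all rule for the same connection type and address already catches them. The two sample files are constructed from the rules on this page, once with the stock rules commented out as the sed step above does, once with them left active.

```shell
#!/bin/sh
# Added example, not part of the original page: lint a pg_hba.conf for two
# things the rules above depend on. pg_hba.conf is first-match, so a rule
# that follows a broader "all all" rule for the same connection type and
# address is dead, and "trust" rules authenticate nobody. The sample files
# are constructed from the rules on this page.

# lint_pg_hba FILE -> one finding per line; returns 1 if there are findings
lint_pg_hba() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        type = $1; db = $2; user = $3
        if (type == "local") { addr = "local"; method = $4 } else { addr = $4; method = $5 }
        key = type " " addr
        if (key in catchall) {
            printf "line %d: never matches, shadowed by line %d: %s\n", NR, catchall[key], $0
            bad = 1
        }
        if (method == "trust") {
            printf "line %d: trust entry, no authentication for %s from %s\n", NR, user, addr
            bad = 1
        }
        # first all/all rule for this type+address catches everything after it
        if (db == "all" && user == "all" && !(key in catchall)) catchall[key] = NR
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# count_hba_findings FILE -> number of findings
count_hba_findings() {
    lint_pg_hba "$1" | wc -l | tr -d ' '
}

# sample_pg_hba hardened|default -> path of a constructed pg_hba.conf
# "hardened" is what the Dockerfile steps above produce (stock rules commented
# out, own rules appended); "default" leaves the stock rules active.
sample_pg_hba() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
# TYPE  DATABASE  USER              ADDRESS       METHOD
local   all       postgres                        peer
# host  all       all               127.0.0.1/32  md5
# host  all       all               ::1/128       md5
host    all       dbadmin           127.0.0.1/32  md5
host    all       itsecorg          127.0.0.1/32  md5
host    all       +dbbackupusers    127.0.0.1/32  trust
host    all       +configimporters  127.0.0.1/32  trust
host    all       confexporter      127.0.0.1/32  trust
host    all       +secuadmins       127.0.0.1/32  md5
host    all       +reporters        127.0.0.1/32  md5
host    all       all               127.0.0.1/32  md5
host    all       all               ::1/128       md5
EOF
    if [ "$1" = default ]; then
        sed 's/^# host/host/' "$t" > "$t.new" && mv "$t.new" "$t"
    fi
    printf '%s\n' "$t"
}
```

On the hardened file the lint reports only the three trust rules; on the file with the stock rules still active every appended rule is reported as shadowed, which is the situation the sed step in the Dockerfile prevents. Run it against the container's file with docker exec <container> cat /etc/postgresql/9.3/main/pg_hba.conf | lint_pg_hba /dev/stdin, or copy the file out with docker cp first.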