Difference between revisions of "Docker.io Howto"

From Cactus Howto

Latest revision as of 18:05, 20 May 2018

Documentation

  • https://linuxconfig.org/how-to-install-docker-on-ubuntu-18-04-bionic-beaver
  • http://www.herr-norbert.de/2014/10/04/docker-owncloud/
  • http://phusion.github.io/baseimage-docker/
  • http://aws.amazon.com/de/ec2/ - to test running docker within a cloud

Basics

A running instance of an image is called a container. You can make changes to a container (e.g. delete a file), but these changes will not affect the image. However, you can create a new image from a running container (including all its changes) using docker commit <container-id> <image-name>.

Create Docker account

This step is optional and only needed if you want to publicly upload images.

sudo docker login

Setup

Sample docker.io installation under Ubuntu 14.04.1:

itsecorg@pbuilder:~$ sudo aptitude install docker.io


Proxy setup

  • First, create a systemd drop-in directory for the docker service:
sudo mkdir /etc/systemd/system/docker.service.d
  • Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
  • If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"
  • Flush changes:
sudo systemctl daemon-reload
  • Verify that the configuration has been loaded:
sudo systemctl show --property Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
  • Restart Docker:
sudo systemctl restart docker
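The five steps above as one script, added here as an example (it is not the wiki's own script): the drop-in is written with loopback always present in NO_PROXY, checked before systemd is told about it, and only then does the daemon-reload/show/restart sequence run. proxy.example.com and docker-registry.somecorporation.com are the page's placeholders; HTTPS_PROXY is an addition to the page's two variables, and every function name is this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's own script: write the systemd drop-in for the
# docker service, sanity-check it, and only then reload/restart the daemon.
# proxy.example.com and docker-registry.somecorporation.com are the page's
# placeholders; function names here are this example's own.

# write_proxy_dropin DIR PROXY_URL NO_PROXY_LIST
# Creates DIR/http-proxy.conf. Loopback is always added to NO_PROXY so that
# traffic to a local registry or the daemon itself never leaves via the proxy.
write_proxy_dropin() {
    dir=$1; proxy=$2; no_proxy=$3
    mkdir -p "$dir" || return 1
    case "$no_proxy" in
        localhost,*|*,localhost,*|*,localhost|localhost) ;;
        "") no_proxy="localhost,127.0.0.0/8" ;;
        *)  no_proxy="localhost,127.0.0.0/8,$no_proxy" ;;
    esac
    # HTTPS_PROXY is an addition to the page's two variables; the daemon reads
    # it the same way as HTTP_PROXY for registries served over TLS.
    printf '[Service]\nEnvironment="HTTP_PROXY=%s"\nEnvironment="HTTPS_PROXY=%s"\nEnvironment="NO_PROXY=%s"\n' \
        "$proxy" "$proxy" "$no_proxy" > "$dir/http-proxy.conf"
}

# dropin_value FILE VARNAME: print the value of Environment="VARNAME=..."
dropin_value() {
    sed -n "s/^Environment=\"$2=\(.*\)\"\$/\1/p" "$1"
}

# check_proxy_dropin FILE: 0 if the [Service] header is present and
# HTTP_PROXY is an http(s) URL, 1 otherwise.
check_proxy_dropin() {
    grep -q '^\[Service\]$' "$1" || return 1
    case "$(dropin_value "$1" HTTP_PROXY)" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_proxy_dropin PROXY_URL NO_PROXY_LIST: the page's full sequence, to be
# run as root. It is defined here but not called automatically.
apply_proxy_dropin() {
    d=/etc/systemd/system/docker.service.d
    write_proxy_dropin "$d" "$1" "$2" \
        && check_proxy_dropin "$d/http-proxy.conf" \
        && systemctl daemon-reload \
        && systemctl show --property Environment docker \
        && systemctl restart docker
}
```

Run `apply_proxy_dropin "http://proxy.example.com:80/" "docker-registry.somecorporation.com"` as root; the `systemctl show` step prints the Environment line so you can confirm the drop-in was picked up before the restart.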

Remove all images and containers

tim@pbuilder:~/dock1$ cat remove_all.sh
#!/bin/bash
# Delete all (stopped) containers; xargs -r skips the call when the list is
# empty, where a bare "docker rm" would only print a usage error
docker ps -a -q | xargs -r docker rm
# Delete all images no longer referenced by a container
docker images -q | xargs -r docker rmi
tim@pbuilder:~/dock1$

Image and Container Handling

Search images

sudo docker search --filter=stars=50 "ubuntu"
NAME                                     DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
ubuntu                                   Official Ubuntu base image                      934       [OK]
itsecorg@pbuilder:~$

Install / list / remove images

itsecorg@pbuilder:~$ sudo docker pull ubuntu:14.04.1
itsecorg@pbuilder:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu              14.04.1             5506de2b643b        3 weeks ago         199.3 MB
itsecorg@pbuilder:~$

Remove

Remove Container

itsecorg@pbuilder:~$ sudo docker rm busybox

Remove Image(s)

itsecorg@pbuilder:~$ sudo docker rmi 0b310e6bf058 c5881f11ded9  463ff6be4238 195eb90b5349 3db9c44f4520

Show containers

itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=true
itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=false
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                           PORTS               NAMES
09a4d97bdc2b        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         loving_hypatia
b4360f35202b        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         cocky_perlman
8d1fbf98c719        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         backstabbing_newton

Create new image from container

Syntax:

sudo docker commit <container-id> <image-name>

Example:

sudo docker commit b4360f35202b ubuntu-new

Example vanilla postgres

Image for testing

... contains an HTTP client (wget, curl) and the PostgreSQL client (the ubu_client image):

tim@ubuntu:~/docker$ cat ubu_client/Dockerfile
FROM ubuntu:14.04.1
MAINTAINER itsecorg@cactus.de
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
  apt-get install -y sharutils wget curl postgresql-client && \
  apt-get clean && rm -rf /var/lib/apt/lists/*
tim@ubuntu:~/docker$

Building image

tim@ubuntu:~/docker/isodb$ cat Dockerfile.isodb.vanilla (apache Dockerfile: Dockerfile.isoweb)

tim@ubuntu:~/docker/isodb$ sudo docker build -t isodb:0.1 .
Sending build context to Docker daemon 513.5 kB
Sending build context to Docker daemon 
Step 0 : FROM ubuntu:14.04.1
 ---> 04c5d3b7b065
Step 1 : MAINTAINER itsecorg@cactus.de

<snip>

Running image in container

Running in foreground

tim@ubuntu:~/docker/isodb$ sudo docker run --rm -P --name isodb_test isodb:0.1
2014-12-20 13:00:21 UTC LOG:  database system was interrupted; last known up at 2014-12-20 12:58:24 UTC
2014-12-20 13:00:21 UTC LOG:  database system was not properly shut down; automatic recovery in progress
2014-12-20 13:00:21 UTC LOG:  redo starts at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  record with zero length at 0/1782FB0
2014-12-20 13:00:21 UTC LOG:  redo done at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  last completed transaction was at log time 2014-12-20 12:58:24.396264+00
2014-12-20 13:00:21 UTC LOG:  database system is ready to accept connections
2014-12-20 13:00:21 UTC LOG:  autovacuum launcher started

Running in background

tim@ubuntu:~/docker/isodb$ sudo docker run -d -P --name isodb0.9 --hostname=psql_server isodb:0.9
293fc3635360376d010072455b5b2bad6e5232b1e7aed1ff45a2857155ad4fbd
tim@ubuntu:~/docker/isodb$

Connecting to container

Connecting from host system

In a new terminal window, find out which host port the container's PostgreSQL port is published on:

tim@ubuntu:~/docker/isodb$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                     NAMES
1858243dede0        isodb:0.3           /usr/lib/postgresql/   27 seconds ago      Up 26 seconds       0.0.0.0:49153->5432/tcp   isodb0.9            
tim@ubuntu:~/docker/isodb$ psql -h localhost -p 49153 -d isodb -U itsecorg --password

Connecting from other container via link

Containers can be linked directly to another container's ports using --link remote_name:local_alias in the client's docker run. This sets a number of environment variables in the client container that can then be used to connect:

tim@ubuntu:~/docker/isodb$ sudo docker run --rm -t -i --hostname=psql_client --link isodb0.9:ubu1 isodb:0.9 bash
postgres@psql_client:/$ psql -h $UBU1_PORT_5432_TCP_ADDR -p $UBU1_PORT_5432_TCP_PORT -d isodb -U itsecorg --password
Password for user itsecorg: 
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.

isodb=> select * from error limit 3;
          error_id           | error_lvl |           error_txt_ger           |           error_txt_eng            
-----------------------------+-----------+-----------------------------------+------------------------------------
 MSG_NUMBER_CHANGES_RULE_CHG |         4 | Anzahl geaenderte Regeln          | number of rules changed
 MSG_NUMBER_CHANGES_SVC_CHG  |         4 | Anzahl geaenderte Dienste         | number of network services changed
 MSG_NUMBER_CHANGES_OBJ_CHG  |         4 | Anzahl geaenderte Netzwerkobjekte | number of network objects changed
(3 rows)

isodb=>
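The variables that --link exports follow the pattern <ALIAS>_PORT_<port>_TCP_ADDR and <ALIAS>_PORT_<port>_TCP_PORT with the alias upper-cased, which is what the psql line above relies on. The helper below, added here as an example and not part of the wiki page, reads them in the client container and fails loudly when a name is misspelt; in the webserver transcript further down the wget line uses $UBU1_PORT_443_PORT, a variable --link never sets, so the port expands to nothing and the request goes to https://172.17.0.119/ as the output shows. The function names are this example's own, and the values in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Cactus wiki page: read the connection
# parameters that a legacy `--link remote_name:local_alias` exports into the
# client container. Docker names them <ALIAS>_PORT_<port>_TCP_ADDR and
# <ALIAS>_PORT_<port>_TCP_PORT with ALIAS upper-cased. Aliases containing
# '-' are not handled here. All function names are this example's own.

# link_env ALIAS PORT SUFFIX: print the value of <ALIAS>_PORT_<PORT>_TCP_<SUFFIX>
# from the exported environment, or nothing if it is not set.
link_env() {
    alias_uc=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    env | sed -n "s/^${alias_uc}_PORT_${2}_TCP_${3}=//p"
}

# link_target ALIAS PORT: print "addr:port" for the linked service.
# Fails (exit 1) when either variable is missing, which is what happens with
# a wrong alias, a port the linked container does not expose, or a misspelt
# variable name such as UBU1_PORT_443_PORT.
link_target() {
    addr=$(link_env "$1" "$2" ADDR)
    port=$(link_env "$1" "$2" PORT)
    if [ -z "$addr" ] || [ -z "$port" ]; then
        echo "link $1: no variables for port $2 (check the alias and --link)" >&2
        return 1
    fi
    printf '%s:%s' "$addr" "$port"
}

# psql_link_cmd ALIAS DB USER: print the psql command line for the linked
# database, equivalent to the one typed in the transcript above.
psql_link_cmd() {
    target=$(link_target "$1" 5432) || return 1
    printf 'psql -h %s -p %s -d %s -U %s --password' \
        "${target%:*}" "${target#*:}" "$2" "$3"
}

# Usage inside the client container started with
#   docker run --rm -t -i --link isodb0.9:ubu1 isodb:0.9 bash
# is:
#   $(psql_link_cmd ubu1 isodb itsecorg)
```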

Running and linking second container

Building webserver:

tim@ubuntu:~/docker/isoweb$ sudo docker build -t isoweb:0.1 .

Running webserver in container:

tim@ubuntu:~/docker/isoweb$ sudo docker run --rm -P --name isoweb_test isoweb:0.1
[Sun Dec 21 12:49:43.697580 2014] [core:warn] [pid 1] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.127. Set the 'ServerName' directive  globally to suppress this message

Starting up ubuntu client container and linking to webserver:

tim@ubuntu:~/docker/ubu_client$ sudo docker run --rm -t -i --hostname=ubuclient1 --link isoweb_test:ubu1 ubu_client bash
root@ubuclient1:/# wget --no-check-certificate  https://$UBU1_PORT_443_TCP_ADDR:$UBU1_PORT_443_PORT
--2014-12-21 12:45:32--  https://172.17.0.119/
Connecting to 172.17.0.119:443... connected.
WARNING: cannot verify 172.17.0.119's certificate, issued by '/C=DE/O=Cactus eSecurity/L=Frankfurt/CN=09a2b0b24e0e /emailAddress=itsecorg@cactus.de':
 Self-signed certificate encountered.
   WARNING: certificate common name '09a2b0b24e0e' doesn't match requested host name '172.17.0.119'.
HTTP request sent, awaiting response... 500 Internal Server Error
2014-12-21 12:45:32 ERROR 500: Internal Server Error.

root@ubuclient1:/#

Using phusion/baseimage

tim@pbuilder:~/phusion$ sudo docker search -s 100 "phusion"
NAME                DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
phusion/baseimage   A special image that is configured for cor...   451

tim@ubuntu:~$ sudo docker pull phusion/baseimage:0.9.15
tim@ubuntu:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu              14.04.1             04c5d3b7b065        4 days ago          192.7 MB
phusion/baseimage   0.9.15              cf39b476aeec        11 weeks ago        289.4 MB
tim@ubuntu:~$ 

...
# run container with ssh listening on port 2222/tcp and a shell in parallel
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 192.168.100.96:2222:22 -i phusion/baseimage:0.9.15


...
*** Runit started as PID 95
*** Running bash -l...
root@b2a9f8dfff35:/# 

# run container with ssh listening on port 2222/tcp
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 2222:22 -i phusion/baseimage:0.9.15
...
*** Runit started as PID 95



tim@pbuilder:~/phusion$ sudo docker run --name="isodb" -h iso-db phusion/baseimage:0.9.15
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
No SSH host key available. Generating one...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Creating SSH2 ED25519 key; this may take some time ...
invoke-rc.d: policy-rc.d denied execution of restart.
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 95

tim@pbuilder:~$ pwd
/home/tim
tim@pbuilder:~$ cat phusion/Dockerfile
# Use phusion/baseimage as base image. To make your builds
# reproducible, make sure you lock down to a specific version, not
# to `latest`! See
# https://github.com/phusion/baseimage-docker/blob/master/Changelog.md
# for a list of version numbers.
FROM phusion/baseimage:0.9.15

# Set correct environment variables.
ENV HOME /root

# Regenerate SSH host keys. baseimage-docker does not contain any, so you
# have to do that yourself. You may also comment out this instruction; the
# init system will auto-generate one during boot.
# Note: keys generated here at build time are baked into the image, so every
# container started from it presents the same SSH host key.
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

# Use baseimage-docker's init system.
CMD ["/sbin/my_init"]

# ...put your own build instructions here...
RUN mkdir -p $HOME/.ssh
COPY id_rsa.pub $HOME/.ssh/
RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
RUN chmod 600 $HOME/.ssh/authorized_keys

# Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

tim@pbuilder:~$


tim@pbuilder:~$ sudo docker build -t itsecorg/base phusion/
Sending build context to Docker daemon 4.608 kB
Sending build context to Docker daemon
Step 0 : FROM phusion/baseimage:0.9.15
 ---> cf39b476aeec
Step 1 : ENV HOME /root
 ---> Using cache
 ---> a6321e755610
Step 2 : RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 ---> Using cache
 ---> 37d8605f992d
Step 3 : CMD ["/sbin/my_init"]
 ---> Using cache
 ---> e6f97e12568c
Step 4 : RUN mkdir -p $HOME/.ssh
 ---> Using cache
 ---> dce7809f4362
Step 5 : COPY id_rsa.pub $HOME/.ssh/
 ---> Using cache
 ---> 3dfba0cc70c0
Step 6 : RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
 ---> Using cache
 ---> e235cefc1126
Step 7 : RUN chmod 600 $HOME/.ssh/authorized_keys
 ---> Using cache
 ---> 15c305685afe
Step 8 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 ---> Using cache
 ---> 1fc643e36a1d
Successfully built 1fc643e36a1d
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
itsecorg/base       latest              1fc643e36a1d        28 minutes ago      292.2 MB


tim@pbuilder:~$ sudo docker run itsecorg/base -p 2222:22
2014/11/21 12:45:32 exec: "-p": executable file not found in $PATH
tim@pbuilder:~$ sudo docker run  -p 2222:22 itsecorg/base
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 12


tim@pbuilder:~$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9228        819/sshd
tcp6       0      0 :::2222                 :::*                    LISTEN      0          1513329     11865/docker.io
tcp6       0      0 :::22                   :::*                    LISTEN      0          9230        819/sshd
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker ps -a
CONTAINER ID        IMAGE                      COMMAND                CREATED              STATUS                          PORTS               NAMES
d8ae08a0c160        3dfba0cc70c0               /bin/sh -c 'cat $HOM   About a minute ago   Exited (1) About a minute ago                       desperate_almeida
e1aefedbc11c        phusion/baseimage:0.9.15   /sbin/my_init          About an hour ago    Up About an hour                                    isodb
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
Error response from daemon: Impossible to remove a running container, please stop it first or use -f
2014/11/21 13:22:36 Error: failed to remove one or more containers
tim@pbuilder:~$ sudo docker stop e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$

Changing config files

Replacing settings:

RUN sed -i.orig \
-e "s/^memory_limit\s*=.*/memory_limit = 200M/" \
-e "s/^max_execution_time\s*=.*/max_execution_time = 900/" \
-e "s/^default_charset\s*=.*/default_charset = \"utf-8\"/" \
-e "s|^include_path\s*=.*|include_path = \"/usr/share/php:/usr/share/lib/php:/usr/share/itsecorg/web/include:/usr/share/itsecorg/etc:/usr/share/itsecorg/web/htdocs/inctxt:/usr/share/itsecorg/web/htdocs/hilfe\"|" \
-e "s|^doc_root\s*=.*|doc_root = /usr/share/itsecorg/web|" \
-e "s/^sql\.safe_mode\s*=.*/sql.safe_mode = On/" \
-e "s/^expose_php\s*=.*/expose_php = Off/" \
-e "s/^display_errors\s*=.*/display_errors = Off/" \
-e "s/^display_startup_errors\s*=.*/display_startup_errors = Off/" \
-e "s/^error_log\s*=.*/error_log = syslog/" \
-e "s/^log_errors_max_len\s*=.*/log_errors_max_len = 0/" \
-e "s/^pgsql\.log_notice\s*=.*/pgsql.log_notice = 1/" \
-e "s|^session\.save_path\s*=.*|session.save_path = /var/itsecorg/session|" \
-e "s/^session\.gc_maxlifetime\s*=.*/session.gc_maxlifetime = 14400/" \
/etc/php5/apache2/php.ini /etc/php5/cli/php.ini

# Comment out the default loopback rules; on Debian/Ubuntu the cluster config
# lives under /etc/postgresql/<version>/main/
RUN sed -i.orig \
-e "s|^host\s*all\s*all\s*127\.0\.0\.1/32\s*md5|# &|" \
-e "s|^host\s*all\s*all\s*::1/128\s*md5|# &|" \
/etc/postgresql/9.3/main/pg_hba.conf

Adding settings:

# A here-document inside RUN is only understood by BuildKit's Dockerfile
# frontend (syntax 1.4 or newer); older builders read the following lines as
# separate instructions. Path as in the sed step above.
RUN cat <<EOT >> /etc/postgresql/9.3/main/pg_hba.conf
host    all         dbadmin             127.0.0.1/32          md5
host    all         itsecorg            127.0.0.1/32          md5
host    all         +dbbackupusers      127.0.0.1/32          trust
host    all         +configimporters    127.0.0.1/32          trust
host    all         confexporter        127.0.0.1/32          trust
host    all         +secuadmins         127.0.0.1/32          md5
host    all         +reporters          127.0.0.1/32          md5
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
EOT