Difference between revisions of "Docker.io Howto"

From Cactus Howto
Revision as of 10:59, 10 February 2018

Documentation

Basics

A running instance of an image is called a container. You can make changes to a container (e.g. delete a file), but these changes do not affect the image. However, you can create a new image from a running container (including all its changes) using docker commit <container-id> <image-name>.

Create Docker account

This step is optional and only needed if you want to publicly upload images.

sudo docker login

Setup

Sample Docker installation under Ubuntu 14.04.1:

itsecorg@pbuilder:~$ sudo aptitude install docker.io


Proxy setup

Old (not working)

Set proxy for docker:
  sudo sh -c 'echo export http_proxy="http://proxy.int.cactus.de:8080/" >> /etc/default/docker.io'
  sudo sh -c 'echo export https_proxy="http://proxy.int.cactus.de:8080/" >> /etc/default/docker.io'
  sudo service docker.io restart

New:

  1. First, create a systemd drop-in directory for the docker service:
     mkdir /etc/systemd/system/docker.service.d
  2. Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
     [Service]
     Environment="HTTP_PROXY=http://proxy.example.com:80/"
  3. If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable, so that the file contains:
     Environment="HTTP_PROXY=http://proxy.example.com:80/"
     Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"
  4. Flush changes:
     sudo systemctl daemon-reload
  5. Verify that the configuration has been loaded:
     sudo systemctl show --property Environment docker
     Environment=HTTP_PROXY=http://proxy.example.com:80/
  6. Restart Docker:
     sudo systemctl restart docker
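The systemd steps above as a script, added here as an example and not taken from the wiki page. It goes slightly beyond the page: it also sets HTTPS_PROXY (as the old /etc/default method did), overwrites the drop-in instead of appending so it can be re-run, and parses the output of the verification step. The proxy URL and registry name are the page's placeholders, not real hosts.

```shell
#!/bin/sh
# Added example (not the wiki page's code): write the Docker daemon proxy
# drop-in for systemd and verify it. Paths and values are parameters.
set -eu

# write_docker_proxy_dropin DIR PROXY_URL NO_PROXY
# Writes DIR/http-proxy.conf setting HTTP_PROXY, HTTPS_PROXY and NO_PROXY.
write_docker_proxy_dropin() {
  dir=$1; proxy=$2; noproxy=$3
  mkdir -p "$dir"
  # Overwrite (not append) so re-running never duplicates Environment= lines.
  cat > "$dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$noproxy"
EOF
}

# dropin_has_var FILE VAR VALUE
# Returns 0 if FILE contains exactly the line Environment="VAR=VALUE".
dropin_has_var() {
  grep -qxF "Environment=\"$2=$3\"" "$1"
}

# env_line_has_proxy LINE PROXY_URL
# Checks one "Environment=..." line, as printed by
# `systemctl show --property Environment docker`, for HTTP_PROXY=PROXY_URL.
env_line_has_proxy() {
  case " ${1#Environment=} " in
    *" HTTP_PROXY=$2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a real host (as root), mirroring the page's six steps:
#   write_docker_proxy_dropin /etc/systemd/system/docker.service.d \
#       http://proxy.example.com:80/ \
#       localhost,127.0.0.0/8,docker-registry.somecorporation.com
#   systemctl daemon-reload
#   env_line_has_proxy "$(systemctl show --property Environment docker)" \
#       http://proxy.example.com:80/ && systemctl restart docker
```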

Remove all images and containers

tim@pbuilder:~/dock1$ cat remove_all.sh
#!/bin/bash
# Delete all containers
docker rm $(docker ps -a -q)
# Delete all images
docker rmi $(docker images -q)
tim@pbuilder:~/dock1$

Image and Container Handling

Search images

sudo docker search -s 10 "ubuntu"
NAME                                     DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
ubuntu                                   Official Ubuntu base image                      934       [OK]
dockerfile/ubuntu                        Trusted automated Ubuntu (http://www.ubunt...   32                   [OK]
crashsystems/gitlab-docker               A trusted, regularly updated build of GitL...   21                   [OK]
ansible/ubuntu14.04-ansible              Ubuntu 14.04 LTS with ansible                   21                   [OK]
clue/ttrss                               The Tiny Tiny RSS feed reader allows you t...   19                   [OK]
mbentley/ubuntu-django-uwsgi-nginx                                                       17                   [OK]
sylvainlasnier/memcached                 Memcached docker images based on Ubuntu 14...   17                   [OK]
ubuntu-upstart                           Upstart is an event-based replacement for ...   16        [OK]
dockerfile/ubuntu-desktop                Trusted automated Ubuntu Desktop (LXDE) (h...   14                   [OK]
tutum/ubuntu                             Ubuntu image with SSH access. For the root...   13                   [OK]
tinyerp/ubuntu-openerp                   Run OpenERP on Ubuntu - September 2014          10
itsecorg@pbuilder:~$

Install / list / remove images

itsecorg@pbuilder:~$ sudo docker pull ubuntu:14.04.1
itsecorg@pbuilder:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu              14.04.1             5506de2b643b        3 weeks ago         199.3 MB
itsecorg@pbuilder:~$

Remove

Remove Container

itsecorg@pbuilder:~$ sudo docker rm busybox

Remove Image(s)

itsecorg@pbuilder:~$ sudo docker rmi 0b310e6bf058 c5881f11ded9  463ff6be4238 195eb90b5349 3db9c44f4520

Show containers

itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=true
itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=false
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                           PORTS               NAMES
09a4d97bdc2b        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         loving_hypatia
b4360f35202b        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         cocky_perlman
8d1fbf98c719        ubuntu:14.04.1      sudo http_proxy=http   About an hour ago   Exited (0) About an hour ago                         backstabbing_newton

Create new image from container

Syntax:

sudo docker commit <container-id> <image-name>

Example:

sudo docker commit b4360f35202b ubuntu-new

Example vanilla postgres

Image for testing

The test image (ubu_client) contains HTTP and PostgreSQL command-line clients:

tim@ubuntu:~/docker$ cat ubu_client/Dockerfile
FROM ubuntu:14.04.1
MAINTAINER itsecorg@cactus.de
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
  apt-get install -y sharutils wget curl postgresql-client && \
  apt-get clean && rm -rf /var/lib/apt/lists/*
tim@ubuntu:~/docker$

Building image

tim@ubuntu:~/docker/isodb$ cat Dockerfile.isodb.vanilla (apache Dockerfile: Dockerfile.isoweb)

tim@ubuntu:~/docker/isodb$ sudo docker build -t isodb:0.1 .
Sending build context to Docker daemon 513.5 kB
Sending build context to Docker daemon 
Step 0 : FROM ubuntu:14.04.1
 ---> 04c5d3b7b065
Step 1 : MAINTAINER itsecorg@cactus.de

<snip>

Running image in container

Running in foreground

tim@ubuntu:~/docker/isodb$ sudo docker run --rm -P --name isodb_test isodb:0.1
2014-12-20 13:00:21 UTC LOG:  database system was interrupted; last known up at 2014-12-20 12:58:24 UTC
2014-12-20 13:00:21 UTC LOG:  database system was not properly shut down; automatic recovery in progress
2014-12-20 13:00:21 UTC LOG:  redo starts at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  record with zero length at 0/1782FB0
2014-12-20 13:00:21 UTC LOG:  redo done at 0/1782F70
2014-12-20 13:00:21 UTC LOG:  last completed transaction was at log time 2014-12-20 12:58:24.396264+00
2014-12-20 13:00:21 UTC LOG:  database system is ready to accept connections
2014-12-20 13:00:21 UTC LOG:  autovacuum launcher started

Running in background

tim@ubuntu:~/docker/isodb$ sudo docker run -d -P --name isodb0.9 --hostname=psql_server isodb:0.9
293fc3635360376d010072455b5b2bad6e5232b1e7aed1ff45a2857155ad4fbd
tim@ubuntu:~/docker/isodb$

Connecting to container

Connecting from host system

In a new window, find out the listening port:

tim@ubuntu:~/docker/isodb$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                     NAMES
1858243dede0        isodb:0.3           /usr/lib/postgresql/   27 seconds ago      Up 26 seconds       0.0.0.0:49153->5432/tcp   isodb0.9            
tim@ubuntu:~/docker/isodb$ psql -h localhost -p 49153 -d isodb -U itsecorg --password

Connecting from other container via link

Containers can be linked to another container's ports directly using --link remote_name:local_alias in the client's docker run. This sets a number of environment variables (named after the alias) that can then be used to connect:

tim@ubuntu:~/docker/isodb$ sudo docker run --rm -t -i --hostname=psql_client --link isodb0.9:ubu1 isodb:0.9 bash
postgres@psql_client:/$ psql -h $UBU1_PORT_5432_TCP_ADDR -p $UBU1_PORT_5432_TCP_PORT -d isodb -U itsecorg --password
Password for user itsecorg: 
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.

isodb=> select * from error limit 3;
          error_id           | error_lvl |           error_txt_ger           |           error_txt_eng            
-----------------------------+-----------+-----------------------------------+------------------------------------
 MSG_NUMBER_CHANGES_RULE_CHG |         4 | Anzahl geaenderte Regeln          | number of rules changed
 MSG_NUMBER_CHANGES_SVC_CHG  |         4 | Anzahl geaenderte Dienste         | number of network services changed
 MSG_NUMBER_CHANGES_OBJ_CHG  |         4 | Anzahl geaenderte Netzwerkobjekte | number of network objects changed
(3 rows)

isodb=>

Running and linking second container

Building webserver:

tim@ubuntu:~/docker/isoweb$ sudo docker build -t isoweb:0.1 .

Running webserver in container:

tim@ubuntu:~/docker/isoweb$ sudo docker run --rm -P --name isoweb_test isoweb:0.1
[Sun Dec 21 12:49:43.697580 2014] [core:warn] [pid 1] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.127. Set the 'ServerName' directive  globally to suppress this message

Starting up ubuntu client container and linking to webserver:

tim@ubuntu:~/docker/ubu_client$ sudo docker run --rm -t -i --hostname=ubuclient1 --link isoweb_test:ubu1 ubu_client bash
root@ubuclient1:/# wget --no-check-certificate  https://$UBU1_PORT_443_TCP_ADDR:$UBU1_PORT_443_PORT
--2014-12-21 12:45:32--  https://172.17.0.119/
Connecting to 172.17.0.119:443... connected.
WARNING: cannot verify 172.17.0.119's certificate, issued by '/C=DE/O=Cactus eSecurity/L=Frankfurt/CN=09a2b0b24e0e /emailAddress=itsecorg@cactus.de':
 Self-signed certificate encountered.
   WARNING: certificate common name '09a2b0b24e0e' doesn't match requested host name '172.17.0.119'.
HTTP request sent, awaiting response... 500 Internal Server Error
2014-12-21 12:45:32 ERROR 500: Internal Server Error.

root@ubuclient1:/#

Using phusion/baseimage

tim@pbuilder:~/phusion$ sudo docker search -s 100 "phusion"
NAME                DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
phusion/baseimage   A special image that is configured for cor...   451

tim@ubuntu:~$ sudo docker pull phusion/baseimage:0.9.15
tim@ubuntu:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu              14.04.1             04c5d3b7b065        4 days ago          192.7 MB
phusion/baseimage   0.9.15              cf39b476aeec        11 weeks ago        289.4 MB
tim@ubuntu:~$ 

...
# run container with ssh listening on port 2222/tcp and a shell in parallel
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 192.168.100.96:2222:22 -i phusion/baseimage:0.9.15


...
*** Runit started as PID 95
*** Running bash -l...
root@b2a9f8dfff35:/# 

# run container with ssh listening on port 2222/tcp
tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 2222:22 -i phusion/baseimage:0.9.15
...
*** Runit started as PID 95



tim@pbuilder:~/phusion$ sudo docker run --name="isodb" -h iso-db phusion/baseimage:0.9.15
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
No SSH host key available. Generating one...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Creating SSH2 ED25519 key; this may take some time ...
invoke-rc.d: policy-rc.d denied execution of restart.
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 95

tim@pbuilder:~$ pwd
/home/tim
tim@pbuilder:~$ cat phusion/Dockerfile
# Use phusion/baseimage as base image. To make your builds
# reproducible, make sure you lock down to a specific version, not
# to `latest`! See
# https://github.com/phusion/baseimage-docker/blob/master/Changelog.md
# for a list of version numbers.
FROM phusion/baseimage:0.9.15

# Set correct environment variables.
ENV HOME /root

# Regenerate SSH host keys. baseimage-docker does not contain any, so you
# have to do that yourself. You may also comment out this instruction; the
# init system will auto-generate one during boot.
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

# Use baseimage-docker's init system.
CMD ["/sbin/my_init"]

# ...put your own build instructions here...
RUN mkdir -p $HOME/.ssh
COPY id_rsa.pub $HOME/.ssh/
RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
RUN chmod 600 $HOME/.ssh/authorized_keys

# Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

tim@pbuilder:~$


tim@pbuilder:~$ sudo docker build -t itsecorg/base phusion/
Sending build context to Docker daemon 4.608 kB
Sending build context to Docker daemon
Step 0 : FROM phusion/baseimage:0.9.15
 ---> cf39b476aeec
Step 1 : ENV HOME /root
 ---> Using cache
 ---> a6321e755610
Step 2 : RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 ---> Using cache
 ---> 37d8605f992d
Step 3 : CMD ["/sbin/my_init"]
 ---> Using cache
 ---> e6f97e12568c
Step 4 : RUN mkdir -p $HOME/.ssh
 ---> Using cache
 ---> dce7809f4362
Step 5 : COPY id_rsa.pub $HOME/.ssh/
 ---> Using cache
 ---> 3dfba0cc70c0
Step 6 : RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub
 ---> Using cache
 ---> e235cefc1126
Step 7 : RUN chmod 600 $HOME/.ssh/authorized_keys
 ---> Using cache
 ---> 15c305685afe
Step 8 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 ---> Using cache
 ---> 1fc643e36a1d
Successfully built 1fc643e36a1d
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
itsecorg/base       latest              1fc643e36a1d        28 minutes ago      292.2 MB


tim@pbuilder:~$ sudo docker run itsecorg/base -p 2222:22
2014/11/21 12:45:32 exec: "-p": executable file not found in $PATH
tim@pbuilder:~$ sudo docker run  -p 2222:22 itsecorg/base
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 12


tim@pbuilder:~$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9228        819/sshd
tcp6       0      0 :::2222                 :::*                    LISTEN      0          1513329     11865/docker.io
tcp6       0      0 :::22                   :::*                    LISTEN      0          9230        819/sshd
tim@pbuilder:~$

tim@pbuilder:~$ sudo docker ps -a
CONTAINER ID        IMAGE                      COMMAND                CREATED              STATUS                          PORTS               NAMES
d8ae08a0c160        3dfba0cc70c0               /bin/sh -c 'cat $HOM   About a minute ago   Exited (1) About a minute ago                       desperate_almeida
e1aefedbc11c        phusion/baseimage:0.9.15   /sbin/my_init          About an hour ago    Up About an hour                                    isodb
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
Error response from daemon: Impossible to remove a running container, please stop it first or use -f
2014/11/21 13:22:36 Error: failed to remove one or more containers
tim@pbuilder:~$ sudo docker stop e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$ sudo docker rm e1aefedbc11c
e1aefedbc11c
tim@pbuilder:~$

Changing config files

Replacing settings:

RUN sed -i.orig \
-e "s/^memory_limit\s*=.*/memory_limit = 200M/" \
-e "s/^max_execution_time\s*=.*/max_execution_time = 900/" \
-e "s/^default_charset\s*=.*/default_charset = \"utf\-8\"/" \
-e "s|^include_path\s*=.*|include_path = \"/usr/share/php:/usr/share/lib/php:/usr/share/itsecorg/web/include:/usr/share/itsecorg/etc:/usr/share/itsecorg/web/htdocs/inctxt:/usr/share/itsecorg/web/htdocs/hilfe\"|" \
-e "s|^doc_root\s*=.*|doc_root = /usr/share/itsecorg/web|" \
-e "s/^sql\.safe_mode\s*=.*/sql.safe_mode = On/" \
-e "s/^expose_php\s*=.*/expose_php = Off/" \
-e "s/^display_errors\s*=.*/display_errors = Off/" \
-e "s/^display_startup_errors\s*=.*/display_startup_errors = Off/" \
-e "s/^error_log\s*=.*/error_log = syslog/" \
-e "s/^log_errors_max_len\s*=.*/log_errors_max_len = 0/" \
-e "s/^pgsql\.log_notice\s*=.*/pgsql.log_notice = 1/" \
-e "s|^session\.save_path\s*=.*|session.save_path = /var/itsecorg/session|" \
-e "s/^session\.gc_maxlifetime\s*=.*/session\.gc_maxlifetime = 14400/" \
/etc/php5/apache2/php.ini /etc/php5/cli/php.ini

# Debian/Ubuntu keep cluster configs under /etc/postgresql/<version>/<cluster>/
RUN sed -i.orig \
-e "s|^host\s*all\s*all\s*127.0.0.1/32\s*md5|# &|" \
-e "s|^host\s*all\s*all\s*::1/128\s*md5|# &|" \
/etc/postgresql/9.3/main/pg_hba.conf

Adding settings:

# A heredoc spanning several lines inside RUN only works with BuildKit
# (Dockerfile frontend 1.4 or newer); on the Docker versions used here each
# line would be parsed as a separate instruction, so write the lines with
# printf and line continuations instead. pg_hba rules are matched first hit
# wins, so the role-specific lines must precede the catch-all ones. "trust"
# gives these roles password-less access from 127.0.0.1, i.e. from any
# process running inside the container.
RUN printf '%s\n' \
  'host    all         dbadmin             127.0.0.1/32          md5' \
  'host    all         itsecorg            127.0.0.1/32          md5' \
  'host    all         +dbbackupusers      127.0.0.1/32          trust' \
  'host    all         +configimporters    127.0.0.1/32          trust' \
  'host    all         confexporter        127.0.0.1/32          trust' \
  'host    all         +secuadmins         127.0.0.1/32          md5' \
  'host    all         +reporters          127.0.0.1/32          md5' \
  'host    all         all                 127.0.0.1/32          md5' \
  'host    all         all                 ::1/128               md5' \
  >> /etc/postgresql/9.3/main/pg_hba.conf
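To check what the appended pg_hba.conf rules actually grant, here is an added audit script (not from the wiki page) that evaluates the rules the way PostgreSQL does, first match wins, and lists the entries that use trust. The sample file is constructed from the page's rules; group membership for +group entries is passed in as an argument because the server would read it from its own catalog.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit pg_hba.conf "host" rules
# with first-match-wins semantics to see which auth method a connection gets.
set -eu

# write_sample_pg_hba FILE: constructed sample, the page's appended rules
# plus the default line the sed step commented out.
write_sample_pg_hba() {
  cat > "$1" <<'EOF'
# host    all         all             127.0.0.1/32            md5
host    all         dbadmin             127.0.0.1/32          md5
host    all         itsecorg            127.0.0.1/32          md5
host    all         +dbbackupusers      127.0.0.1/32          trust
host    all         +configimporters    127.0.0.1/32          trust
host    all         confexporter        127.0.0.1/32          trust
host    all         +secuadmins         127.0.0.1/32          md5
host    all         +reporters          127.0.0.1/32          md5
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
EOF
}

# pg_hba_method FILE DBNAME USER ADDR [GROUPS]
# Prints the auth method of the first matching "host" rule, or nothing when
# no rule matches (PostgreSQL then rejects the connection). GROUPS is a
# comma-separated list of roles USER belongs to, used for "+group" entries;
# the server takes that from pg_authid, here it is supplied (assumption).
pg_hba_method() {
  awk -v db="$2" -v user="$3" -v addr="$4" -v groups="${5:-}" '
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^[ \t]*#/ || NF < 5 { next }   # skip comments and blank lines
    $1 != "host" { next }           # only TCP rules are relevant here
    {
      grp = substr($3, 2)
      userok = ($3 == "all" || $3 == user || (substr($3, 1, 1) == "+" && (grp in member)))
      # exact CIDR string comparison is enough for this audit
      if (($2 == "all" || $2 == db) && userok && $4 == addr) { print $5; exit }
    }' "$1"
}

# pg_hba_trust_users FILE: user/group column of every active trust rule,
# i.e. who gets password-less access.
pg_hba_trust_users() {
  awk '!/^[ \t]*#/ && $1 == "host" && $5 == "trust" { print $3 }' "$1"
}
```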