Docker.io Howto
From Cactus Howto
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Documentation
- http://www.herr-norbert.de/2014/10/04/docker-owncloud/
- http://phusion.github.io/baseimage-docker/
- http://aws.amazon.com/de/ec2/ - to test running docker within a cloud
- http://docs.docker.com/examples/postgresql_service/
Basics
A running instance of an image is called container. You can make changes to a container (e.g. delete a file), but these changes will not affect the image. However, you can create a new image from a running container (and all it changes) using docker commit <container-id> <image-name>.
Create Docker account
This step is optional and only needed if you want to publicly upload images.
sudo docker login
Setup
sample docker running under Ubuntu 14.04.1:
itsecorg@pbuilder:~$ sudo aptitude install docker.io
Proxy setup
- First, create a systemd drop-in directory for the docker service:
sudo mkdir /etc/systemd/system/docker.service.d
- Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service] Environment="HTTP_PROXY=http://proxy.example.com:80/"
- If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:
Environment="HTTP_PROXY=http://proxy.example.com:80/" Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"
- Flush changes:
sudo systemctl daemon-reload
- Verify that the configuration has been loaded:
sudo systemctl show --property Environment docker Environment=HTTP_PROXY=http://proxy.example.com:80/
- Restart Docker:
sudo systemctl restart docker
Remove all images and containers
tim@pbuilder:~/dock1$ cat remove_all.sh #!/bin/bash # Delete all containers docker rm $(docker ps -a -q) # Delete all images docker rmi $(docker images -q) tim@pbuilder:~/dock1$
Image and Container Handling
Search images
sudo docker search --filter=stars=50 "ubuntu"
NAME DESCRIPTION STARS OFFICIAL AUTOMATED ubuntu Official Ubuntu base image 934 [OK] itsecorg@pbuilder:~$
Install / list / remove images
itsecorg@pbuilder:~$ sudo docker pull ubuntu:14.04.1 itsecorg@pbuilder:~$ sudo docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE ubuntu 14.04.1 5506de2b643b 3 weeks ago 199.3 MB itsecorg@pbuilder:~$
Remove
Remove Container
itsecorg@pbuilder:~$ sudo docker rm busybox
Remove Image(s)
itsecorg@pbuilder:~$ sudo docker rmi 0b310e6bf058 c5881f11ded9 463ff6be4238 195eb90b5349 3db9c44f4520
Show containers
itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=true itsecorg@pbuilder:~$ sudo docker ps -a --no-trunc=false CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 09a4d97bdc2b ubuntu:14.04.1 sudo http_proxy=http About an hour ago Exited (0) About an hour ago loving_hypatia b4360f35202b ubuntu:14.04.1 sudo http_proxy=http About an hour ago Exited (0) About an hour ago cocky_perlman 8d1fbf98c719 ubuntu:14.04.1 sudo http_proxy=http About an hour ago Exited (0) About an hour ago backstabbing_newton
Create new image from container
Syntax:
sudo docker commit <container-id> <image-name>
Example:
sudo docker commit b4360f35202b ubuntu-new
Example vanilla postgres
Image for testing
... contains http and postgres client (ubuntu client):
tim@ubuntu:~/docker$ cat ubu_client/Dockerfile
FROM ubuntu:14.04.1 MAINTAINER itsecorg@cactus.de RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ apt-get install -y sharutils wget curl postgresql-client && \ apt-get clean && rm -rf /var/lib/apt/lists/*
tim@ubuntu:~/docker$
Building image
tim@ubuntu:~/docker/isodb$ cat Dockerfile.isodb.vanilla (apache Dockerfile: Dockerfile.isoweb)
tim@ubuntu:~/docker/isodb$ sudo docker build -t isodb:0.1 . Sending build context to Docker daemon 513.5 kB Sending build context to Docker daemon Step 0 : FROM ubuntu:14.04.1 ---> 04c5d3b7b065 Step 1 : MAINTAINER itsecorg@cactus.de
<snip>
Running image in container
Running in foreground
tim@ubuntu:~/docker/isodb$ sudo docker run --rm -P --name isodb_test isodb:0.1 2014-12-20 13:00:21 UTC LOG: database system was interrupted; last known up at 2014-12-20 12:58:24 UTC 2014-12-20 13:00:21 UTC LOG: database system was not properly shut down; automatic recovery in progress 2014-12-20 13:00:21 UTC LOG: redo starts at 0/1782F70 2014-12-20 13:00:21 UTC LOG: record with zero length at 0/1782FB0 2014-12-20 13:00:21 UTC LOG: redo done at 0/1782F70 2014-12-20 13:00:21 UTC LOG: last completed transaction was at log time 2014-12-20 12:58:24.396264+00 2014-12-20 13:00:21 UTC LOG: database system is ready to accept connections 2014-12-20 13:00:21 UTC LOG: autovacuum launcher started
Running in background
tim@ubuntu:~/docker/isodb$ sudo docker run -d -P --name isodb0.9 --hostname=psql_server isodb:0.9 293fc3635360376d010072455b5b2bad6e5232b1e7aed1ff45a2857155ad4fbd tim@ubuntu:~/docker/isodb$
Connecting to container
Connecting from host system
in new window, find out listening port:
tim@ubuntu:~/docker/isodb$ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 1858243dede0 isodb:0.3 /usr/lib/postgresql/ 27 seconds ago Up 26 seconds 0.0.0.0:49153->5432/tcp isodb0.9 tim@ubuntu:~/docker/isodb$ psql -h localhost -p 49153 -d isodb -U itsecorg --password
Connecting from other container via link
Containers can be linked to another container's ports directly using -link remote_name:local_alias in the client's docker run. This will set a number of environment variables that can then be used to connect:
tim@ubuntu:~/docker/isodb$ sudo docker run --rm -t -i --hostname=psql_client --link isodb0.9:ubu1 isodb:0.9 bash
postgres@psql_client:/$ psql -h $UBU1_PORT_5432_TCP_ADDR -p $UBU1_PORT_5432_TCP_PORT -d isodb -U itsecorg --password
Password for user itsecorg:
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
isodb=> select * from error limit 3;
error_id | error_lvl | error_txt_ger | error_txt_eng
-----------------------------+-----------+-----------------------------------+------------------------------------
MSG_NUMBER_CHANGES_RULE_CHG | 4 | Anzahl geaenderte Regeln | number of rules changed
MSG_NUMBER_CHANGES_SVC_CHG | 4 | Anzahl geaenderte Dienste | number of network services changed
MSG_NUMBER_CHANGES_OBJ_CHG | 4 | Anzahl geaenderte Netzwerkobjekte | number of network objects changed
(3 rows)
isodb=>
Running and linking second container
Building webserver:
tim@ubuntu:~/docker/isoweb$ sudo docker build -t isoweb:0.1 .
Running webserver in container:
tim@ubuntu:~/docker/isoweb$ sudo docker run --rm -P --name isoweb_test isoweb:0.1
[Sun Dec 21 12:49:43.697580 2014] [core:warn] [pid 1] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.127. Set the 'ServerName' directive globally to suppress this message
Starting up ubuntu client container and linking to webserver:
tim@ubuntu:~/docker/ubu_client$ sudo docker run --rm -t -i --hostname=ubuclient1 --link isoweb_test:ubu1 ubu_client bash root@ubuclient1:/# wget --no-check-certificate https://$UBU1_PORT_443_TCP_ADDR:$UBU1_PORT_443_PORT --2014-12-21 12:45:32-- https://172.17.0.119/ Connecting to 172.17.0.119:443... connected. WARNING: cannot verify 172.17.0.119's certificate, issued by '/C=DE/O=Cactus eSecurity/L=Frankfurt/CN=09a2b0b24e0e /emailAddress=itsecorg@cactus.de': Self-signed certificate encountered. WARNING: certificate common name '09a2b0b24e0e' doesn't match requested host name '172.17.0.119'. HTTP request sent, awaiting response... 500 Internal Server Error 2014-12-21 12:45:32 ERROR 500: Internal Server Error. root@ubuclient1:/#
Using phusion/baseimage
tim@pbuilder:~/phusion$ sudo docker search -s 100 "phusion" NAME DESCRIPTION STARS OFFICIAL AUTOMATED phusion/baseimage A special image that is configured for cor... 451 tim@ubuntu:~$ sudo docker pull phusion/baseimage:0.9.15 tim@ubuntu:~$ sudo docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE ubuntu 14.04.1 04c5d3b7b065 4 days ago 192.7 MB phusion/baseimage 0.9.15 cf39b476aeec 11 weeks ago 289.4 MB tim@ubuntu:~$ ... # run container with ssh listening on port 2222/tcp and a shell in parallel tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 192.168.100.96:2222:22 -i phusion/baseimage:0.9.15 ... *** Runit started as PID 95 *** Running bash -l... root@b2a9f8dfff35:/# # run container with ssh listening on port 2222/tcp tim@pbuilder:~/phusion$ sudo docker run --rm -t -p 2222:22 -i phusion/baseimage:0.9.15 ... *** Runit started as PID 95 tim@pbuilder:~/phusion$ sudo docker run --name="isodb" -h iso-db phusion/baseimage:0.9.15 *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh... No SSH host key available. Generating one... Creating SSH2 RSA key; this may take some time ... Creating SSH2 DSA key; this may take some time ... Creating SSH2 ECDSA key; this may take some time ... Creating SSH2 ED25519 key; this may take some time ... invoke-rc.d: policy-rc.d denied execution of restart. *** Running /etc/rc.local... *** Booting runit daemon... *** Runit started as PID 95 tim@pbuilder:~$ pwd /home/tim tim@pbuilder:~$ cat phusion/Dockerfile # Use phusion/baseimage as base image. To make your builds # reproducible, make sure you lock down to a specific version, not # to `latest`! See # https://github.com/phusion/baseimage-docker/blob/master/Changelog.md # for a list of version numbers. FROM phusion/baseimage:0.9.15 # Set correct environment variables. ENV HOME /root # Regenerate SSH host keys. baseimage-docker does not contain any, so you # have to do that yourself. You may also comment out this instruction; the # init system will auto-generate one during boot. RUN /etc/my_init.d/00_regen_ssh_host_keys.sh # Use baseimage-docker's init system. CMD ["/sbin/my_init"] # ...put your own build instructions here... RUN mkdir -p $HOME/.ssh COPY id_rsa.pub $HOME/.ssh/ RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub RUN chmod 600 $HOME/.ssh/authorized_keys # Clean up APT when done. RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* tim@pbuilder:~$ tim@pbuilder:~$ sudo docker build -t itsecorg/base phusion/ Sending build context to Docker daemon 4.608 kB Sending build context to Docker daemon Step 0 : FROM phusion/baseimage:0.9.15 ---> cf39b476aeec Step 1 : ENV HOME /root ---> Using cache ---> a6321e755610 Step 2 : RUN /etc/my_init.d/00_regen_ssh_host_keys.sh ---> Using cache ---> 37d8605f992d Step 3 : CMD ["/sbin/my_init"] ---> Using cache ---> e6f97e12568c Step 4 : RUN mkdir -p $HOME/.ssh ---> Using cache ---> dce7809f4362 Step 5 : COPY id_rsa.pub $HOME/.ssh/ ---> Using cache ---> 3dfba0cc70c0 Step 6 : RUN cat $HOME/.ssh/id_rsa.pub >>$HOME/.ssh/authorized_keys && rm $HOME/.ssh/id_rsa.pub ---> Using cache ---> e235cefc1126 Step 7 : RUN chmod 600 $HOME/.ssh/authorized_keys ---> Using cache ---> 15c305685afe Step 8 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ---> Using cache ---> 1fc643e36a1d Successfully built 1fc643e36a1d tim@pbuilder:~$ tim@pbuilder:~$ sudo docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE itsecorg/base latest 1fc643e36a1d 28 minutes ago 292.2 MB tim@pbuilder:~$ sudo docker run itsecorg/base -p 2222:22 2014/11/21 12:45:32 exec: "-p": executable file not found in $PATH tim@pbuilder:~$ sudo docker run -p 2222:22 itsecorg/base *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh... *** Running /etc/rc.local... *** Booting runit daemon... *** Runit started as PID 12 tim@pbuilder:~$ sudo netstat -tulpen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 9228 819/sshd tcp6 0 0 :::2222 :::* LISTEN 0 1513329 11865/docker.io tcp6 0 0 :::22 :::* LISTEN 0 9230 819/sshd tim@pbuilder:~$ tim@pbuilder:~$ sudo docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d8ae08a0c160 3dfba0cc70c0 /bin/sh -c 'cat $HOM About a minute ago Exited (1) About a minute ago desperate_almeida e1aefedbc11c phusion/baseimage:0.9.15 /sbin/my_init About an hour ago Up About an hour isodb tim@pbuilder:~$ sudo docker rm e1aefedbc11c Error response from daemon: Impossible to remove a running container, please stop it first or use -f 2014/11/21 13:22:36 Error: failed to remove one or more containers tim@pbuilder:~$ sudo docker stop e1aefedbc11c e1aefedbc11c tim@pbuilder:~$ sudo docker rm e1aefedbc11c e1aefedbc11c tim@pbuilder:~$
Changing config files
Replacing settings:
RUN sed -i.orig \ -e "s/^memory_limit\s*=.*/memory_limit = 200M/" \ -e "s/^max_execution_time\s*=.*/max_execution_time = 900/" \ -e "s/^default_charset\s*=.*/default_charset = \"utf\-8\"/" \ -e "s|^include_path\s*=.*|include_path = \"/usr/share/php:/usr/share/lib/php:/usr/share/itsecorg/web/include:/usr/share/itsecorg/etc:/usr/share/itsecorg/web/htdocs/inctxt:/usr/share/itsecorg/web/htdocs/hilfe\"|" \ -e "s|^doc_root\s*=.*|doc_root = /usr/share/itsecorg/web|" \ -e "s/^sql\.safe_mode\s*=.*/sql.safe_mode = On/" \ -e "s/^expose_php\s*=.*/expose_php = Off/" \ -e "s/^display_errors\s*=.*/display_errors = Off/" \ -e "s/^display_startup_errors\s*=.*/display_startup_errors = Off/" \ -e "s/^error_log\s*=.*/error_log = syslog/" \ -e "s/^log_errors_max_len\s*=.*/log_errors_max_len = 0/" \ -e "s/^pgsql\.log_notice\s*=.*/pgsql.log_notice = 1/" \ -e "s|^session\.save_path\s*=.*|session.save_path = /var/itsecorg/session|" \ -e "s/^session\.gc_maxlifetime\s*=.*/session\.gc_maxlifetime = 14400/" \ /etc/php5/apache2/php.ini /etc/php5/cli/php.ini RUN sed -i.orig \ -e "s|^host\s*all\s*all\s*127.0.0.1/32\s*md5|# &|" \ -e "s|^host\s*all\s*all\s*::1/128\s*md5|# &|" \ /etc/postgresql/main/9.3/pg_hba.conf
Adding settings:
RUN cat <<EOT >> /etc/postgresql/main/9.3/pg_hba.conf host all dbadmin 127.0.0.1/32 md5 host all itsecorg 127.0.0.1/32 md5 host all +dbbackupusers 127.0.0.1/32 trust host all +configimporters 127.0.0.1/32 trust host all confexporter 127.0.0.1/32 trust host all +secuadmins 127.0.0.1/32 md5 host all +reporters 127.0.0.1/32 md5 host all all 127.0.0.1/32 md5 host all all ::1/128 md5 EOT
