Docker

From Christoph's Personal Wiki
Revision as of 00:22, 7 September 2016 by Christoph (Talk | contribs)

Docker is an open-source project that automates the deployment of applications inside software containers. The Docker web page describes it as follows:

Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.[1]

Install docker

Note: For this install, I will be using Ubuntu 16.04 LTS (Xenial Xerus). Docker requires a 64-bit version of Ubuntu as well as a kernel version equal to or greater than 3.10. My system satisfies both requirements.

  • Set up the docker repo to install from:
$ sudo apt-get update -y
$ sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
$ echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" | sudo tee /etc/apt/sources.list.d/docker.list
$ sudo apt-get update -y

Make sure you are about to install from the Docker repo instead of the default Ubuntu 16.04 repo:

$ apt-cache policy docker-engine

The output of the above command should look something like the following:

docker-engine:
  Installed: (none)
  Candidate: 1.11.2-0~xenial
  Version table:
     1.11.2-0~xenial 500
        500 https://apt.dockerproject.org/repo ubuntu-xenial/main amd64 Packages
     1.11.1-0~xenial 500
        500 https://apt.dockerproject.org/repo ubuntu-xenial/main amd64 Packages
     1.11.0-0~xenial 500
        500 https://apt.dockerproject.org/repo ubuntu-xenial/main amd64 Packages
  • Install docker:
$ sudo apt-get install -y docker-engine
  • Check on the status of docker:
$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-07-12 12:31:08 PDT; 6s ago
     Docs: https://docs.docker.com
 Main PID: 3392 (docker)
   CGroup: /system.slice/docker.service
           ├─3392 /usr/bin/docker daemon -H fd://
           └─3411 docker-containerd -l /var/run/docker/libcontainerd/docker-containerd.sock --runtime docker-runc --start-timeout 2m
  • Make sure the docker service automatically starts after a machine reboot:
$ sudo systemctl enable docker
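  • Execute docker without `sudo` (note that membership in the docker group is effectively root-equivalent access to the host, so only add trusted users):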
$ sudo usermod -aG docker $(whoami)

Log out and log back in to use docker without `sudo`.

  • Check that docker has been successfully installed and configured:
$ docker run hello-world
...
This message shows that your installation appears to be working correctly.
...

Install your own Docker private registry

Note: I will use CentOS 7 for this install and assume you already have docker and docker-compose installed (see above).

For this install, I will assume you have a domain name registered somewhere. I will use docker.example.com as my example domain. Replace it with your actual domain name wherever it appears below.

  • Install dependencies:
$ yum install -y nginx  # used for the registry endpoint
$ yum install -y httpd-tools  # for the htpasswd utility
  • Set up the docker registry directory structure:
$ mkdir -p /opt/docker-registry/{data,nginx}
$ cd /opt/docker-registry
  • Create a docker-compose file:
$ vim docker-compose.yml  # and add the following:
nginx:
  image: "nginx:1.9"
  ports:
    - 5043:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d:ro
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
  • Create an Nginx configuration file:
$ vim /opt/docker-registry/nginx/registry.conf  # and add the following:
upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name docker.example.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/docker.example.com.crt;
  ssl_certificate_key /etc/nginx/conf.d/docker.example.com.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    auth_basic "registry.localhost";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
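  • Create the password file for HTTP basic authentication (the file referenced by auth_basic_user_file in the Nginx configuration above):
$ cd /opt/docker-registry/nginx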
$ htpasswd -c registry.password <username>  # replace <username> with your actual username
$ htpasswd registry.password <username2>  # [optional] add a 2nd user
  • Set up your own certificate authority (for use with SSL):
$ cd /opt/docker-registry/nginx
  • Generate a new root key:
$ openssl genrsa -out docker-registry-CA.key 2048
  • Generate a root certificate (enter anything you like at the prompts):
$ openssl req -x509 -new -nodes -key docker-registry-CA.key -days 3650 -out docker-registry-CA.crt

Then generate a key for your server (this is the file referenced by ssl_certificate_key in the Nginx configuration above):

$ openssl genrsa -out docker.example.com.key 2048

Now we have to make a certificate signing request (CSR). After you type the following command, OpenSSL will prompt you to answer a few questions. Enter anything you like for the first few; however, when OpenSSL prompts you for the "Common Name", make sure to enter the domain or IP of your server.

$ openssl req -new -key docker.example.com.key -out docker.example.com.csr
  • Sign the certificate request:
$ openssl x509 -req -in docker.example.com.csr -CA docker-registry-CA.crt -CAkey docker-registry-CA.key -CAcreateserial -out docker.example.com.crt -days 3650
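
The script below is an added example, not part of the original wiki page: it repeats the CA, CSR and signing steps non-interactively in a scratch directory and then runs the checks worth doing before pointing Nginx at the resulting files. The function name, the short file names, the subject strings and the "untrusted" test certificate are assumptions made for the example; docker.example.com is the page's placeholder domain.

```shell
#!/bin/sh
# Added example (not from the original page). File names, subjects and the
# scratch directory are assumptions; docker.example.com is a placeholder.

make_and_check_cert() {
    domain="$1"
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # The page's steps, with -subj answering the interactive prompts.
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -nodes -key ca.key -days 3650 \
            -subj "/CN=docker-registry-CA" -out ca.crt || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -subj "/CN=$domain" \
            -out server.csr || exit 1
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out server.crt -days 3650 2>/dev/null || exit 1

        # Check 1: the server certificate chains to our CA.
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 2

        # Check 2: the private key belongs to the certificate (compare the
        # public key derived from each file).
        cert_pub=$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in server.key -pubout | openssl sha256)
        [ "$cert_pub" = "$key_pub" ] || exit 3

        # Check 3: the subject carries the name clients will connect to.
        openssl x509 -in server.crt -noout -subject \
            | grep -q "CN *= *$domain" || exit 4

        # Check 4 (negative): a self-signed certificate for the same name,
        # not issued by our CA, must be rejected when only our CA is trusted.
        openssl req -x509 -new -nodes -newkey rsa:2048 -keyout untrusted.key \
            -subj "/CN=$domain" -days 1 -out untrusted.crt 2>/dev/null || exit 1
        if openssl verify -CAfile ca.crt untrusted.crt >/dev/null 2>&1; then
            exit 5
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

make_and_check_cert docker.example.com && echo "certificate checks passed"
```

A certificate made with the commands above carries the hostname only in the Common Name, while clients built with Go 1.15 or later match hostnames against subjectAltName by default, so inspect the result with `openssl x509 -noout -text`. Also note that /opt/docker-registry/nginx is mounted into the nginx container by the docker-compose file above, so docker-registry-CA.key is better kept outside that directory once signing is done.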

This section is incomplete. It will be updated presently.

References

  1. https://www.docker.com/what-docker
