Docker - be less as possible
docker-blah is a small project written in nodejs. It is a good "first choice" solution if you are only taking your first steps with docker and don't want to set up a whole infrastructure, like swarm, for example. Its basic functionality is:
- Create projects and add current nodes with docker daemon to a project
- Define users, assign roles in projects
- View/Start/Stop/Delete containers
- View/Delete images
- See container's statistics
- See (stream in real time) a container's log, define custom logs per project
- Run commands in a container in attached/detached mode and stream output
This project will also provide you with a nice GUI for your local docker daemon.
| What | Why / How? |
|---|---|
| the Docker | ! |
| phusion/baseimage:0.9.18 | perfect image |
| runit | as a part of the baseimage, to keep the node up and running |
| nginx | serves the static content |
| nodejs 6.x | all packages are installed in the docker-blah base image |
| express 4 | perfect framework |
| dockerode | talk to docker daemon |
| sqlite3 | database |
| nunjucks 2 | template engine |
| connect-redis | session backend |
| winston | logger |
| multer | file uploader |
| socket.io 1.x | websockets, to stream logs & execute commands |
| passport.socketio | websocket auth |
| and more... | |
There is separate documentation.
- Default username/password are `changeme`/`changeme`. Don't forget to change them!
- Use `[sudo] sv restart <service_name>` to restart a service, like `nginx` or `docker-blah` itself.
- Logs are in `/var/log/docker-blah/`:
  - `run`: nodejs output & error log
  - `system.log`: main log
  - `nginx_error.log`: nginx error log
  - `nginx_access.log`: nginx access log
- Checkout from git.
- Run a container:

  ```sh
  docker run -d -it -p $HTTP_PORT:80 -p $SSH_PORT:22 \
      -v $PATH_TO_SOURCES:/var/www/docker-blah/master \
      --name docker-blah-development \
      amberovsky/docker-blah-development
  ```

- Access in a browser via `http://IP:$HTTP_PORT` or via shell: `ssh www-data@IP -p $SSH_PORT`
- Next, read how to connect your local docker in a development environment.
First, we need to configure the docker daemon to listen on a port, so we need certificates to make it secure. This topic is described in detail in the official docker docs.
The idea is to control all nodes in each project with one set of certificates per project, so it is easy to add/remove nodes from a project.
- CA private key:

  ```sh
  openssl genrsa -aes256 -out ca-key.pem 4096
  ```

- CA public key (you can use either an IP or a DNS name as the "Common Name"):

  ```sh
  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
  ```

- Client key:

  ```sh
  openssl genrsa -out key.pem 4096
  ```

- Certificate signing request:

  ```sh
  openssl req -subj '/CN=client' -new -key key.pem -out client.csr
  ```

- Extensions config file:

  ```sh
  echo extendedKeyUsage = clientAuth > extfile.cnf
  ```

- Sign the public key:

  ```sh
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile extfile.cnf
  ```

- Remove the certificate signing request:

  ```sh
  rm -v client.csr
  ```

- Restrict access to the keys:

  ```sh
  chmod -v 0400 ca-key.pem key.pem
  ```

- Restrict access to the certificates:

  ```sh
  chmod -v 0444 ca.pem cert.pem
  ```
You will need `cert.pem`, `ca.pem` and `key.pem` in a project configuration in docker-blah. These files are also required to generate server certificates.
- Private key:

  ```sh
  openssl genrsa -out server-key.pem 4096
  ```

- Certificate signing request (remember, `$HOST` is the node's IP or DNS name):

  ```sh
  openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
  ```

- Allow connection using IP/DNS (the value must say which kind `$HOST` is: `IP:` for an address, `DNS:` for a host name; openssl rejects a bare value):

  ```sh
  echo subjectAltName = IP:$HOST > extfile.cnf
  ```

  Use `DNS:$HOST` instead when the node is addressed by name.

- Sign the public key:

  ```sh
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile extfile.cnf
  ```

- Remove the certificate signing request:

  ```sh
  rm -v server.csr
  ```

- Restrict access to the key:

  ```sh
  chmod -v 0400 server-key.pem
  ```

- Restrict access to the certificate:

  ```sh
  chmod -v 0444 server-cert.pem
  ```
Now we need to tell the docker daemon to listen on a particular port using TLS. Locate your docker configuration files (probably `/etc/sysconfig/docker` or `/etc/docker`).
- Let's create a folder for the docker certificates:

  ```sh
  mkdir -p /etc/docker/ssl
  ```

- Move the server files:

  ```sh
  mv ./server-key.pem /etc/docker/ssl/server-key.pem
  mv ./server-cert.pem /etc/docker/ssl/server-cert.pem
  ```

- Copy the CA certificate (`ca.pem`; the daemon does not need `ca-key.pem`):

  ```sh
  cp ./ca.pem /etc/docker/ssl/ca.pem
  ```

- Check the access permissions for the certificates!
- Edit the docker startup parameters, changing `$PORT` and `$IP`. (Note we also bind to the unix socket to make life a bit easier when using the local client):

  ```sh
  other_args="-H=$IP:$PORT --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H unix:///var/run/docker.sock"
  ```

- Restart the docker daemon.
- You might need to change iptables, but not always (the port here must be the same `$PORT` the daemon listens on):

  ```sh
  iptables -I INPUT -p tcp --dport 81 -j ACCEPT
  ```

- Test the connection from your local machine:

  ```sh
  docker --tlsverify --tlscacert=./ca.pem --tlscert=./cert.pem --tlskey=./key.pem -H tcp://$HOST:$PORT version
  ```
-
- We need two folders: one for the configuration file and one for the sqlite3 database. Let's say you've decided to use the `/var/www/docker-blah/` folder (don't forget to set proper permissions!):

  ```sh
  mkdir -p /var/www/docker-blah/data /var/www/docker-blah/config
  ```

- Create `config.json` in `/var/www/docker-blah/config`:

  ```json
  {
    "session": {
      "secret": "hiding ninja",
      "store_secret": "more hiding ninja",
      "key": "express.sid"
    },
    "redis": {
      "host": "10.20.30.40",
      "port": "6379"
    },
    "noCache": true
  }
  ```

  Change the session `secret`/`store_secret` params for security reasons; `key` is not so important.
- If you already have a `redis` instance somewhere in your network:
  - Change the `redis` host/port respectively.
  - Run `docker-blah`:

    ```sh
    sudo docker run -d -it --name docker-blah \
        -p $PORT:80 \
        -v /var/www/docker-blah/config/:/var/www/docker-blah/master/config \
        -v /var/www/docker-blah/data/:/var/www/docker-blah/data \
        amberovsky/docker-blah-production
    ```

- Or, if you want to run redis on the same host:
  - Run a redis instance:

    ```sh
    sudo docker run -d --name=docker-blah-redis redis
    ```

  - Change the redis `host` in `/var/www/docker-blah/config/config.json` to `redis`.
  - Run `docker-blah` with the linked `redis` container:

    ```sh
    sudo docker run -d -it --name docker-blah \
        -p $PORT:80 \
        -v /var/www/docker-blah/config/:/var/www/docker-blah/master/config \
        -v /var/www/docker-blah/data/:/var/www/docker-blah/data \
        --link docker-blah-redis:redis \
        amberovsky/docker-blah-production
    ```
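The `config.json` above ships with placeholder session secrets that the text tells you to change. As an added example that is not part of docker-blah, the following shell snippet writes the same file with 32-byte random secrets drawn from `/dev/urandom` and can flag a config that still carries the README placeholders. The `write_config` and `config_uses_placeholders` names, the 0600 file mode and the hex encoding are this example's choices; the JSON keys are the ones the README shows.

```sh
#!/bin/sh
# Added example (not docker-blah's own code): write config.json with randomly
# generated session secrets instead of the placeholder strings from the README.
set -eu

# random_hex NBYTES -> NBYTES of /dev/urandom as lowercase hex (2*NBYTES chars)
random_hex() {
  head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_config DIR REDIS_HOST REDIS_PORT
#   Writes DIR/config.json with fresh secrets; readable by the owner only.
write_config() {
  dir=$1; redis_host=$2; redis_port=$3
  mkdir -p "$dir"
  secret=$(random_hex 32)
  store_secret=$(random_hex 32)
  cat > "$dir/config.json" <<EOF
{
  "session": {
    "secret": "$secret",
    "store_secret": "$store_secret",
    "key": "express.sid"
  },
  "redis": {
    "host": "$redis_host",
    "port": "$redis_port"
  },
  "noCache": true
}
EOF
  chmod 0600 "$dir/config.json"
}

# config_uses_placeholders FILE
#   Returns 0 (true) when either session secret is still a README placeholder,
#   so a deploy step can refuse to start docker-blah with the sample values.
config_uses_placeholders() {
  grep -Eq '"(secret|store_secret)": *"(hiding ninja|more hiding ninja)"' "$1"
}
```

`write_config /var/www/docker-blah/config 10.20.30.40 6379` (or `redis` as the host for the linked-container variant) replaces the manual edit; `config_uses_placeholders` is the check to run before the `docker run` line.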
Explained in detail (except local docker) here.
One of the use cases of docker-blah is to treat your local docker daemon as a separate node and thus have a nice GUI for it. Any member of your team can connect their local docker to your team's docker-blah instance.
If you are using docker-blah only for testing purposes (only on your local machine), then this is how you can connect your local docker (OS X):
- You need to know your docker-machine ip and port. Run in your shell:

  ```sh
  docker-machine env default
  ```

- Open docker-blah, click Select a project -> Connect local docker:
- You need to provide a name, ip, port and certificates. `docker-machine` generated them for you. Click Choose file, then press CMD + SHIFT + . to see hidden files and folders in the Finder. Navigate to `/Users/$username/.docker/machine/machines/default/` and choose `ca.pem`, `cert.pem` and `key.pem` separately:
- Now you can use your local docker as a standalone node. Click Select a project -> Obama's local docker:
- At any time you can delete or change your local docker parameters. Click Profile in the top navigation bar, then Local docker in the left panel:
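The form above asks for a name, ip, port and the three certificate files, all of which `docker-machine env default` already prints. As an added example that is not part of docker-blah, here is a small shell parser for that output; `SAMPLE_ENV` is a constructed stand-in for the command's output (the address, port and path are made up), and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not docker-blah's own code): pull name, ip, port and the
# certificate paths out of `docker-machine env default` output.
# SAMPLE_ENV is constructed to look like that output; real values come from
# running the command in your shell.
SAMPLE_ENV='export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/Users/me/.docker/machine/machines/default"
export DOCKER_MACHINE_NAME="default"
# Run this command to configure your shell:
# eval $(docker-machine env default)'

# env_value VAR  <- env output on stdin; prints the quoted value of VAR
env_value() {
  sed -n "s/^export $1=\"\(.*\)\"$/\1/p"
}

# name for the "Connect local docker" form
docker_machine_name() { env_value DOCKER_MACHINE_NAME; }

# ip and port: split the tcp://IP:PORT value of DOCKER_HOST
docker_machine_ip()   { env_value DOCKER_HOST | sed 's#^tcp://##; s#:[0-9]*$##'; }
docker_machine_port() { env_value DOCKER_HOST | sed 's#.*:##'; }

# the three files the form asks for, as absolute paths inside the hidden
# ~/.docker folder (one per line: ca.pem, cert.pem, key.pem)
docker_machine_cert_files() {
  p=$(env_value DOCKER_CERT_PATH)
  for f in ca.pem cert.pem key.pem; do echo "$p/$f"; done
}

# usage with the real command: docker-machine env default | docker_machine_ip
```

Feed the real output through the functions (`docker-machine env default | docker_machine_cert_files`) to get the paths to open in the file chooser without hunting for the hidden folder.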
To be done.
Please let me know if you are using docker-blah!
docker-blah is Apache 2.0 licensed.
Copyright (C) 2016 Anton Zagorskii aka amberovsky. All rights reserved. Contacts: amberovsky@gmail.com