Containers out-of-the-box do not provide security monitoring. Therefore, it is important to have a comprehensive view of what is happening in runtime. This ensures that containers operate smoothly without security issues that can easily affect other containers and the entire infrastructure. Some security aspects to continuously watch out for when running Docker containers are:

• Container management: Docker container management involves supervising actions performed on a container to keep it running smoothly. Threat actors can get hold of containers and perform malicious activities such as viewing critical content, opening ports, creating, stopping or even destroying containers. Ability to distinguish unusual Docker events can be challenging. Observing these actions in near real-time as they occur can help organizations running Docker containers make better informed decisions.

• Container resource consumption: Monitoring the performance of a container provides insight into its resource utilization. Some core resources include CPU, memory, disk, and network traffic. With resource monitoring, organizations can track container resource consumption and set measures to increase efficiency. These actions prevent imbalances of container resources in Dockerized infrastructures. Additionally, it allows better visibility of infrastructures in the event of a security incident.

• Container health: Container health checks aid an organization in knowing its workload availability. The health status of a container is different from its actual state of operation. For example, a container can run while a web server running in the container may be down and unable to handle requests. This can be due to an attack that, if not monitored, can persist and cause damage to an organization. Monitoring the health status of a container helps to reduce an attack surface and prevent anomalies in the container.

Organizations need to identify and resolve threats quickly and proactively to avoid risks of compromise. For this, keeping track of the above criteria is indispensable and can be accomplished through the use of security monitoring solutions.

Using Wazuh for container monitoring

Wazuh is an open source security platform with unified XDR and SIEM capabilities. Its architecture comprises the Wazuh central components (server, indexer, and dashboard) and a universal agent. The solution provides protection for devices in clouds and on-premises infrastructures. Wazuh has many features ranging from container monitoring, file integrity monitoring, vulnerability detection, security configuration assessment, and more. Wazuh is multi-platform and expands its flexibility through integration with other security solutions.

Figure 1 below shows an example of real-time monitoring of Docker containers using Wazuh.

Figure 1: Real-time monitoring of Docker containers using Wazuh

For the use cases below, the Wazuh agent is installed on endpoints running Docker containers. The agent collects security and runtime data from the containers and forwards it to the Wazuh server for log analysis, correlation, and alerting.

Monitoring container events

Wazuh has a Docker module that communicates with the Docker Engine API to gather information on Docker containers. The only configuration necessary is to enable the Docker listener module to allow us to monitor Docker events. The Wazuh dashboard in Figure 2 below shows an example of detected container events in a Docker environment.

Figure 2: Docker events detected in a Docker environment

Monitoring container resource utilization

Wazuh can be used to monitor the performance of Docker containers in an endpoint.  The Wazuh command monitoring module allows you to monitor the output of specific commands and trigger alerts accordingly. This gives organizations a clear view of the container for abnormal activities. The Wazuh dashboard in Figure 3 below shows the CPU, memory, and network traffic consumption of containers in an endpoint.

Figure 3: Resource consumption of containers in a Docker environment

Monitoring container health

The Wazuh command monitoring module is used to monitor the health status of containers in Dockerized environments. Figure 4 below shows the health status of containers running on an endpoint.

Figure 4: Health status of containers in a Docker environment

Conclusion

Robust monitoring and easy debugging are key factors for container security. This ensures complete coverage of metrics and the events happening in your Dockerized container infrastructures. We have seen how Wazuh facilitates and improves an organization’s visibility through its container security monitoring capabilities. Visit this documentation to get a detailed explanation of how to perform container monitoring with Wazuh.

Wazuh is free to use, easy to deploy, and has a continuously growing community that supports thousands of users. To get started with Wazuh, visit the Quickstart installation guide and explore the features it provides.

The post Using Wazuh for Docker Container Monitoring appeared first on Tech Chronicles.

Some specific tools, however, are still missing: an equivalent of docker-compose, for example does not exists yet. In this tutorial we will see how to install and run the original Docker CE on Rhel8 by using the official Docker repository for CentOS7.

In this tutorial you will learn:

• How to enable the docker-ce repository on RHEL 8 / CentOS 8
• How to install docker and docker-compose on RHEL 8 / CentOS 8

Software Requirements and Conventions Used

What is Docker?

Docker is an open source project which allows the creation and distribution of applications inside containers, which are standardized environments that can be easily replicated, independently from the host system. While in Red Hat Enterprise Linux 7 Docker was officially supported, on the new release of this open source operating system, it has been replaced by a series of other tools developed by Red Hat itself: buildah and podman.

By the use of an external repository, however, it’s still possible to install Docker CE (Community Edition). In this tutorial we will see how to install this repository; notice however, that it was originally meant for CentOS 7 (a RHEL clone), and the community version of Docker has no official support for Red Hat Enterprise Linux. Because of this, issues exist – we discuss them below.

Adding the external repository

Since Docker is not available on RHEL 8 / CentOS 8, we need to add an external repository to obtain the software. In this case we will use the official Docker CE CentOS repository: this is, at the moment of writing, the only way to install Docker CE on RHEL 8 / CentOS 8.

The dnf config-manager utility let us, among the other things, easily enable or disable a repository in our distribution. By default, only the appstream and baseos repositories are enabled on Rhel8; we need to add and enable also the docker-ce repo. All we need to do to accomplish this task, is to run the following command:

$ sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo

We can verify that the repository has been enabled, by looking at the output of the following command:

$ sudo dnf repolist -v

The command above will return detailed information about all the enabled repositories. This is what you should see at this point:

Repo-id      : docker-ce-stable
Repo-name    : Docker CE Stable - x86_64
Repo-revision: 1549905809
Repo-updated : Mon 11 Feb 2019 06:23:29 PM CET
Repo-pkgs    : 30
Repo-size    : 618 M
Repo-baseurl : https://download.docker.com/linux/centos/7/x86_64/stable
Repo-expire  : 172,800 second(s) (last: Mon 18 Feb 2019 10:23:54 AM CET)
Repo-filename: /etc/yum.repos.d/docker-ce.repo

Repo-id      : rhel-8-for-x86_64-appstream-rpms
Repo-name    : Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
Repo-revision: 1542158694
Repo-updated : Wed 14 Nov 2018 02:24:54 AM CET
Repo-pkgs    : 4,594
Repo-size    : 4.9 G
Repo-baseurl : https://cdn.redhat.com/content/beta/rhel8/8/x86_64/appstream/os
Repo-expire  : 86,400 second(s) (last: Mon 18 Feb 2019 10:23:55 AM CET)
Repo-filename: /etc/yum.repos.d/redhat.repo

Repo-id      : rhel-8-for-x86_64-baseos-rpms
Repo-name    : Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs)
Repo-revision: 1542158719
Repo-updated : Wed 14 Nov 2018 02:25:19 AM CET
Repo-pkgs    : 1,686
Repo-size    : 925 M
Repo-baseurl : https://cdn.redhat.com/content/beta/rhel8/8/x86_64/baseos/os
Repo-expire  : 86,400 second(s) (last: Mon 18 Feb 2019 10:23:56 AM CET)
Repo-filename: /etc/yum.repos.d/redhat.repo
Total packages: 6,310

Installing docker-ce

The docker-ce-stable repository is now enabled on our system. The repository contains several versions of the docker-ce package, to display all of them, we can run:

$ dnf list docker-ce --showduplicates | sort -r
docker-ce.x86_64            3:19.03.2-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.1-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.0-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.9-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.8-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.7-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.6-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.5-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.4-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.3-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.2-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.1-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.0-3.el7                     docker-ce-stable
docker-ce.x86_64            18.06.3.ce-3.el7                    docker-ce-stable
docker-ce.x86_64            18.06.2.ce-3.el7                    docker-ce-stable
docker-ce.x86_64            18.06.1.ce-3.el7                    docker-ce-stable
docker-ce.x86_64            18.06.0.ce-3.el7                    docker-ce-stable
docker-ce.x86_64            18.03.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            18.03.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.12.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.12.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.09.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.09.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.2.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.3.ce-1.el7                    docker-ce-stable
docker-ce.x86_64            17.03.2.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.0.ce-1.el7.centos             docker-ce-stable

What version to install? Well, Red Hat seems to have somehow blocked the installation of containerd.io > 1.2.0-3.el7, which is a dependency of docker-ce. Because of this, simply running the sudo dnf install docker-ce command, won’t work. As we will see in a minute, it’s still possibile to workaround this problem; once docker-ce is installed, however, another problem becomes evident: as long as firewalld, the system firewall manager is enabled, DNS resolution inside docker containers does not work.

This is, of course a critical problem. However, if you still want to proceed with the installation, here are the possible methods that can be used to avoid the dependencies issues:

• Install a specific version of docker-ce which requires an installable version of the containerd.io package;
• Force the installation providing the --nobest option
• Install the latest available containerd.io rpm manually;

Install a specific version of docker-ce

To install a specific version, all we have to do is to provide the fully qualified package name, for example:

$ sudo dnf install docker-ce-3:18.09.1-3.el7

Force the installation of docker-ce with the –nobest option

Normally, when installing a package, the best available candidate is selected from a repository. In this case, for example, the installation of the latest version of docker-ce is attempted (and fails). By using the --nobest option, we can change this behavior so that the first version of docker-ce with satisfiable dependencies is selected as “fallback”, in this case 3:18.09.1-3.el7.

$ sudo dnf install --nobest docker-ce
Dependencies resolved.

Problem: package docker-ce-3:19.03.2-3.el7.x86_64 requires containerd.io >= 1.2.2-3, but none of the providers can be installed
  - cannot install the best candidate for the job
  - package containerd.io-1.2.2-3.3.el7.x86_64 is excluded
  - package containerd.io-1.2.2-3.el7.x86_64 is excluded
  - package containerd.io-1.2.4-3.1.el7.x86_64 is excluded
  - package containerd.io-1.2.5-3.1.el7.x86_64 is excluded
  - package containerd.io-1.2.6-3.3.el7.x86_64 is excluded
=======================================================================================================================================================
 Package                            Arch         Version                                                  Repository                              Size
=======================================================================================================================================================
Installing:
 docker-ce                          x86_64       3:18.09.1-3.el7                                          docker-ce-stable                        19 M
Installing dependencies:
 containerd.io                      x86_64       1.2.0-3.el7                                              docker-ce-stable                        22 M
 docker-ce-cli                      x86_64       1:19.03.2-3.el7                                          docker-ce-stable                        39 M
 container-selinux                  noarch       2:2.94-1.git1e99f1d.module+el8.0.0+4017+bbba319f         rhel-8-for-x86_64-appstream-rpms        43 k
 tar                                x86_64       2:1.30-4.el8                                             rhel-8-for-x86_64-baseos-rpms          838 k
 libcgroup                          x86_64       0.41-19.el8                                              rhel-8-for-x86_64-baseos-rpms           70 k
 python3-policycoreutils            noarch       2.8-16.1.el8                                             rhel-8-for-x86_64-baseos-rpms          2.2 M
 python3-libsemanage                x86_64       2.8-5.el8                                                rhel-8-for-x86_64-baseos-rpms          127 k
 python3-setools                    x86_64       4.2.0-2.el8                                              rhel-8-for-x86_64-baseos-rpms          598 k
 checkpolicy                        x86_64       2.8-2.el8                                                rhel-8-for-x86_64-baseos-rpms          338 k
 python3-audit                      x86_64       3.0-0.10.20180831git0047a6c.el8                          rhel-8-for-x86_64-baseos-rpms           85 k
 policycoreutils-python-utils       noarch       2.8-16.1.el8                                             rhel-8-for-x86_64-baseos-rpms          228 k
Skipping packages with broken dependencies:
 docker-ce                          x86_64       3:19.03.2-3.el7                                          docker-ce-stable                        24 M

Transaction Summary
=======================================================================================================================================================
Install  12 Packages
Skip      1 Package

Total download size: 85 M
Installed size: 351 M
Is this ok [y/N]:

Install the latest available containerd.io package manually

If we stricly need to install the latest version of docker-ce, we can install the required version of containerd.io manually, by running:

$ sudo dnf install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm

After the package is installed, we can simply install the latest docker-ce:

$ sudo dnf install docker-ce
Dependencies resolved.
=======================================================================================================================================================
  Package                          Arch                      Version                             Repository                                        Size
=======================================================================================================================================================
Installing:
  docker-ce                        x86_64                    3:19.03.2-3.el7                     docker-ce-stable                                  24 M
Installing dependencies:
  docker-ce-cli                    x86_64                    1:19.03.2-3.el7                     docker-ce-stable                                  39 M
  tar                              x86_64                    2:1.30-4.el8                        rhel-8-for-x86_64-baseos-rpms                    838 k
  libcgroup                        x86_64                    0.41-19.el8                         rhel-8-for-x86_64-baseos-rpms                     70 k

Transaction Summary
=======================================================================================================================================================
Install  4 Packages

Total download size: 65 M
Installed size: 275 M
Is this ok [y/N]:

This option is less convenient since the containerd.io package is not installed as a dependency of docker-ce, therefore it will not be removed automatically when the latter is uninstalled from the system.

Whatever method we use to install docker-ce, as said before, in order to make DNS resolution work inside Docker containers, we must disable firewalld (a system reboot may be also needed):

$ sudo systemctl disable firewalld

Start and enable the docker daemon

Once docker-ce is installed, we must start and enable the docker daemon, so that it will be also launched automatically at boot. The command we need to run is the following:

$ sudo systemctl enable --now docker

At this point, we can confirm that the daemon is active by running:

$ systemctl is-active docker
active

Similarly, we can check that it is enabled at boot, by running:

$ systemctl is-enabled docker
enabled

Installing docker-compose

Docker compose is a very useful package which let us manage multi-container applications, like for example those based on the LAMP stack, where each part of the environment (PHP, Apache, MariaDB) is provided by a dedicated container (if you are interested in the subject, take a look at our tutorial about creating a docker-based lamp stack). The package is not available on Rhel8, nor an equivalent exists to be used with the Rhel tools. It’s, however, possible to install it in many ways: just keep on reading and decide what suits you best.

Global installation

The way we should install docker-compose varies depending on whether we want to install it globally or just for a single user. At the moment of writing, the only way to install it globally is to download the binary from the github page of the project:

$ curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose

Once the binary is downloaded, we move it into /usr/local/bin and we make it executable:

$ sudo mv docker-compose /usr/local/bin && sudo chmod +x /usr/local/bin/docker-compose

The /usr/local hierarchy is not chosen randomly. This directory structure is made to be used for files installed by the local administrator manually (for software compiled from source, for example), in order to ensure separation from the software installed with the system package manager.

Although it’s possible for a normal user to run docker-related commands if he is part of the docker group (the group is automatically created when we install docker-ce), by default they must be executed with root privileges for security reasons. When we need to do the latter, since the /usr/local/bin directory is not in the root user’s PATH, we either need to call the binary specifying its location or add /usr/local/bin to the PATH itself. The first option is the one which I recommend in this case.

Per-user installation

If our user is part of the docker group, and thus it is allowed to run docker commands, and since docker-compose is available as a python package, we can also install it using pip, the python package manager. First, make sure pip itself is installed:

$ sudo dnf install python3-pip

To obtain docker-compose we run:

$ pip3.6 install docker-compose --user

Please notice that even if would be possible to run pip as root to install a package globally, this is not recommended and highly discouraged.

Testing docker

We installed docker and docker-compose, now to check that everything works as expected, we can try to build an image and run a container: in this case we will use the official httpd one. All we have to do is to launch the following command:

sudo docker run --rm --name=linuxconfig-test -p 80:80 httpd

Since the httpd image does not exists locally it will be automatically fetched and built. Finally, a container based on it will be launched in the foreground (it will be automatically removed when stopped). We should be able to see the It works! message when we reach our machine ip via browser.

Conclusions

Red Hat Enterprise Linux 8 does not support Docker: on this distribution it has been replaced by Red Hat own tools like buildah and podman, which are compatible with Docker but don’t need a server/client architecture to run. Using native tools, where possible, is always the recommended way to go, but for a reason or another you may still want to install the original Docker. In this tutorial, we saw how it is possible to install Docker CE on Rhel8, by using the official Docker repository for CentOS7, which is a 100% compatible clone.

This is not an ideal solution, and as we saw, at the moment, some workarounds are needed to make Docker work on RHEL8. If some new issues arises, or better solutions to the problems mentioned above are found, this article will be updated accordingly.

The post How to install Docker CE on RHEL 8 / CentOS 8 appeared first on Tech Chronicles.

How to manage Docker containers

A Docker container has a lifecycle that you can manage and track the state of the container.

To place a container in the run state, use the run command. You can also restart a container that is already running. When restarting a container, the container receives a termination signal to enable any running processes to shut down gracefully before the container’s kernel is terminated.

A container is considered in a running state until it’s either paused, stopped, or killed. A container, however, may also exit from the run state by itself. A container can self-exit when the running process completes, or if the process goes into a fault state.

To pause a running container, use the pause command. This command suspends all processes in the container.

To stop a running container, use the stop command. The stop command enables the working process to shut down gracefully by sending it a termination signal. The container’s kernel terminates after the process shuts down.

To send a kill signal if you need to terminate the container, use the kill command. The running process doesn’t capture the kill signal, only the container’s kernel. This command will forcefully terminate the working process in the container.

Lastly, to remove containers that are in a stopped state, use the remove command. After removing a container, all data stored in the container gets destroyed.

How to view available containers

To list running containers, run the docker ps command. To see all containers in all states, pass the -a argument.

Here is an example.

docker ps -a

Here is the output from that command.

CONTAINER ID    IMAGE        COMMAND         CREATED       STATUS           PORTS        NAMES
d93d40cc1ce9    tmp-ubuntu:latest  "dotnet website.dll …"  6 seconds ago    Up 5 seconds        8080/tcp      happy_wilbur
33a6cf71f7c1    tmp-ubuntu:latest  "dotnet website.dll …"  2 hours ago     Exited (0) 9 seconds ago            adoring_borg

There are three items to review in the previous output:

• The image name listed in the IMAGE column. In this example, tmp-ubuntu: latest. Notice how you’re allowed to create more than one container from the same image. This feature is a powerful management feature that you use to enable scaling in your solutions.
• The status of the container listed in the STATUS column. In this example, you have one container that is running, and one container that has exited. The container’s status usually is your first indicator of the health of the container.
• The name of the container listed in the NAMES column. Apart from the container ID in the first column, containers will also receive a name. In this example, you didn’t explicitly provide a name for each container, and as a result, Docker gave the container a random name. To give a container an explicit name using the --name flag, use the run command.

Why are containers given a name?

This feature enables you to run multiple container instances of the same image. Container names are unique, which means if you specify a name, that name can’t be reused to create a new container. The only way to reuse a specific name is to remove the previous container.

How to run a container

To start a container, run the docker run command. You only need to specify the image to run with its name or ID to launch the container from the image. A container launched in this manner provides an interactive experience.

Here, to run the container with our website in the background, add the -d flag.

docker run -d tmp-ubuntu

The command, in this case, only returns the ID of the new container.

After an image is specified to run, Docker finds the image, loads container from the image, and executes the command specified as the entry point. It’s at this point that the container is available for management.

How to pause a container

To pause a container, run the docker pause command. Here is an example.

docker pause happy_wilbur

Pausing a container will suspend all processes. This command enables the container to continue processes at a later stage. The docker unpause command unsuspends all processes.

How to restart a container

To restart containers, run the docker restart command. Here is an example.

docker restart happy_wilbur

The container receives a stop command, followed by a start command. If the container doesn’t respond to the stop command, then a kill signal is sent.

How to stop a container

To stop a running container, run the docker stop command. Here is an example.

docker stop happy_wilbur

The stop command sends a termination signal to the container and the process running in the container.

How to remove a container

To remove a container, run the docker rm command. Here is an example.

docker rm happy_wilbur

After you remove the container, all data in the container is destroyed. It’s essential to always consider containers as temporary when thinking about storing data.

Docker container storage configuration

As described earlier, always consider containers as temporary when the app in a container needs to store data.

Let’s assume your tracking portal creates a log file in a subfolder to the root of the app; that is, directly to the file system of the container. When your app writes data to the log file, the system writes the data to the writable container layer.

Even though this approach works, it, unfortunately, has several drawbacks.

• Container storage is temporary

  Your log file won’t persist between container instances. For example, let’s assume that you stop and remove the container. When you launch a new container instance, the new instance bases itself on the image specified, and all your previous data will be missing. Remember, all data in a container is destroyed with the container when you remove a container.

• Container storage is coupled to the underlying host machine

  Accessing or moving the log file from the container is difficult to do as the container is coupled to the underlying host machine. You’ll have to connect to the container instance to access the file.

• Container storage drives are less performant

  Containers implement a storage driver to allow your apps to write data. This driver introduces an extra abstraction to communicate with the host OS kernel and is less performant than writing directly to a host filesystem.

Containers can make use of two options to persist data. The first option is to make use of volumes, and the second is bind mounts.

What is a volume?

A volume is stored on the host filesystem at a specific folder location. Choose a folder where you know the data isn’t going to be modified by non-Docker processes.

Docker creates and manages the new volume by running the docker volume create command. This command can form part of our Dockerfile definition, which means that you can create volumes as part of the container creation process. Docker will create the volume if it doesn’t exist when you try to mount the volume into a container the first time.

Volumes are stored within directories on the host filesystem. Docker will mount and manage the volumes in the container. After mounting, these volumes are isolated from the host machine.

Multiple containers can simultaneously use the same volumes. Volumes also don’t get removed automatically when a container stops using the volume.

In this example, you can create a directory on our container host, and mount this volume into the container when you create the tracking portal container. When your tracking portal logs data, you can access this information via the container host’s filesystem. You’ll have access to this log file even if your container is removed.

What is a bind mount?

A bind mount is conceptually the same as a volume, however, instead of using a specific folder, you can mount any file or folder on the host. You’re also expecting the host can change the contents of these mounts. Just like volumes, the bind mount is created if you mount it, and it doesn’t yet exist on the host.

Bind mounts have limited functionality compared to volumes, and even though they’re more performant, they depend on the host having a specific folder structure in place.

Volumes are considered the preferred data storage strategy to use with containers.

Docker container network configuration

The default Docker network configuration allows for the isolation of containers on the Docker host. This feature enables you to build and configure apps that can communicate securely with each other.

Docker provides three pre-configured network configurations:

• Bridge
• Host
• none

You choose which of these network configurations to apply to your container depending on its network requirements.

What is the bridge network?

The bridge network is the default configuration applied to containers when launched without specifying any additional network configuration. This network is an internal, private network used by the container, and isolates the container network from the Docker host network.

Each container in the bridge network is assigned an IP address and subnet mask with the hostname defaulting to the container name. Containers connected to the default bridge network are allowed to access other bridge connected containers by IP address. The bridge network doesn’t allow communication between containers using hostnames.

By default, Docker doesn’t publish any container ports. To enable port mapping between the container ports and the Docker host ports, use the Docker port --publish flag.

The publish flag effectively configures a firewall rule that maps the ports.

In this example, your tracking portal is accessible to clients browsing to port 80. You’ll have to map port 80 from the container to an available port on the host. You have port 8080 open on the host, which enables you to set the flag like this.

--publish 8080:80

Any client browsing to the Docker host IP and port 8080 can access the tracking portal.

What is the host network?

The host network enables you to run the container on the host network directly. This configuration effectively removes the isolation between the host and the container at a network level.

In this example, let’s assume you decide to change the networking configuration to the host network option. Your tracking portal is still accessible using the host IP. You can now use the well known port 80 instead of a mapped port.

Keep in mind that the container can use only ports not already used by the host.

What is the none network?

To disable networking for containers, use the none network option.

Operating system considerations

Keep in mind that there are differences between desktop operating systems for the Docker network configuration options. For example, the Docker0 network interface isn’t available on macOS when using the bridge network, and using the host network configuration isn’t supported for both Windows and macOS desktops.

These differences might affect the way your developers configure their workflow to manage container development.

The post How Docker containers work appeared first on Tech Chronicles.

Maintain the Host & Daemon Software

It should go without saying, but protecting the host is as important as always. Docker regularly releases security patches for the daemon, so ensure you have a good strategy for updating and maintaining the environment.

• Regularly patch the docker software installed on the server.
• Regularly update the underlying operating system and software
• Harden your server and setup host based intrusion detection, with docker configurations.

Don’t Run in Privileged Mode

Privileged mode gives a container access to many capabilities reserved for root on the host machine, such as control of all devices, the ability to create and manage other containers, and exceptions to any resource limitations imposed by cgroups.

Device control can be used to do all sorts of unfriendly things, such as change the host partition table, mount and read or modify sensitive host file systems, etc.

If at all possible, don’t run containers in privileged mode. Some applications may require this and have a valid use case, such as fully managing other docker containers. If so, don’t place containers unrelated to the privileged one on the same host, to limit the damage if the privileged container is breached.

In general, it is better to selectively add capabilities to the container, rather than giving blanket privileged access. You can see all default and addable privileges in the runtime documentation.

Remove Default Capabilities. Add back what is needed

In the same vein as above (adding capabilities as needed instead of running privileged), I recommend removing all default capabilities and only adding what will be used – frequently no capabilities will be needed in production.

Docker containers run with the following capabilities by default:

As mentioned, it’s best to drop all of these and only selectively add the specific capabilities needed. This takes a little more management overhead, because you may have to work with the application team to determine what is really needed.

Run a container with no capabilities:

# docker run --cap-drop=all my_container

Add back in only net_bind_service and setuid capabilities:

# docker run --cap-drop=all --cap-add net_bind_service --add-cap setuid my_container

Mount Storage Carefully

Some Docker guides will walk you through how to mount storage from various locations. This is generally fine when done correctly, but can lead to potential issues. A few things to be wary of:

• Don’t mount the Docker socket file – any process with read/write access to the socket file also has admin rights over docker processes on the same host. This may be OK if the container mounting the socket is trusted and it’s purpose is to manage other containers on the same host.
• Don’t mount sensitive host file systems – It’s best to mount only a clean filesystem to the container, that is not shared with the host for any reason except being container storage.
• Don’t mount file systems to more than one container – It may be tempting to mount filesystems to multiple containers to share files, but do so with care, as files modified in one will also be modified in the other.

Only Run Trusted Images

We want to avoid a scenario where an attacker could modify images hosted for deployment, or convince the host to startup a container an attacker specified from an untrusted source. The solution to this is Docker Trusted Images and image signing.

Setting up this process takes a little work – we will need to create offline master keys along with a key creation and rotation process for engineers who will be creating and uploading images, so it’s not for every organization.

The Docker documentation has an excellent walkthrough for setting up a trusted registry and the various keys and infrastructure required to do this. Beause of the added risk of losing a master key, this is something you should embark on with a good understanding of chain of trust and key management in your organization.

Be Aware of Docker Networks

Tools such as docker compose can help glue containers together by creating docker specific networks. These networks can provide decent network segmentation out of the box when networks are created with care, but create a single large network by default.

Because the default configuration is one network for all containers, it is easy to create a container network that allows communication between any containers on any port, which is not monitored by traditional network tools. This is especially true with containers running on the same host, where no actual network traffic is generated, but container separation is depended upon.

To mitigate this, leverage orchestration tools that offer networking definition tools, or work with teams to ensure that networks are being well defined between various containers.

Final Words

I recommend you also check out the official docker security documentation. It has a wealth of information and can expand on these topics including more information about the underlying mechanisms.

The post Deploying Docker Securely appeared first on Tech Chronicles.

Here we’ll look at the differences between software, packages, and images as used in Docker. Knowing the differences between these concepts will help us better understand how Docker images work.

We’ll also briefly discuss the roles of the OS running on the host and the OS running in the container.

Software packaged into a container

The software packaged into a container isn’t limited to the applications our developers build. When we talk about software, we refer to application code, system packages, binaries, libraries, configuration files, and the operating system running in the container.

For example, assume we’re developing an order tracking portal that our company’s various outlets will use. We need to look at the complete stack of software that will run our web application. The application we’re building is a .NET Core MVC app, and we plan to deploy the application using Nginx as a reverse proxy server on Ubuntu Linux. All of these software components form part of the container image.

What is a container image?

A container image is a portable package that contains software. It’s this image that, when run, becomes our container. The container is the in-memory instance of an image.

A container image is immutable. Once you’ve built an image, the image can’t be changed. The only way to change an image is to create a new image. This feature is our guarantee that the image we use in production is the same image used in development and QA.

What is the host OS?

The host OS is the OS on which the Docker engine runs. Docker containers running on Linux share the host OS kernel and don’t require a container OS as long as the binary can access the OS kernel directly.

However, Windows containers need a container OS. The container depends on the OS kernel to manage services such as the file system, network management, process scheduling, and memory management.

What is the container OS?

The container OS is the OS that is part of the packaged image. We have the flexibility to include different versions of Linux or Windows OSs in a container. This flexibility allows us to access specific OS features or install additional software our applications may use.

The container OS is isolated from the host OS and is the environment in which we deploy and run our application. Combined with the image’s immutability, this isolation means the environment for our application running in development is the same as in production.

In our example, we’re using Ubuntu Linux as the container OS and this OS doesn’t change from development or production. The image we use is always the same.

What is the Stackable Unification File System (Unionfs)?

Unionfs is used to create Docker images. Unionfs is a filesystem that allows you to stack several directories, called branches, in such a way that it appears as if the content is merged. However, the content is physically kept separate. Unionfs allows you to add and remove branches as you build out your file system.

For example, assume we’re building an image for our web application from earlier. We’ll layer the Ubuntu distribution as a base image on top of the boot file system. Next we’ll install Nginx and our web app. We’re effectively layering Nginx and the web app on top of the original Ubuntu image.

A final writeable layer is created once the container is run from the image. This layer however, does not persist when the container is destroyed.

What is a base image?

A base image is an image that uses the Docker scratch image. The scratch image is an empty container image that doesn’t create a filesystem layer. This image assumes that the application you’re going to run can directly use the host OS kernel.

What is a parent image?

A parent image is a container image from which you create your images.

For example, instead of creating an image from scratch and then installing Ubuntu, we’ll rather use an image already based on Ubuntu. We can even use an image that already has Nginx installed. A parent image usually includes a container OS.

What is the main difference between base and parent images?

Both image types allow us to create a reusable image. However, base images allow us more control over the contents of the final image. Recall from earlier that an image is immutable, you can only add to an image and not subtract.

What is a Dockerfile?

A Dockerfile is a text file that contains the instructions we use to build and run a Docker image. The following aspects of the image are defined:

• The base or parent image we use to create the new image
• Commands to update the base OS and install additional software
• Build artifacts to include, such as a developed application
• Services to expose, such a storage and network configuration
• Command to run when the container is launched

Let’s map these aspects to an example Dockerfile. Suppose we’re creating a Docker image for our ASP.NET Core website. The Dockerfile may look like the following example.

# Step 1: Specify the parent image for the new image
FROM ubuntu:18.04

# Step 2: Update OS packages and install additional software
RUN apt -y update &&  apt install -y wget nginx software-properties-common apt-transport-https \
	&& wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \
	&& dpkg -i packages-microsoft-prod.deb \
	&& add-apt-repository universe \
	&& apt -y update \
	&& apt install -y dotnet-sdk-3.0

# Step 3: Configure Nginx environment
CMD service nginx start

# Step 4: Configure Nginx environment
COPY ./default /etc/nginx/sites-available/default

# STEP 5: Configure work directory
WORKDIR /app

# STEP 6: Copy website code to container
COPY ./website/. .

# STEP 7: Configure network requirements
EXPOSE 80:8080

# STEP 8: Define the entry point of the process that runs in the container
ENTRYPOINT ["dotnet", "website.dll"]

We’re not going to cover the Dockerfile file specification here or the detail of each command in our above example. However, notice that there are several commands in this file that allow us to manipulate the structure of the image.

Recall, we mentioned earlier that Docker images make use of unionfs. Each of these steps creates a cached container image as we build the final container image. These temporary images are layered on top of the previous and presented as single image once all steps complete.

Finally, notice the last step, step 8. The ENTRYPOINT in the file indicates which process will execute once we run a container from an image.

How to manage Docker images

Docker images are large files that initially get stored on your PC and we need tools to manage these files.

The Docker CLI allows us to manage images by building, listing, removing, and running them. We manage Docker images by using the docker client. The client doesn’t execute the commands directly and sends all queries to the dockerd daemon.

We aren’t going to cover all the client commands and command flags here, but we’ll look at some of the most used commands. The learn more section of this module includes links to Docker documentation, which covers all commands and command flags in detail.

How to build an image

We use the docker build command to build Docker images. Let’s assume we use the Dockerfile definition from earlier to build an image. Here is an example that shows the build command.

docker build -t temp-ubuntu .

Here is the output generated from the build command:

Sending build context to Docker daemon  4.69MB
Step 1/8 : FROM ubuntu:18.04
 ---> a2a15febcdf3
Step 2/8 : RUN apt -y update && apt install -y wget nginx software-properties-common apt-transport-https && wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && dpkg -i packages-microsoft-prod.deb && add-apt-repository universe && apt -y update && apt install -y dotnet-sdk-3.0
 ---> Using cache
 ---> feb452bac55a
Step 3/8 : CMD service nginx start
 ---> Using cache
 ---> ce3fd40bd13c
Step 4/8 : COPY ./default /etc/nginx/sites-available/default
 ---> 97ff0c042b03
Step 5/8 : WORKDIR /app
 ---> Running in 883f8dc5dcce
Removing intermediate container 883f8dc5dcce
 ---> 6e36758d40b1
Step 6/8 : COPY ./website/. .
 ---> bfe84cc406a4
Step 7/8 : EXPOSE 80:8080
 ---> Running in b611a87425f2
Removing intermediate container b611a87425f2
 ---> 209b54a9567f
Step 8/8 : ENTRYPOINT ["dotnet", "website.dll"]
 ---> Running in ea2efbc6c375
Removing intermediate container ea2efbc6c375
 ---> f982892ea056
Successfully built f982892ea056
Successfully tagged temp-ubuntu:latest

Don’t worry if you don’t understand the above output. However, notice the steps listed in the output. When each step executes, a new layer gets added to the image we’re building.

Also, notice that we execute a number of commands to install software and manage configuration. For example, in step 2, we run the apt -y update and apt install -y commands to update the OS. These commands execute in a running container that is created for that step. Once the command has run, the intermediate container is removed. The underlying cached image is kept on the build host and not automatically deleted. This optimization ensures that later builds reuse these images to speed up build times.

What is an image tag?

An image tag is a text string that is used to version an image.

In the example build from earlier, notice the last build message that reads “Successfully tagged temp-ubuntu: latest“. When building an image, we name and optionally tag the image using the -t command flag. In our example, we named the image using -t temp-ubuntu, while the resulting image name was tagged temp-ubuntu: latest. An image is labeled with the latest tag if you don’t specify a tag.

A single image can have multiple tags assigned to it. By convention, the most recent version of an image is assigned the latest tag and a tag that describes the image version number. When you release a new version of an image, you can reassign the latest tag to reference the new image.

Here is another example. Suppose you want to use the .NET Core samples Docker images. Here we have four platforms versions that we can choose from:

• mcr.microsoft.com/dotnet/core/samples:dotnetapp
• mcr.microsoft.com/dotnet/core/samples:aspnetapp
• mcr.microsoft.com/dotnet/core/samples:wcfservice
• mcr.microsoft.com/dotnet/core/samples:wcfclient

How to list images

The Docker software automatically configures a local image registry on your machine. You can view the images in this registry with the docker images command.

docker images

The output looks like the example below.

REPOSITORY          TAG                     IMAGE ID            CREATED                     SIZE
tmp-ubuntu          latest             f89469694960        14 minutes ago         1.69GB
tmp-ubuntu          version-1.0        f89469694960        14 minutes ago         1.69GB
ubuntu              18.04                   a2a15febcdf3        5 weeks ago            64.2MB

Notice how the image is listed with its Name, Tag, and an Image ID. Recall that we can apply multiple labels to an image. Here is such an example. Even though the image names are different, we can see the IDs are the same.

The image ID is a useful way to identify and manage images where the name or tag of an image might be ambiguous.

How to remove an image

You can remove an image from the local docker registry with the docker rmi command. Specify the name or ID of the image to remove. This example removes the image for the sample web app using the image name:

docker rmi temp-ubuntu:version-1.0

You can’t remove an image if the image is still in use by a container. The docker rmi command returns an error message, which lists the container relying on the image.

We’ve explored the basics of Docker images, how to manage these images and how to run a container from an image.

The post How Docker Images Work appeared first on Tech Chronicles.

The post Containers vs Virtual Machines (VMs): What’s the Difference? appeared first on Tech Chronicles.

Conclusion

The post Docker Image Vs Container: The Major Differences appeared first on Tech Chronicles.

1. Fundamentals

1.1. Concepts

• Union file system (UFS): allows to overlay multiple file systems appearing as a single system whereby equal folders are merged and equally named files hide their previous versions
• Image: a portable read-only file system layer optionally stacked on a parent image
• Dockerfile: used to build an image and declare the command executed in the container
• Registry: is the place where to push and pull from named / tagged images
• Container: an instance of an image with a writable file system layer on top, virtual networking, ready to execute a single application
• Volume: a directory outside the UFS that can be mounted inside containers for persistent and shared data
• Network: acts as a namespace for containers
• Service: a flexible number of container replicas running on a cluster of multiple hosts

1.2. Lifecycle

A typical docker workflow:

• build an image based on a Dockerfile
• tag and push the image to a registry
• login to the registry from the runtime environment to pull the image
• optionally create a volume or two to provide configuration files and hold data that needs to be persisted
• run a container based on the image
• stop and start the container if necessary
• commit the container to turn it into an image (note: makes the image harder to reproduce)
• in exceptional situations, exec additional commands inside the container
• to replace a container with an updated version:
  • pull the new image from the registry
  • stop the running container
  • backup your volumes to be prepared for a potential rollback
  • run the newer one by specifying a temporary name
  • if successful, remove the old container and rename the new one accordingly

2. Recipes

2.1. Docker Engine

Show docker disk usage

docker system df

Remove unused data

docker system prune

This prompts for confirmation and will remove: all stopped containers, all volumes not used by at least one container, all networks not used by at least one container and all dangling images

2.1.1. Building Images

Debug image build

• docker image build shows the IDs of all temporary containers and intermediate images
• use docker container run -it IMAGE_ID with the ID of the image resulting from the last successful build step and try the next command manually

List all local tags for the same image

docker image ls --no-trunc | grep $(docker image inspect -f {{.Id}} IMAGE:TAG)

2.1.2. Running Containers

Start container and run command inside

docker container run -it ubuntu:14.04 /bin/bash

Start a shell in a running container

docker container exec -it CONTAINER /bin/bash

Start a container as another user

docker container run -u root IMAGE

List all existing containers

docker container ls -a

List running processes inside a container

docker container top CONTAINER

Follow the logs

docker container logs -f --tail=1000 CONTAINER

Stop all running containers

docker container stop $(docker container ls -q)

Remove all stopped containers, except those suffixed ‘-data’:

docker container ls -a -f status=exited | grep -v '\-data *$'| awk '{if(NR>1) print $1}' | xargs -r docker container rm

Remove all stopped containers (warning: removes data-only containers too)

docker container prune

List all images

docker image ls -a

Remove all unused images

docker image prune

Show image history of container

docker image history --no-trunc=true $(docker container inspect -f '{{.Image}}' CONTAINER)

Show file system changes compared to the original image

docker container diff CONTAINER

Backup directory content from container to host directory

docker container run --rm --volumes-from SOURCE_CONTAINER:ro -v $(pwd):/backup alpine \
 tar cvf /backup/backup_$(date +%Y-%m-%d_%H-%M).tar /data

Restore directory content to container from host directory

docker container run --rm --volumes-from TARGET_CONTAINER:ro -v $(pwd):/backup alpine \
 tar xvf /backup/backup.tar

Show names of volumes used by a container

docker container inspect -f '{{ range .Mounts }}{{ .Name }} {{ end }}' CONTAINER

Show names and mount point destinations of volumes used by a container

docker container inspect -f '{{ range .Mounts }}{{ .Name }}:{{ .Destination }} {{ end }}' CONTAINER

Start all paused / stopped containers

• does not work together with container dependencies

Edit and update a file in a container

docker container cp CONTAINER:FILE /tmp/ && docker container run --name=nano -it --rm -v /tmp:/tmp \
 piegsaj/nano nano /tmp/FILE ; \
cat /tmp/FILE | docker container exec -i CONTAINER sh -c 'cat > FILE' ; \
rm /tmp/FILE

Deploy war file to Apache Tomcat server instantly

docker container run -i -t -p 80:8080 -e WAR_URL=“<http://web-actions.googlecode.com/files/helloworld.war>” \
 bbytes/tomcat7

Dump a Postgres database into current directory on the host

echo "postgres_password" | sudo docker container run -i --rm --link db:db -v $PWD:/tmp postgres:8 sh -c ' \
 pg_dump -h ocdb -p $OCDB_PORT_5432_TCP_PORT -U postgres -F tar -v openclinica \
 > /tmp/ocdb_pg_dump_$(date +%Y-%m-%d_%H-%M-%S).tar'

Backup data folder

docker container run --rm --volumes-from oc-data -v $PWD:/tmp piegsaj/openclinica \
 tar cvf /tmp/oc_data_backup_$(date +%Y-%m-%d_%H-%M-%S).tar /tomcat/openclinica.data

Restore volume from data-only container

docker container run --rm --volumes-from oc-data2 -v $pwd:/tmp piegsaj/openclinica \
 tar xvf /tmp/oc_data_backup_*.tar

Get the IP address of a container

docker container inspect -f '{{ .NetworkSettings.IPAddress }}' CONTAINER

2.1.3. Using Volumes

Declare a volume via Dockerfile

RUN mkdir /data && echo "some content" > /data/file && chown -R daemon:daemon /data
VOLUME /data

after the VOLUME directive, its content can not be changed within the Dockerfile

Create an anonymous volume at runtime

docker container run -it -v /data debian /bin/bash

Create a volume at runtime that is bound to a host directory

docker container run --rm -v /tmp:/data debian ls -RAlph /data

Create a named volume and use it

docker volume create --name=test
docker container run --rm -v test:/data alpine sh -c 'echo "Hello named volumes" > /data/hello.txt'
docker container run --rm -v test:/data alpine sh -c 'cat /data/hello.txt'

List the content of a volume

docker container run --rm -v data:/data alpine ls -RAlph /data

Copy a file from host to named volume

echo "debug=true" > test.cnf && \
docker volume create --name=conf && \
docker container run --rm -it -v $(pwd):/src -v conf:/dest alpine cp /src/test.cnf /dest/ && \
rm -f test.cnf && \
docker container run --rm -it -v conf:/data alpine cat /data/test.cnf

Copy content of existing volume to a new named volume

docker volume create --name VOL_B

• than:

docker container run --rm -v VOL_A:/source/folder:ro -v VOL_B:/target/folder \
 alpine cp -r /source/folder /target

or without the need for an intermediate directory (cp implementations differ):

 docker container run --rm -v VOL_A:/source:ro -v VOL_B:/target debian cp -TR /source /target

List all orphaned volumes

docker volume ls -qf dangling=true

Remove all orphaned volumes

docker volume rm $(docker volume ls -qf dangling=true)

Caution, this also removes named volumes that are currently not mounted by any container!

2.2. Docker Machine

On a local VM

Get the IP address of the virtual machine for access from host

docker-machine ip default

Add persistent environment variable to boot2docker

echo 'echo '\''export ENVTEST="Hello Env!"'\'' > /etc/profile.d/custom.sh' | \
sudo tee -a /var/lib/boot2docker/profile > /dev/null

and restart with docker-machine restart default

Install additional linux packages in boot2docker

• create the file /var/lib/boot2docker/bootsync.sh with a content like:

#!/bin/sh
sudo /bin/su - docker -c 'tce-load -wi nano'

Recreate any folders and files on boot2docker startup

• store folders / files in /var/lib/boot2docker/restore-on-boot and
• create the file /var/lib/boot2docker/bootsync.sh with a content like:

#!/bin/sh
sudo mkdir -p /var/lib/boot2docker/restore-on-boot && \
sudo rsync -a /var/lib/boot2docker/restore-on-boot/ /

2.3. Dockerfile

Add a periodic health check

HEALTHCHECK --interval=1m --timeout=3s --retries=5 \
 CMD curl -f <http://localhost/> || exit 1

• see also: HEALTHCHECK

2.4. Logging

Enable log rotation for Docker

• create the file /etc/logrotate.d/docker and insert:

/var/lib/docker/containers/*/*.log {
  daily
  rotate 14
  compress
  delaycompress
  missingok
  copytruncate
}

• check /etc/cron.daily/logrotate and /etc/crontab for general logrotate configuration.

This example will keep all container logs for 14 days.

3. Showcases

3.1. Private Docker Registry

Setup with boot2docker or natively on Linux

printf "\nPulling registry image ...\n" && \
docker image pull registry ; \

printf "\nPreparing registry-cert volume ...\n" && \
docker volume create --name=registry-cert && \
cd /tmp && \
openssl genrsa -out registry.key 4096 && \
openssl req -new -nodes -sha256 -subj '/CN=localhost' -key /tmp/registry.key -out /tmp/registry.csr && \
openssl x509 -req -days 3650 -signkey /tmp/registry.key -in /tmp/registry.csr -out /tmp/registry.pem && \
docker container run --rm -it -v /tmp:/from -v registry-cert:/to --entrypoint sh registry \
 -c 'cp /from/registry.key /to && cp /from/registry.pem /to' && \

printf "\nLetting docker client trust certificate ...\n" && \
if [ -d /var/lib/boot2docker ] ;
then
    sudo mkdir -p /var/lib/boot2docker/certs && \
    sudo cp /tmp/registry.pem /var/lib/boot2docker/certs
else
    sudo mkdir -p /etc/docker/certs.d/localhost && \
    sudo cp /tmp/registry.pem /etc/docker/certs.d/localhost
fi && \

printf "\nPreparing registry-auth volume (please change 'reg_user' and 'reg_password') ...\n" && \
docker volume create --name=registry-auth && \
docker container run --rm --entrypoint /bin/sh -v registry-auth:/auth registry \
 -c 'htpasswd -Bbn reg_user reg_password > /auth/htpasswd' && \

printf "\nPreparing registry-data volume ...\n" && \
docker volume create --name=registry-data && \

printf "\nRunning registry container ...\n" && \
docker container run --name registry -h registry -d \
-v registry-data:/var/lib/registry \
-v registry-auth:/auth:ro \
-v registry-cert:/certs:ro \
--restart=always \
-p 5000:5000 \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.pem \
-e REGISTRY_AUTH=htpasswd \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
registry

Usage example

docker image pull alpine:latest && \
docker login -u reg_user -p reg_password localhost:5000 && \
docker image tag alpine:latest localhost:5000/alpine:private && \
docker image rm alpine:latest && \
docker image push localhost:5000/alpine:private && \
docker image rm -f localhost:5000/alpine:private && \
docker image pull localhost:5000/alpine:private && \
docker logout localhost:5000 && \
docker image ls | grep alpine && \
printf "Deleting image from registry ...\n" && \
curl -X DELETE -u reg_user:reg_password --insecure \
https://localhost:5000/v2/alpine/manifests/$(docker image ls --digests | grep localhost:5000/alpine | awk '{print $3}')

Removal

docker container rm -f registry && \
docker volume rm registry-data registry-cert registry-auth

Further Reading

• advanced authentication: Docker Registry 2 authentication server
• developer notes about deleting images from the registry

3.2. Continuous Integration Tool Stack

Setup with docker-machine / boot2docker

• make a directory called ci in your home directory on your host system and change into it

• create a file named docker-compose.yml with the following content:

version: "2"

services:

  jenkins:
    image: jenkins
    ports:
      - "8082:8082"
      - "50000:50000"
    restart: always
    env_file: .env
    environment:
      - "JAVA_OPTS=-Dmail.smtp.starttls.enable=true -Dorg.apache.commons.jelly.tags.fmt.timeZone=Europe/Berlin"
      - "JENKINS_OPTS=--httpPort=8082"
    volumes:
      - jenkins_home:/var/jenkins_home
    
  nexus:
    image: sonatype/nexus3
    ports:
      - "8081:8081"
    restart: always
    env_file: .env
    volumes:
      - nexus-data:/nexus-data
    
  sonarqube:
    image: sonarqube
    ports:
      - "9000:9000"
    restart: always
    env_file:
      - .env
      - sonarqube.env
    environment:
      - SONARQUBE_JDBC_URL=jdbc:postgresql://postgres:5432/sonar
      - SONARQUBE_JDBC_USERNAME=sonar
    volumes:
      - sonarqube_conf:/opt/sonarqube/conf
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins
    links:
      - postgres

  postgres:
    image: postgres
    ports:
      - "5432:5432"
    restart: always
    env_file:
      - .env
      - sonarqube.env
    environment:
      - POSTGRES_USER=sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

volumes:
  jenkins_home:
  nexus-data:
  sonarqube_conf:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_bundled-plugins:
  postgresql:
  postgresql_data:

• create a second file named .env that defines a timezone:

TZ=Europe/Berlin

• create a third file named sonarqube.env that holds the database passwords:

SONARQUBE_JDBC_PASSWORD=sonar
POSTGRES_PASSWORD=sonar

Usage

• startup all containers:

docker-compose up -d

• watch the logs, type docker-compose logs or docker logs -f ci_jenkins_1

• access the web applications:

  • Jenkins on port 8082
  • Sonatype Nexus on port 8081 and
  • SonarQube on port 9000

Removal

• to remove the tool stack (incl. data), use:

docker-compose down -v

4. Best Practices

Docker Engine

• docker exec is your friend in development, but should be avoided in a production setup

Volumes

• use named volumes to simplify maintenance by separating persistent data from the container and communicating the structure of a project in a more transparent manner

Dockerfile

• always keep environment configuration and secrets out of deployments and images, for example by using environment variables (-e, --env-file)
• always set the USER statement, otherwise the container will run as root user by default, which maps to the root user of the host machine
• use ENTRYPOINT and CMD directives together to make container usage more convenient
• coalesce consecutive RUN directives with && to reduce the costs of a build and to avoid caching of instructions like apt-get update
• to reduce the size of an image, remove temporary resources in the same RUN statement that produces them (otherwise they are still present in an intermediate layer)
• use EXPOSE to document all needed ports
• introduce an additional build Dockerfile for your app, if you have a large set of compile-time dependencies (build container pattern)

5. Additional Material

• Mouat, A. (2015). Using Docker: Developing and Deploying Software with Containers. O’Reilly Media. (German Edition: Docker. Software entwickeln und deployen mit Containern. dpunkt.verlag)
• Turnbull, J. (2016). The Docker Book. Containerization is the new Virtualization.
• Gupta, A. (2016). Docker Container Anti Patterns.
• Piegsa, J. (2016). Dockerbank 2 Workshop. Szenarien des Routinebetriebs. (German Slides)
• Official Docker Documentation
• StackOverflow Documentation
• Awesome Docker
• Docker Labs
• Docker Introduction
• play-with-docker.com

The post Docker Cheat Sheet appeared first on Tech Chronicles.

$ docker container rm [container_name / container_id]
# deleting multiple containers
$ docker container rm [container_1] [container_2] ... [container_N]

$ docker container rm -f [container_name / container_id]

$ docker container prune

$ docker container prune --filter 'NAME=VALUE'

# Example: Deletes stopped containers created until 1 minute ago.
$ docker container prune --filter 'until=1m'

$ docker image ls
# or
$ docker images

docker image rm [image_name:tag / image_id]
# or
docker rmi [image_name:tag / image_id]

$ docker image prune
# or
$ docker rmi $(docker images -qf "dangling=true")

$ docker image prune -a

$ docker network ls
NETWORK ID          NAME                          DRIVER              SCOPE
387cccf19c98        custom_net                    bridge              local
bf5345d30d7f        bridge                        bridge              local
1ae6aef09e5c        host                          host                local
...

$ docker network rm [network_name / network_id]
# or
$ docker network remove [network_name / network_id]

# example
$ docker network rm custom_net
# or
$ docker network rm 387cccf19c98
# or
$ docker network remove 387cc

$ docker network prune

# using --filter you can filter which unused networks you want to delete as we did before with stopped containers
$ docker container prune --filter 'NAME=VALUE'

$ docker network rm custom_net
Error response from daemon: error while removing network: network bi_private id <ID> has active endpoints.

$ docker network inspect custom_net
...
"Containers": [..]
...

$ docker network disconnect -f custom_net container_1
$ docker network disconnect -f custom_net container_2
...
$ docker network disconnect -f custom_net container_N

$ docker network rm custom_net

$ docker volume ls
DRIVER              VOLUME NAME
local               named_volume
local               0a0bce5c74f249a9954120ce3d6cbc5fb388d1fadc27fd55c2a008d2c1bd8d1a
local               1e3f5e108a2e2542f018d0302f3d598bb90ded4cd604fed352c9530d30d35a56
...

$ docker inspect containerid
...
"Mounts": [{volume 6d29ac8a196.. }{ ... }]

$ docker volume rm [volume_name]

$ docker volume prune

# using --filter you can filter which unused volumes you want to delete as we did before with stopped containers and networks.
$ docker volume prune --filter 'NAME=VALUE'

$ docker system prune

$ docker system prune -a

$ docker system prune -a --volumes

The post How to purge Docker images, containers, networks or volumes appeared first on Tech Chronicles.

Before you begin

In this tutorial, we’ll learn how to backup a PostgreSQL database. A Linux machine and Docker will be required to follow this tutorial.

Backup a PostgreSQL local or remote database

Command to backup a local or remote PostgreSQL database using Docker:

$ docker run -i postgres /usr/bin/pg_dump \
  -h [POSTGRESQL_HOST] \
  -U [POSTGRESQL_USER] [POSTGRESQL_DATABASE] > backup.sql

Command to backup multiple PostgreSQL databases using Docker:

$ docker run -i postgres /usr/bin/pg_dumpall \
  -h [POSTGRESQL_HOST] \
  -U [POSTGRESQL_USER] > backup.sql

Command to backup a local or remote PostgreSQL database using Docker with compression (using gzip):

$ docker run -i postgres /usr/bin/pg_dump \
  -h [POSTGRESQL_HOST] \
  -U [POSTGRESQL_USER] [POSTGRESQL_DATABASE] | gzip -9 > backup.sql.gz

Same command below but providing PostgreSQL password as environment variable:

$ docker run -i -e PGPASSWORD=[POSTGRESQL_PASSWORD] postgres /usr/bin/pg_dump \
  -h [POSTGRESQL_HOST] \
  -U [POSTGRESQL_USER] [POSTGRESQL_DATABASE] | gzip -9 > backup.sql.gz

Backup a containerized PostgreSQL database

Command to backup a containerized PostgreSQL database creating a compressed file using Docker and gzip:

$ docker exec [POSTGRESQL_CONTAINER] /usr/bin/pg_dump \
  -U [POSTGRESQL_USER] [POSTGRESQL_DATABASE] | gzip -9 > backup.sql.gz

Same command below but setting PostgreSQL password environment variable to existing container:

$ docker exec [POSTGRESQL_CONTAINER] /bin/bash \
  -c "export PGPASSWORD=[POSTGRESQL_PASSWORD] \
      && /usr/bin/pg_dump -U [POSTGRESQL_USER] [POSTGRESQL_DATABASE]" \
  | gzip -9 > backup.sql.gz

Bonus track: How to dump a portion of a table?

Using Postgres functions you can dump all databases, a database, a schema, only schema data or even a single table dataset. These are some of the available options:

pg_dumpall: Retrieves all databases.

pg_dump: Retrieves specific database.

pg_dump --schema-only DATABASE_NAME: Retrieves only schema/structure of a database.

pg_dump --table TABLE_NAME: Dumps the content of the table TABLE_A.

COPY: Retrieves data from a table and outputs it to a file or stdout. E.g.:

$ docker exec -i [POSTGRESQL_CONTAINER] /usr/bin/psql -U \
  [POSTGRESQL_USER] [POSTGRESQL_DATABASE] \
  -c "COPY (SELECT * FROM [TABLE_NAME] order by time desc limit 1000)
  TO 'dest/folder/filename.txt';"

In previous example we are retrieving last 1000 records from a table TABLE_NAME sorted by time and saving it to a text file dest/folder/filename.txt.

Lately this data file can be restored using the same command COPY as the following example does:

$ docker exec -i [POSTGRESQL_CONTAINER] /usr/bin/psql -U \
  [POSTGRESQL_USER] [POSTGRESQL_DATABASE] \
  -c "COPY [TABLE_NAME] from 'dest/folder/filename.txt' WITH (FORMAT text);"

More info about COPY here: https://www.postgresql.org/docs/10/static/sql-copy.html

The post How to backup a PostgreSQL database using Docker appeared first on Tech Chronicles.