Docker is by far the most popular application container solution, and Docker Swarm is an integrated functionality of Docker Engine that orchestrates a group of Docker engines into a single virtual Docker engine. It provides high-availability and aggregated computing power of the cluster.
DOCKER INSTALLATION
sudo apt update && sudo apt upgrade -y sudo apt install docker.io -y
DOCKER SWARM SETUP
On the node you want do be the manager of the cluster, initialise Swarm:
sudo docker swarm init
Copy and paste the generated command on all other nodes to join the cluster as workers. It will loo like this:
sudo docker swarm join --token ************************************************************* 192.168.10.10:2377
Check all the nodes of the cluster:
sudo docker node ls
In the future, to add more workers nodes to the cluster, issue the following command from the current manager node to get the command again:
sudo docker join-token worker
Or for an additional manager node:
sudo docker join-token manager
Finally, to remove a node from the cluster:
sudo docker swarm leave
OR
sudo docker node rm ****************** --force
If needed to promote (or demote) a standby manager to the current leader:
sudo docker node promote ******************
To make a node not legible for running loads:
sudo docker node update --availability drain
Or to change it back:
sudo docker node update --availability active
DOCKER BASIC COMMANDS
Note there is no image pulled yet (pull is the term used for download and extract images):
sudo docker images
For this exercise, we will use Debian but you can choose Ubuntu, for example:
sudo docker pull debian
OR
sudo docker pull ubuntu
Since it was not specified the version, the latest released version will be chosen: Downloaded newer image for debian:latest
Now, if you check the images ‘debian:latest’ will be there:
sudo docker images
Many Container can be made from the same Image and none of them will make changes in the Image content, but all will use the content of it simultaneously (like a read-only file).
Web Server Example
sudo docker run --name html -d -it -p 80:80 -v ~/html:/var/www/html debian:latest /bin/bash
Description of the syntax:
- sudo docker run
- ‘run’ actually created the container.
- –name html
- ‘–name’ is the argument to the name of the container, in this case I called ‘html’.
- -d -it
- -p 80:80
- ‘-p’ will expose the port that your container is listening to, so any request to the host machine will be forwarded to the container line NAT (port 80 external to 80 internal).
- -v ~/html:/var/www/html
- ‘-v’ maps one directory from the host (‘~/html’) machine to the docker (‘/var/www/html’). It is important to keep the files accessible outside the container. You can change the host path to any host you want. You can also add :ro to make the mounted directory read-only inside the docker.
- debian:latest
- the image used to run the docker.
- /bin/bash
- Bash shell will be attached every time you enter the terminal.
Now, you can see the Docker called ‘html’ was already created:
sudo docker ps -a
And the ‘html’ is also running:
sudo docker ps
To enter the terminal and be able to issue commands inside the Docker type:
sudo docker attach html
OR
sudo docker exec -it html bash
OR if you want to force enter as the root user:
sudo docker exec -u 0 -it database bash
This command will attach the default input and output of the Docker to your terminal. If you type ‘exit’ you will end the process. To exit and leave the Docker running type CTRL+P and then CTRL+Q.
Then you install the programs for the Web Server in Docker. Sudo is not necessary because inside the Docker the active user is already ‘root’:
apt update && apt upgrade && apt install nano locate nginx php-fpm -y
You can remove the current configuration file and create a new one or just make several changes to it:
rm /etc/nginx/sites-available/default nano /etc/nginx/sites-available/default
If you removed it, just paste this new content and save the file:
server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.php index.html index.htm; server_name _; location / { autoindex on; try_files $uri $uri/ =404; } location ~ .php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.3-fpm.sock; } location ~ /.ht { deny all; } }
To save type CTRL+O and to close the editor type CTRL+X.
Now start both services, PHP interpreter and HTTP server:
service php7.3-fpm start service nginx start
If the first service does not start, check the version installed (in bold above) and modify the command the configuration file.
With any web browser enter http://127.0.0.1/. You may see the content of your home directory. According to the new configuration file only index one file to the directory if its name is ‘index.php’ or ‘index.html’ or ‘index.htm’.
Use the keyboard to exit the Docker and keep it running (CTRL+P and then CTRL+Q) and go to the directory that the website will be placed, remove the file that was automatically created and create one index file:
sudo chmod 777 -R ~/html cd ~/html rm index.nginx-debian.html nano index.php
Paste this PHP code in the new file:
<?php phpinfo(); ?>
This code prints all the configurations of the HTTP server and the PHP interpreter. Go back to the web browser and refresh the page (F5).
Database Example
sudo docker run --name database -d -it -p 3306:3306 -v ~/mysql:/var/lib/mysql debian:latest /bin/bash
And let’s go inside the Docker called ‘database’ to install the server:
sudo docker attach database
OR
sudo docker exec -it database bash
Issue the command:
apt update && apt upgrade && apt install nano locate mariadb-server mariadb-client -y service mysql start mysql_secure_installation
Follow the steps to set a password for root (initially has no password created), remove root accounts that are accessible from outside the localhost, remove anonymous-user accounts and remove the test database.
Test if the MYSQL server is running:
mysql -u root -p > SHOW databases; > quit
Use the keyboard to exit the Docker and keep it running (CTRL+P and then CTRL+Q).
Examples Summary
sudo docker images sudo docker ps sudo docker ps -a sudo docker ps -as
In summary:
- 1: There is only one Image in your system, even if this image is been used in more than one Container. This image cannot be removed unless all the dependent Container is removed.
- 2: This shows that at this time only one Container is running.
- 3: There are three Containers in the system, all based on the same Debian Image. The Container colled ’empty’ was created just to show the initial size of one empty Container.
- 4: List all the Containers with the current size. Note, the empty Container has the same size as the Image. And it grows as much as new programs and files were added on it. That is another reason to keep the data files from the server outside of the docker (the folders ‘~/html’ and ‘~/mysql’).
To stop the docker:
sudo docker stop html
OR
sudo docker stop database
To start the Docker after stop or reboot of host machine:
sudo docker start html sudo docker exec -d html /etc/init.d/php7.3-fpm start sudo docker exec -d html /etc/init.d/nginx start
OR
sudo docker start database sudo docker exec -d mysql service mysql start
Note: after the Docker be started, the services in it will not start automatically. The command ‘exec’ informs the Docker to execute the following command inside, for example: service mysql start
or /etc/init.d/nginx start
.
Examples Cleanup
sudo docker stop html sudo docker stop database sudo docker rm html sudo docker rm database sudo docker rmi debian
Debugging
sudo docker logs dockerName sudo docker stats dockerName
DOCKER IMAGES
- commit
- Creates an image from a running container.
- sudo docker commit -p [container-id] backup_image
- tag
- Create a tagged image that refers to the source image.
- sudo docker tag backup_image localhost:5000/bkp-img:v1
- push
- Shares the image to the Docker Hub registry or to a self-hosted.
- sudo docker push bkp-img:v1
- pull
- Pulls a pulled image from the Docker Hub registry or to a self-hosted.
- sudo docker pull localhost:5000/bkp-img:v1
- save
- Save the image to a TAR file.
- sudo docker save -o backup_image.tar backup_image
- load
- Extract the image from a TAR file.
- sudo docker load -i /tmp/backup_image.tar
See the full list of commands in Docker Docs [Link].
DOCKER FILE
A Dockerfile is used to create an image. See example:
FROM nginx:alpine ADD . /usr/share/nginx/html RUN mkdir /app WORKDIR /app COPY script.sh . CMD script.sh
Note: the commands ADD and COPY are very similar but as a good practice, COPY should always be used unless the special features of ADD in needed: handle URL as source, or extracting the content of a TAR file to the destination.
The Dockerfile has no extension.
Creating a .dockerignore to prevent some files to be added to the build.
Dockerfile .git anotherfile.zip *.php and_so_on.txt
Then build your image:
sudo docker build --tag webserver:latest .
The “.” (dot at the end) informs where the Docker file is located, in this case in the current directory.
TIP: Consider using the very lightweight ALPINE when possible, mainly if it will run on RaspberryPi Zero. Read more about it [Link].
PERSISTENT DATA
All the data stored in the container by default will be destroyed after the container is deleted.
There are two main alternatives to this issue:
- Mount a local directory inside the container and keep the desired data outside it. It is also called host volumes or bind volumes but it is not a volume;
- Create a volume to be attached to a container.
On the preview examples, a local directory was mounted the container using the argument -v:
sudo docker run --name database -d -it -p 3306:3306 -v ~/mysql:/var/lib/mysql debian:latest /bin/bash
The local directory /home/my_user_id/mysql (~/mysql for short) was available inside the container at the location /var/lib/mysql.
If the docker crashes or gets deleted the data will be safe and can be easily backup or migrate.
Volumes types:
- Anonymous:
- The volume will be automatically created but the name will be a random hash which makes it difficult to manage.
sudo docker run --name database -d -it -p 3306:3306 -v /var/lib/mysql debian:latest /bin/bash
- Named:
- First, create it with the desired name then run the container.
sudo docker volume create volume_name sudo docker run --name database -d -it -p 3306:3306 -v volume_name:/var/lib/mysql debian:latest /bin/bash
PORT MAPPING
Dockers are always attached to an network type:
- Bridge (default)
- It uses a mapped port from the host to the container.
- On the preview examples, the host port 3306 was mapped to the same port in the container using the argument -p:
sudo docker run --name database -d -it -p 3306:3306 -v volume_name:/var/lib/mysql debian:latest /bin/bash
- Host
- The docker will be available only internally in an overlay network and will require a service to created and load balance the traffic.
- If this is the case, I recommend using an orchestrator such as K3s or K8s instead of doing it manually.
- None
- As the name implies, there is no network.
EMBEDDED DNS
The important thing to know about the embedded DNS is that the docker automatically resolves names based on the names of the containers.
Always give a meaningful name to the containers and use them as addresses instead of the internal IP because there is no guarantee that the containers will get the same IP every time.
BASIC TIPS AND TRICKS
- Start choosing solid hardened base images (most are poorly written),
- Consider using
podman
instead ofdocker
command to run containers not as root whenever possible, - Always use official images from certified authors (otherwise they might contain malicious code and backdoors),
- Updating and upgrading the image right after pulling is always a good idea,
- Check for default configurations and apply all the best practices in the market to the necessary applications and services,
- That being said, stop/disable/remove all unnecessary services,
- Run multiple security scans against your image, such as:
- Create your own base image from all you have worked on to be the standard for your projects.
DOCKER CLEAN UP
Remove unused assets.
sudo docker container prune sudo docker volume prune sudo docker image prune sudo docker network prune sudo docker system prune
Note: the command with system will remove all unused containers, volumes, and images in this order.
DOCKER SWARM BASIC COMMANDS
Service
On production, containers are not manually executed but the concept of services will define what is needed and the orchestrator (Swarm) will make it happens. A service might contain multiple containers.
Create a simple service manually:
sudo docker service create --name http --publish 8000:80 nginx
List all existent services:
sudo docker service ls
Scaling a service (setting the number of running instances):
sudo docker service scale http=10
Removing a service:
sudo docker service rm http
Defining the number of replicas en version on the creation:
sudo docker service create --replicas 5 --name http php:7.4-cli
Updating the version of the image:
sudo docker service update --image php:8.0-cli --update-delay 5s http
Stack
The concept of stack is even broader than a service because it may contain many more resources: network, services, etc.
sudo docker stack deploy -y application_stack.yaml application_stack
Use the same command to update a stack after making changes to it YAML configuration. The orchestrator will only apply the changes to the desired state (NOT re-deploy everything).
Example of a stack file:
version: '3.7' services: nginx: image: nginx:latest ports: - "80:80" - "443:443" networks: - nginx-net deploy: replicas: 3 update_config: parallelism: 1 delay: 5s restart_policy: condition: on-failure networks: nginx-net: driver: overlay
BONUS
Create your own speed test server.
- Open-source solution LibreSpeed [Link]:
sudo docker run -e MODE=standalone -p 80:80 -it adolfintel/speedtest
- Open-source solution OpenSpeedTest [Link]:
docker run --restart=unless-stopped --name=openspeedtest -d -p 80:3000 openspeedtest/latest
READ ALSO
Snap vs Docker vs Multipass [Link]
Managing Dockers with Yacht [Link]
NextCloud using Docker [Link]
Kubernetes Cheat Sheet [Link]