docker snippets

How to start a bash shell in Docker

Tagged docker, shell, bash  Languages bash

To start a bash shell in an already running container:

docker exec -it <container id/name> bash

To start a bash shell using an image of a container that is not running:

docker run -i -t --entrypoint /bin/bash <image id>

How to access a service running on the host from a docker container

Tagged host, ip, ufw, container, docker, docker-compose, subnet  Languages bash

How to access a service running on the host from a docker container? Easy…

  1. Create a custom network (bridge)
  2. Make the docker container use the network
  3. On the host make the service listen to the hosts IP address on the custom network
version: "3.8"
services:
  "mycontainer":
    image: registry.gitlab.com/xxx/mycontainer:v1
    networks:
      - mynetwork
    env_file: ./mycontainer.env
networks:
  mynetwork:
    ipam:
      config:
        - subnet: 172.25.0.0/16

The docker container will be assigned an IP from the 172.25.0.0/16 subnet.

Now, just make sure the service is listening to the host’s IP address on the network which should be 172.25.0.1.

Lastly, remember to allow the traffic in the firewall. See UFW example below:

# Check where the connection is coming from:
sudo dmesg
# Unblock the connections by source IP
sudo ufw allow in from "172.25.0.5" to 172.17.0.1 port 5432
# Or, unblock the connections by network name
sudo ufw allow in on <name of network> to 172.17.0.1 port 5432

Bad ideas

There are many other ways of achieving this, which are more or less bad ideas…

  • Option 1: docker hostnames

This option is mostly useful in development environments:

# Mac
ping docker.for.mac.localhost

# Windows
ping docker.for.win.localhost

# Linux: use the Docker IP or the hosts external IP, see:
# https://github.com/docker/for-linux/issues/264#issuecomment-385698947
  • Option 2: host networking

This option is not a good idea if you plan on hosting many projects on the same server.

Note that it’s not possible to use host networking on Mac or Windows, only Linux:

The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.

See:

Configure Docker to use a private container registry using a self-signed certificate

Tagged self-signed, registry, docker  Languages bash

How to configure Docker to use a private container registry using a self-signed certificate.

Tested on Docker version 18.09.4, build d14af54.

  • Copy self-signed certificate from the registry server to the docker server

On your laptop:

$ scp [email protected]://etc/ssl/certs/selfsigned.crt [email protected]://etc/ssl/certs/private-docker-registry.crt
  • Restart docker daemon

On the docker server:

$ sudo service docker restart
  • Login to the registry from the docker server

On the docker server:

sudo docker login -u christian registry-server
> WARNING! Your password will be stored unencrypted in /home/christian/.docker/config.json.

How to configure Kubernetes to pull images from a private Docker registry

Tagged registry, docker, kubernetes, private  Languages bash, yml

How to configure Kubernetes to pull images from a private Docker registry:

  • First configure Docker by following the steps outlined here:

https://snippets.aktagon.com/snippets/869-configure-docker-to-use-a-private-container-registry-using-a-self-signed-certificate

  • Verify that the Docker configuration contains the authentication information
sudo cat ~/.docker/config.json
{
    "auths": {
        "<registry-server>": {
            "auth": "<hash>"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.4 (linux)"
    }
}
  • Base64 encode the config.json file
cat ~/.docker/config.json | base64 -w0 > config.base64.json
  • Create secret.yml and add the contents of config.base64.json to dockerconfigjson
apiVersion: v1
kind: Secret
metadata:
 name: registrypullsecret
data:
 .dockerconfigjson: <config.base64.json>
type: kubernetes.io/dockerconfigjson
  • Import the secret into Kubernetes
kubectl create -f secret.yml && kubectl get secrets
  • Test that the secret was imported into Kubernetes
kubectl get secrets

Simple Dockerfile for Ruby on Rails applications

Tagged docker, ruby, dockerfile, rails  Languages bash
#
# Ruby on Rails Dockerfile
#
# ## Features:
#
# - Ruby
# - Puma
# - Yarn
# - Node
# - PostgreSQL
#
# ## Configuration
#
# ```bash
# mkdir .docker
# cat << EOF > .docker/envrc.dev
# RAILS_ENV=development
# DB_HOST=localhost
# DB_NAME=app_development
# DB_USER=app
# DB_PASS=password
# EOF
# cat << EOF > .docker/envrc.prod
# RAILS_ENV=production
# DB_HOST=postgres
# DB_NAME=app_production
# DB_USER=app
# DB_PASS=password
# EOF
# ```
#
# ## Usage
#
# ```bash
# $ docker build . -t <image name>
#
# # Development
# $ docker run --network=host --env-file=.docker/envrc.dev <image name>
#
# # Production
# $ docker run -p 3000:3000 --env-file=.docker/envrc.prod <image name>
# ```
#
FROM ruby:2.6.3

# Add Yarn to apt
# RUN curl -o- -L https://yarnpkg.com/install.sh | bash
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

# Install dependencies
RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs yarn

# Don't run as root
RUN useradd --user-group -m --home /app --shell /bin/false app
RUN chown app:app /app
RUN chmod -R 740 /app
USER app

# Set working dir
ENV RAILS_ROOT /app
WORKDIR $RAILS_ROOT

ARG RAILS_ENV
ARG DB_HOST
ARG DB_NAME
ARG DB_USER
ARG DB_PASS

# Set ENV variables
ENV RAILS_ENV ${RAILS_env}
ENV RACK_ENV ${RAILS_ENV}
ENV DB_HOST ${DB_HOST}
ENV DB_NAME ${DB_NAME}
ENV DB_USER ${DB_USER}
ENV DB_PASS ${DB_PASS}

# Add and cache Ruby & Javascript dependencies
COPY --chown=app Gemfile Gemfile
COPY --chown=app Gemfile.lock Gemfile.lock
ADD package.json yarn.lock /tmp/
# Install Ruby and Javascript dependencies
RUN gem install bundler:2.0.2
RUN bundle install --jobs 20 --retry 5 --with=$RAILS_ENV --deployment
RUN yarn install

# Add project files
COPY --chown=app . .
# Precompile assets
RUN bundle exec rake assets:precompile

RUN mkdir -p log tmp/pids

EXPOSE 3000
CMD ["bundle", "exec", "puma", "-C", "config/puma.rb"]

UFW + Docker = No firewall

Tagged docker, elasticsearch, gotcha, iptables, ufw, wtf  Languages 

TLDR: Docker can and will override existing iptable rules and expose your services to the Internet

This means you have to think twice when installing Docker on a machine that is only protected by an iptables-based firewall such as UFW. You might think you are protected by your firewall, but you very likely are not. This is probably one of the more common reasons why Elasticsearch servers, which are unprotected by default, are exposed to the internet.

For details, see: https://github.com/docker/for-linux/issues/690

Solution 1: External firewall

One solution is to use a firewall provided by the hosting provider (DO, AWS, GCP, etc.).

Solution 2: Disable Docker’s iptables “feature”

Disable iptables in Docker by adding the following switch:

--iptables=false

Solution 2: Listen on private IPs

This is perhaps the easiest to implement and easiest to forget: expose your containers and services on one of the following private IP address ranges:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

Note that binding to 127.0.0.1 will not work with Docker Swarm.

How to set the environment variables in a cron script (Docker)

Tagged cron, docker, env, crontab, environment, docker-compose  Languages bash

To give your cron script access to the same environment variables as the Docker container, you can read and export the environment variables for the PID 1 process in your script:

crontab -l
* * * * * /app/run.sh jobs.xxx

/app/run.sh

#!/usr/bin/env bash
# Read the environment variables for the main process (PID 1) running in the Docker container:
export $(xargs -0 -a "/proc/1/environ")

python3 -m $1