In this post, you will understand how Docker works while deploying one Web Server with NGINX+PHP and one Database Server with MariaDB in two different Dockers.

Any time you want to install one software with ‘apt-get’ in Linux, make sure you update the local database with the cloud:

sudo apt update

It is also recommended you keep your system up to date:

sudo apt upgrade

Install Docker.IO to be able to download images from the internet as easy as it works with ‘apt-get’:

sudo apt install docker.io -y

Note there is no image pulled yet (pull is the term used for download and extract images):

sudo docker images

For this exercise, we will use Debian but you can choose Ubuntu, for example:

sudo docker pull debian

OR

sudo docker pull ubuntu

Since it was not specified the version, the latest released version will be chosen: Downloaded newer image for debian:latest

Now, if you check the images ‘debian:latest’ will be there:

sudo docker images

Many Container can be made from the same Image and none of them will make changes in the Image content, but all will use the content of it simultaneously (like a read-only file).

To create the Container for the Web Server based on the Debian image type:

sudo docker run --name html -d -it -p 80:80 -v ~/html:/var/www/html debian:latest /bin/bash

Description of the syntax:

  • sudo docker run
    • ‘run’ actually created the container.
  • –name html
    • ‘–name’ is the argument to the name of the container, in this case I called ‘html’.
  • -d -it
  • -p 80:80
    • ‘-p’ will expose the port that your container is listening to, so any request to the host machine will be forwarded to the container line NAT (port 80 external to 80 internal).
  • -v ~/html:/var/www/html
    • ‘-v’ maps one directory from the host (‘~/html’) machine to the docker (‘/var/www/html’). It is important to keep the files accessible outside the container. You can change the host path to any host you want. You can also add :ro to make the mounted directory read-only inside the docker.
  • debian:latest
    • the image used to run the docker.
  • /bin/bash
    • Bash shell will be attached every time you enter the terminal.

Now, you can see the Docker called ‘html’ was already created:

sudo docker ps -a

And the ‘html’ is also running:

sudo docker ps

To enter the terminal and be able to issue commands inside the Docker type:

sudo docker attach html

OR

sudo docker exec -it html bash

OR if you want to force enter as the root user:

sudo docker exec -u 0 -it database bash

This command will attach the default input and output of the Docker to your terminal. If you type ‘exit’ you will end the process. To exit and leave the Docker running type CTRL+P and then CTRL+Q.

Inside the Docker, you work like inside one VM, nothing you do there will affect the host operating system.

Then you install the programs for the Web Server in Docker. Sudo is not necessary because inside the Docker the active user is already ‘root’:

apt update && apt upgrade && apt install nano locate nginx php-fpm -y

You can remove the current configuration file and create a new one or just make several changes to it:

rm /etc/nginx/sites-available/default
nano /etc/nginx/sites-available/default

If you removed it, just paste this new content and save the file:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  root /var/www/html;
  index index.php index.html index.htm;
  server_name _;
  location / {
  autoindex on;
  try_files $uri $uri/ =404;
}
location ~ .php$ {
  include snippets/fastcgi-php.conf;
  fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location ~ /.ht {
  deny all;
}
}

To save type CTRL+O and to close the editor type CTRL+X.

Now start both services, PHP interpreter and HTTP server:

service php7.3-fpm start
service nginx start

If the first service does not start, check the version installed (in bold above) and modify the command the configuration file.

With any web browser enter http://127.0.0.1/. You may see the content of your home directory. According to the new configuration file only index one file to the directory if its name is ‘index.php’ or ‘index.html’ or ‘index.htm’.

Use the keyboard to exit the Docker and keep it running (CTRL+P and then CTRL+Q) and go to the directory that the website will be placed, remove the file that was automatically created and create one index file:

sudo chmod 777 -R ~/html
cd ~/html
rm index.nginx-debian.html
nano index.php

Paste this PHP code in the new file:

<?php
phpinfo();
?>

This code prints all the configurations of the HTTP server and the PHP interpreter. Go back to the web browser and refresh the page (F5).

Now that the Web Server is done, let’s create the Database Server:

sudo docker run --name database -d -it -p 3306:3306 -v ~/mysql:/var/lib/mysql debian:latest /bin/bash

And let’s go inside the Docker called ‘database’ to install the server:

sudo docker attach database

OR

sudo docker exec -it database bash

Issue the command:

apt update && apt upgrade && apt install nano locate mariadb-server mariadb-client -y
service mysql start
mysql_secure_installation

Follow the steps to set a password for root (initially has no password created), remove root accounts that are accessible from outside the localhost, remove anonymous-user accounts and remove the test database.

Test if the MYSQL server is running:

mysql -u root -p
> SHOW databases;
> quit

Use the keyboard to exit the Docker and keep it running (CTRL+P and then CTRL+Q).

In summary:

  • 1: There is only one Image in your system, even if this image is been used in more than one Container. This image cannot be removed unless all the dependent Container is removed.
  • 2: This shows that at this time only one Container is running.
  • 3: There are three Containers in the system, all based on the same Debian Image. The Container colled ’empty’ was created just to show the initial size of one empty Container.
  • 4: List all the Containers with the current size. Note, the empty Container has the same size as the Image. And it grows as much as new programs and files were added on it. That is another reason to keep the data files from the server outside of the docker (the folders ‘~/html’ and ‘~/mysql’).

To stop the docker:

sudo docker stop html

OR

sudo docker stop database

To start the Docker after stop or reboot of host machine:

sudo docker start html
sudo docker exec -d html /etc/init.d/php7.3-fpm start
sudo docker exec -d html /etc/init.d/nginx start

OR

sudo docker start database
sudo docker exec -d mysql service mysql start

Note: after the Docker be started, the services in it will not start automatically. The command ‘exec’ informs the Docker to execute the following command inside, for example: ‘service mysql start’ or ‘/etc/init.d/nginx start’.

Removing all the created Dockers and Images:

sudo docker stop html
sudo docker stop database
sudo docker rm html
sudo docker rm database
sudo docker rmi debian

BACKING UP

  • commit
    • Creates an image from a running container.
    • sudo docker commit -p [container-id] backup_image
  • tag
    • Create a tagged image that refers to the source image.
    • sudo docker tag backup_image localhost:5000/bkp-img:v1
  • push
    • Shares the image to the Docker Hub registry or to a self-hosted.
    • sudo docker push bkp-img:v1
  • pull
    • Pulls a pulled image from the Docker Hub registry or to a self-hosted.
    • sudo docker pull localhost:5000/bkp-img:v1
  • save
    • Save the image to a TAR file.
    • sudo docker save -o backup_image.tar backup_image
  • load
    • Extract the image from a TAR file.
    • sudo docker load -i /tmp/backup_image.tar

See the full list of commands in Docker Docs [Link].


DOCKER FILE

A Dockerfile is used to create an image. See example:

FROM nginx:alpine
ADD . /usr/share/nginx/html
RUN mkdir /app
WORKDIR /app
COPY script.sh .
CMD script.sh

Note: the commands ADD and COPY are very similar but as a good practice, COPY should always be used unless the special features of ADD in needed: handle URL as source, or extracting the content of a TAR file to the destination.

The Dockerfile has no extension.

Creating a .dockerignore to prevent some files to be added to the build.

Dockerfile
.git
anotherfile.zip
*.php
and_so_on.txt

Then build your image:

sudo docker build --tag webserver:latest .

The “.” (dot at the end) informs where the Docker file is located, in this case in the current directory.

TIP: Consider using the very lightweight ALPINE when possible, mainly if it will run on RaspberryPi Zero. Read more about it [Link].


PERSISTENT DATA

All the data stored in the container by default will be destroyed after the container is deleted.

There are two main alternatives to this issue:

  • Mount a local directory inside the container and keep the desired data outside it. It is also called host volumes or bind volumes but it is not a volume;
  • Create a volume to be attached to a container.

On the preview examples, a local directory was mounted the container using the argument -v:

sudo docker run --name database -d -it -p 3306:3306 -v ~/mysql:/var/lib/mysql debian:latest /bin/bash

The local directory /home/my_user_id/mysql (~/mysql for short) was available inside the container at the location /var/lib/mysql.

If the docker crashes or gets deleted the data will be safe and can be easily backup or migrate.

Volumes types:

  • Anonymous:
    • The volume will be automatically created but the name will be a random hash which makes it difficult to manage.
sudo docker run --name database -d -it -p 3306:3306 -v /var/lib/mysql debian:latest /bin/bash
  • Named:
    • First, create it with the desired name then run the container.
sudo docker volume create volume_name
sudo docker run --name database -d -it -p 3306:3306 -v volume_name:/var/lib/mysql debian:latest /bin/bash

NETWORK

Dockers are always attached to an network type:

  • Bridge (default)
    • It uses a mapped port from the host to the container.
    • On the preview examples, the host port 3306 was mapped to the same port in the container using the argument -p:
sudo docker run --name database -d -it -p 3306:3306 -v volume_name:/var/lib/mysql debian:latest /bin/bash
  • Host
    • The docker will be available only internally in an overlay network and will require a service to created and load balance the traffic.
    • If this is the case, I recommend using an orchestrator such as K3s or K8s instead of doing it manually.
  • None
    • As the name implies, there is no network.

EMBEDDED DNS

The important thing to know about the embedded DNS is that the docker automatically resolves names based on the names of the containers.

Always give a meaningful name to the containers and use them as addresses instead of the internal IP because there is no guarantee that the containers will get the same IP every time.


HARDENING DOCKER IMAGES

  • Start choosing solid hardened base images (most are poorly written),
  • Always use official images from certified authors (otherwise they might contain malicious code and backdoors),
  • Updating and upgrading the image right after pulling is always a good idea,
  • Check for default configurations and apply all the best practices in the market to the necessary applications and services,
  • That being said, stop/disable/remove all unnecessary services,
  • Run multiple security scans against your image, such as:
    • Docker Scan – A native feature of Docker (example sudo docker scan ubuntu:latest).
    • Trivy [Link] – Available directly from GitHub or as a Docker container.
    • Anchore Grype [Link] – Inline script execution that created a Docker container.
    • Docker Bench [Link]
  • Create your own base image from all you have worked on to be the standard for your projects.

BONUS

Create your own speed test server.

  • Open-source solution LibreSpeed [Link]:
sudo docker run -e MODE=standalone -p 80:80 -it adolfintel/speedtest
  • Open-source solution OpenSpeedTest [Link]:
docker run --restart=unless-stopped --name=openspeedtest -d -p 80:3000 openspeedtest/latest

READ ALSO

Snap vs Docker vs Multipass [Link]

Managing Dockers with Yacht [Link]

NextCloud using Docker [Link]

Kubernetes Cheat Sheet [Link]

 

One Reply to “How to Use Docker”

Comments are closed.