Docker & Kubernetes
Latest revision as of 02:45, 18 August 2024
Docker
NOTICE: The following documentation refers to installation of Docker on a Red Hat Enterprise or CentOS Linux Server
Overlay Linux Kernel Driver
To begin with, Docker runs best with its "overlay2" storage driver, which needs the Linux "overlay" kernel module loaded. Run this command as the root/superuser or with sudo to have the module loaded at each reboot. Note that the file write itself must happen with root privileges: a plain 'sudo echo "overlay" > /etc/modules-load.d/overlay.conf' fails with "Permission denied", because the redirection is performed by your unprivileged shell before sudo runs, so the text is piped through "sudo tee" instead:
[jamie@cos8vm51.dawgland.com:~]$ echo "overlay" | sudo tee /etc/modules-load.d/overlay.conf
Reboot and double check that the Linux kernel overlay module is loaded with this command:
[jamie@cos8vm51.dawgland.com:~]$ lsmod | grep overlay
overlay               135168  0
[jamie@cos8vm51.dawgland.com:~]$
If you get the "overlay 135168 0" response after typing the "lsmod | grep overlay" command, you are good to go. The actual number doesn't matter, as long as the word "overlay" appears, indicating that the "overlay" Linux kernel module is loaded into the kernel. If not, you need a newer Linux kernel that supports the overlay2 driver, which is beyond the scope of this article; you basically need to pick a different, newer Linux distribution.
Required Packages
Docker requires some basic utilities and tools provided by specific Linux packages. For Red Hat Enterprise Linux and CentOS Linux, these packages at minimum are required:
- device-mapper-persistent-data
- dnf-utils
- fuse-overlayfs
- lvm2
- wget
To install these packages, or at least double-check that they are installed (and install them if not), open a terminal if you are not already at the command prompt of the machine you want to install Docker on. Then, become the root/superuser. I use the "sudo" utility to do this, but you may have other methods depending on your system and preferences.
Here is an example of me doing so on a brand new VM (Virtual Machine) with a minimal installation of CentOS 8, fully updated using the "DNF" utility. I will also demonstrate the command used to check for updates and refresh the package cache.
First, become the root user:
[jamie@cos8minvm.dawgland.com:~]$ sudo su -
Last login: Tue Apr 6 19:41:31 PDT 2021 on pts/0
[root@cos8minvm.dawgland.com:~]#
And now that I am the "root", aka the "SuperUser", I will check for updates and refresh the package cache in one command:
[root@cos8minvm.dawgland.com:~]# dnf check-update --refresh
CentOS Linux 8 - AppStream                       7.5 kB/s | 4.3 kB     00:00
CentOS Linux 8 - BaseOS                           12 kB/s | 3.9 kB     00:00
CentOS Linux 8 - Extras                           51  B/s | 1.5 kB     00:30
Extra Packages for Enterprise Linux Modular 8 -   27 kB/s |  15 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64    33 kB/s |  14 kB     00:00
[root@cos8minvm.dawgland.com:~]#
And the actual command to install the required packages, using the DNF utility. If you are running a pre-8.x version of Red Hat Enterprise or CentOS, substitute "yum" in place of "dnf":
[root@cos8minvm.dawgland.com:~]# dnf -y install device-mapper-persistent-data dnf-utils fuse-overlayfs lvm2 wget
Last metadata expiration check: 0:05:46 ago on Tue 06 Apr 2021 08:06:14 PM PDT.
Dependencies resolved.
================================================================================
 Package                        Arch    Version                              Repo       Size
================================================================================
Installing:
 device-mapper-persistent-data  x86_64  0.8.5-4.el8                          baseos    468 k
 fuse-overlayfs                 x86_64  1.3.0-2.module_el8.3.0+699+d61d9c41  appstream  72 k
 lvm2                           x86_64  8:2.03.09-5.el8                      baseos    1.6 M
 wget                           x86_64  1.19.5-10.el8                        appstream 734 k
 yum-utils                      noarch  4.0.17-5.el8                         baseos     68 k
Installing dependencies:
 device-mapper-event            x86_64  8:1.02.171-5.el8                     baseos    268 k
 device-mapper-event-libs       x86_64  8:1.02.171-5.el8                     baseos    267 k
 fuse3                          x86_64  3.2.1-12.el8                         baseos     50 k
 fuse3-libs                     x86_64  3.2.1-12.el8                         baseos     94 k
 libaio                         x86_64  0.3.112-1.el8                        baseos     33 k
 lvm2-libs                      x86_64  8:2.03.09-5.el8                      baseos    1.1 M
Enabling module streams:
 container-tools                        rhel8

Transaction Summary
================================================================================
Install  11 Packages

Total download size: 4.7 M
Installed size: 11 M
Downloading Packages:
(1/11): device-mapper-event-1.02.171-5.el8.x86_  644 kB/s | 268 kB     00:00
(2/11): device-mapper-event-libs-1.02.171-5.el8  2.3 MB/s | 267 kB     00:00
(3/11): fuse-overlayfs-1.3.0-2.module_el8.3.0+6  130 kB/s |  72 kB     00:00
(4/11): device-mapper-persistent-data-0.8.5-4.e  3.9 MB/s | 468 kB     00:00
(5/11): fuse3-libs-3.2.1-12.el8.x86_64.rpm       1.6 MB/s |  94 kB     00:00
(6/11): libaio-0.3.112-1.el8.x86_64.rpm          564 kB/s |  33 kB     00:00
(7/11): fuse3-3.2.1-12.el8.x86_64.rpm            231 kB/s |  50 kB     00:00
(8/11): lvm2-2.03.09-5.el8.x86_64.rpm            6.2 MB/s | 1.6 MB     00:00
(9/11): yum-utils-4.0.17-5.el8.noarch.rpm        1.2 MB/s |  68 kB     00:00
(10/11): lvm2-libs-2.03.09-5.el8.x86_64.rpm      2.7 MB/s | 1.1 MB     00:00
(11/11): wget-1.19.5-10.el8.x86_64.rpm           485 kB/s | 734 kB     00:01
--------------------------------------------------------------------------------
Total                                            1.0 MB/s | 4.7 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : libaio-0.3.112-1.el8.x86_64                           1/11
  Installing       : device-mapper-event-libs-8:1.02.171-5.el8.x86_64      2/11
  Installing       : device-mapper-event-8:1.02.171-5.el8.x86_64           3/11
  Running scriptlet: device-mapper-event-8:1.02.171-5.el8.x86_64           3/11
  Installing       : lvm2-libs-8:2.03.09-5.el8.x86_64                      4/11
  Installing       : device-mapper-persistent-data-0.8.5-4.el8.x86_64      5/11
  Installing       : fuse3-libs-3.2.1-12.el8.x86_64                        6/11
  Running scriptlet: fuse3-libs-3.2.1-12.el8.x86_64                        6/11
  Installing       : fuse3-3.2.1-12.el8.x86_64                             7/11
  Installing       : fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    8/11
  Running scriptlet: fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    8/11
  Installing       : lvm2-8:2.03.09-5.el8.x86_64                           9/11
  Running scriptlet: lvm2-8:2.03.09-5.el8.x86_64                           9/11
  Installing       : yum-utils-4.0.17-5.el8.noarch                        10/11
  Installing       : wget-1.19.5-10.el8.x86_64                            11/11
  Running scriptlet: wget-1.19.5-10.el8.x86_64                            11/11
  Verifying        : fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    1/11
  Verifying        : wget-1.19.5-10.el8.x86_64                             2/11
  Verifying        : device-mapper-event-8:1.02.171-5.el8.x86_64           3/11
  Verifying        : device-mapper-event-libs-8:1.02.171-5.el8.x86_64      4/11
  Verifying        : device-mapper-persistent-data-0.8.5-4.el8.x86_64      5/11
  Verifying        : fuse3-3.2.1-12.el8.x86_64                             6/11
  Verifying        : fuse3-libs-3.2.1-12.el8.x86_64                        7/11
  Verifying        : libaio-0.3.112-1.el8.x86_64                           8/11
  Verifying        : lvm2-8:2.03.09-5.el8.x86_64                           9/11
  Verifying        : lvm2-libs-8:2.03.09-5.el8.x86_64                     10/11
  Verifying        : yum-utils-4.0.17-5.el8.noarch                        11/11

Installed:
  device-mapper-event-8:1.02.171-5.el8.x86_64
  device-mapper-event-libs-8:1.02.171-5.el8.x86_64
  device-mapper-persistent-data-0.8.5-4.el8.x86_64
  fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64
  fuse3-3.2.1-12.el8.x86_64
  fuse3-libs-3.2.1-12.el8.x86_64
  libaio-0.3.112-1.el8.x86_64
  lvm2-8:2.03.09-5.el8.x86_64
  lvm2-libs-8:2.03.09-5.el8.x86_64
  wget-1.19.5-10.el8.x86_64
  yum-utils-4.0.17-5.el8.noarch

Complete!
[root@cos8minvm.dawgland.com:~]#
Add Docker-CE Software Repository to System
Use this command to add the Docker-CE software repository to your /etc/yum.repos.d directory. The CE in "Docker-CE" stands for "Community Edition", in case you're wondering! Having the Docker-CE yum repository allows you to easily add and remove Docker related software. Here's the command to install the "repo", as it's abbreviated:
[root@cos8minvm.dawgland.com:~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
[root@cos8minvm.dawgland.com:~]#
Installation of Docker and Docker Compose
Now that you have all the prerequisites in place and have configured the Docker-CE repository (CE = Community Edition, aka the free version!), you can perform the actual installation of Docker, Docker Compose and all of the related packages.
Type this command to install all of the docker packages and tools:
dnf install docker-ce docker-ce-cli docker-ce-rootless-extras docker-compose-plugin docker-scan-plugin containerd.io
Enable the Docker Daemon/Server
Type the following command to enable and start the docker server, also known as a daemon. Once this command has been run, it should never need to be run again, unless for some reason you or someone else purposely disabled the daemon.
[jamie@mail ~]$ sudo systemctl enable --now docker
Allow your normal local user account to run docker containers, which is MUCH safer than trying to run them as the root superuser!!!
[jamie@mail ~]$ sudo usermod -aG docker $USER
Testing Docker - Basic Functionality
Perform a basic simple test of docker:
[jamie@mail.dawgland.com:~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
719385e32844: Already exists
Digest: sha256:4f53e2564790c8e7856ec08e384732aa38dc43c52f02952483e3f003afbf23db
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[jamie@mail.dawgland.com:~]$
How to Run an Interactive Alpine Linux Shell in a Docker Container
Alpine Linux is a tiny distribution of Linux, ideally suited for running in docker containers. One major difference between Alpine Linux and most other Linux distributions is the default shell it runs: most run the BASH shell, but Alpine uses a much lighter-weight shell, the ASH shell. This can be a "Gotcha" when attempting to run an interactive shell in an Alpine docker container. Most docker shell commands default to using /bin/bash as the final docker command argument, but with the Alpine container you need to use /bin/ash, as shown here in this example of running an Alpine docker container with an interactive ASH shell.
Type this command to start up an Alpine Linux docker container with an interactive shell:
[jamie@mail.dawgland.com:~]$ docker run -it --rm alpine /bin/ash
/ #
Note the following sections of the command:
- /bin/ash is Ash (Almquist Shell) provided by BusyBox
- --rm Automatically remove the container when it exits (docker run --help)
- -i Interactive mode (Keep STDIN open even if not attached)
- -t Allocate a pseudo-TTY
After typing the above docker command, you will be at the / # prompt. Try this command to confirm the version of Linux within the shell:
/ # cat /etc/os-release
Note that the output of the command gives the contents of the /etc/os-release file inside the running Alpine Linux container OS, completely isolated from the host OS!
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.4
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ #
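The bash-versus-ash gotcha generalises: rather than hard-coding /bin/bash or /bin/ash as the last argument, a small helper can ask the image which shell it actually has. The following is an added example written for this page, not a command from the original text; it assumes the image ships /bin/sh (true for Alpine, Debian and Ubuntu images, but not for "distroless" images) and that the docker CLI is installed on the host. The names pick_shell, CONTAINER_SHELL_PROBE and docker_shell are chosen here.

```shell
#!/bin/sh
# Added example: choose the right interactive shell for a container image
# instead of guessing between /bin/bash (most images) and /bin/ash (Alpine).

# pick_shell: print the first shell from the preference list that exists on
# the current PATH (bash first, then BusyBox ash, then plain sh).
# Exit status 1 if none of them is available.
pick_shell() {
  for s in bash ash sh; do
    if command -v "$s" >/dev/null 2>&1; then
      printf '%s\n' "$s"
      return 0
    fi
  done
  return 1
}

# Probe script run *inside* the container by /bin/sh. It replaces itself with
# the best shell the image provides, so the user lands in an interactive
# shell either way. Assumes the image has /bin/sh; distroless images do not.
CONTAINER_SHELL_PROBE='for s in bash ash sh; do
  command -v "$s" >/dev/null 2>&1 && exec "$s"
done
echo "no usable shell found in this image" >&2
exit 127'

# docker_shell IMAGE: start a throwaway interactive container (--rm, as on
# this page) and drop into whichever shell the image has. Behaves the same
# for "alpine" (ash) and "ubuntu" (bash).
docker_shell() {
  docker run -it --rm "$1" /bin/sh -c "$CONTAINER_SHELL_PROBE"
}

# Usage on a host with Docker installed:
#   docker_shell alpine   -> BusyBox ash, prompt "/ #"
#   docker_shell ubuntu   -> bash
```

The probe runs under /bin/sh and uses command -v rather than a failing exec, because a non-interactive POSIX shell exits when exec cannot find its target, which would cut the fallback chain short.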
Getting Docker to Work with CSF - Configure Server Firewall - My Favorite "Stateful" Firewall!
By default, Docker works with the stock "FirewallD" firewall tool included with most Red Hat based distributions of Linux, which provides the required "DOCKER" IPTables chains. If you're like me, you prefer a much more powerful and "Stateful" firewall tool such as CSF, the "Configure Server Firewall" software freely available from Way of the Web. What I mean by "Stateful" is a "learning" firewall, one that creates a list of the bad guys as it finds them trying to break into our servers. There are of course black and white lists to specifically block and allow specific users and IP addresses as well. There are other firewall tools such as pfSense, UFW, etc.; I've used them and had the best results with CSF. The only issue is that if you also run Docker containers on your server, you need to manually create the DOCKER IPTables chains. However, I have discovered a set of really cool scripts that automate the process, located at these URLs:
Download this script to the server (the Docker host) and run it first:
- CSF Pre-Docker: https://github.com/juli3nk/csf-pre_post_sh
Then, download and run this one on the server:
- CSF Post-Docker: https://github.com/juli3nk/csf-post-docker
Be sure to run the csf-pre_post_sh script first, and then the csf-post-docker script. You should then be able to confirm that the new IPTables chains exist using this command, run as the root superuser:
[root@mail.jrcomputers.net:~]# iptables --list | grep -i docker
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
Chain DOCKER-USER (1 references)
If the above command shows all of the lines starting with DOCKER, that indicates the required IPTables firewall chains have been created, and your Docker containers should no longer have issues with networking connections and network access to the containers.
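The check above is "every one of the four Docker chains is defined", which is worth automating so that a firewall reload that silently drops Docker's rules is noticed. The script below is an added example written for this page; it is not part of the original text nor of the juli3nk scripts. It reads "iptables --list" output and reports which required chains are missing; the sample listings are constructed from the output shown above and the function names are chosen here. One caveat a practitioner should know: traffic to a published container port is DNATed and then goes through the FORWARD chain, not INPUT, so CSF rules on INPUT do not filter it; Docker reserves the DOCKER-USER chain for your own rules, and those are evaluated before Docker's.

```shell
#!/bin/sh
# Added example: verify that Docker's iptables chains exist after CSF has
# (re)loaded the firewall. Not part of the original page or the juli3nk scripts.

REQUIRED_DOCKER_CHAINS="DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2"

# missing_docker_chains: read `iptables --list` output on stdin and print the
# required chains that have no "Chain NAME (...)" definition line.
# Exit status 0 when none are missing, 1 otherwise.
missing_docker_chains() {
  listing=$(cat)
  missing=""
  for chain in $REQUIRED_DOCKER_CHAINS; do
    # the trailing space keeps "Chain DOCKER " from matching "Chain DOCKER-USER"
    if ! printf '%s\n' "$listing" | grep -q "^Chain $chain "; then
      missing="$missing $chain"
    fi
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# check_docker_chains: the live check; run as root, since iptables needs it.
# Suitable for a cron job or a hook run after "csf -r".
check_docker_chains() {
  result=$(iptables --list | missing_docker_chains) && return 0
  echo "missing Docker chains: $result (re-run the csf-post-docker script)" >&2
  return 1
}

# Constructed sample listing, based on the chain names shown on this page.
SAMPLE_FULL='Chain DOCKER (4 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target     prot opt source               destination

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere'

# Same constructed listing without the DOCKER-USER chain definition, as seen
# when a firewall restart has removed Docker's rules.
SAMPLE_PARTIAL=$(printf '%s\n' "$SAMPLE_FULL" | grep -v '^Chain DOCKER-USER ')

# Usage on the Docker host, as root:
#   check_docker_chains && echo "Docker chains present"
```

Running check_docker_chains from cron after CSF restarts gives an early warning before containers start losing network access.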
Kubernetes
Kubernetes info coming soon...