Difference between revisions of "Docker & Kubernetes"

From TheBestLinux.com
Latest revision as of 02:45, 18 August 2024

Docker

NOTICE: The following documentation refers to installation of Docker on a Red Hat Enterprise or CentOS Linux Server

Overlay Linux Kernel Driver

To begin with, Docker runs best with the "overlay2" storage driver, which needs the "overlay" Linux kernel module loaded. Run this command as the root/superuser, or with sudo as seen here, to have the kernel module loaded at each reboot:

[jamie@cos8vm51.dawgland.com:~]$ echo "overlay" | sudo tee /etc/modules-load.d/overlay.conf

Note that the form "sudo echo "overlay" > /etc/modules-load.d/overlay.conf" does not work: the shell opens the file for writing as your unprivileged user before sudo ever runs, so the write is denied. Piping through "sudo tee" performs the write as root.

Reboot and double check that the Linux kernel overlay module is loaded with this command:

[jamie@cos8vm51.dawgland.com:~]$ lsmod | grep overlay
overlay               135168  0
[jamie@cos8vm51.dawgland.com:~]$ 

If you get the "overlay 135168 0" response after typing the "lsmod | grep overlay" command, you are good to go. The actual number doesn't matter, as long as the word "overlay" appears, indicating the "overlay" Linux kernel module is loaded into the kernel. If not, you need a newer Linux kernel that supports the overlay2 driver, which is beyond the scope of this article; you basically need to pick a different, newer Linux distribution.



Required Packages

Docker requires some basic utilities and tools provided by specific Linux packages. For Red Hat Enterprise Linux and CentOS Linux, these packages at minimum are required:

  • device-mapper-persistent-data
  • dnf-utils
  • fuse-overlayfs
  • lvm2
  • wget


To install these packages, or at least double check that they are installed and install them if not, open a terminal if you are not already at the command prompt of the machine you want to install Docker on. Then become the root/superuser. I use the "sudo" utility to do this, but you may have other methods depending on your system and preferences.

Here is an example of me doing so on a brand new VM (Virtual Machine) with a minimal installation of CentOS 8, fully updated using the "DNF" utility. I will also demonstrate the command used to check for updates and refresh the package cache.


First, become the root user:

[jamie@cos8minvm.dawgland.com:~]$ sudo su -
Last login: Tue Apr  6 19:41:31 PDT 2021 on pts/0
[root@cos8minvm.dawgland.com:~]#


And now that I am the "root", aka the "SuperUser", I will check for updates and refresh the package cache in one command:

[root@cos8minvm.dawgland.com:~]# dnf check-update --refresh
CentOS Linux 8 - AppStream                      7.5 kB/s | 4.3 kB     00:00    
CentOS Linux 8 - BaseOS                          12 kB/s | 3.9 kB     00:00    
CentOS Linux 8 - Extras                          51  B/s | 1.5 kB     00:30    
Extra Packages for Enterprise Linux Modular 8 -  27 kB/s |  15 kB     00:00    
Extra Packages for Enterprise Linux 8 - x86_64   33 kB/s |  14 kB     00:00    
[root@cos8minvm.dawgland.com:~]#


And the actual command to install the required packages, using the DNF utility. If you are running a pre-8.x version of Red Hat Enterprise or CentOS, substitute "yum" in place of "dnf":

[root@cos8minvm.dawgland.com:~]# dnf -y install device-mapper-persistent-data dnf-utils fuse-overlayfs lvm2 wget
Last metadata expiration check: 0:05:46 ago on Tue 06 Apr 2021 08:06:14 PM PDT.
Dependencies resolved.
================================================================================
 Package                       Arch   Version                   Repo       Size
================================================================================
Installing:
 device-mapper-persistent-data x86_64 0.8.5-4.el8               baseos    468 k
 fuse-overlayfs                x86_64 1.3.0-2.module_el8.3.0+699+d61d9c41
                                                                appstream  72 k
 lvm2                          x86_64 8:2.03.09-5.el8           baseos    1.6 M
 wget                          x86_64 1.19.5-10.el8             appstream 734 k
 yum-utils                     noarch 4.0.17-5.el8              baseos     68 k
Installing dependencies:
 device-mapper-event           x86_64 8:1.02.171-5.el8          baseos    268 k
 device-mapper-event-libs      x86_64 8:1.02.171-5.el8          baseos    267 k
 fuse3                         x86_64 3.2.1-12.el8              baseos     50 k
 fuse3-libs                    x86_64 3.2.1-12.el8              baseos     94 k
 libaio                        x86_64 0.3.112-1.el8             baseos     33 k
 lvm2-libs                     x86_64 8:2.03.09-5.el8           baseos    1.1 M
Enabling module streams:
 container-tools                      rhel8                                    

Transaction Summary
================================================================================
Install  11 Packages

Total download size: 4.7 M
Installed size: 11 M
Downloading Packages:
(1/11): device-mapper-event-1.02.171-5.el8.x86_ 644 kB/s | 268 kB     00:00    
(2/11): device-mapper-event-libs-1.02.171-5.el8 2.3 MB/s | 267 kB     00:00    
(3/11): fuse-overlayfs-1.3.0-2.module_el8.3.0+6 130 kB/s |  72 kB     00:00    
(4/11): device-mapper-persistent-data-0.8.5-4.e 3.9 MB/s | 468 kB     00:00    
(5/11): fuse3-libs-3.2.1-12.el8.x86_64.rpm      1.6 MB/s |  94 kB     00:00    
(6/11): libaio-0.3.112-1.el8.x86_64.rpm         564 kB/s |  33 kB     00:00    
(7/11): fuse3-3.2.1-12.el8.x86_64.rpm           231 kB/s |  50 kB     00:00    
(8/11): lvm2-2.03.09-5.el8.x86_64.rpm           6.2 MB/s | 1.6 MB     00:00    
(9/11): yum-utils-4.0.17-5.el8.noarch.rpm       1.2 MB/s |  68 kB     00:00    
(10/11): lvm2-libs-2.03.09-5.el8.x86_64.rpm     2.7 MB/s | 1.1 MB     00:00    
(11/11): wget-1.19.5-10.el8.x86_64.rpm          485 kB/s | 734 kB     00:01    
--------------------------------------------------------------------------------
Total                                           1.0 MB/s | 4.7 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : libaio-0.3.112-1.el8.x86_64                           1/11 
  Installing       : device-mapper-event-libs-8:1.02.171-5.el8.x86_64      2/11 
  Installing       : device-mapper-event-8:1.02.171-5.el8.x86_64           3/11 
  Running scriptlet: device-mapper-event-8:1.02.171-5.el8.x86_64           3/11 
  Installing       : lvm2-libs-8:2.03.09-5.el8.x86_64                      4/11 
  Installing       : device-mapper-persistent-data-0.8.5-4.el8.x86_64      5/11 
  Installing       : fuse3-libs-3.2.1-12.el8.x86_64                        6/11 
  Running scriptlet: fuse3-libs-3.2.1-12.el8.x86_64                        6/11 
  Installing       : fuse3-3.2.1-12.el8.x86_64                             7/11 
  Installing       : fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    8/11 
  Running scriptlet: fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    8/11 
  Installing       : lvm2-8:2.03.09-5.el8.x86_64                           9/11 
  Running scriptlet: lvm2-8:2.03.09-5.el8.x86_64                           9/11 
  Installing       : yum-utils-4.0.17-5.el8.noarch                        10/11 
  Installing       : wget-1.19.5-10.el8.x86_64                            11/11 
  Running scriptlet: wget-1.19.5-10.el8.x86_64                            11/11 
  Verifying        : fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41    1/11 
  Verifying        : wget-1.19.5-10.el8.x86_64                             2/11 
  Verifying        : device-mapper-event-8:1.02.171-5.el8.x86_64           3/11 
  Verifying        : device-mapper-event-libs-8:1.02.171-5.el8.x86_64      4/11 
  Verifying        : device-mapper-persistent-data-0.8.5-4.el8.x86_64      5/11 
  Verifying        : fuse3-3.2.1-12.el8.x86_64                             6/11 
  Verifying        : fuse3-libs-3.2.1-12.el8.x86_64                        7/11 
  Verifying        : libaio-0.3.112-1.el8.x86_64                           8/11 
  Verifying        : lvm2-8:2.03.09-5.el8.x86_64                           9/11 
  Verifying        : lvm2-libs-8:2.03.09-5.el8.x86_64                     10/11 
  Verifying        : yum-utils-4.0.17-5.el8.noarch                        11/11 

Installed:
  device-mapper-event-8:1.02.171-5.el8.x86_64                                   
  device-mapper-event-libs-8:1.02.171-5.el8.x86_64                              
  device-mapper-persistent-data-0.8.5-4.el8.x86_64                              
  fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64                     
  fuse3-3.2.1-12.el8.x86_64                                                     
  fuse3-libs-3.2.1-12.el8.x86_64                                                
  libaio-0.3.112-1.el8.x86_64                                                   
  lvm2-8:2.03.09-5.el8.x86_64                                                   
  lvm2-libs-8:2.03.09-5.el8.x86_64                                              
  wget-1.19.5-10.el8.x86_64                                                     
  yum-utils-4.0.17-5.el8.noarch                                                 

Complete!
[root@cos8minvm.dawgland.com:~]#


Add Docker-CE Software Repository to System

Use this command to add the Docker-CE software repository to your /etc/yum.repos.d directory. The CE in "Docker-CE" stands for "Community Edition", in case you're wondering! Having the Docker-CE yum repository allows you to easily add and remove Docker related software. Here's the command to install the "repo", as it's abbreviated:

[root@cos8minvm.dawgland.com:~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
[root@cos8minvm.dawgland.com:~]#



Installation of Docker and Docker Compose

Now that you have all the prerequisites in place and have configured the Docker-CE repository (CE = Community Edition, aka the free version!), you can perform the actual installation of docker, docker compose and all of the related packages.

Type this command to install all of the docker packages and tools:

dnf install docker-ce docker-ce-cli docker-ce-rootless-extras docker-compose-plugin docker-scan-plugin containerd.io



Enable the Docker Daemon/Server

Type the following command to enable and start the docker server, also known as a daemon. Once this command has been run, it should never need to be run again, unless for some reason you or someone else purposely disabled the daemon.

[jamie@mail ~]$ sudo systemctl enable --now docker



Allow your normal local user account to run docker containers, which is MUCH safer than doing all of your work as the root superuser!!! Log out and back in afterwards for the new group membership to take effect. Keep in mind that membership in the docker group is still root-equivalent on the host, because the daemon runs as root and acts on behalf of anyone in that group, so only add accounts you would trust with root.

[jamie@mail ~]$ sudo usermod -aG docker $USER



Testing Docker - Basic Functionality

Perform a basic simple test of docker:

[jamie@mail.dawgland.com:~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
719385e32844: Already exists 
Digest: sha256:4f53e2564790c8e7856ec08e384732aa38dc43c52f02952483e3f003afbf23db
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[jamie@mail.dawgland.com:~]$ 



How to Run an Interactive Alpine Linux Shell in a Docker Container

Alpine Linux is a tiny distribution of Linux, ideally suited for running in docker containers. One major difference between Alpine Linux and most other Linux distributions is the default shell: most run the BASH shell, but Alpine uses a much lighter-weight shell, the ASH shell. This can be a "Gotcha" when attempting to run an interactive shell in an Alpine docker container. Most docker shell commands default to using /bin/bash as the final docker command argument, but with the Alpine container you need to use /bin/ash, as shown here in this example of running an Alpine docker container with an interactive ASH shell.

Type this command to start up an Alpine Linux docker container with an interactive shell:

[jamie@mail.dawgland.com:~]$ docker run -it --rm alpine /bin/ash
/ #



Note the following sections of the command:

  • /bin/ash The Ash (Almquist Shell), provided by BusyBox
  • --rm Automatically remove the container when it exits (docker run --help)
  • -i Interactive mode (Keep STDIN open even if not attached)
  • -t Allocate a pseudo-TTY



After typing the above docker command, you will be at the / # prompt. Try this command to confirm the version of Linux within the shell:

/ # cat /etc/os-release 



Note that the output of the command gives the contents of the /etc/os-release file inside of the running Alpine Linux container OS, completely isolated from the host OS!

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.4
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ #



Getting Docker to Work with CSF - Configure Server Firewall - My Favorite "Stateful" Firewall!

By default, Docker works with the stock "FirewallD" firewall tool included with most Red Hat based distributions of Linux, and creates the "DOCKER" IPTables chains it requires. You may be like me and prefer a much more powerful and "Stateful" firewall tool such as CSF, the "Configure Server Firewall" software freely available from Way of the Web. What I mean by "Stateful" is a "Learning" firewall, one that builds a list of the bad guys as it finds them trying to break into our servers. There are of course black and white lists to specifically block and allow specific users and IP addresses as well. There are other firewall tools such as PFSense, UFW, etc. that I've used, and I've had the best results with CSF. The only issue is that if you also run Docker containers on your server, you need to manually create the DOCKER IPTables chains, because CSF rebuilds the whole rule set when it starts and Docker's chains are lost. However, I have discovered a set of really cool scripts that automate the process, located at these URLs:

Download to the server (Docker host) and run this script first:

  • CSF Pre-Docker: https://github.com/juli3nk/csf-pre_post_sh

Then, download and run this one on the server:

  • CSF Post-Docker: https://github.com/juli3nk/csf-post-docker

Be sure to run the csf-pre_post_sh script first, and then the csf-post-docker script. You should then be able to confirm the new IPTables Chains exist using this command, run as the root superuser:

[root@mail.jrcomputers.net:~]# iptables --list | grep -i docker
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
Chain DOCKER-USER (1 references)



If the above command shows all of the lines starting with DOCKER, that indicates the required IPTables firewall chains have been created, and your Docker containers should no longer have issues with network connections and network access to the containers.
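As an added example (not code from the original page, from CSF, or from the juli3nk scripts), here is a small POSIX shell check that goes one step beyond the grep above: it parses "iptables -S" output, names any of the four DOCKER chains that are missing, and also confirms that FORWARD still jumps to DOCKER-USER, the chain Docker provides for host firewall rules on container traffic. The function names and the sample rule listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original page, of CSF, or of the juli3nk
# scripts): confirm the chains Docker needs survived a CSF restart and that
# FORWARD still jumps to DOCKER-USER. Each function takes `iptables -S`
# output as its argument, so it runs on the constructed samples below and on
# a real host with CHECK_LIVE=1 (see the end of the file). Names are ours.

REQUIRED_CHAINS="DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2"

# missing_docker_chains RULES: print each required chain that has no
# "-N <chain>" line in RULES (`iptables -S` emits one per user-defined chain).
missing_docker_chains() {
    for chain in $REQUIRED_CHAINS; do
        printf '%s\n' "$1" | grep -q -x -- "-N $chain" || printf '%s\n' "$chain"
    done
}

# forward_hooks_docker_user RULES: 0 when FORWARD jumps to DOCKER-USER;
# without that jump, anything placed in DOCKER-USER is never evaluated.
forward_hooks_docker_user() {
    printf '%s\n' "$1" | grep -q -x -- '-A FORWARD -j DOCKER-USER'
}

# docker_firewall_ok RULES: 0 only if every chain exists and the hook is wired.
docker_firewall_ok() {
    [ -z "$(missing_docker_chains "$1")" ] && forward_hooks_docker_user "$1"
}

# Constructed sample: CSF has rebuilt the tables but the csf-post-docker
# script has not run, so the DOCKER chains are gone.
SAMPLE_CSF_ONLY='-P INPUT DROP
-P FORWARD DROP
-N ALLOWIN
-A INPUT -j ALLOWIN'

# Constructed sample: the state behind the page's `iptables --list | grep -i
# docker` output, with the chains recreated and FORWARD hooked into them.
SAMPLE_WITH_DOCKER="$SAMPLE_CSF_ONLY
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-USER -j RETURN"

# Live check, run as root after a CSF restart: CHECK_LIVE=1 sh check_docker_chains.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    rules=$(iptables -S)
    if docker_firewall_ok "$rules"; then
        echo "OK: DOCKER chains present and FORWARD -> DOCKER-USER hook in place"
    else
        echo "Missing chains: $(missing_docker_chains "$rules" | tr '\n' ' ')" >&2
        forward_hooks_docker_user "$rules" || echo "FORWARD does not jump to DOCKER-USER" >&2
        exit 1
    fi
fi
```

Running it with CHECK_LIVE=1 from the csfpost.sh hook, or from cron, turns the one-off grep on this page into a check that fails loudly whenever a CSF restart drops the chains again.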

Kubernetes

Kubernetes info coming soon...