
Part 1. In the first part, we prepared our operating system for using Docker containers.
After the reboot completes, we will see the login prompt, but it will not be possible to log in from the server console, because authentication in the system is possible only by key. By default, the core user has no password. It can, of course, be set with the command:
sudo passwd core
After that, enter the new password twice, but this is only possible after we have logged in from another machine, for example our home machine, using the previously created keys, which of course we registered in the config file.
You can use any terminal client if you are a Linux or macOS user, or PuTTY if you are working on Windows. I will not describe how to configure a connection to our server; it is a trivial task. Keep in mind only that during installation we changed the SSH port from the standard one to 2222, so do not forget to specify it in the connection parameters.
For some hosting providers, in the case of a virtual private cloud service, you must configure the border router by creating a dst-nat rule with the following content:
Source IP: Your Public IP Address
Source Port: 2222
Destination IP: Your Private IP Address
Destination Port: 2222
We need to tell our router which port to forward to which server. In the case of a conventional virtual machine with a public address on eth0, of course, there will be no such problem. For greater security, you can configure iptables yourself; this can be done at the configuration stage, or by using the custom file located at:
/usr/share/oem/cloud-config.yml
It is quite simple; I will show it using the example of running sshguard as a container service (a daemon that reads the authentication log and adds offending addresses to an iptables block list).
To begin with, we will build our container. We could of course use a ready-made one taken from the hub, but we will build our own, based on minimalistic Alpine Linux. To organize the space and the storage of files of various kinds, I decided to create the following directory structure on the server:
/cloud/containers
/cloud/etc/
/cloud/data/
/cloud/run/ - unix sockets (php-fpm, uwsgi)
So let's begin. Suppose we have prepared our directory structure (arrange it however is convenient for you); then we execute the command:
vi Dockerfile
Why am I using the vi editor? I remind you that the system is minimalistic, so there are no other editors in CoreOS (no vim, nano, mcedit and the like). I will tell you how to solve this problem a bit later; let's not get ahead of ourselves.
After launching the editor, switch it to insert mode by pressing the "i" key on the keyboard, and enter the following text:
FROM alpine:3.2
RUN apk add --update \
    iptables \
    ip6tables \
    sshguard \
    && rm -fr /var/cache/apk/*
ENTRYPOINT ["/usr/sbin/sshguard"]
The first line, FROM, indicates which base image to use to build our container; as I said, we will use Alpine Linux version 3.2.
The line beginning with RUN says: execute the following commands. In our example we install the additional packages and sshguard itself. Then we specify the entry point of our container, /usr/sbin/sshguard.
That's all; now we need to save the container configuration file. To do this, leave insert mode by pressing the "ESC" key, then switch vi to command mode by pressing "Shift + :", type "wq" and press "Enter". We are done with the configuration file. Now we proceed to building our container. To do this, run the following in the console:
docker build -t local/sshguard .
Let's take a closer look at this command. With the build command we tell Docker to build the image into the local repository under the name sshguard; you can use your own repository on hub.docker.com, for example, but then do not forget to docker push repo/container. The -t key expects the next parameter to be the tag (name) of our image; in this case we build the local image local/sshguard. Instead of the dot you need to specify the path to our Dockerfile, but if we are in the same directory as the file itself, the dot is enough.
After that the build of the image will begin; the hash of our image is the result of a successful build. You can view all created images on our server using the command:
docker images
To delete one or more images, pass their names or ids separated by spaces:
docker rmi image_id image_name
Great, we have built an image with our service; now it would be nice to start using it. We will use our image as a service, running it through systemd.
To do this, edit the file /usr/share/oem/cloud-config.yml and add the following content. We use our favorite vi, as above.
#cloud-config
coreos:
  units:
    - name: sshguard.service
      command: start
      content: |
        [Unit]
        Description=sshguard
        After=docker.service
        Requires=docker.service

        [Service]
        TimeoutStartSec=0
        ExecStartPre=-/usr/bin/docker kill sshguard
        ExecStartPre=-/usr/bin/docker rm sshguard
        # '-' so a failed pull (the image was built locally, not pushed) does not abort the unit
        ExecStartPre=-/usr/bin/docker pull local/sshguard
        # setup sshguard tables
        ExecStartPre=-/usr/sbin/iptables -N sshguard
        ExecStartPre=-/usr/sbin/ip6tables -N sshguard
        # block abuser traffic
        ExecStartPre=-/usr/sbin/iptables -D INPUT -j sshguard
        ExecStartPre=-/usr/sbin/ip6tables -D INPUT -j sshguard
        ExecStartPre=-/usr/sbin/iptables -A INPUT -j sshguard
        ExecStartPre=-/usr/sbin/ip6tables -A INPUT -j sshguard
        ExecStart=/bin/sh -c 'journalctl --no-pager -q -f -t sshd | sed -u "s/\\[[0-9]*\\]//" | docker run -i --name sshguard --rm --net=host --privileged local/sshguard'
After saving the file, we need to re-run cloud-init so that our custom settings are applied. To do this, run the following command in the console:
sudo coreos-cloudinit --from-file /usr/share/oem/cloud-config.yml
Using the configuration file above, you can create the necessary rules in the required iptables chains by analogy, substituting your own parameters. It is not difficult and I will not describe it.
The result of our actions is a ready server that blocks offenders for a certain time interval. You can read about the additional parameters of sshguard in the official documentation and tune them to your taste; we used the default settings. I will only look at the startup command itself in more detail:
ExecStart=/bin/sh -c 'journalctl --no-pager -q -f -t sshd | sed -u "s/\\[[0-9]*\\]//" | docker run -i --name sshguard --rm --net=host --privileged local/sshguard'
Since all our logs pass through journalctl to the logging daemon, we need to extract them, filter them on the way, and pass them to the standard input of sshguard running in the container. The parameter --net=host says that all actions are performed on the host machine where the Docker daemon runs, and we start the container in privileged mode by specifying the key --privileged, since it must modify the host's iptables.
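To make the detection half of that pipeline concrete, here is an added Python model of it; this is illustration code, not code from the article and not sshguard's implementation. It strips the "[pid]" bracket the way the sed stage does, picks the source address out of failed-login lines, and applies a sliding-window threshold per address, rendering (but not executing) the rule a blocker would append to the sshguard chain that the unit file creates. The journal lines, the threshold of 4 failures and the 60-second window are constructed for the example and are not sshguard's own scoring.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what `journalctl --no-pager -q -t sshd` emits; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_JOURNAL = """\
Jan 10 12:00:01 core sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 core sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:04 core sshd[1236]: Accepted publickey for core from 198.51.100.7 port 40001 ssh2
Jan 10 12:00:05 core sshd[1237]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:06 core sshd[1238]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 10 12:00:07 core sshd[1239]: Failed password for root from 198.51.100.9 port 50000 ssh2
"""

# Same pattern the unit's `sed -u "s/\[[0-9]*\]//"` stage removes: the "[pid]" after sshd.
PID_RE = re.compile(r"\[[0-9]*\]")
# One of the sshd failure messages; we key on the client address it names.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
EPOCH = datetime(1900, 1, 1)  # syslog-style stamps carry no year; only deltas matter here


def strip_pid(line):
    """Remove the first [pid] bracket, exactly what the sed stage in the unit does."""
    return PID_RE.sub("", line, count=1)


def failed_source(line):
    """Return the client address of a failed-login line, or None for anything else."""
    m = FAIL_RE.search(line)
    return m.group(1) if m else None


def line_seconds(line):
    """Seconds since EPOCH for the line's timestamp (None if the stamp is missing)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()


class AttackTracker:
    """Sliding-window counter: block a source after `threshold` failures within `window` seconds.
    The numbers are constructed for this example, not sshguard's own scoring."""

    def __init__(self, threshold=4, window=60.0):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # address -> timestamps of recent failures
        self.blocked = set()

    def feed(self, line):
        """Feed one raw journal line; return the address if it just crossed the threshold."""
        ip = failed_source(strip_pid(line))
        ts = line_seconds(line)
        if ip is None or ts is None or ip in self.blocked:
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None


def block_rule(ip):
    """The rule a blocker would add to the `sshguard` chain the unit file creates (rendered only)."""
    return "iptables -A sshguard -s %s -j DROP" % ip


def process(journal_text, threshold=4, window=60.0):
    """Run the pipeline over a journal dump; return the addresses to block, in order."""
    tracker = AttackTracker(threshold, window)
    result = []
    for line in journal_text.splitlines():
        ip = tracker.feed(line)
        if ip:
            result.append(ip)
    return result


if __name__ == "__main__":
    for ip in process(SAMPLE_JOURNAL):
        print(block_rule(ip))
```

With the sample above only 203.0.113.5 crosses the threshold (four failures within the window); the single failure from 198.51.100.9 and the successful key login are ignored. Narrowing the window to two seconds lets the repeated failures age out before the count is reached, which is the tuning trade-off sshguard's own parameters expose.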
Now it would be nice to start working with our containers, but first I would like to talk about one service, Nucleus.
It is a great cloud dashboard for managing your containers. But first you need to install it; in the case of CoreOS this is extremely easy, for this we run:
sudo curl -s http://getnucleus.io/install/coreos_installer.sh | bash -s --
More information about the installation can be found on the project's website.
Then we log in and can manage our containers without connecting to the server console via ssh. To do this, click on the rocket icon in the upper right corner and execute our command just as we would in the console. For example, to run a container with Nginx, we enter:
docker run -p 80:80 -p 443:443 --name=nginx nginx
After executing the command, we will have a container named nginx in the list, with ports 80 and 443 published. You can read about how to pass the server configuration, files and scripts into it in other articles or in the official documentation. By clicking on the hamburger icon in the Control Deck column, you can not only manage our container, but also look at the resources it consumes: memory, CPU, network and so on.
In the next article I will talk about how to organize the infrastructure for a blog on WordPress using Varnish, Memcached, PHP 7.1-FPM, Nginx and MariaDB, as well as which PHP 7.1 extensions to include and how to set it all up. Thanks for your attention.