Archive for the ‘docker’ Category

Docker – create Postfix container

Posted: February 21, 2019 in docker, Linux

In this post we'll create a Docker image with Postfix installed and configured to use Office 365 as its relay host; pip3 will also be installed, along with the Python requests package.

cacert.pem file contains Microsoft certificates for secure connection. Content of that file is output of following command:

openssl s_client -showcerts -starttls smtp -crlf -connect smtp.office365.com:587
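The raw s_client transcript also contains the handshake chatter (CONNECTED, verify return lines, the SMTP banner). OpenSSL's PEM reader skips anything outside the BEGIN/END markers, so Postfix tolerates it, but a CA file that holds only certificates is easier to review. The script below is an added example and not part of the original post: it keeps only the certificate blocks from the s_client output and writes them to cacert.pem. The s_client transcript it is tested on is constructed here with dummy certificate bodies.

```python
"""Extract the PEM certificate blocks from `openssl s_client -showcerts` output.

Added example: extract_pem_certs/write_cacert are not part of the original post.
"""
import re
import sys
from typing import List

# One PEM certificate block; DOTALL so the base64 body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_pem_certs(s_client_output: str) -> List[str]:
    """Return the certificate blocks in the order the server sent them
    (leaf first), with CRLF normalised to LF and a trailing newline each."""
    blocks = PEM_BLOCK.findall(s_client_output)
    return [block.replace("\r\n", "\n") + "\n" for block in blocks]


def write_cacert(s_client_output: str, path: str) -> int:
    """Write the certificate blocks to `path` and return how many were written.
    Refuses to write an empty file, so a bad capture is caught when the image is
    built rather than when Postfix first tries to verify the relay."""
    certs = extract_pem_certs(s_client_output)
    if not certs:
        raise ValueError("no certificate blocks found in s_client output")
    with open(path, "w") as fh:
        fh.writelines(certs)
    return len(certs)


# Constructed s_client transcript with dummy certificate bodies (not real certificates).
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\r\n"
    "depth=1 C = US, O = Example CA\r\n"
    "verify return:1\r\n"
    "---\r\n"
    "Certificate chain\r\n"
    " 0 s:CN = smtp.office365.com\r\n"
    "   i:C = US, O = Example CA\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBsampleLeafCertificateBody\r\n"
    "AAAAsecondLine\r\n"
    "-----END CERTIFICATE-----\r\n"
    " 1 s:C = US, O = Example CA\r\n"
    "   i:C = US, O = Example Root\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBsampleIntermediateBody\r\n"
    "-----END CERTIFICATE-----\r\n"
    "---\r\n"
    "Server certificate\r\n"
    "subject=CN = smtp.office365.com\r\n"
    "250 SMTPUTF8\r\n"
)

if __name__ == "__main__":
    # Usage: openssl s_client -showcerts -starttls smtp -crlf \
    #            -connect smtp.office365.com:587 </dev/null | python3 extract_cacert.py cacert.pem
    target = sys.argv[1] if len(sys.argv) > 1 else "cacert.pem"
    count = write_cacert(sys.stdin.read(), target)
    print(f"wrote {count} certificate(s) to {target}")
```

Two things worth knowing about the resulting file: it holds the relay's leaf and intermediate certificates rather than a root, so it stops matching when Microsoft rotates them; and with smtp_tls_security_level = may (the value used in the Dockerfile below) Postfix only negotiates TLS opportunistically and does not enforce verification against smtp_tls_CAfile. Enforced verification needs the secure (or verify) level.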

start.sh is a simple bash script which starts the postfix and saslauthd services and sends a test email. To keep the Docker container from exiting before the email has been sent, I added a sleep command at the end.

#!/bin/bash

service postfix start && service saslauthd start
echo "sending email..."
echo "this is the body" | mail -s "this is the subject" "dvucanovic@example.com"
sleep 20

requirements.txt contains a single line, requests; it is used by the pip3 command in the Dockerfile.

Dockerfile

FROM ubuntu:latest

WORKDIR /home

COPY . .

# Pre-seed the postfix package's debconf questions so apt installs it non-interactively,
# then point Postfix at Office 365 as an authenticated relay. The relay credentials in
# sasl_passwd are written in clear text and end up in the image layer. sender_canonical
# rewrites every sender address to the relay account. The "128" sed targets the default
# mynetworks line (which ends in [::1]/128) and appends the Docker bridge network
# 172.17.0.0/16 to it so containers on that network may relay through Postfix.
RUN echo "postfix postfix/mailname string rundeck.example.com" | debconf-set-selections && \
    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
    apt-get update -y && \
    apt-get install postfix sasl2-bin mailutils python3-pip -y && \
    pip3 install --no-cache-dir -r requirements.txt && \
    sed -i 's/START=no/START=yes/g' /etc/default/saslauthd && \
    echo "[smtp.office365.com]:587 svc-user@example.com:password" > /etc/postfix/sasl_passwd && \
    echo "/.+/ svc-user@example.com" > /etc/postfix/sender_canonical && \
    sed -i 's/inet_protocols = all/inet_protocols = ipv4/g' /etc/postfix/main.cf && \
    sed -i 's/relayhost = /relayhost = [smtp.office365.com]:587/g' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a smtp_sasl_auth_enable = yes' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a smtp_sasl_security_options = noanonymous' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a smtp_tls_security_level = may' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a sender_canonical_maps = regexp:/etc/postfix/sender_canonical' /etc/postfix/main.cf && \
    sed -i '/smtpd_use_tls=yes/a smtp_tls_CAfile = /etc/postfix/cacert.pem' /etc/postfix/main.cf && \
    sed -i 's#128#& 172.17.0.0/16#' /etc/postfix/main.cf && \
    mv /home/cacert.pem /etc/postfix/ && \
    postmap hash:/etc/postfix/sasl_passwd && \
    postmap hash:/etc/postfix/sender_canonical

ENTRYPOINT ["./start.sh"]

Put all 3 files in same directory and run

docker build . -t some_tag

Rundeck – Run Docker container

Posted: January 4, 2019 in docker, RunDeck

In the previous article we configured email monitoring with Zabbix; in this one we'll schedule a Python script that sends data to Zabbix, run from a Docker container.
The Docker image is built from the file below: the script is copied into the image and the Zabbix agent is installed.

FROM python:3.7.2-stretch

# Download the Zabbix release package (it registers the Zabbix apt repository), install it,
# then install the agent.
RUN wget -O zabbix-release.deb http://repo.zabbix.com/zabbix/3.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.4-1%2Bbionic_all.deb && \
    dpkg -i zabbix-release.deb && \
    apt-get update -y && \
    apt-get install zabbix-agent -y && \
    mkdir /email_parsing

WORKDIR /email_parsing

COPY start.py .

ENTRYPOINT ["python", "./start.py"]

Build the image:

docker build . -t zabbix/parse_email:1.0.0

Install Docker on the Rundeck host and add the rundeck user to the docker group:

usermod -a -G docker rundeck
systemctl restart docker
systemctl restart rundeckd

Create a Rundeck job with a Local Command step

2.PNG

Create a password vault entry for the mailbox (see this post for reference) and pass it as a parameter to the script; the container will be deleted after every run:

docker run --rm zabbix/parse_email:1.0.0 "-password" ${option.mailboxpassword}
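The step above passes the mailbox password as a command-line argument, so it is visible in ps output on the Rundeck host for as long as the container runs and in the Args shown by docker inspect. A lower-exposure alternative, shown here as an added example (hypothetical code, not the post's start.py, whose contents are not shown): let the script look for the secret in a mounted secret file or in a MAILBOX_PASSWORD environment variable first and fall back to -password only when neither is set. The secret file path /run/secrets/mailbox_password and the variable name are assumptions.

```python
"""Resolve the mailbox password for start.py without requiring it on the command line.

Added example (hypothetical code, not the post's start.py).
Precedence: secret file, then MAILBOX_PASSWORD environment variable, then the
-password argument used by the post's Rundeck step.
"""
import argparse
import os
import sys
from typing import Mapping, Optional, Sequence, Tuple

# Path a Docker secret would be mounted at; assumed name, not from the post.
DEFAULT_SECRET_FILE = "/run/secrets/mailbox_password"


def resolve_mailbox_password(
    argv: Sequence[str],
    environ: Mapping[str, str],
    secret_file: str = DEFAULT_SECRET_FILE,
) -> Tuple[Optional[str], Optional[str]]:
    """Return (password, source) where source is 'file', 'env' or 'argv',
    or (None, None) when no password was supplied anywhere."""
    parser = argparse.ArgumentParser(add_help=False)
    # Same single-dash spelling the Rundeck step already uses.
    parser.add_argument("-password", dest="password", default=None)
    args, _unused = parser.parse_known_args(list(argv))

    # 1. Secret file (docker secret / bind-mounted file): never on the command line
    #    and not in the container's environment either.
    if os.path.isfile(secret_file):
        with open(secret_file) as fh:
            value = fh.read().strip()
        if value:
            return value, "file"

    # 2. Environment variable, e.g. `docker run -e MAILBOX_PASSWORD ...`.
    value = environ.get("MAILBOX_PASSWORD", "").strip()
    if value:
        return value, "env"

    # 3. Legacy fallback: the -password argument.
    if args.password:
        return args.password, "argv"

    return None, None


if __name__ == "__main__":
    password, source = resolve_mailbox_password(sys.argv[1:], os.environ)
    if password is None:
        sys.exit("mailbox password not provided (secret file, MAILBOX_PASSWORD or -password)")
    # Log where the secret came from, never the secret itself.
    print(f"mailbox password loaded from {source}")
```

On the Rundeck side the step then becomes `docker run --rm -e MAILBOX_PASSWORD zabbix/parse_email:1.0.0` with MAILBOX_PASSWORD exported in the step's environment; `docker run -e NAME` with no value copies the variable from the calling environment, so the value never appears on the command line. Anyone who can run docker inspect on the host can still read the container's environment, which is why the secret file is tried first.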

Dockerizing Zabbix trapper

We can create a Docker image for zabbix trapper commands.

Dockerfile:

FROM ubuntu:latest

# Install wget, download and install the Zabbix 4.0 release package (it registers the
# Zabbix apt repository), then install the agent. zabbix-sender provides the
# zabbix_sender binary that start.sh calls.
RUN apt-get update -y && \
    apt-get install wget -y && \
    wget -O zabbix-release.deb http://repo.zabbix.com/zabbix/4.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.0-1%2Bbionic_all.deb && \
    dpkg -i zabbix-release.deb && \
    apt-get update -y && \
    apt-get install zabbix-agent zabbix-sender -y && \
    mkdir /zabbix_sender

WORKDIR /zabbix_sender

COPY . .

ENTRYPOINT ["./start.sh"]

start.sh:

#!/bin/bash

# Parse -j/-job <name>; any other argument is dropped so the loop cannot spin forever.
while test -n "$1"; do
    case "$1" in
      -j|-job)
          job_name=$2
          shift 2
          ;;
      *)
          shift
          ;;
    esac
done

#echo $job_name

if [ "$job_name" == "some_job" ]; then
   zabbix_sender -z zabbix_host -s rundeck -k job_status[job_name] -o "job $job_name failed" -vv
fi

I built a Docker image tagged "zabbix_sender"; it takes the job name as a parameter.

If you use a remote registry, add a step that logs in to it:

echo password | docker login --username username --password-stdin registry_name

Now we can add an error handler in Rundeck so that a Zabbix alert is triggered if the job fails: under the command, click the "cog" icon and select "Add error handler"

1.PNG

Click Command or Local Command and add the following line:

docker run --rm zabbix_sender -job ${option.job_name}

The job name is declared as a Rundeck option.

Docker stack deploy

Posted: October 4, 2018 in docker

Docker stack is used to deploy containers on a Docker swarm. The syntax is very similar to docker-compose, with some modifications.

docker-compose.yml example file

version: "3.3"

services:
  apache_httpd:
    image: httpd:latest
    deploy:
      mode: replicated
      replicas: 2
      labels:
        com.docker.descr: "test description"
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.role == worker
        preferences:
          - spread: node.labels.zone
      resources:
        limits:
          memory: 50M
        reservations:
          cpus: '0.10'
      update_config:
        parallelism: 1
        delay: 10s
        monitor: 4s

mode: replicated
replicas: 2

create 2 containers (replicas) of the service

labels: attach a Docker label to the service

placement:
  constraints:
    - node.role == worker

deploy the containers on worker nodes only

preferences:
  - spread: node.labels.zone

spread the replicas evenly across the nodes, grouped by the value of the node label zone

resources:
  limits:
    memory: 50M

limit each container to 50 MB of memory

deploy a stack named stack:

docker stack deploy stack -c docker-compose.yml

list the stack's tasks:

docker stack ps stack
ID                  NAME                       IMAGE               NODE                DESIRED STATE       CURRENT STATE                     ERROR               PORTS
px316bdihumh        stack_apache_httpd.1       httpd:latest        docker              Running             Running less than a second ago
wtkbnp1b2gmb         \_ stack_apache_httpd.1   httpd:latest        docker              Shutdown            Shutdown less than a second ago
9i6sxjt18igr        stack_apache_httpd.2       httpd:latest        docker              Running             Running less than a second ago
zhzz1keqtitc         \_ stack_apache_httpd.2   httpd:latest        docker              Shutdown            Shutdown less than a second ago

list the stack's services:

docker service ls
ID                  NAME                 MODE                REPLICAS            IMAGE               PORTS
8qanlez114d9        stack_apache_httpd   replicated          2/2                 httpd:latest        *:80->80/tcp
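Checking the stack state from a script, as an added example that is not part of the original post: the parser below reads the table printed by `docker stack ps` (the same column layout as the output above) and reports replicas the scheduler wants Running that are not, which is the condition to alert on after a deploy. The sample table is constructed here in that layout from the task IDs shown above, plus one invented failed task (ID abc123def456) to exercise the check.

```python
"""Parse `docker stack ps` output and flag tasks that are not in their desired state.

Added example; not part of the original post. Column offsets are taken from the header
line, because CURRENT STATE ("Running 5 minutes ago") and the history rows (marked with
a backslash-underscore prefix) contain single spaces that a whitespace split would break.
"""
import re
import sys
from typing import Dict, List

COLUMNS = ["ID", "NAME", "IMAGE", "NODE", "DESIRED STATE", "CURRENT STATE", "ERROR", "PORTS"]


def parse_stack_ps(output: str) -> List[Dict[str, str]]:
    """Return one dict per task row, keyed by column name."""
    lines = [line for line in output.splitlines() if line.strip()]
    header, body = lines[0], lines[1:]
    offsets = [header.index(col) for col in COLUMNS]
    tasks = []
    for line in body:
        task = {}
        for i, col in enumerate(COLUMNS):
            end = offsets[i + 1] if i + 1 < len(COLUMNS) else None
            task[col] = line[offsets[i]:end].strip()
        tasks.append(task)
    return tasks


def service_name(task_name: str) -> str:
    """Drop the history marker and the slot number: '\\_ stack_apache_httpd.1' -> 'stack_apache_httpd'."""
    name = re.sub(r"^\\_\s+", "", task_name)
    return re.sub(r"\.\d+$", "", name)


def running_replicas(tasks: List[Dict[str, str]]) -> Dict[str, int]:
    """Count tasks per service whose current state is Running."""
    counts: Dict[str, int] = {}
    for task in tasks:
        if task["CURRENT STATE"].startswith("Running"):
            svc = service_name(task["NAME"])
            counts[svc] = counts.get(svc, 0) + 1
    return counts


def unhealthy_tasks(tasks: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tasks the scheduler wants Running that are not, plus any task reporting an error."""
    return [
        task for task in tasks
        if (task["DESIRED STATE"] == "Running" and not task["CURRENT STATE"].startswith("Running"))
        or task["ERROR"]
    ]


def _row(*cells: str) -> str:
    # Pad the first seven columns the way docker's table writer does (fixed column starts).
    widths = (20, 27, 20, 20, 20, 34, 26)
    return "".join(cell.ljust(w) for cell, w in zip(cells, widths)) + cells[7]


# Constructed sample in the layout of `docker stack ps stack`; the last row is invented.
SAMPLE_STACK_PS = "\n".join([
    _row(*COLUMNS),
    _row("px316bdihumh", "stack_apache_httpd.1", "httpd:latest", "docker", "Running", "Running less than a second ago", "", ""),
    _row("wtkbnp1b2gmb", " \\_ stack_apache_httpd.1", "httpd:latest", "docker", "Shutdown", "Shutdown less than a second ago", "", ""),
    _row("9i6sxjt18igr", "stack_apache_httpd.2", "httpd:latest", "docker", "Running", "Running less than a second ago", "", ""),
    _row("zhzz1keqtitc", " \\_ stack_apache_httpd.2", "httpd:latest", "docker", "Shutdown", "Shutdown less than a second ago", "", ""),
    _row("abc123def456", "stack_apache_httpd.2", "httpd:latest", "docker", "Running", "Failed 5 seconds ago", "task: non-zero exit (1)", ""),
])

if __name__ == "__main__":
    # Usage: docker stack ps stack | python3 stack_health.py
    parsed = parse_stack_ps(sys.stdin.read())
    print("running replicas:", running_replicas(parsed))
    for task in unhealthy_tasks(parsed):
        print(f"ALERT {task['NAME']} on {task['NODE']}: {task['CURRENT STATE']} {task['ERROR']}")
```

The Shutdown history rows are left alone on purpose: their desired state is Shutdown, so they are expected after an update or rollback and only the tasks that should be Running count against the service.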

Configuring Docker Swarm

Posted: October 2, 2018 in docker

A swarm is a group of machines that are running Docker and joined into a cluster.

Think of it as a kind of failover cluster: if one Docker host goes down, the containers it was running will run on the other Docker hosts. A swarm has 2 node roles:

-manager: manages the swarm and schedules the Docker containers.

-worker: runs the containers

Creating swarm:

docker swarm init

1.PNG

To join another Docker host to this swarm, run:

docker swarm join --token SWMTKN-1-49kz2okua328qsqibfmv0tiu5fxq3ou7ivu27qwwjxuim3g03m-3epqd7g12fkre623hzvl1ta41 172.23.124.227:2377

172.23.124.227 is the IP of the machine on which the swarm was initialised

To check swarm status:

docker info

2.png

On the swarm manager run the command below to list the swarm members

docker node ls

3.PNG

4.PNG

We can see that docker host dockerswarm is swarm manager.

To promote a worker to manager, run the following command on the manager:

[root@dockerswarm ~]# docker node promote docker
Node docker promoted to a manager in the swarm.

To create a service with 6 nginx containers, run:


docker service create --replicas 6 -p 80:80 nginx

5.PNG

6.PNG

To see service status:

docker service ps xenodochial_hawking

7.PNG

8.PNG

From the picture above we can see that the nginx containers are evenly distributed among the Docker hosts.

We can access nginx through any Docker host's IP:

curl 172.23.124.231

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.

Commercial support is available at
nginx.com.

Thank you for using nginx.

To limit the containers to a particular Docker host:

docker service update --constraint-add "node.hostname==docker" xenodochial_hawking

To revert to previous configuration:

docker service update --rollback xenodochial_hawking

To remove service:

docker service rm xenodochial_hawking

Configuring Portus Docker registry

Posted: October 1, 2018 in docker

In the last post we installed the Portus registry. Now we'll create a user and teams.

Under Users click Create New user

1.png

Set username/password

2.PNG

Teams are the way in which we can manage our users. Each team owns a set of namespaces, which are used to group repositories. Besides grouping namespaces, teams are used to manage the permissions in which each team member can push/pull certain repositories. This is done through Teams roles.

  • Viewer: viewers can only pull from the repositories owned by the team.
  • Contributor: contributors can both pull and push from the repositories owned by the team.
  • Owner: owners have the same permissions as contributors, but they can also manage the list of team members. Owners can: add/remove team members and edit the role of team members.

Under Teams click Create new team.

3.png

Specify the team owner

4.PNG

Once the team is created, add members

5.png

Specify the role

6.PNG

A namespace is simply a collection of repositories. Namespaces are the way in which Portus is able to manage repositories in a friendly and clear way. Each namespace belongs to a team.

To create a namespace, under Namespaces click Create new namespace

7.png

Specify the team for the namespace

8.PNG

9.PNG

We gave the test user the Viewer role: he can pull images from the repository but can't push anything to it.

Tag image:

docker tag nginx docker.com/myteam/nginx:latest

Login as test user:

docker login docker.com/myteam
Username: test
Password:
Login Succeeded

Try pushing an image to Portus; it will fail:

docker push docker.com/myteam/nginx:latest
The push refers to repository [docker.com/myteam/nginx]
e8916cb59586: Layer already exists
3bbff39fa30b: Layer already exists
8b15606a9e3e: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Portus is open-source Docker registry where we can store and manage our Docker images.

Installing Docker and docker-compose

wget -qO- https://get.docker.com/ | sh

The above command downloads and executes a small installation script written by the Docker team.

Add your user to the docker group with the following command.

sudo usermod -aG docker $(whoami)

Log out and log in from your server to activate your new groups.

Set Docker to start automatically at boot time:

sudo systemctl enable docker.service

Finally, start the Docker service:

sudo systemctl start docker.service

Install docker-compose

sudo yum install epel-release
sudo yum install -y python-pip

Then you can install Docker Compose:

sudo pip install docker-compose

Set the hostname (needed for the SSL certificate)

vi /etc/hostname
[root@docker secrets]# cat /etc/hosts
127.0.0.1 docker.com localhost.localdomain localhost4 localhost4.localdomain4

Clone the Portus git repository:

git clone https://github.com/SUSE/Portus.git

Install a self-signed certificate

In the Portus/examples/compose/secrets folder generate the certificates. The first command creates a passphrase-protected key; the cp and openssl rsa steps then write an unencrypted copy of it so nginx can start without prompting for the passphrase.

openssl genrsa -des3 -out server.key 4096

openssl req -new -key server.key -out server.csr

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

mv server.crt portus.crt
mv server.key portus.key

1.PNG

0.PNG

Edit /Portus/examples/compose/nginx/nginx.conf (change the hostname):

server {
    listen 443 ssl http2;
    server_name docker.com;
    root /srv/Portus/public;

Edit /Portus/examples/compose/docker-compose.yml

Remove all links entries (examples below)

links:
  - db

links:
  - portus:portus

Under the nginx service add a network alias using the hostname variable:

nginx:
  image: library/nginx:alpine
  networks:
    default:
      aliases:
        - ${MACHINE_FQDN}

At the top of the file add the environment variable

environment:
  - CCONFIG_PREFIX=PORTUS

Edit the /Portus/examples/compose/.env file and set MACHINE_FQDN:

MACHINE_FQDN=docker.com

SECRET_KEY_BASE=b494a25faa8d22e430e843e220e424e10ac84d2ce0e64231f5b636d21251eb6d267adb042ad5884cbff0f3891bcf911bdf8abb3ce719849ccda9a4889249e5c2
PORTUS_PASSWORD=12341234
DATABASE_PASSWORD=portus

Load the variables into the current shell:

. .env

Start the Portus containers:

docker-compose up -d

2.PNG

Test connection

I tested the connection from a Windows 10 machine and created a hosts record for the Linux Portus host

3.PNG

Set username/pass

4.PNG

Export the certificate to a file.

5.PNG

Import the certificate into the Trusted Root Certification Authorities store

5-1.PNG

5-2.PNG

Now the certificate warning will go away.

Define the repository name

4-1.PNG

6.PNG

7.PNG

Pushing & Pulling images to/from Portus repository

C:\Users\ja>docker login docker.com
Username: admin
Password:
Login Succeeded

Tag the image to point to the Portus registry and push it:

docker tag docker4w/nsenter-dockerd:latest docker.com/registry:ncenter
docker push docker.com/registry:ncenter

8.PNG

Pull the same image from the repository:

C:\Users\ja>docker rmi docker.com/registry:ncenter
Untagged: docker.com/registry:ncenter
Untagged: docker.com/registry@sha256:2bcdfb81dab062c329a337218a70f48f0f2b973f47cd8afb7f7f96aa78d99a8c
C:\Users\ja>docker pull docker.com/registry:ncenter
ncenter: Pulling from registry
Digest: sha256:2bcdfb81dab062c329a337218a70f48f0f2b973f47cd8afb7f7f96aa78d99a8c
Status: Downloaded newer image for docker.com/registry:ncenter

First create free account on https://hub.docker.com.

Create repository:

1.png

Choose visibility

2.png

Log in to your repository

docker login docker.io

Because I'm already authenticated by the Docker for Windows app, I'm not asked for credentials; otherwise I would need to provide Docker Hub credentials

3.png

4.PNG

Push image to Docker Hub:

5.PNG

We need to re-tag the image to match our repository name

6.PNG

docker tag httpd:latest dragan979/myrepo:myhttpd

and push it to Docker Hub

docker push dragan979/myrepo:myhttpd

6-1.PNG

7.PNG