Docker Tutorial

Angels by @daydreamerro, Romania

Building and deploying new applications is faster with containers.

Docker containers wrap up software and its dependencies into a standardized unit for software development that includes everything it needs to run: code, runtime, system tools and libraries.

This guarantees that your application will always run the same and makes collaboration as simple as sharing a container image.

Install Docker-ce

The docker.io package from the distribution repositories is old (version 1.x); docker-ce is the current upstream package (version 17.x or 18.x).

:~$ sudo apt-get -y install apt-transport-https ca-certificates software-properties-common
:~$ curl -fsSL get.docker.com | sed '/Aliyun/,/;;/{
/;;/a\
Singhua)\
DOWNLOAD_URL="https://mirrors.tuna.tsinghua.edu.cn/docker-ce"\
;;
}' > get-docker.sh && sudo sh get-docker.sh --mirror Singhua

If you want to change Docker's apt source after installation:

# example for raspbian
# the redirection is performed by the unprivileged shell, so write the file with sudo tee instead of '>'
:~$ echo '#deb [arch=armhf] https://download.docker.com/linux/raspbian stretch stable
deb [arch=armhf] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/raspbian stretch stable
' | sudo tee /etc/apt/sources.list.d/docker.list

Give a normal user the ability to run Docker

:~$ sudo usermod -aG docker [user's name]

After logging out and back in, that user can run docker without sudo. Membership of the docker group is equivalent to root on the host, because a member can start a container that bind-mounts the host filesystem, so only grant it to users you would also give sudo.

:~$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 72300a873c2c 3 weeks ago 64.2MB
alpine 3.8 c8bccc0af957 8 weeks ago 4.41MB
:~$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Use Host network

Most of Docker's network performance loss comes from the default bridge network: traffic to a published port goes through network address translation (NAT), and a userland proxy process (the “userland-proxy”) is started for each published port.

If we use the host network mode for a container, that container’s network stack is not isolated from the Docker host (the container shares the host’s networking namespace), and the container does not get its own IP-address allocated. For instance, if you run a container which binds to port 80 and you use host networking, the container’s application is available on port 80 on the host’s IP address.

Note: Given that the container does not have its own IP-address when using host mode networking, port-mapping does not take effect, and the -p, --publish, -P, and --publish-all options are ignored, producing a warning instead:

WARNING: Published ports are discarded when using host network mode

The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.

Use --net=host or --network host to attach the container to the host's network stack.

Example

Start an nginx container that binds directly to port 80 on the Docker host.

# Method 1
:~$ docker run --rm -d --network host --name my_nginx nginx
# Method 2
:~$ docker run --rm -d --net=host --name my_nginx nginx
:~$
:~$ sudo netstat -tulpn | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 522/nginx
  • --rm: remove the container once it exits/stops.
  • -d: start the container detached (in the background).
  • --network host: use host network.

Cache-Mirror Dockerhub For Speed

In China, downloading images from Dockerhub is very slow.
So here we use Dockerhub’s mirror to improve download speed.

Name                  Address
Azure                 https://dockerhub.azk8s.cn
Docker Official       https://registry.docker-cn.com
163                   http://hub-mirror.c.163.com
Aliyun (login needed) https://<your_code>.mirror.aliyuncs.com

# the redirection is performed by the unprivileged shell, so write the file with sudo tee instead of 'sudo cat >'
:~$ sudo mkdir -p /etc/docker
:~$ sudo tee /etc/docker/daemon.json > /dev/null <<EOF
{
  "registry-mirrors": ["https://dockerhub.azk8s.cn"]
}
EOF
:~$ sudo systemctl restart docker

Check that the setting took effect:

:~$ docker info
...
...
Registry Mirrors:
https://dockerhub.azk8s.cn/
...
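The heredoc above overwrites daemon.json, which silently drops any other daemon settings already in it. The following added example (not from this tutorial or from Docker) merges the mirror into an existing daemon.json instead, accepts only https:// mirrors (a plaintext mirror such as the 163 entry in the table lets anyone on the path substitute the manifest for the tag you pull), and checks the result against the "Registry Mirrors:" section of `docker info`. The sample daemon.json and the `docker info` excerpt are constructed; the parsing assumes the mirrors are listed as indented URLs under that key, as the output above shows.

```python
"""Added example: merge registry-mirrors into /etc/docker/daemon.json and
confirm the setting from `docker info` (not part of the tutorial or Docker)."""
import json

# Constructed sample of an existing daemon.json that a plain `cat >` would wipe out.
EXISTING_DAEMON_JSON = '{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}'

# Constructed excerpt of `docker info` output after the daemon restart.
SAMPLE_DOCKER_INFO = """\
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry Mirrors:
  https://dockerhub.azk8s.cn/
 Live Restore Enabled: false
"""


def merge_registry_mirrors(existing_text, mirrors):
    """Return new daemon.json text with `mirrors` added to registry-mirrors.

    Every other key is preserved. Only https:// mirrors are accepted: over
    plaintext the daemon has no way to tell a substituted manifest from the
    real one when pulling by tag.
    """
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    for mirror in mirrors:
        if not mirror.startswith("https://"):
            raise ValueError(f"refusing plaintext mirror: {mirror}")
    current = list(config.get("registry-mirrors", []))
    for mirror in mirrors:
        # compare without the trailing slash so re-running is idempotent
        if mirror.rstrip("/") not in (m.rstrip("/") for m in current):
            current.append(mirror)
    config["registry-mirrors"] = current
    return json.dumps(config, indent=2) + "\n"


def mirrors_from_docker_info(info_text):
    """Parse the URLs listed under "Registry Mirrors:" in `docker info` output."""
    mirrors, in_section = [], False
    for line in info_text.splitlines():
        stripped = line.strip()
        if stripped == "Registry Mirrors:":
            in_section = True
            continue
        if in_section:
            if stripped.startswith("http"):
                mirrors.append(stripped.rstrip("/"))
            else:
                break  # next top-level key ends the section
    return mirrors


def mirror_is_active(info_text, mirror):
    """True if `docker info` reports `mirror` (trailing slash ignored)."""
    return mirror.rstrip("/") in mirrors_from_docker_info(info_text)


if __name__ == "__main__":
    new_config = merge_registry_mirrors(EXISTING_DAEMON_JSON, ["https://dockerhub.azk8s.cn"])
    print(new_config)  # write this to /etc/docker/daemon.json, then restart docker
    print("active:", mirror_is_active(SAMPLE_DOCKER_INFO, "https://dockerhub.azk8s.cn"))
```

On a real host, feed it the current file (`sudo cat /etc/docker/daemon.json`) and the live `docker info` output instead of the constructed samples.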

docker images

ipsec_vpn_server

There are two services running: Libreswan (pluto) for the IPsec VPN, and xl2tpd for L2TP support.

The default IPsec configuration supports:

  • IKEv1 with PSK and XAuth (“Cisco IPsec”)
  • IPsec/L2TP with PSK

The ports that are exposed for this container to work are:

  • 4500/udp and 500/udp for IPsec

Install

For use on Raspberry Pis (ARM architecture), you must first build this Docker image on your RPi from source code, as described below, instead of pulling from Docker Hub.

  • Build from source code if you want to modify it:
    :~$ git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git
    :~$ cd docker-ipsec-vpn-server
    ....
    :~$ sudo docker build -t hwdsl2/ipsec-vpn-server .
  • Build from source code without modifying it:
    :~$ sudo docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server.git
  • On x86_64, install from Docker Hub:
    :~$ sudo docker search ipsec-vpn-server
    ...
    :~$ sudo docker pull hwdsl2/ipsec-vpn-server

ipsec-vpn-server configuration

Set Environment variables:

:~$ nano ./vpn.env
# Define your own values for these variables
# - DO NOT put "" or '' around values, or add space around =
# - DO NOT use these special characters within values: \ " '
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password

# (Optional) Define additional VPN users
# - Uncomment and replace with your own values
# - Usernames and passwords must be separated by spaces
VPN_ADDL_USERS=additional_username_1 additional_username_2
VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2

# (Optional) Use alternative DNS servers
# - By default, clients are set to use Google Public DNS
# - Example below shows using Cloudflare's DNS service
# VPN_DNS_SRV1=1.1.1.1
# VPN_DNS_SRV2=1.0.0.1

Note: In your env file, DO NOT put "" or '' around values, or add space around =. DO NOT use the special characters \ " ' within values. A secure IPsec PSK should consist of at least 20 random characters.
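The container reads vpn.env literally, so a quoted value, a space around = or a stray quote character ends up inside the credential and the client login fails without an obvious reason. As an added example (not from this tutorial or from the docker-ipsec-vpn-server project), the script below checks a vpn.env against every rule in the note above, including a matching count of VPN_ADDL_USERS and VPN_ADDL_PASSWORDS entries, and generates a PSK of the recommended length from an alphabet that can never contain a forbidden character. It assumes the file is one KEY=value per line with # comments and the variable names shown above; both sample files are constructed.

```python
"""Added example: validate a vpn.env file and generate a strong PSK
(not part of the tutorial or of docker-ipsec-vpn-server)."""
import re
import secrets
import string

FORBIDDEN_CHARS = set('\\"\'')  # the three characters the env file forbids
REQUIRED = ("VPN_IPSEC_PSK", "VPN_USER", "VPN_PASSWORD")
MIN_PSK_LENGTH = 20


def generate_psk(length=MIN_PSK_LENGTH):
    """Random PSK from letters and digits only, so no forbidden character can appear."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_vpn_env(text):
    """Return a list of problems; an empty list means the file follows every rule."""
    problems, values = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not of the form KEY=value")
            continue
        if key != key.strip() or value.startswith(" ") or not re.fullmatch(r"[A-Za-z_]\w*", key.strip()):
            problems.append(f"line {lineno}: space around '=' or invalid variable name")
        key = key.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            problems.append(f"line {lineno}: {key} is quoted; the quotes would become part of the value")
        elif FORBIDDEN_CHARS & set(value):
            problems.append(f"line {lineno}: {key} contains one of \\ \" '")
        values[key] = value
    for name in REQUIRED:
        if not values.get(name):
            problems.append(f"{name} is missing or empty")
    if len(values.get("VPN_IPSEC_PSK", "")) < MIN_PSK_LENGTH:
        problems.append(f"VPN_IPSEC_PSK is shorter than {MIN_PSK_LENGTH} characters")
    users = values.get("VPN_ADDL_USERS", "").split()
    passwords = values.get("VPN_ADDL_PASSWORDS", "").split()
    if len(users) != len(passwords):
        problems.append(f"VPN_ADDL_USERS lists {len(users)} names but VPN_ADDL_PASSWORDS lists {len(passwords)}")
    return problems


# Constructed sample: each active line breaks one of the rules from the note.
SAMPLE_BAD_ENV = """\
VPN_IPSEC_PSK="short"
VPN_USER = alice
VPN_PASSWORD=pa"ss
VPN_ADDL_USERS=bob carol
VPN_ADDL_PASSWORDS=onlyone
"""

# Constructed sample that passes, using a freshly generated PSK.
SAMPLE_GOOD_ENV = f"""\
VPN_IPSEC_PSK={generate_psk()}
VPN_USER=alice
VPN_PASSWORD=correct-horse-battery-staple
"""

if __name__ == "__main__":
    for problem in validate_vpn_env(SAMPLE_BAD_ENV):
        print("bad:", problem)
    print("good:", validate_vpn_env(SAMPLE_GOOD_ENV) or "no problems")
```

Run `validate_vpn_env(open("vpn.env").read())` before the `docker run` step; an empty list means the container will see exactly the credentials you intended.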

run ipsec-vpn-server and configure

  1. Run the image, bind-mounting the local vpn.env into the container (read-only):
    :~$ sudo docker run \
    --name ipsec-vpn-server \
    -v "$(pwd)/vpn.env:/opt/src/vpn.env:ro" \
    --restart=always \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server
    # -v "local file:file in docker:file permission"
  2. Open a bash shell inside the container:
    :~$ sudo docker exec -it ipsec-vpn-server env TERM=xterm bash -l
    root@docker:~$ apt-get update && apt-get -y install nano
    root@docker:~$ ...some other command
    root@docker:~$ exit
    :~$ sudo docker restart ipsec-vpn-server
  3. Retrieve the VPN login details (VPN username, password and IPsec pre-shared key):
    :~$ sudo docker logs ipsec-vpn-server
  4. Check server status:
    :~$ sudo docker exec -it ipsec-vpn-server ipsec status
  5. Display currently established VPN connections:
    :~$ sudo docker exec -it ipsec-vpn-server ipsec whack --trafficstatus
  6. To add, edit or remove VPN user accounts, update your env file, then restart the Docker container:
    :~$ sudo docker restart ipsec-vpn-server
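Both containers in this tutorial trade isolation for convenience: my_nginx runs with --network host, so it shares the host's network namespace and any port it binds is a host port, and ipsec-vpn-server runs with --privileged, which hands it every capability and the host's devices. The added example below (not from this tutorial or from Docker) reads the JSON that `docker inspect` prints and reports exactly those two settings, together with the ports each container publishes, so the running state can be compared with what was intended. It assumes only the inspect fields it reads (Name, Config.Image, HostConfig.NetworkMode, HostConfig.Privileged, HostConfig.PortBindings); the sample is constructed to mirror the two containers above.

```python
"""Added example: flag containers that weaken isolation from `docker inspect`
output (not part of the tutorial or of Docker)."""
import json
import sys

ISSUE_TEXT = {
    "host-network": "--network host: no network namespace of its own; -p/--publish are ignored",
    "privileged": "--privileged: all capabilities and access to host devices",
}

# Constructed sample shaped like `docker inspect my_nginx ipsec-vpn-server`,
# trimmed to the fields this audit reads.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/my_nginx",
        "Config": {"Image": "nginx"},
        "HostConfig": {"NetworkMode": "host", "Privileged": False, "PortBindings": {}},
    },
    {
        "Name": "/ipsec-vpn-server",
        "Config": {"Image": "hwdsl2/ipsec-vpn-server"},
        "HostConfig": {
            "NetworkMode": "default",
            "Privileged": True,
            "PortBindings": {
                "500/udp": [{"HostIp": "", "HostPort": "500"}],
                "4500/udp": [{"HostIp": "", "HostPort": "4500"}],
            },
        },
    },
])


def audit_containers(inspect_json):
    """Map container name -> {image, issues, published} from `docker inspect` JSON."""
    report = {}
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig", {})
        issues = []
        if host_config.get("NetworkMode") == "host":
            issues.append("host-network")
        if host_config.get("Privileged"):
            issues.append("privileged")
        # PortBindings is null for containers started without -p
        published = sorted((host_config.get("PortBindings") or {}).keys())
        report[container["Name"].lstrip("/")] = {
            "image": container.get("Config", {}).get("Image", "?"),
            "issues": issues,
            "published": published,
        }
    return report


if __name__ == "__main__":
    # usage: docker inspect my_nginx ipsec-vpn-server | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, entry in audit_containers(text).items():
        print(f"{name} ({entry['image']}): publishes {entry['published'] or 'nothing'}")
        for issue in entry["issues"]:
            print("   ", ISSUE_TEXT[issue])
```

Run `docker inspect $(docker ps -q)` through it to audit every running container on a host; an entry with an empty issues list and only the ports you expected is the baseline to aim for.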

svn server image

Please see the SVN Tutorial

Transmission-Daemon

Please see Transmission-Daemon

Py-KMS server

Please see Py-KMS


References:
Docker.com
Angels by @daydreamerro
docker-ipsec-vpn-server
docker-svn-server
docker-transmission-daemon
docker-Py-KMS