Docker
Official documentation
Docker hub image registry
Docker installation. From the Official tutorial:
- Add docker repository:
  - Install packages to allow apt to use a repository over https:
    apt install apt-transport-https ca-certificates curl gnupg2 lsb-release
  - Add the docker repository signing key:
    curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  - Add the docker repository (signed-by pins it to the key just downloaded):
    echo "deb [arch="$(dpkg --print-architecture)" signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
- Install docker:
  apt update
  apt install docker-ce
- Test docker:
  docker run --rm hello-world
- If you want a non-root user to be able to run docker, add it to the docker group (gpasswd -a {user} docker, then the user needs to log in again). Be careful! Being able to run docker commands basically gives root access to the system: a member of the docker group can start a container running as root with any host directory mounted into it.
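The steps above as one script, added here as an example (it is not the page's or Docker's own installer). It uses apt-get instead of apt because apt's output is not meant for scripts, and it refuses to add the repository if the downloaded key does not have the fingerprint Docker publishes in its install documentation; that fingerprint is copied here from those docs, so confirm it there before relying on the script. Keyring path and source file name are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the page or from Docker): scripted Debian install
# with a key fingerprint check before the repository is trusted.
set -eu

KEYRING=/usr/share/keyrings/docker-archive-keyring.gpg
# Fingerprint of Docker's Debian repository key as published in Docker's install
# documentation (assumption: verify it against the docs before use).
EXPECTED_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88

# Build the apt source line for a given architecture and Debian codename.
docker_apt_source() {
    echo "deb [arch=$1 signed-by=$KEYRING] https://download.docker.com/linux/debian $2 stable"
}

# Print the fingerprint of the primary key stored in a binary keyring file.
keyring_fingerprint() {
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_docker() {
    apt-get update
    apt-get install -y apt-transport-https ca-certificates curl gnupg2 lsb-release
    curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o "$KEYRING"
    got=$(keyring_fingerprint "$KEYRING")
    if [ "$got" != "$EXPECTED_FPR" ]; then
        echo "unexpected key fingerprint: $got" >&2
        rm -f "$KEYRING"
        exit 1
    fi
    docker_apt_source "$(dpkg --print-architecture)" "$(lsb_release -cs)" \
        > /etc/apt/sources.list.d/docker.list
    apt-get update
    apt-get install -y docker-ce docker-compose-plugin
    docker run --rm hello-world
}

# Only install when asked explicitly, so the file can also be sourced for its functions.
if [ "${1:-}" = "--install" ]; then
    install_docker
fi
```

Run it as root with --install. It deliberately does not add anyone to the docker group; do that by hand for the one user who really needs it.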
Docker compose
Docker Compose is a tool that allows you to configure and run one or more containers from a yaml file (docker-compose.yml).
Docker compose is now integrated in docker as a plugin (the docker-compose-plugin package, installed alongside docker-ce; install it explicitly if it is missing).
That means that you should now use docker compose instead of docker-compose (see the migration overview).
Compose file reference.
When you write a compose file, you can check its syntax by running docker compose config. Note that in yaml indentation matters and must be done with spaces, not tabs.
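An example compose file and the two checks worth running before docker compose up, added here and not taken from the page: a tab check (a tab in the indentation is the classic yaml mistake mentioned above) and docker compose config when docker is installed. The image tags are real; the service names, the ./site directory, the loopback-only port and the read-only/tmpfs hardening are choices made for this example, so confirm with docker compose up that the image still starts with them.

```shell
#!/bin/sh
# Added example (not from the page): write a small hardened compose file and
# validate it before use.
set -eu

# Write the example compose file to $1. Service names and paths are illustrative.
write_compose_file() {
    cat > "$1" <<'EOF'
services:
  web:
    image: nginx:1.27
    ports:
      - "127.0.0.1:8080:80"      # publish on loopback only
    volumes:
      - ./site:/usr/share/nginx/html:ro
    read_only: true               # root filesystem read-only ...
    tmpfs:                        # ... except the paths nginx must write
      - /var/cache/nginx
      - /var/run
    restart: unless-stopped
  scratch:
    image: busybox:1.36
    command: ["sh", "-c", "tail -f /dev/null"]
    volumes:
      - data:/data
volumes:
  data:
EOF
}

# YAML indentation must use spaces; succeed (return 0) if the file contains a tab.
yaml_has_tabs() {
    grep -q "$(printf '\t')" "$1"
}

# Validate a compose file: tab check first, then let compose parse it if available.
check_compose_file() {
    if yaml_has_tabs "$1"; then
        echo "$1: contains tab characters, YAML indentation must use spaces" >&2
        return 1
    fi
    if command -v docker >/dev/null 2>&1; then
        docker compose -f "$1" config >/dev/null
    fi
}

if [ "${1:-}" = "--demo" ]; then
    write_compose_file docker-compose.yml
    check_compose_file docker-compose.yml && echo "docker-compose.yml is valid"
fi
```

The tab check is deliberately separate from docker compose config: compose reports a tab as a generic yaml parse error with a line number, which is harder to act on than "there is a tab in this file".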
Allow inter-container communication in firewall
In general, containers on the same docker network can communicate with each other without problems. If a container publishes a port, outside hosts can also reach the container on that port without problems.
However, sometimes when one container reaches another through a public name (e.g. service.example.org), i.e. through the host's public address, the host firewall blocks the connection even though the destination container publishes the port.
A solution is to explicitly open the port in the host firewall, e.g. for https iptables -A INPUT -p tcp --dport 443 -j ACCEPT. As written this rule accepts the port from everywhere; if only containers need it, restrict the rule to the docker bridge interface (docker0, or the br-... interface of a compose network) with an in-interface match, or to the container subnet.
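The restricted variant of that rule as a small idempotent helper, added here as an example (not from the page). The interface defaults to docker0, the default bridge; for a compose network use the br-... interface shown by docker network inspect. The IPTABLES variable exists only so the command can be swapped out for a dry run.

```shell
#!/bin/sh
# Added example (not from the page): accept a TCP port on the host only for
# packets arriving from the docker bridge, without adding duplicate rules.
set -eu

BRIDGE_IF=${BRIDGE_IF:-docker0}   # default bridge; compose networks use br-<id>
IPTABLES=${IPTABLES:-iptables}    # overridable for dry runs and tests

# Add an INPUT rule for $1/tcp limited to the bridge interface. "iptables -C"
# checks whether the rule already exists, so re-running the script is harmless.
allow_from_containers() {
    port=$1
    if ! "$IPTABLES" -C INPUT -i "$BRIDGE_IF" -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        "$IPTABLES" -A INPUT -i "$BRIDGE_IF" -p tcp --dport "$port" -j ACCEPT
    fi
}

# Show the INPUT rules that mention the bridge, to review what is open to containers.
list_container_rules() {
    "$IPTABLES" -S INPUT | grep -- "-i $BRIDGE_IF" || true
}

if [ "${1:-}" = "--allow" ]; then
    allow_from_containers "${2:-443}"
    list_container_rules
fi
```

Rules added with -A are not persistent; on Debian, install iptables-persistent (or an nftables equivalent) to keep them across reboots.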
Backing up docker volumes
Creating an archive of the volume
- Create the (empty) archive file first, otherwise docker creates a directory of that name at the mount point:
  touch {archive file (e.g. backup.tar.gz)}
- Archive the volume content with a throwaway busybox container (the volume is mounted read-only so the backup cannot modify it):
  docker run --rm -v {volume name}:/to_backup:ro -v $(realpath {archive file (e.g. backup.tar.gz)}):/backup.tar.gz busybox tar czf /backup.tar.gz -C /to_backup .
- Check your archive content with
  tar tvf backup.tar.gz | less
Restoring a volume from an archive
- (optional) If the volume already exists and you want a clean state rather than a merge, remove it with
  docker volume rm {volume name}
  (docker recreates it on the next run; the removal fails while a container still uses the volume)
- Unpack the archive into the volume:
  docker run --rm -v {volume name}:/to_fill -v {abs path to the archive}:/backup.tar.gz:ro busybox tar xzf /backup.tar.gz -C /to_fill
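Both procedures as shell functions, added here as an example (not from the page), with the check a practitioner wants before a restore: the archive is listed first, so a missing, empty or truncated file is caught before the volume is wiped. The mount points /to_backup and /to_fill are the page's; the DOCKER variable exists only so the commands can be captured in a dry run.

```shell
#!/bin/sh
# Added example (not from the page): backup and restore of a named docker volume
# through a throwaway busybox container.
set -eu

DOCKER=${DOCKER:-docker}   # overridable for dry runs and tests

# Create archive $2 (tar.gz) from the volume named $1. The file is created first so
# that docker bind-mounts a file instead of creating a directory of that name.
backup_volume() {
    vol=$1
    archive=$2
    : > "$archive"
    "$DOCKER" run --rm \
        -v "$vol:/to_backup:ro" \
        -v "$(realpath "$archive"):/backup.tar.gz" \
        busybox tar czf /backup.tar.gz -C /to_backup .
}

# Refuse an archive that is missing, empty or not a readable gzip tar.
check_archive() {
    archive=$1
    if [ ! -s "$archive" ]; then
        echo "$archive: missing or empty" >&2
        return 1
    fi
    if ! tar tzf "$archive" >/dev/null 2>&1; then
        echo "$archive: not a readable tar.gz" >&2
        return 1
    fi
}

# Restore archive $2 into the volume named $1. With "--wipe" as third argument the
# volume is removed first (fails while a container uses it; docker recreates it on
# the next run), so files that are not in the archive do not survive.
restore_volume() {
    vol=$1
    archive=$2
    check_archive "$archive"
    if [ "${3:-}" = "--wipe" ]; then
        "$DOCKER" volume rm "$vol"
    fi
    "$DOCKER" run --rm \
        -v "$vol:/to_fill" \
        -v "$(realpath "$archive"):/backup.tar.gz:ro" \
        busybox tar xzf /backup.tar.gz -C /to_fill
}

case "${1:-}" in
    backup)  backup_volume "$2" "$3" ;;
    restore) restore_volume "$2" "$3" "${4:-}" ;;
esac
```

Usage: backup {volume} backup.tar.gz, restore {volume} backup.tar.gz [--wipe]. Ownership inside the archive is numeric (busybox tar runs as root in the container), which is what you want for a volume restore; it also means the archive is readable by whoever can read the file on the host, so store it accordingly.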
Bug: docker won't remove containers
Based on this github comment.
If removing a container fails with error: driver "aufs" failed to remove root filesystem for [...] device or resource busy, you can fix it like this (this concerns the legacy aufs storage driver; current installs default to overlay2):
- Edit /lib/systemd/system/docker.service (better: put the same setting in a drop-in file under /etc/systemd/system/docker.service.d/, which a package upgrade will not overwrite)
- In the [Service] section, add or set the option MountFlags=private
- Reload the unit files and restart docker:
  systemctl daemon-reload
  systemctl restart docker
- Verify that all previously running containers are started again. This should be the case if they are set to restart=always or restart=unless-stopped.
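The same fix applied through a systemd drop-in, added here as an example (not from the page or the linked comment). The drop-in directory is the standard systemd path for overriding a unit; the file name override.conf is a choice, not a requirement.

```shell
#!/bin/sh
# Added example (not from the page): set MountFlags=private for docker.service via
# a drop-in, then restart and list containers that did not come back.
set -eu

# Write the drop-in under root directory $1 ("/" on a real system) and print its path.
write_mountflags_dropin() {
    dir="$1/etc/systemd/system/docker.service.d"
    mkdir -p "$dir"
    printf '[Service]\nMountFlags=private\n' > "$dir/override.conf"
    echo "$dir/override.conf"
}

# Print the MountFlags value the drop-in sets (nothing if the drop-in is absent).
dropin_mountflags() {
    f="$1/etc/systemd/system/docker.service.d/override.conf"
    if [ -f "$f" ]; then
        sed -n 's/^MountFlags=//p' "$f"
    fi
}

apply_fix() {
    write_mountflags_dropin / >/dev/null
    systemctl daemon-reload
    systemctl restart docker
    # Containers with restart=always/unless-stopped should be running again;
    # anything listed here is still stopped and needs a manual "docker start".
    echo "containers not running after the restart:"
    docker ps -a --filter status=exited --format '{{.Names}} ({{.Status}})'
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```

Run it as root with --apply. systemctl cat docker shows the unit together with the drop-in, which is the quickest way to confirm the override is picked up.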
Useful images
Busybox
Very minimalist Linux container, useful for troubleshooting docker setups.
If you want to start the container and leave it running (e.g. in order to attach to it afterwards with docker exec), run a command that never ends, such as sh -c 'tail -f /dev/null'.
Nginx
Web server. An easy way to create a container serving static web content: the content to serve must be placed in the /usr/share/nginx/html folder of the container, usually by mounting a host directory there.
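A way to serve a local directory with that image, added here as an example (not from the page or the nginx project): the directory is mounted read-only so a compromised nginx cannot alter the content, and the port is published on the host's loopback only. The container name static-site, the port 8080 and the index.html check are choices made for this example; DOCKER is overridable only for dry runs.

```shell
#!/bin/sh
# Added example (not from the page): serve a directory read-only with the official
# nginx image, reachable from localhost only.
set -eu

DOCKER=${DOCKER:-docker}   # overridable for dry runs and tests

# Start nginx serving directory $1 on 127.0.0.1:$2. Refuses a directory without an
# index.html, which nginx would only answer with 403 (directory listing is off).
serve_dir() {
    dir=$(realpath "$1")
    port=$2
    if [ ! -f "$dir/index.html" ]; then
        echo "$dir: no index.html to serve" >&2
        return 1
    fi
    "$DOCKER" run --rm -d --name static-site \
        -p "127.0.0.1:$port:80" \
        -v "$dir:/usr/share/nginx/html:ro" \
        nginx
}

# Fetch the index page through the published port, then stop the container.
smoke_test() {
    port=$1
    curl -fsS "http://127.0.0.1:$port/" >/dev/null && echo "nginx answers on port $port"
    "$DOCKER" stop static-site >/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    serve_dir "${2:-./site}" "${3:-8080}"
    sleep 1
    smoke_test "${3:-8080}"
fi
```

To expose the site beyond the host, put a reverse proxy with TLS in front rather than publishing on 0.0.0.0.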
Glances
Monitoring application that can also monitor docker containers.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host -it nicolargo/glances
Note that this hands the container the docker socket and the host PID namespace. The :ro only makes the mount read-only; it does not stop the container from sending commands to the docker daemon (i.e. root-equivalent control of the host), so only run images you trust this way.
If the display gets broken, press h to access the help and then press h again to get back; this refreshes the display.
Run GUI applications with VNC
Since containers typically do not have access to a screen, GUI applications usually cannot run in them. A solution is to create a virtual display and expose it with VNC.
On a Debian container/system you would do the following steps:
- Install the virtual display and a VNC server:
  apt update && apt install xvfb x11vnc
- Start the virtual display:
  Xvfb :0 -screen 0 {width}x{height}x{colordepth (e.g. 16)} &
- Start the VNC server:
  x11vnc -display :0 -forever
  Started like this the server has no password: anyone who can reach port 5900 gets full control of the display. Set a VNC password (x11vnc supports one) and/or keep the port reachable only through an SSH tunnel.
- Run export DISPLAY=:0 to set the default display for applications to the one we just created.
- (optional) expose port 5900 of the container
On the system from which you intend to connect (display :0 corresponds to port 5900):
apt install gvncviewer
gvncviewer {hostname}:0