Getting Started with Docker using Cockpit (Fedora 26)

Introduction

For ages, I've been wanting to get into Docker, especially how it's now the next big thing. In this tutorial, we will see how Docker works, it's basic commands, what you can do with it and also touch upon Docker security, such as isolation.

So what is Docker?
Docker is a platform used to deploy applications in a convenient way. It's kinda like virtual machines, but not quite. It's exploded in popularity because it makes system administration a lot more efficient and better.

Installing stuff, especially web applications is annoying, compiling stuff, dependencies breaking, extraneous files left everything, then you need to set up the database. The beauty of Docker is that this process can be encapsulated.

Running servers can get messy, especially if you're running a lot of services on it, e.g. running Postfix, Apache, MySQL, Node all one a single box would not only be massively bad for security, it would just be a mess of packages, and be nasty to maintain. On Docker, you can add your mail server in a single command (assuming you have an image), so no more apt-get hell.

Security

Because the attack surface on containers (the app is 'jailed' so even if a bad guy compromises your webapp or whatever, they would have far more limited capabilities to do systemic damage than on a real server). Although Docker isn't a panacea to security, the fact that everything is so modular, lightweight, and isolated means the Docker ecosystem is in general more security conscious then your average box, particularly in terms of principles of segregation of duties and least Privilege.

Docker images are also quite small in storage size because a docker image is typically the minimal environment needed for the app to run. Since they are easy

Installing Docker + Cockpit

I'm a Fedora fan, so we'll be installing it on the newly released Fedora 26.We'll also be installing Cockpit, a pretty sweet web interface for doing simple admin tasks, including controlling docker.

$ sudo dnf update
$ sudo dnf install cockpit docker

A good but optional thing to do now is to bind Cockpit to 127.0.0.1 so its only running as a local service. All you need to do is the following (or just sudo nano cockpit.socket)

$ sudo bash -c 'cat <<<"
[Unit]
Description=Cockpit Web Service Socket
Documentation=man:cockpit-ws(8)

[Socket]
ListenStream=127.0.0.1:9090

[Install]
WantedBy=sockets.target
"> /usr/lib/systemd/system/cockpit.socket'

Creating Our First Container through Cockpit

We access cockpit via http://127.0.0.1:9090, after logging in, we click 'Containers'.
If you cannot access 127.0.0.1:9090 you may need to start cockpit, do so with this command

$ sudo systemctl start cockpit.service

size=60%

We create pull new image, and pull the latest image for ghost.

size=60%

Once it's downloaded, we click on docker.io/ghost:latest and create our first container instance of the ghost image. We set the following options:

  • Container Name: a canonical name of the container.
    By default, Docker picks a adjective+surname pair e,g, "aggrieved_stallman" This is mutable; it is best to pick a meaningful Name

  • Command: The command the container runs when started
    With terminal, whether the container has an accessible tty (generally you want this)

  • Expose container ports - whether the container has accessible ports.
    The port on the left is the port accessible via the containers ip address on docker0, if a port on the right is set, then traffic sent to the host on that port will be natted to the container

  • Volumes - Define data volumes for the container
    Docker images are designed to be immutable and relatively disposable.
    When we have static, runtime specific data, we do not put it in the containers main file system, instead we have an overlay file system mounted inside the container which points either to a resource on the host, or is created when we start the container for the first time.

    Committing the container does not preserve the contents of volumes
    For things like websites, it's best to point to a host paTh

    If you have permission issues, try running
    sudo chcon -Rt svirt_sandbox_file_t /path/to/vol

We then proceed to 172.17.0.2 and check its working
size=60%