This is an old revision of the document!
Table of Contents
Docker
Docker is similar to LXC, however it is geared to running a single application within its jailed system rather than being a lightweight VM. It's like having a chroot management system enhanced with networking. One side effect of not having an init process is zombie processes can accumulate in the container.
Docker has a lot of pre-built applications, and due to this the docker ecosystem is a security nightmare and cannot really be recommended unless you skip this and create your own builds from base O/S images such as Alpine Linux.
On this page are demos of using Docker on Linux. One container is an install of Laravel and another is Alpine Linux. The installation of Laravel should demonstrate the security issues when using pre-built docker images.
Alpine Linux is further configured for PHP8, composer and Symfony. This is not for production, just for development and not fully configured here, yet.
Later a build is investigated containing WordPress using Alpine Linux and accessed via a proxy with nginx.
Environment
VirtualBox virtual machine manager or Xen virtual machine.
Operating System
Devuan Chimaera on VirtualBox or Debian Bullseye on Xen.
Docker
Install
apt-get install apparmor apt-get install docker.io apt-get install docker-compose
User
Add your login user to the docker group with vigr and vigr -s and relog.
Run
/etc/init.d/docker start
Laravel
wget "https://laravel.build/example-app" -O example-app.sh sh ./example-app.sh cd example-app ./vendor/bin/sail up
Alpine Linux
Alpine Linux is a lightweight Linux ideal for running inside a container.
Install
Fetch the image and create the container.
docker pull alpine:latest docker create -t -i --name alpine_linux alpine:latest
Start
Start Alpine Linux.
docker start alpine_linux
Shell
Connect to a shell within Alpine Linux.
docker exec -it alpine_linux /bin/sh
Stop
Stop Alpine Linux
docker stop alpine_linux
Delete
How do delete Alpine Linux if necessary.
docker rm alpine_linux
PHP8
Install
docker exec -it alpine_linux /bin/sh apk update apk upgrade apk add php8 php8-fpm php8-opcache php8-cli php8-ctype php8-iconv php8-session php8-simplexml php8-tokenizer php8-openssl php8-phar ln -sf /usr/bin/php8 /usr/local/bin/php exit
Composer
Git
docker exec -it alpine_linux apk add git
Install
Visit the composer downloads page to find the composer installer script.
Save the script as composer-installer.sh
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce33d7678c5a611085589f1f3ddf8b3c52d662cd01d4ba75c0ee0459970c2200a51f492d557530c71c15d8dba01eae') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" php composer-setup.php php -r "unlink('composer-setup.php');"
Run the saved script.
sh composer-installer.sh Installer verified All settings correct for using Composer Downloading... Composer (version 2.3.5) successfully installed to: /root/composer.phar Use it: php composer.phar
Move the blob into your path.
mv composer.phar /usr/local/bin/
Symfony
Install
Fetch the symfony blob.
wget "https://github.com/symfony-cli/symfony-cli/releases/download/v5.4.8/symfony-cli_linux_amd64.tar.gz" tar zxvf symfony-cli_linux_amd64.tar.gz
Move the blob into your path.
mv symfony /usr/local/bin/
Application
Create a symfony application.
symfony new --webapp my_project
Fixed IP address
Bridge
Create a network bridge using docker.
docker network create --subnet=10.44.0.0/24 vlan
Run
Create and run the container. The option d starts the container in the background and t assigns a pseudo tty.
docker pull alpine:latest docker run -d -t --net vlan --ip 10.44.0.10 --name alpine_linux alpine
Command
Run a command in the container
docker exec -it alpine_linux /sbin/ifconfig eth0 eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX inet addr:10.44.0.10 Bcast:10.44.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:10 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:876 (876.0 B) TX bytes:0 (0.0 B)
Stop
Stop container
docker stop alpine_linux
Restart
Restart container
docker start alpine_linux
WordPress
Proxy
Install nginx in the main host.
apt install nginx-full php php-cli php-fpm
Use proxy_pass to direct a https URL to the container.
Eg.
location / { proxy_pass http://x.x.x.x:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Port 443; proxy_buffering off; }
Apache2
Install apache2 in the container.
Install
docker exec -it alpine_linux sh apk update apk upgrade apk add php8 php8-apache2 php8-mysqli php8-mysqlnd php8-opcache php8-cli php8-ctype php8-iconv php8-session php8-simplexml php8-tokenizer php8-openssl php8-phar php8-curl php8-dom php8-exif php8-fileinfo php8-pecl-imagick php8-mbstring php8-zip php8-gb php-intl ln -sf /usr/bin/php8 /usr/local/bin/php exit
Config
At the least edit the Listen and ServerName directives in /etc/apache2/httpd.conf
Listen *:80 ServerName WordPress ServerAdmin root ServerTokens Prod ServerSignature Off
Logging
Use mod remoteip resolve client ip address.
Newer apache2
RemoteIPProxyProtocol On RemoteIPProxyProtocolExceptions 127.0.0.1 X.X.X.X/24 RemoteIPHeader X-Forwarded-For RemoteIPTrustedProxy X.X.X.X
Older apache2
RemoteIPHeader X-Real-IP RemoteIPTrustedProxy X.X.X.X LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
Run
Start apache2 in the container.
docker exec -it alpine_linux /usr/sbin/httpd -DFOREGROUND
To keep this process up, start it from RUNIT or similar in the main docker host.
run
/usr/bin/docker start alpine_linux exec /usr/bin/docker exec -e TZ=UTC -e PHP_INI_SCAN_DIR=/etc/php8/conf.d -t alpine_linux /usr/sbin/httpd -DFOREGROUND
finish
/usr/bin/docker stop alpine_linux
WordPress
Install WordPress in the container.
docker exec -it alpine_linux sh cd /var/www/localhost wget "https://wordpress.org/latest.zip" -d htdocs unzip latest.zip chown -R apache:apache htdocs/wordpress exit
The URL will become https://example.com/wordpress/ and the setup URL will be https://example.com/wordpress/wp-admin/setup-config.php
If a MySQL server is not available then MySQL must be started in another container in the same network.
Add custom config values to support proxy.
define('FORCE_SSL_ADMIN', true); // in some setups HTTP_X_FORWARDED_PROTO might contain // a comma-separated list e.g. http,https // so check for https existence if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) $_SERVER['HTTPS']='on'; define('FS_METHOD','direct');
Miscellaneous
Copy file
docker cp .vimrc alpine_linux:/root/.vimrc
Apache log rotation
#! /bin/sh # Apache log rotation. # # Dmb May 1999 - Jun 2022. # Alpine Linux: # # apk add apache2-utils webalizer # # 0 1 * * * /usr/bin/docker exec alpine_linux /root/rotatelog 1>/dev/null 2>/dev/null umask 022 LOGDIR="/var/log/apache2" WEBLOG="access.log" LOGFILES="$WEBLOG error.log" STATDIR="stats" cd $LOGDIR for f in $LOGFILES do if test -f $f; then test -f $f.6.gz && mv $f.6.gz $f.7.gz test -f $f.5.gz && mv $f.5.gz $f.6.gz test -f $f.4.gz && mv $f.4.gz $f.5.gz test -f $f.3.gz && mv $f.3.gz $f.4.gz test -f $f.2.gz && mv $f.2.gz $f.3.gz test -f $f.1.gz && mv $f.1.gz $f.2.gz test -f $f.0 && mv $f.0 $f.1 && gzip $f.1 cp -p $f $f.0 cat /dev/null >$f fi done if test -f $WEBLOG.0; then TMPLOG=`mktemp /tmp/logresolve.XXXXXXXXXX` logresolve < $WEBLOG.0 > $TMPLOG mkdir -p $STATDIR webalizer -Q -p -n"localhost" -o$STATDIR $TMPLOG rm -f $TMPLOG fi exit 0
Clone
First stop the container to commit any changes
The commit creates a tagged version of the container which has any changes made since installation.
docker stop alpine_lunux docker commit alpine_linux wordpress:v1
Container can be restarted now
docker start alpine_linux
Save the docker container as an image
This saves the container at the specified commit tag for import elsewhere.
docker save -o wordpress_v1.tar wordpress:v1
Container image can now be used elsewhere.