====== Docker ======

[[https://www.docker.io/|Docker, The Linux container engine]] is an open source project to pack, ship and run any application as a lightweight container.

Have look at Docker [[https://docs.docker.com/linux/|getting started]].


===== Prerequisites =====

  - [[packages:kernel]] with ''USER_NS'', ''USER_NET'', etc.
  - vserver patch disabled (''docker exec'' will fail otherwise):
    - https://groups.google.com/forum/#!topic/docker-user/U3j7ykSceNg
    - http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2014-January/023786.html

===== PLD Linux Base images =====

Minimal PLD Linux base images are built every Friday and published in GitLab:

  * https://gitlab.com/pld-linux/pld#pld-linux-base-docker-images

There's also available base images from Th snapshots:
  * https://gitlab.com/pld-linux/pld/blob/master/README.md#snapshot-images

<code>
$ docker run --rm -it registry.gitlab.com/pld-linux/pld echo hello pld linux
hello pld linux
</code>

To build your own base image, you can use [[https://github.com/moby/moby/blob/master/contrib/mkimage-pld.sh|contrib/mkimage-pld.sh]] as base.


Additionally PHP base images are provided:
  * https://gitlab.com/pld-linux/php

==== Setup Cgroups ====

Easiest way is to install [[package>libcgroup]] package and enable all cgroup types:

<code>
# install libcgroup and enable mounts
poldek -u --noask libcgroup
sed -i -e '/^#mount/,$ s/^#//' /etc/cgconfig.conf
service cgconfig start 
</code>
===== Network Configuration ===== 

IPv4 packet forwarding is disabled by default in PLD Linux, so internet access from inside
the container will not work unless ''net.ipv4.ip_forward'' is enabled:

   WARNING: IPv4 forwarding is disabled.

To fix, run:

   sudo sysctl -w net.ipv4.ip_forward=1


Or, to enable it more permanently, enable it on the host's **/etc/sysctl.conf**:

   net.ipv4.ip_forward=1


===== Rights =====

Don't run docker as ''root''. Add your user to ''docker'' group in host to be able to run from your own user.

<note tip>
By adding yourself to the docker group you are effectively granting yourself full root permissions. For more information please read [[https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful|On Docker security: docker group considered harmful]].
</note>

Whoever, we still consider that more secure approach than just running as root. Accidental damage to Host system is minimized this way.
===== How To ===== 

==== Maintenance ====

Getting rid of stopped containers

<code>
docker ps -f status=exited
docker ps -q -f status=exited | xargs -r docker rm
</code>

Getting rid of unused images

<code>
docker images --filter dangling=true
docker images --filter dangling=true --quiet | xargs -r docker rmi
</code>

Getting rid of unused volumes
<code>
docker volume ls -f dangling=true
docker volume ls -qf dangling=true | xargs -r docker volume rm
</code>

For Docker < 1.9, see [[https://github.com/chadoe/docker-cleanup-volumes|docker-cleanup-volumes]] tool.

For Docker >= 1.13 use ''docker {container,image,volume,network} prune'' subcommands.

===== Vagrant =====

To play around inside [[vagrant]], create ''Vagrantfile'' and run ''vagrant up'' followed by ''vagrant ssh'':

<code bash>
mkdir test
cd test
# use curl or wget
curl -sS > Vagrantfile https://www.pld-linux.org/_export/code/packages/docker?codeblock=4 || \
wget -q -O Vagrantfile https://www.pld-linux.org/_export/code/packages/docker?codeblock=4
vagrant up
vagrant ssh
</code>

<code ruby Vagrantfile>
# -*- mode: ruby -*-
# vi: set ft=ruby :

BOX_NAME = ENV['BOX_NAME'] || "pld64"
BOX_URI = ENV['BOX_URI'] || "ftp://ftp.pld-linux.org/people/glen/vm/pld64.box"

hostname = File.basename(File.dirname(__FILE__))
print "\033k#{hostname}\033\\"

Vagrant::Config.run do |config|
  # Setup virtual machine box. This VM configuration code is always executed.
  config.vm.box = BOX_NAME
  config.vm.box_url = BOX_URI

  # Provision docker and new kernel if deployment was not done
  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
    pkg_cmd = "set -xe; "

    # install libcgroup and enable mounts
    pkg_cmd << "poldek -u --noask libcgroup; "
    pkg_cmd << "sed -i -e '/^#mount/,$ s/^#//' /etc/cgconfig.conf; "
    pkg_cmd << "service cgconfig start; "

    # ensure ip forward is enabled
    pkg_cmd << "sed -i -e '/^net.ipv4.ip_forward/ s/0/1/' /etc/sysctl.conf; "
    pkg_cmd << "sysctl -p; "

    # Add docker package and start it
    pkg_cmd << "poldek -u --noask lxc-docker; "
    pkg_cmd << "service lxc-docker start; "
    pkg_cmd << "usermod -A docker vagrant; "

    # Add glibc locales
    pkg_cmd << "poldek -u glibc-localedb-all; "

    # Make some more space for containers
    pkg_cmd << "poldek -u xfsprogs; ldconfig; "
    pkg_cmd << "lvextend --size=+3G /dev/sys/rootfs; xfs_growfs /; "

    config.vm.provision :shell, :inline => pkg_cmd
  end
end


# Providers were added on Vagrant >= 1.1.0
Vagrant::VERSION >= "1.1.0" and Vagrant.configure("2") do |config|
  config.vm.provider :virtualbox do |vb|
    config.vm.box = BOX_NAME
    config.vm.box_url = BOX_URI

    # ssh agent forwarding can be useful
    #config.ssh.forward_agent = true

    # Make VM accessible outside VM itself, and use eth1 device
    #config.vm.network :public_network, { bridge: 'eth1', auto_config: true }
  end
end 
</code>