Configuring Docker containers in the OwnCloud cloud

Forwarding Ports for Access via the Network

The docker run command, supplemented with the -p switch, starts the image with a network connection into the container. The following example forwards host port 13306 to container port 3306 (i.e., the MySQL server):

docker run -d -p 13306:3306 mysql

Docker implements the forwarding by means of a simple iptables NAT rule on the host system. If you additionally want to bind the forwarded port to a specific IP address, type the IP address, followed by a colon, in front of the port number. For the loopback address, the parameter value would be 127.0.0.1:13306:3306. If you leave out the 13306, as in 127.0.0.1::3306, Docker randomly selects a forwarding port from the range 49000 through 49900.

In the Dockerfile, the EXPOSE keyword defines which network ports the container provides. The parameter value for EXPOSE is a space-delimited list of single ports. A configuration line might look like:

EXPOSE 3306

This line tells Docker to use container port 3306. If you use EXPOSE in the Dockerfile to stipulate all open ports in the container, you can publish them all at once with the -P switch when starting the container. Docker then takes care of dynamic port assignment on the host; an explicit assignment with the -p switch is no longer possible in this case. An example on the host might look like:

docker run -d -P mysql

If you set both the -p and the -P option, the values given with the lowercase -p take priority.

You can list the current redirects with two commands. The docker ps command provides information about the network, along with run-time data for the container; the required data is in the PORTS column. An arrow (->) indicates a redirect; if you only see a port number, the port is open and other containers are allowed to use it, but it is not redirected to the host:

docker ps
... PORTS
... 0.0.0.0:5556->3306/tcp

The docker port command additionally requires the name or ID of a started container and a container port, and replies with the host address and port to which that container port is redirected. The command

docker port mysql 3306
0.0.0.0:13306

addresses a container named mysql.
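The distinction in the PORTS column between a redirect bound to 0.0.0.0 (reachable on every host interface through the NAT rule), one bound to 127.0.0.1, and a bare EXPOSEd port is worth checking automatically. The following script is an added example, not code from the article; it parses constructed docker ps output (container names and ports are made up) and reports every redirect whose host side is the wildcard address.

```shell
# Constructed sample in the shape of `docker ps --format '{{.Names}}\t{{.Ports}}'`
# output; the container names and ports are made up for this example.
SAMPLE_PS="$(printf 'mysql\t0.0.0.0:13306->3306/tcp\nowncloud\t127.0.0.1:8080->80/tcp, 443/tcp\nredis\t6379/tcp\n')"

# Usage: find_wildcard_bindings "<ps output>"
# Prints "name entry" for every redirect whose host side is 0.0.0.0 or [::],
# i.e. a NAT rule that makes the container port reachable on every host interface.
# Redirects bound to one address (127.0.0.1:...) and bare EXPOSEd ports
# (reachable only by other containers on the bridge) are skipped.
find_wildcard_bindings() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name ports; do
        [ -n "$ports" ] || continue
        # the PORTS column may hold several comma-separated entries
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r entry; do
            case "$entry" in
                0.0.0.0:*"->"*|"[::]:"*"->"*) printf '%s %s\n' "$name" "$entry" ;;
            esac
        done
    done
}

# Exit status 1 when any wildcard binding exists, so a deployment script can
# refuse to continue until the port is bound to a specific address.
no_wildcard_bindings() {
    [ -z "$(find_wildcard_bindings "$1")" ]
}

find_wildcard_bindings "$SAMPLE_PS"
```

On a live host, feed it `docker ps --format '{{.Names}}\t{{.Ports}}'` instead of the sample.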

Connecting Containers

The linking mechanism connects containers securely on the network, without opening ports to the outside world. This connection occurs via a network bridge (Figure 2), which is managed by Docker and to which each container is connected. If you want to use the connection to the mysql database container shown in the example, you additionally need to stipulate the --link mysql:db option on starting the web container. Docker requires the name of the linked container, mysql, and an arbitrary alias – db in this case (Listing 6).

Listing 6: Linking to the mysql Container

Figure 2: Schematic representation of the link between the containers via a network bridge and the interfaces. Thanks to automatic port forwarding, port 80 of the OwnCloud container is accessible from the outside.

You can use this alias within the web container to obtain the connection data for the MySQL database. Docker provides the data in the form of environment variables, which the env command lists, whose names begin with the alias.

In addition to the existing environment variables, the communication partner receives an entry in its /etc/hosts file; in this case, the IP address associated with the selected alias, which was automatically assigned by Docker. Direct access to the database container is thus possible via the hostname db. Since linked containers enter a kind of parent-child relationship, it is quite easy to start multiple child containers. Several web containers can thus communicate with a database container.
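As an added example (not from the article), the following shell functions show how a process in the web container can use the two sources of link data described above: the alias-prefixed environment variable and the /etc/hosts entry. It assumes the legacy link form DB_PORT=tcp://ADDR:PORT for the alias db; the addresses and hosts lines are constructed for the example.

```shell
# Constructed values in the shape a legacy link (--link mysql:db) produces inside
# the web container: the DB_PORT variable and a few /etc/hosts lines. The
# addresses are made up for this example.
DB_PORT='tcp://172.17.0.5:3306'
HOSTS_SAMPLE="$(printf '127.0.0.1\tlocalhost\n172.17.0.5\tdb\n172.17.0.6\tweb\n')"

# Split a link URL of the form tcp://ADDR:PORT into "ADDR PORT"; anything else fails.
parse_link_url() {
    case "$1" in
        tcp://*:*) ;;
        *) return 1 ;;
    esac
    hp="${1#tcp://}"
    printf '%s %s\n' "${hp%:*}" "${hp##*:}"
}

# Look an alias ($1) up in /etc/hosts-style text ($2); prints its address or nothing.
hosts_lookup() {
    printf '%s\n' "$2" | while read -r addr names; do
        for n in $names; do
            [ "$n" = "$1" ] && { printf '%s\n' "$addr"; return 0; }
        done
    done
}

# Succeeds only when the link variable and the /etc/hosts entry agree on the
# address behind the alias, so the web container really talks to the linked
# database container and not to something else that claimed the name.
link_consistent() {   # $1 alias, $2 link URL, $3 hosts text
    ep="$(parse_link_url "$2")" || return 1
    addr="$(hosts_lookup "$1" "$3")"
    [ -n "$addr" ] && [ "$addr" = "${ep%% *}" ]
}

if link_consistent db "$DB_PORT" "$HOSTS_SAMPLE"; then
    echo "db -> $(parse_link_url "$DB_PORT")"
fi
```

Inside a real linked container, replace HOSTS_SAMPLE with `cat /etc/hosts` and let DB_PORT come from the environment.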

Persistent Volumes

An advantage of containers and images is that the admin can always start from a defined state. Any change that occurs in the current container is discarded as soon as the container is stopped and deleted. This lack of permanence is a disadvantage if the containers store useful data that you need to keep persistently. Volumes are the answer: A volume is a directory on the host system that you can mount at any point in the container's filesystem (Listing 7).

Listing 7: Creating a Volume

The -v /tmp/test:/foo parameter ensures that the /tmp/test directory is available as /foo in the container. In the case of the database server for OwnCloud, the following call makes sense:

docker run -d -v /data/mysql:/var/lib/mysql mysql

Docker automatically creates the specified directory structure on the host if it does not exist. You might need to adjust the filesystem permissions, for example so that a service in the container that runs under an unprivileged user can also access the directory.

You will also want to make sure that only one database container accesses a given volume. Unfortunately, associating a container with a volume compromises flexibility, since you can no longer simply migrate an image for a service to another computer – when planning your configuration, take care to also install a separate mechanism for distributing the user data.
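The permission caveat above is easy to get wrong on the host side: a volume directory that Docker creates is owned by root, and one that an admin creates by hand may be world-readable. The following is an added example, not code from the article; it prepares a host directory such as /data/mysql for a database volume and verifies that it is private. The uid:gid 999:999 for the database process is an assumption, and the script uses a temporary directory as a stand-in for /data/mysql.

```shell
# Prepare a host directory for a container volume: create it, make it private to
# its owner, and, when run as root, hand it to the uid:gid the database process
# uses inside the container (999:999 is an assumed value for this example).
prepare_volume_dir() {   # $1 host directory, $2 uid:gid of the service in the container
    mkdir -p "$1" || return 1
    chmod 700 "$1" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1" || return 1
    fi
}

# Permission string of a directory, e.g. drwx------ (the first 10 columns of
# ls -ld, which every ls implementation prints in the same form).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds only when the directory carries no group or world access bits.
volume_dir_private() {
    case "$(dir_mode "$1")" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a temporary stand-in for /data/mysql, removed afterwards.
DEMO="$(mktemp -d)"
prepare_volume_dir "$DEMO/mysql" 999:999 && echo "$DEMO/mysql is $(dir_mode "$DEMO/mysql")"
rm -rf "$DEMO"
```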
