docker.md

File metadata and controls

87 lines (52 loc) · 4.14 KB

Usage with docker

Requirements

See docs.docker.com - Install Docker Engine on Ubuntu

Schema

Stacks management

  • Stacks are managed with docker compose (docker compose up -d)
  • Stacks can be stopped or brought down without losing data, as named volumes are used for persistence (use docker compose down --volumes to explicitly delete the volumes)

Networking and service exposure

  • Applications are exposed on friendly URLs (e.g. https://whoami.dev.localhost) through the traefik reverse proxy.
  • The environment variable DEVBOX_HOSTNAME allows you to customize dev.localhost.
  • A helper script (traefik/mkcert/generate.sh) is provided to generate a wildcard certificate for traefik with mkcert.
  • All stacks run on the same network, named devbox, to simplify communication between containers and stacks.

dev.localhost is preferred to localhost because it allows wildcard certificate generation.

Port mapping

By default, service ports (e.g. 5342 for PostgreSQL) are bound only on 127.0.0.1 for security reasons:

  • My IDP enables IPv6 with no decent firewall.
  • Docker overrides iptables and UFW rules, so configuring a local firewall is not trivial.

Note that you can override this behaviour by defining DEVBOX_PORT_PREFIX before starting the stacks:

export DEVBOX_PORT_PREFIX=""
cd redis
docker compose up -d
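Because Docker bypasses the host firewall, the only reliable place to confirm that a service stays on loopback is the port mapping itself. The following script is an added example (not part of this repository) that applies compose's short port syntax to constructed sample mappings, resolves DEVBOX_PORT_PREFIX the way compose interpolation does, and lists every mapping that would listen on a non-loopback interface. The mapping format "${DEVBOX_PORT_PREFIX}5432:5432" is an assumption about how the stacks use the variable.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample `ports` entries (assumed format for this repo's compose files).
SAMPLE_PORTS = [
    "${DEVBOX_PORT_PREFIX}5432:5432",   # PostgreSQL, prefix decides the bind address
    "${DEVBOX_PORT_PREFIX}6379:6379",   # Redis
    "8080:80",                          # no host IP: Docker binds 0.0.0.0
    "0.0.0.0:9000:9000",                # explicitly on all interfaces
    "127.0.0.1:9200:9200",              # explicitly loopback
]

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def expand(entry: str, env: Dict[str, str]) -> str:
    """Substitute ${VAR} / $VAR like compose does; an unset variable becomes ''."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), entry)


def host_binding(entry: str) -> Tuple[str, str, str]:
    """Split a short-syntax mapping into (host_ip, host_port, container_port).

    When no host IP is given Docker publishes on 0.0.0.0, i.e. every interface,
    which is exactly what an empty DEVBOX_PORT_PREFIX produces.
    """
    spec = entry.split("/")[0]  # drop a /tcp or /udp suffix
    m = re.match(r"^\[([^\]]+)\]:(\d+(?:-\d+)?):(\d+(?:-\d+)?)$", spec)
    if m:  # bracketed IPv6 host address, e.g. [::1]:8080:80
        return m.group(1), m.group(2), m.group(3)
    parts = spec.split(":")
    if len(parts) == 3:
        return parts[0] or "0.0.0.0", parts[1], parts[2]
    if len(parts) == 2:
        return "0.0.0.0", parts[0], parts[1]
    if len(parts) == 1:
        return "0.0.0.0", "", parts[0]  # ephemeral host port
    raise ValueError(f"unsupported port mapping: {entry!r}")


def audit(entries: List[str], env: Dict[str, str]) -> List[str]:
    """Return the mappings that would be reachable from outside loopback."""
    exposed = []
    for entry in entries:
        ip, host_port, container_port = host_binding(expand(entry, env))
        if ip not in LOOPBACK:
            exposed.append(f"{ip}:{host_port or '<ephemeral>'}->{container_port}")
    return exposed


if __name__ == "__main__":
    for prefix in ("127.0.0.1:", ""):
        print(f"DEVBOX_PORT_PREFIX={prefix!r}:", audit(SAMPLE_PORTS, {"DEVBOX_PORT_PREFIX": prefix}))
```

With the default prefix only the two hard-coded mappings show up; with an empty prefix PostgreSQL and Redis join the list, which is the trade-off the export above makes.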

Docker configuration

  • Ensure that you have a correct docker daemon configuration (/etc/docker/daemon.json):

    • Configure bip and default-address-pools to avoid IP overlaps with your LAN
    • Configure storage-driver to "overlay2"
    • ...
  • You should at least have a look at docker-bench-security to avoid the main security issues.

Docker networking and Traefik

To ease IP whitelisting and avoid the requirement that traefik and the exposed containers share the same network, note that traefik can be installed as a systemd service.

An alternative is to use network_mode: 'host' in traefik/docker-compose.yml.

In both cases:

  • traefik sees the real client IP
  • traefik can forward to any container

Note that:

  • The main limitation is that you may face problems using middlewares like thomseddon/traefik-forward-auth (when http://traefik-forward-auth:4181 is referenced in a middleware, Docker's internal DNS does not seem to be invoked to resolve traefik-forward-auth)
  • Kubernetes solves this issue with a different networking approach (by default, "A Pod can communicate with another Pod by directly addressing its IP address" without explicit network sharing)

Resources

docs.docker.com - Reference documentation :

Ansible playbooks :