Docker CE and Shipyard on a VPS with Debian 9

What is it? questionmark

For a long time I wanted to run my own Docker server. My first attempt was running it on a virtual box setup on my Windows machine. Next try I wanted to run this on a server environment. I tried Windows server 2016 with the container service, but I didn’t feel like paying the license required for the Windows hosting environment when my goal was soarly to run Docker containers.

In this post I discribe how I setup an environment that has the following setup:

  • Debian 9 as hosting OS
  • DirectAdmin
  • Docker CE
  • Shipyard

So much info on Docker: https://github.com/veggiemonk/awesome-docker

Table of contents

  1. The host (VPS on the transip network)
  2. Installing DirectAdmin
  3. Install Docker CE
  4. Securing the docker deamon
  5. Install Shipyard
  6. Configure shipyard with nginx and Apache

1. The host (VPS on the transip network)

For this environment I picked a host that is offering an already virtualized envornment (VPS). After doing some research I noticed that it is possible on Debian 9 to host Docker on an already virtualized host.
TransIP, a Dutch company, offers a range of VPS that are suitable for this project.

For this server I picked the X4 configuration

The X4 has enough resources for this project and has with a price of 20 euro per month (excluding VAT) gotten my blessing to serve me.

After around 5 minutes it is accessible from the control panel

After going through the ordering process, the control panel of the new VPS gives me all the options to modify the VPS as suited.
The Debian 9 installation is started automatically after the setup of the VPS has completed, via an interactive web shell I could setup the Debian 9 installation as I found necessary.

2. Installing DirectAdmin

I choose to install a web hosting administration panel called DirectAdmin. As I used it before it will benefit me with some basic details as easaly creating users, setting quota’s and monitoring metrics.

The steps to install DirectAdmin are quite easy, I followed these steps:

After the DirectAdmin setup has completed, I created a dedicated user for the Docker environment. This user will host domain names for Shipyard and any of the domain names that are used to connect to Docker containers itself.

3. Install Docker CE

I installed the Docker CE (Community Edition) via the steps described here: https://docs.docker.com/engine/installation/linux/docker-ce/debian it was as easy as copy pasting the right commands.
The executed commands are

apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce
docker run hello-world

After the installation was complete, the hello-world example demonstrates that the Docker environment is up and running.

The hello world example

4. Securing the docker deamon

By default, Docker runs via a non-networked Unix socket. It can also optionally communicate using an HTTP socket.

If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.

In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.

In order to secure the Docker deamon the following manual gives an excellent guide how to set this up: https://docs.docker.com/engine/security/https

When the certificates are generated, the Docker deamon has to be instructed to use them upon starting, I did follow the instructions to export some parameters, but I ended up editing the startup configuration of via systemctl:

systemctl edit –full docker

ExecStart=/usr/bin/dockerd -H fd:// –tlsverify –tlscacert=/home/dockervps3/keystore/ca.pem –tlscert=/home/dockervps3/keystore/server-cert.pem –tlskey=/home/dockervps3/keystore/server-key.pem -H=0.0.0.0:2376

To verify that the Docker deamon is secured we can check this with the tlsverify command

docker –tlsverify –tlscacert=ca.pem –tlscert=cert.pem –tlskey=key.pem -H=inexpro-vps3.inexpro.nl:2376 version

5. Install shipyard

Following the deploy for manual actions, I modified the commands so that the ports are bound to my lo only. Later I will use nginx and apache to create a reverse proxy to get to the shipyard webpage.

The followed manual: https://shipyard-project.com/docs/deploy/manual/

The Shipyard port 8080 is bound to the localhost 8083. This makes it only possible for the localhost to connect to the webpage. In the next part a reverse proxy will be configured to connect securely to the Shipyard webpage.

6. Configure shipyard with nginx and Apache

The last step is to configure the Shipyard controller webpage to be opened by the big bad internet itself. For this I executed the following steps:

  1. Create subdomainname in DirectAdmin
  2. Request TLS certificate via LetsEncrypt
  3. Configure nginx to forward everything to https
  4. Configure apache as a reverse proxy