For a long time I wanted to run my own Docker server. My first attempt was running it on a virtual box setup on my Windows machine. Next try I wanted to run this on a server environment. I tried Windows server 2016 with the container service, but I didn’t feel like paying the license required for the Windows hosting environment when my goal was soarly to run Docker containers.
In this post I discribe how I setup an environment that has the following setup:
- Debian 9 as hosting OS
- Docker CE
So much info on Docker: https://github.com/veggiemonk/awesome-docker
Table of contents
- The host (VPS on the transip network)
- Installing DirectAdmin
- Install Docker CE
- Securing the docker deamon
- Install Shipyard
- Configure shipyard with nginx and Apache
1. The host (VPS on the transip network)
For this environment I picked a host that is offering an already virtualized envornment (VPS). After doing some research I noticed that it is possible on Debian 9 to host Docker on an already virtualized host.
TransIP, a Dutch company, offers a range of VPS that are suitable for this project.
The X4 has enough resources for this project and has with a price of 20 euro per month (excluding VAT) gotten my blessing to serve me.
After going through the ordering process, the control panel of the new VPS gives me all the options to modify the VPS as suited.
The Debian 9 installation is started automatically after the setup of the VPS has completed, via an interactive web shell I could setup the Debian 9 installation as I found necessary.
2. Installing DirectAdmin
I choose to install a web hosting administration panel called DirectAdmin. As I used it before it will benefit me with some basic details as easaly creating users, setting quota’s and monitoring metrics.
The steps to install DirectAdmin are quite easy, I followed these steps:
- Install the prerequired stuff https://help.directadmin.com/item.php?id=354
- Install directadmin with default options https://www.directadmin.com/installguide.html
- Update admin password to something from my local keepass
- Install LetsEncrypt https://help.directadmin.com/item.php?id=648
- Then setup the LetsEncrypt certificate for the hostname https://help.directadmin.com/item.php?id=629
- Fix the quotas https://help.directadmin.com/item.php?id=42
After the DirectAdmin setup has completed, I created a dedicated user for the Docker environment. This user will host domain names for Shipyard and any of the domain names that are used to connect to Docker containers itself.
3. Install Docker CE
I installed the Docker CE (Community Edition) via the steps described here: https://docs.docker.com/engine/installation/linux/docker-ce/debian it was as easy as copy pasting the right commands.
The executed commands are
apt-get update apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - apt-key fingerprint 0EBFCD88 add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" apt-get update apt-get install docker-ce docker run hello-world
After the installation was complete, the hello-world example demonstrates that the Docker environment is up and running.
4. Securing the docker deamon
By default, Docker runs via a non-networked Unix socket. It can also optionally communicate using an HTTP socket.
If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the
tlsverifyflag and pointing Docker’s
tlscacertflag to a trusted CA certificate.
In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.
In order to secure the Docker deamon the following manual gives an excellent guide how to set this up: https://docs.docker.com/engine/security/https
When the certificates are generated, the Docker deamon has to be instructed to use them upon starting, I did follow the instructions to export some parameters, but I ended up editing the startup configuration of via systemctl:
systemctl edit –full docker
To verify that the Docker deamon is secured we can check this with the tlsverify command
5. Install shipyard
Following the deploy for manual actions, I modified the commands so that the ports are bound to my lo only. Later I will use nginx and apache to create a reverse proxy to get to the shipyard webpage.
The followed manual: https://shipyard-project.com/docs/deploy/manual/
The Shipyard port 8080 is bound to the localhost 8083. This makes it only possible for the localhost to connect to the webpage. In the next part a reverse proxy will be configured to connect securely to the Shipyard webpage.
6. Configure shipyard with nginx and Apache
The last step is to configure the Shipyard controller webpage to be opened by the big bad internet itself. For this I executed the following steps:
- Create subdomainname in DirectAdmin
- Request TLS certificate via LetsEncrypt
- Configure nginx to forward everything to https
- Configure apache as a reverse proxy