Using Docker

Docker is a powerful platform designed for running applications within isolated environments called containers. This technology allows developers and system administrators to package applications with all their dependencies, ensuring consistency across various environments. It enables the use of specialized software, such as Redis or MongoDB, or specific software versions that might not be natively supported by your operating system or require complex compilation processes. Through a dedicated extension, you can effectively manage containers based on specific Docker images, both on local systems and remote servers. This guide will walk you through the process of creating, configuring, and managing Docker containers, along with instructions for controlling remote Docker hosts.

Requirements and Limitations

Warning: The Docker extension downloads images from Docker Hub as they are and does not preconfigure them in any way. Some Docker containers or software within them are intended for trusted environments only and can require additional security setup. Before launching these downloaded images, you need to enhance their security yourself. For specific instructions, refer to the documentation of the container or software vendor. For example, see the security section in relevant documentation.

• Docker is supported on the following operating systems: CentOS 7, Red Hat Enterprise Linux 7, Debian 10, Debian 11, Debian 12, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, AlmaLinux 8.x, AlmaLinux 9.x, Rocky Linux 8.x, and Virtuozzo 7 with Update 1 Hotfix 1 (7.0.1-686) or later.
• On Windows systems, it is possible to leverage Docker installed on a remote machine.
• Docker cannot be used within an environment that is itself deployed in a Docker container.
• Docker runs only on x64 systems.
• Docker containers cannot be directly migrated or backed up. However, data utilized by containers can be backed up through volume mapping, or by downloading container snapshots.
• For Virtuozzo 7 environments with Update 1 Hotfix 1 (7.0.1-686) or later, new containers based on CentOS 7 are created with the firewall enabled by default, enhancing security. Administrators must manually configure the firewall to ensure necessary ports are open for application operation.

Prerequisites

Before you can begin utilizing Docker, a dedicated Docker extension must be installed on your server:

• If you possess administrative privileges, install the extension from the Extensions Catalog.
• Otherwise, contact your hosting provider and ask them to install the extension for you.

Once the extension is successfully installed, you are ready to proceed. The Docker option will become visible in the Navigation Pane, indicating its availability.

Containers

Images from Docker Hub can be accessed via the Run Container catalog (Docker > Containers > Run Container).

To access the image catalog:

• If you have not previously installed a container, in Docker > Containers, click Run Container.
• If you have previously installed a container, in Docker > Containers, click the plus icon .

To view available images, use the search box.

Specify the image name, the repository, or both.

These repositories are available to search:

• Local repository - contains local images. These are images that have already been downloaded and are now stored on the server with Docker. For details, see Managing Local Images further in this section.
• Docker Hub.

For each application, multiple versions may be available. You can deploy a specific version by selecting the corresponding tag, as illustrated below:

To initiate a container:

1. Go to Docker > Containers > Run Container.
2. Utilize the search box to locate images within the catalog. If an image is stored locally, the label (local) will appear alongside its version.
3. To access the image description and comprehensive documentation, click the more info icon . This functionality is not applicable to locally stored images.
4. Click the image card.

   • To run a specific version, select the image version you want to run from the Image version drop-down and click Next.
   • To run the latest version of the selected application, click Next.

   The system will then create a container and prompt you to define its settings, including environment variables, before initiating its operation. You can abort this process by clicking Cancel on the Settings screen. For more detailed information regarding these settings, refer to the Container Settings section within this guide.
5. Once the settings have been adjusted to your requirements, click Run. The newly created container will then be displayed in the list of containers under the Containers tab.

Consult the Console Log to verify that the container is operating without any reported issues.

Container Settings

Note: If you want to change container settings, you do not need to stop the container: When new settings are saved, the container is automatically recreated to apply these changes.

To modify a container's settings, navigate to the Containers tab and click the settings icon located beside the desired container.

Limiting Memory

By default, Docker containers can utilize an unlimited amount of RAM. To impose a memory constraint, select the Memory limit checkbox and specify the desired limit in megabytes within the MB field.

Note: Currently, CPU and disk usage cannot be explicitly limited for Docker containers.

Note: Docker containers are managed as administrator-level objects and are not subject to subscription-level cgroup limits (e.g., CPU, RAM, disk usage).

Automatic Start

If the Automatic start after system reboot option is not enabled, any websites relying on this container may become inaccessible after a system reboot, requiring you to manually initiate the container.

Port Mapping

By default, Automatic port mapping is activated, which maps the container's internal port to a randomly assigned port on the host system (e.g., 32768).

To customize the port on the host system, deselect Automatic port mapping and then define a different external port under Manual mapping. If the Manual mapping option is not visible upon deselection, it indicates that the container does not expose any ports.

With manual mapping, Docker typically binds to the specified port exclusively on the host system's localhost interface (127.0.0.1). This default configuration ensures the port remains inaccessible from the internet, safeguarding the application within the container from external attacks. To allow Docker to bind to the specified port on all network interfaces of the host system, deselect Make the port inaccessible from the Internet. Enabling this option will make the application inside the container reachable from the internet, accessible via the specified port on any of the host system's IP addresses.

Warning: It is important to note that Docker assumes authentication is handled by the application itself. However, this is not always the case (for instance, certain databases might not permit anonymous access by default, while other services might). Exposing an application within a container to the internet without proper authentication and security measures can significantly increase its vulnerability to malicious attacks.

Volume Mapping

Docker volumes represent directories on your server that are mounted to a Docker container, providing persistent storage accessible from your host system. Crucially, data stored within Docker volumes is retained even when a container is stopped or deleted.

Warning: It is important to note that data residing in Docker volumes is not automatically included in standard backup procedures. To mitigate potential data loss, ensure that any critical data stored in a volume is backed up using a robust third-party backup solution.

For more information about data in containers, refer to the Docker documentation.

To establish a volume mapping, provide the following details:

• In the Host field: Enter the absolute path to the directory on the server that you intend to mount within the container.
• In the Container field: Provide the absolute path to a directory within the container.

To configure additional directory mappings, click Add one more.

Setting Environment Variables

Environment variables are crucial for the application operating within a container. You may need to define additional variables or modify existing ones. The system supports adding an unlimited number of variables as per your application's requirements.

Operations with Containers

The following operations can be performed on containers:

• Stop (Stop), start (Start), or restart (Restart) a container. In each of these actions, the container will be recreated using its current configuration settings.

  Note: It is important to note that if data has not been saved to mounted volumes, it will be lost upon these operations. Refer to the Volume Mapping section for more details.

• Click the arrow icon adjacent to the container to access its logs and monitor resource consumption.
• Click the settings icon beside the container to modify its settings, including environment variables or volume mapping (Settings).
• Rename a container by navigating to Settings > Container name.

To perform additional actions, click the more options icon next to the container. These actions include:

• Recreate a container, choosing to use either the current or an alternative version of its image (Recreate).
• Generate a new image from an existing container, incorporating your custom settings (Save as Image).
• Capture a snapshot of a container's current state (Download Snapshot).
• Delete a container (Remove).

Recreating a Container

Recreating a container is often necessary when updating an application to a newer version. However, it is possible to rebuild a container using any application version available in the catalog, not exclusively newer ones.

Custom settings configured for the container are preserved during this recreation process. To safeguard data utilized by the application within a container, it is crucial to establish volume mapping before initiating recreation. Volume mapping facilitates access to directories employed inside a container, ensuring data persistence.

To recreate a container:

1. Navigate to Docker and click the more options icon adjacent to the container you wish to recreate.
2. From the container settings, click Recreate and then specify both the desired image version and whether to utilize default environment variables.

Using Remote Docker

By default, Docker operates as a locally installed service. However, the platform allows for the integration of one or more Docker services installed externally. It's important to note that only one service can be active at any given time. The currently active server can be identified in the Environments tab of the Docker settings page.

Note: Managing remote Docker services typically requires an additional license key. Without this add-on, management capabilities are limited to the local Docker service running on the server.

Configuring Remote Services

To integrate a remote server running Docker, configure it according to best practices for remote Docker operation.

Managing Remote Services

A connection can be established between your server, equipped with the Docker extension, and a remote node hosting a Docker service.

The subsequent steps are relevant for both Linux and Windows environments.

These steps must be performed on the remote host:

1. Create the /etc/docker/daemon.json configuration file for Docker with the following content:

   {
     "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
     "tls": true,
     "tlsverify": true,
     "tlscacert": "/root/ca.pem",
     "tlscert": "/root/server-cert.pem",
     "tlskey": "/root/server-key.pem"
   }

2. Prepare .pem files. You can use the following example. Replace the IP on line 4 with the IP address of your remote node and run each command:

   openssl genrsa -aes256 -out ca-key.pem 4096
   openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
   openssl genrsa -out server-key.pem 4096
   openssl req -subj "/CN=192.0.2.1" -new -key server-key.pem -out server.csr
   openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
   openssl genrsa -out key.pem 4096
   openssl req -subj '/CN=client' -new -key key.pem -out client.csr
   openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem
   chmod 0400 ca-key.pem server-key.pem key.pem
   chmod 0444 ca.pem server-cert.pem cert.pem

3. Run the following commands to modify the current Docker service so it starts after host configuration:

   cp /lib/systemd/system/docker.service /etc/systemd/system/
   sed -i 's/\ -H\ fd:\/\///g' /etc/systemd/system/docker.service
   systemctl daemon-reload
   systemctl restart docker

4. Save the outputs of the following files on your local machine for use by the client to connect remotely:

   cat key.pem
   cat cert.pem
   cat ca.pem

On the local server, configure the Docker remote host:

1. Go to Docker > Environments.
2. Click Add Server and provide the necessary settings for the remote Docker server.
3. To activate this Docker service for immediate use, ensure Set active remains selected.

The Docker link will subsequently appear in the Navigation Pane.

To switch between Docker services:

1. Go to Docker > Environments.
2. From the list of available servers, select the Docker node you intend to use and click Set Active.

Alternatively, you can set the Docker node as active while editing its settings.

Creating Images with Custom Settings

To generate a new image that incorporates modifications made to an existing container, utilize the Save as Image command. This action captures a snapshot of your container, which then appears as a distinct new image within the image catalog. This method is invaluable for creating images with specific custom settings, including tailored environment variables.

To create an image from one of your containers:

Navigate to Docker > Containers, then click the more options icon next to the desired container and select Save as Image. In the Save <container name> as Image side panel, you will need to specify:

• Image name.
• An optional Tag, which allows you to specify the image version. By default, the version will be designated as “latest”.

The newly created image will be listed in the Images tab and clearly marked as a Local image.

Managing Local Images

Local images are Docker images that are stored directly on your local disk, eliminating the need to download them repeatedly from the online Image Catalog.

An image is classified as local under the following circumstances:

• When you select any version (tag) of an image and the download process begins. The image is saved locally whether you subsequently run a container or cancel the operation (from the Settings screen).
• You upload an image directly (Upload image in the Docker Images tab).
• You have generated a custom image from an existing container.
• You have built an image using the command line interface.

To download an alternative version of an image from the online catalog, click the Pull icon , select the desired version from the drop-down menu, and then click Pull.

If at least one version of an image has been downloaded, that image will be marked as a Local image in the catalog. The system also indicates the number of local images available for a specific product.

To manage local images, including viewing and removing outdated ones:

1. Go to Docker > Images.
2. To locate a particular local image, utilize the Search bar.
3. To display all local images associated with a specific product, click the link beneath the product name. This will reveal all local images' tags and the disk space they occupy.

4. Select the image(s) you wish to remove and click Remove.

Setting up Nginx to Proxy Requests from Domains to a Container

Many Docker containers expose specific ports to allow applications running within them to be accessible.

When integrating a Docker container application with your website, it can be impractical to consistently specify non-standard ports in its URL. To streamline access, you can configure nginx to proxy requests from your domains to the container's port. This allows domains to utilize standard ports (e.g., 80), eliminating the need for explicit port specification in the URL.

Requirements

• nginx must be actively running on your server.
• The port inside a container must be manually mapped to a specific port on the host system (e.g., 32768).

To map the port inside a container:

1. Navigate to Docker > Containers and click the settings icon beside the container you intend to modify.
2. Turn off Automatic port mapping.
3. Manually map the port inside the container to a designated port on your system (e.g., 32768). You have the option to configure this port to be inaccessible from the Internet.

By configuring nginx to proxy requests from domains to this port, domains can leverage a standard nginx port (e.g., 80). To enable this, a specific rule for nginx must be added within the domain settings.

To add a rule for nginx in the domain settings:

Navigate to Websites & Domains > your domain > Docker Proxy Rules > Add Rule, then specify the following details:

• URL: Define the URL of the website that utilizes an application operating within a container. This can be the main website or a specific section of it.
• Container: Choose the application that is running as a Docker container.
• Port: Select one of the port mappings previously defined in the container settings (a port inside the container mapped to a port on your system). Nginx will then proxy requests to this specified port on the system.

Proxy rules are integrated into the web server configuration, typically within the website’s nginx.conf file (located in /var/www/vhosts/system/$domain/conf/):

#extension docker begin
location ~ ^/.* {
    proxy_pass http://0.0.0.0:9080;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
}
#extension docker end

These proxy rules are designed to function effectively on servers operating behind Network Address Translation (NAT).

Note: Docker containers linked to a website via Proxy Rules are generally not included in the subscription’s disk space usage calculation. However, an exception occurs when a website directory is mounted to a Docker container as a volume; in such cases, all files within the container will contribute to the website's overall disk space usage.

Deploying Docker Compose YAML files

Docker Compose YAML files can be deployed using various methods: an online text editor, uploading a file from your local storage, or by referencing a Docker Compose file already located within a website’s Home directory. Standard operations on these Docker stacks are fully supported, including up (which encompasses pull and force-recreate), stop, and down. Furthermore, you have the flexibility to modify and update your deployed stacks even after their initial creation.

Note: It is important to note that this section is not intended for deploying Dockerfiles or other application-specific configuration files.

To deploy a Docker Compose file:

1. Go to Docker > Stacks > Add Stack.
2. Provide a project name and then select one of the following methods for deploying your Docker Compose file:

   • Editor: Directly define or paste the content of your Compose file.
   • Upload: Upload a Compose file from your local storage.
   • Webspace: Select a Compose file that is already stored within a domain’s Home directory. For Webspace, specify the domain where the file resides. For Compose File, browse to the precise location of the Compose file.

The system allows you to declare and build custom containers. Any artifacts generated during the build process will be automatically stored within the website’s Home directory.

For more information about the Compose file format, refer to the Docker documentation.

Deploying Portainer containers in Docker

Portainer is a comprehensive container management software designed to simplify the deployment of containers and stacks, provide detailed insights into container status and logs, facilitate user and team creation, and enhance the security of your environments, among other capabilities.

To install Portainer, navigate to Docker > Install Portainer. Once the installation is finished, you can manage Portainer containers within Docker by going to Docker > Go to Portainer.

Note: Portainer is currently a beta feature.

For more information about Portainer, refer to the Portainer documentation.