Using Docker for Enhanced Application Deployment

Docker provides a robust platform for deploying applications within isolated containers. This powerful technology allows for the seamless utilization of specialized software, such as Redis or MongoDB, or specific software versions, even if they are not natively supported by your operating system or require complex compilation. Through a dedicated extension, comprehensive management of containers based on various Docker images is possible, enabling their deployment on both local and remote servers. This guide will walk you through the process of creating, configuring, and managing Docker containers, alongside instructions for controlling remote Docker hosts.

Requirements and Limitations

Warning: The Docker extension downloads images from Docker Hub as they are and does not preconfigure them in any way. Some Docker containers or software within them are intended for trusted environments only and can require additional security setup. Before launching these downloaded images, you must enhance their security yourself. For specific instructions, refer to the documentation of the container or software vendor. For example, consult the security section in the Redis documentation.

• Docker is supported on the following operating systems: CentOS 7, Red Hat Enterprise Linux 7, Debian 10, Debian 11, Debian 12, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, AlmaLinux 8.x, AlmaLinux 9.x, Rocky Linux 8.x, and Virtuozzo 7 with Update 1 Hotfix 1 (7.0.1-686) or later.
• On Windows systems, Docker can be effectively utilized when installed on a remote machine.
• You cannot use Docker in an environment that is itself deployed within a Docker container.
• Docker operates exclusively on x64 systems.
• Docker containers cannot be migrated or backed up directly. However, it is possible to back up data used by containers (refer to the Volume Mapping section below), or download snapshots.
• Virtuozzo 7 with Update 1 Hotfix 1 (7.0.1-686) or later is supported. It's important to note that with this update, new containers based on CentOS 7 are configured with a firewall enabled by default for enhanced security. System administrators must manually configure the firewall to ensure that all essential ports for application operation are open.

Prerequisites

Before leveraging Docker capabilities, ensure that the Docker extension is properly installed on your server environment. If you are the administrator, you can typically install this extension from the platform's extensions catalog. Alternatively, if you are a user, your hosting provider can assist with the installation. Upon successful installation, the Docker management option will become visible in the system's navigation interface, signifying readiness for use.

Containers

Access to a vast array of images from Docker Hub is available within the Run Container catalog (typically found by navigating to the container management interface and selecting 'Run Container').

To access the catalog:

• If you have not previously installed a container, navigate to the container management interface and click Run Container.
• If you have previously installed a container, in the container management interface, click the plus icon .

To view available images, utilize the search box.

Specify the image name, the repository, or both.

These repositories are available for searching:

• Local repository - contains images that have already been downloaded and are stored on the server where Docker is running. For further details, refer to the Managing Local Images section later in this guide.
• Docker Hub.

Multiple versions may be available for each application. You can run a specific version by selecting the appropriate tag, as illustrated below:

To run a container:

1. Navigate to the container management interface and select Run Container.
2. Use the search box to locate desired images in the catalog. If an image is stored locally, (local) will appear after its version.
3. To view the image description and documentation on Docker Hub, click the more info icon . This functionality does not apply to local images.
4. Click the image card.

   • To run a specific version, select the desired image version from the Image version drop-down menu and click Next.
   • To run the latest version of the selected application, simply click Next.

   The system then initiates the creation of a container, prompting you to define its specific settings, including environment variables, before launching it. You have the option to cancel this process at the 'Settings' stage. Comprehensive details regarding these settings are provided in the 'Container Settings' section.

5. After adjusting the settings, click Run. The newly created container will appear in the list within the Containers tab.

Review the Console Log to ascertain if the container is operating without issues.

Container Settings

Note: Modifying container settings does not necessitate stopping the container; upon saving new configurations, the system automatically recreates it with the updated parameters.

To edit container settings, navigate to the Containers tab and click the settings icon adjacent to the container you wish to modify.

Limiting Memory

By default, RAM usage within a Docker container is unrestricted. To impose a memory limit, select the Memory limit checkbox and input the desired limit value in megabytes into the MB field.

Note: CPU and Disk usage limitations for Docker containers are not currently supported.

Note: Docker containers are administrator-level objects and are not governed by subscription-level cgroup limits (CPU, RAM, Disk usage).

Automatic Start

If the option Automatic start after system reboot is not selected, websites utilizing this container might become unavailable after a system reboot, requiring manual container startup.

Port Mapping

By default, Automatic port mapping is enabled, which maps the container’s internal port to a randomly assigned port on the host system (e.g., 32768).

To modify the port on the host system, deselect Automatic port mapping and specify a different external port under Manual mapping. If Manual mapping does not appear after deselection, it indicates that the container does not expose any ports.

When employing manual mapping, Docker typically binds only to the specified port on the host system’s localhost interface (127.0.0.1). This configuration ensures the port is inaccessible from the Internet, thereby protecting the application within the container from external attacks. To enable Docker to bind to the specified port on all network interfaces of the host system, deselect Make the port inaccessible from the Internet. Be aware that doing so will make the application inside the container accessible from the Internet via the specified port on any of the host system’s IP addresses.

Warning: Docker assumes that authentication is handled by the application itself; however, this is not always the case (for instance, MySQL/MariaDB disallows anonymous access by default, whereas Redis does not). Making the application within a container accessible from the Internet without proper authentication can expose it to malicious actors.

Volume Mapping

Docker volumes represent directories on your server that are mounted to a Docker container. This mechanism provides persistent storage that can be accessed from your host system. Data residing in Docker volumes is preserved even when a container is stopped or deleted.

Warning: It is crucial to understand that data residing within Docker volumes will not be encompassed by standard platform backup procedures. To safeguard against potential data loss, it is highly recommended to implement a third-party backup solution for any essential data stored in these volumes.

For more detailed information concerning data management in containers, consult the Docker documentation.

To establish a volume mapping, specify the following:

• In the Host field - the absolute path to the directory on the server that you intend to mount within the container.
• In the Container field - the absolute path to a directory located inside the container.

To map additional directories, click Add one more.

Setting Environment Variables

Environment variables are utilized by the application running within a container. You may need to add new variables or modify existing ones. The system allows for the addition of as many variables as required.

Operations with Containers

The following operations can be performed on containers:

• Stop, start, or restart a container using the respective Stop, Start, or Restart actions. In each case, the container will be recreated with its current settings.

  Note: If data was not saved to mounted volumes (as detailed in the Volume Mapping section), it will be lost.

• Click the arrow next to the container to access logs and monitor resource consumption.
• Click the settings icon next to the container to adjust settings such as environment variables or volume mapping.
• Rename a container via its settings by modifying the Container name field.

Click the more options icon next to the container to execute one or more of the following actions:

• Recreate a container using the same or an alternative version of the image (Recreate).
• Generate an image based on a container with your customized settings (Save as Image).
• Capture a snapshot of a container (Download Snapshot).
• Delete a container (Remove).

Recreating a Container

Container recreation is often necessary when updating an application to a newer version. In practice, you can rebuild a container using any application version available in the catalog, not just the latest. Custom settings are retained during the recreation process. To preserve data utilized by the application within a container, it is essential to configure volume mapping prior to recreation, which grants access to directories used inside a container (as described in the container settings under Volume Mapping).

To recreate a container:

1. Navigate to the Docker management interface and click the more options icon adjacent to the container you wish to recreate.
2. Select Recreate from the container settings, then specify the desired image version and whether to employ default environment variables.

Using Remote Docker

Typically, Docker operates as a local service. However, it is possible to utilize one or more Docker services installed on remote machines. Note that only one service can be active at any given time. The currently active server can be identified in the Environments tab of the Docker settings page.

Configuring Remote Services

To use a remote server running Docker, it must be configured as described in the Docker documentation for remote server operation.

Managing Remote Services

A connection can be established between a server equipped with the Docker extension and a remote node hosting the Docker service.

The following steps are applicable to both Linux and Windows environments.

These steps must be performed on the remote host:

1. Create the /etc/docker/daemon.json configuration file for Docker with the following content:

   {
       "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
       "tls": true,
       "tlsverify": true,
       "tlscacert": "/root/ca.pem",
       "tlscert": "/root/server-cert.pem",
       "tlskey": "/root/server-key.pem"
   }
   

2. Prepare .pem files. You can use the following example. Replace the IP on line 4 with the IP address of your remote node and execute each command:

   openssl genrsa -aes256 -out ca-key.pem 4096
   openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
   openssl genrsa -out server-key.pem 4096
   openssl req -subj "/CN=192.0.2.1" -new -key server-key.pem -out server.csr
   openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
   openssl genrsa -out key.pem 4096
   openssl req -subj '/CN=client' -new -key key.pem -out client.csr
   openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem
   chmod 0400 ca-key.pem server-key.pem key.pem
   chmod 0444 ca.pem server-cert.pem cert.pem
   

3. Execute the following commands to modify the current Docker service, ensuring it starts automatically after host configuration:

   cp /lib/systemd/system/docker.service /etc/systemd/system/
   sed -i 's/\\ -H\\ fd:\/\\///g' /etc/systemd/system/docker.service
   systemctl daemon-reload
   systemctl restart docker
   

4. Save the contents of the following files from your remote machine to your local machine; these are required for the client to establish a remote connection:

   The content of key.pem

   The content of cert.pem

   The content of ca.pem

To configure a remote Docker host from your local server:

1. Access the Environments section within the Docker management interface.
2. Select Add Server and input the configuration details for your remote Docker server.
3. To immediately activate this Docker service for use, ensure the Set active option remains selected.

The link to Docker will then appear in the Navigation Pane.

To switch between Docker services:

1. Navigate to the Environments section.
2. From the list of servers, select the desired Docker node you intend to use and click Set Active.

Alternatively, a Docker node can be set as active while editing its settings.

Creating Images with Custom Settings

If you wish to create a new image based on modifications made to an existing container, utilize the Save as Image command. This action captures a snapshot of your container, which then appears as a new image in the image catalog. This method is invaluable for generating images with personalized configurations, such as specific environment variables.

To create an image from one of your containers:

Navigate to the Containers section, click the more options icon next to the container, and then click Save as Image. In the Save as Image side panel, specify:

• The desired Image name.
• An optional Tag. This can be used to specify the image version; by default, the version will be “latest”.

The newly created image will appear in the Images tab and will be designated as a Local image.

Managing Local Images

Local images are those stored by Docker on a local disk, eliminating the need to download them from the Image Catalog for subsequent use.

An image attains local status under the following circumstances:

• You have selected any version (tag) of an image, and the image has begun downloading. Whether you subsequently run a container or cancel the operation (on the Settings screen), the image will be saved locally.
• You upload an image via the Upload image option in the Docker Images tab.
• You have created a custom image from a container (as discussed in the Creating Images with Custom Settings section).
• You have built an image using the command line interface.

To download an alternative version of an image from the online catalog, click the Pull icon , select the desired version from the drop-down menu, and click Pull.

If Docker contains at least one downloaded version of an image, it will be designated as a Local image within the catalog. The system will also indicate the total count of local images available for a given product.

To view and remove outdated local images:

1. Navigate to the Images section.
2. To find a specific local image, use the Search bar.
3. To view all local images of a particular product, click the link situated beneath the product name. This will display all local images’ tags and their occupied disk space.

4. Select the specific image(s) you wish to remove and click Remove.

Setting up Nginx to Proxy Requests from Domains to a Container

Certain Docker containers expose ports to enable applications within them to be accessible via those ports. When using an application in a Docker container with your website, explicitly specifying a non-standard port in its URL can be inconvenient. To mitigate this, you can configure Nginx to proxy requests from your domains to that port, allowing domains to utilize a standard port (such as 80) without the need to explicitly define the port in the URL.

Requirements

• Nginx must be operational.
• You must manually map the port inside a container to a port on the host system (e.g., 32768).

To manually map the port inside a container:

1. Navigate to the Containers section and click the settings icon next to the container you wish to modify.
2. Deactivate Automatic port mapping.
3. Manually map the port inside the container to a specific port on your system (e.g., 32768). This port can optionally be made inaccessible from the Internet.

To enable Nginx to proxy requests from domains to this port, allowing domains to use a standard port on Nginx (e.g., 80), add a rule in the domain settings.

To add a rule for Nginx in the domain settings:

Navigate to your domain's settings, locate Docker Proxy Rules, and then select Add Rule. Here, you will specify the following parameters:

• URL: Define the URL of the website that utilizes an application running in a container. This can be either the primary website or a specific segment of it.
• Container: Select the application running as a Docker container.
• Port: Choose one of the mappings that was configured in the container settings (a port inside a container mapped to a port on your system). Nginx will then proxy requests to this specified port on the system.

Proxy rules are implemented within the web server configuration, for example, in the website’s nginx.conf file (typically found in /var/www/vhosts/system/$domain/conf/):

#extension docker begin
location ~ ^/.* {
    proxy_pass http://0.0.0.0:9080;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
}
#extension docker end

Proxy rules should function effectively on servers situated behind NAT.

Note: Docker containers connected via Proxy Rules to a website are not counted towards the subscription’s disk space usage. An exception to this would be when a website directory is mounted to a Docker container as a volume, as in this case all files located in the container will be counted towards the disk space usage of the website.

Deploying Docker Compose YAML files

Docker Compose YAML files can be deployed using an online text editor, by uploading a file from local storage, or by referencing a Docker Compose file stored within a website’s Home directory. Standard operations on stacks are fully supported, including up (which encompasses pull and force-recreate), stop, and down. Stacks can be modified and updated even after their initial creation.

Note: This section does not support the deployment of Dockerfiles or any other files required by an application.

To deploy a Docker Compose file:

1. Navigate to the Stacks section and select Add Stack.
2. Provide a project name and choose one of the following methods for deploying the Docker Compose file:

   • Editor: Define or paste the content of your Compose file directly.
   • Upload: Upload a Compose file from your local storage.
   • Webspace: Select a Compose file that is already stored in a domain’s Home directory. For this option, choose the domain where the file is located and browse to the Compose file's path.

You have the flexibility to declare and build custom containers. Any artifacts generated during the build process will be placed within the website’s Home directory.

For more comprehensive information regarding the Compose file format, please refer to the Docker documentation.

Deploying Portainer Containers in Docker

Portainer is a robust container management software designed to streamline the deployment of containers and stacks, facilitate the viewing of container statuses and logs, enable user and team creation, and enhance the security of your environments, among other capabilities.

To install Portainer, navigate to the Docker interface and select Install Portainer. Once the installation is complete, you can manage Portainer containers by going to the Docker interface and clicking Go to Portainer.

Note: Portainer is currently a beta feature.

For more extensive information about Portainer, consult the Portainer documentation.