11/22/2021»»Monday

Ubuntu Install Netstat Docker

“Live boldly. Push yourself. Don’t settle.” ― Jojo Moyes, Me Before You

Contents

  • 7. Running the Docker Image
  • Conclusion

5 Best Ways to Become root user or Superuser in Linux (RHEL/CentOS/Ubuntu) How to Install PHP on RedHat/CentOS 7 with Easy Steps. 7 Easy Steps to Install PHP on RHEL 8/CentOS 8. Easy Steps to Install Java on Ubuntu 20.04. Best Steps to Install Java on RHEL 8/CentOS 8.

  1. If in shell script. If you are on Ubuntu or Debian, install libgtk2.0-dev and pkg-config, then re-run cmake or configure script in function 'cvDestroyAllWindows'. If your system is using EFI Secure Boot you may need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them.
  2. The version of ubuntu that's provided for use in containers has much less installed in it than a typical desktop installation. Netstat is still available in Ubuntu 16.04 (via the net-tools package). It's just that that package isn't installed inside docker containers by default.

1. Introduction

Docker is a very cool technology for running whole operating systems inside a process. You run a command on the host system and a whole new virtual system springs into existence, ready to operate as you have configured it. This capability offers unprecedented power and flexibility to build and throw away infrastructure as you wish. You could use this capability in test environments, running applications with differing system requirements in the same host, and a lot more.

We have previously covered installing the Nginx web server and enabling it with SSL support. We have also talked about hardening the Nginx SSL installation. These activities were performed on a new operating system build. Let us now demonstrate how to run the Nginx web server with SSL inside of a docker container. We also show you how to use this running container to take over the duties of web serving on the host. The advantage of hosting a web server inside a docker container are many; for example, you could separate the web serving part from the database, with the database also running inside a docker container. (We will demonstrate this configuration in a future article.)

2. Preparation

Let us now see what preparatory steps are required to run Nginx inside a docker container. Obviously, the first thing we want to do on a new system is to install docker. Assuming Ubuntu 16.04 host server, run the following command as the root user to install docker.

Assuming you are smart enough not to do all development as the root user, set up a non-privileged user account. In our case this account is called aurora. Pick whatever name suits you.

Now the user aurora can log in (after setting password, or enabling password-less ssh access) and run docker commands.

3. A Docker Primer

The Docker application is a server that runs on a system and is controlled by a command called docker. The docker can run instances of an image which is a complete operating system packed into a file. This running instance is known as a container, as in a container for an operating system. You can start and stop these containers are per demand. You can also completely delete containers and images from the docker system.

To get started, you can build an image from a base operating system image, and configure it to your specifications. To ease the repeated building and configuration of images, Docker uses a build file known as the Dockerfile. Here is the complete reference to the Dockerfile, and the directives it can include.

4. Preparing the Dockerfile

We will now use a Dockerfile to prepare the image to can run the Nginx web server.

First, we choose Ubuntu 16.04 as the base server image using the Dockerfile clause FROM. The MAINTAINER should list your name and email address.

Next, we run a few commands to configure the base image.

First is to update the server OS.

Ubuntu Install Netstat Docker

We obviously need to install nginx. Also require net-tools which contains the netstat command.

Add a non-privileged user for normal operation.

Next, we adjust the configuration of Nginx by removing some unneeded files.

Docker supports its own networking inside the container. By default, listen ports opened inside the running container are not accessible from outside the container. This is a security feature. Opened ports must be explicitly declared to be accessible from outside. Since Nginx opens ports 80 and 443, and we want these accessible from the outside, we need to explicitly tell Docker to expose them.

We have configured Nginx for SSL (HTTPS) and these are the files that are being used. We copy these files from the build environment to the correct path inside the image. We discuss contents of these files below. You can also refer to this article for the complete details.

The last directive in our Dockerfile is to have Nginx run in the foreground inside the container.

5. Configuring Nginx

Note, we have a detailed article describing how to configure Nginx for SSL. Below we present only the changes required to the stock Nginx installation to enable SSL.

  • nginx/ssl: This is a directory containing the SSL certificate (bundled) and the private key used to sign the CSR.
  • nginx/snippets: This is a directory which includes a single file called ssl.conf. We have discussed here how the various clauses which enhance the SSL setup of your Nginx web server.It looks like this:
  • nginx/sites-available: This contains a single file called default which provides the configuration for the default site. For our case, we have added these lines for configuring SSL.

6. Building the Docker Image

Now that we have a Dockefile, we can build our image from it using the following command. It tells docker to build the image called mynginx with the tag latest and replace any old images with the freshly built one. The last argument tells docker to pick up relative file names from the current directory. Specifically, the directory contains an nginx directory with the above listed files.

After you run this command, docker goes through the process of downloading the base Ubuntu 16.04 image and configuring it. After it is done, it shows something like:

You can check that the image has been added to Docker using the command:

To discard the image (for re-building):

For a complete cleanup of all intermediate images, use the following command:

7. Running the Docker Image

Now that we have built our Docker Nginx image, we try to run it.

This command run the mynginx image with the latest tag, and maps the exposed ports as follows: port 80 from the container is mapped to port 80 on the host, and likewise for port 443.

When this command completes successfully, you will see that the host is listening on ports 80 and 443. The requests are routed automatically to Nginx running inside the docker container.

At this point, you can visit your site using a browser and it should just work. Check both HTTP and HTTPS.

7.1. Stopping the Container

To stop a container, you need the container id. Look it up by listing the containers.

You can stop the docker container using:

7.3. Removing the Container

Remove the container from docker using the following command. Again you can lookup the container id if needed.

8. The Dockerfile

For reference, here is the complete Dockerfile.

Conclusion

In this article, we learned how to install the Nginx web server in a Docker container and run it to turn the host into a web server. We have also made changes to Nginx configuration to SSL-enable it.

Estimated reading time: 15 minutes

This section contains optional procedures for configuring Linux hosts to workbetter with Docker.

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By defaultthat Unix socket is owned by the user root and other users can only access itusing sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unixgroup called docker and add users to it. When the docker daemon starts, itmakes the ownership of the Unix socket read/writable by the docker group.

Warning:The docker group grants privileges equivalent to the rootuser. For details on how this impacts security in your system, seeDocker Daemon Attack Surface.

To create the docker group and add your user:

  1. Create the docker group.

  2. Add your user to the docker group.

  3. Log out and log back in so that your group membership is re-evaluated.

    If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

    On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

  4. Verify that you can run docker commands without sudo.

    This command downloads a test image and runs it in a container. When thecontainer runs, it prints an informational message and exits.

    If you initially ran Docker CLI commands using sudo before addingyour user to the docker group, you may see the following error,which indicates that your ~/.docker/ directory was created withincorrect permissions due to the sudo commands.

    To fix this problem, either remove the ~/.docker/ directory(it is recreated automatically, but any custom settingsare lost), or change its ownership and permissions using thefollowing commands:

Configure Docker to start on boot

Most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher)use systemd to manage which services start when the system boots.Ubuntu 14.10 and below use upstart.

systemd

To disable this behavior, use disable instead.

If you need to add an HTTP Proxy, set a different directory or partition for theDocker runtime files, or make other customizations, seecustomize your systemd Docker daemon options.

upstart

Docker is automatically configured to start on boot usingupstart. To disable this behavior, use the following command:

chkconfig

Use a different storage engine

For information about the different storage engines, seeStorage drivers.The default storage engine and the list of supported storage engines depend onyour host’s Linux distribution and available kernel drivers.

Configure where the Docker daemon listens for connections

By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option take a look at “Bind Docker to another host/port or a unix socket” section of the Docker CLI Reference article.

Docker EE customers

Docker EE customers can get remote CLI access to UCP with the UCP client bundle. A UCP Client Bundle is generated by UCP and secured by mutual TLS. See the document on CLI access for UCP for more information.

Secure your connection

Before configuring Docker to accept connections from remote hosts it is critically important that youunderstand the security implications of opening docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.

Configuring Docker to accept remote connections can be done with the docker.service systemd unit file for Linux distributions using systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, or with the daemon.json file which is recommended for Linux distributions that do not use systemd.

systemd vs daemon.json

Configuring docker to listen for connections using both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.

Configuring remote access with systemd unit file

  1. Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.

  2. Add or modify the following lines, substituting your own values.

  3. Save the file.

  4. Reload the systemctl configuration.

  5. Restart Docker.

  6. Check to see whether the change was honored by reviewing the output of netstat to confirm dockerd is listening on the configured port.

Configuring remote access with daemon.json

  1. Set the hosts array in the /etc/docker/daemon.json to connect to the UNIX socket and an IP address, as follows:

  2. Restart Docker.

  3. Check to see whether the change was honored by reviewing the output of netstat to confirm dockerd is listening on the configured port.

Enable IPv6 on the Docker daemon

To enable IPv6 on the Docker daemon, seeEnable IPv6 support.

Troubleshooting

Kernel compatibility

Docker cannot run correctly if your kernel is older than version 3.10 or if itis missing some modules. To check kernel compatibility, you can download andrun the check-config.shscript.

The script only works on Linux, not macOS.

Cannot connect to the Docker daemon

If you see an error such as the following, your Docker client may be configuredto connect to a Docker daemon on a different host, and that host may not bereachable.

To see which host your client is configured to connect to, check the value ofthe DOCKER_HOST variable in your environment.

If this command returns a value, the Docker client is set to connect to aDocker daemon running on that host. If it is unset, the Docker client is set toconnect to the Docker daemon running on the local host. If it is set in error,use the following command to unset it:

You may need to edit your environment in files such as ~/.bashrc or~/.profile to prevent the DOCKER_HOST variable from being seterroneously.

If DOCKER_HOST is set as intended, verify that the Docker daemon is runningon the remote host and that a firewall or network outage is not preventing youfrom connecting.

IP forwarding problems

If you manually configure your network using systemd-network with systemdversion 219 or higher, Docker containers may not be able to access your network.Beginning with systemd version 220, the forwarding setting for a given network(net.ipv4.conf.<interface>.forwarding) defaults to off. This settingprevents IP forwarding. It also conflicts with Docker’s behavior of enablingthe net.ipv4.conf.all.forwarding setting within containers.

To work around this on RHEL, CentOS, or Fedora, edit the <interface>.networkfile in /usr/lib/systemd/network/ on your Docker host(ex: /usr/lib/systemd/network/80-container-host0.network) and add thefollowing block within the [Network] section.

This configuration allows IP forwarding from the container as expected.

DNS resolver found in resolv.conf and containers can't use it

Linux systems which use a GUI often have a network manager running, which uses adnsmasq instance running on a loopback address such as 127.0.0.1 or127.0.1.1 to cache DNS requests, and adds this entry to/etc/resolv.conf. The dnsmasq service speeds upDNS look-ups and also provides DHCP services. This configuration does not workwithin a Docker container which has its own network namespace, becausethe Docker container resolves loopback addresses such as 127.0.0.1 toitself, and it is very unlikely to be running a DNS server on its ownloopback address.

If Docker detects that no DNS server referenced in /etc/resolv.conf is a fullyfunctional DNS server, the following warning occurs and Docker uses the publicDNS servers provided by Google at 8.8.8.8 and 8.8.4.4 for DNS resolution.

If you see this warning, first check to see if you use dnsmasq:

If your container needs to resolve hosts which are internal to your network, thepublic nameservers are not adequate. You have two choices:

Ubuntu Install Netstat Docker Linux

  • You can specify a DNS server for Docker to use, or
  • You can disable dnsmasq in NetworkManager. If you do this, NetworkManageradds your true DNS nameserver to /etc/resolv.conf, but you lose thepossible benefits of dnsmasq.

You only need to use one of these methods.

Specify DNS servers for Docker

The default location of the configuration file is /etc/docker/daemon.json. Youcan change the location of the configuration file using the --config-filedaemon flag. The documentation below assumes the configuration file is locatedat /etc/docker/daemon.json.

  1. Create or edit the Docker daemon configuration file, which defaults to/etc/docker/daemon.json file, which controls the Docker daemonconfiguration.

  2. Add a dns key with one or more IP addresses as values. If the file hasexisting contents, you only need to add or edit the dns line.

    If your internal DNS server cannot resolve public IP addresses, include atleast one DNS server which can, so that you can connect to Docker Hub and sothat your containers can resolve internet domain names.

    Save and close the file.

  3. Restart the Docker daemon.

  4. Verify that Docker can resolve external IP addresses by trying to pull animage:

  5. If necessary, verify that Docker containers can resolve an internal hostnameby pinging it.

Disable dnsmasq

Ubuntu

If you prefer not to change the Docker daemon’s configuration to use a specificIP address, follow these instructions to disable dnsmasq in NetworkManager.

  1. Edit the /etc/NetworkManager/NetworkManager.conf file.

  2. Comment out the dns=dnsmasq line by adding a # character to the beginningof the line.

    Save and close the file.

  3. Restart both NetworkManager and Docker. As an alternative, you can rebootyour system.

RHEL, CentOS, or Fedora

To disable dnsmasq on RHEL, CentOS, or Fedora:

  1. Disable the dnsmasq service:

  2. Configure the DNS servers manually using theRed Hat documentation.

Allow access to the remote API through a firewall

If you run a firewall on the same host as you run Docker and you want to accessthe Docker Remote API from another host and remote access is enabled, you needto configure your firewall to allow incoming connections on the Docker port,which defaults to 2376 if TLS encrypted transport is enabled or 2375otherwise.

Two common firewall daemons areUFW (Uncomplicated Firewall) (oftenused for Ubuntu systems) and firewalld (often usedfor RPM-based systems). Consult the documentation for your OS and firewall, butthe following information might help you get started. These options are fairlypermissive and you may want to use a different configuration that locks yoursystem down more.

  • UFW: Set DEFAULT_FORWARD_POLICY='ACCEPT' in your configuration.

  • firewalld: Add rules similar to the following to your policy (one forincoming requests and one for outgoing requests). Be sure the interface namesand chain names are correct.

Your kernel does not support cgroup swap limit capabilities

On Ubuntu or Debian hosts, You may see messages similar to the following whenworking with an image.

This warning does not occur on RPM-based systems, which enable thesecapabilities by default.

If you don’t need these capabilities, you can ignore the warning. You can enablethese capabilities on Ubuntu or Debian by following these instructions. Memoryand swap accounting incur an overhead of about 1% of the total available memoryand a 10% overall performance degradation, even if Docker is not running.

  1. Log into the Ubuntu or Debian host as a user with sudo privileges.

  2. Edit the /etc/default/grub file. Add or edit the GRUB_CMDLINE_LINUX lineto add the following two key-value pairs:

    Save and close the file.

  3. Update GRUB.

    If your GRUB configuration file has incorrect syntax, an error occurs.In this case, repeat steps 3 and 4.

    The changes take effect when the system is rebooted.

Next steps

Ubuntu Install Netstat Docker

Ubuntu Install Netstat Docker Free

  • Continue with the User Guide.

How To Install Netstat In Docker Container

Docker, Docker documentation, requirements, apt, installation, ubuntu, install, uninstall, upgrade, update

Most Viewed Posts