my first docker article

content/post/docker.md

@@ -0,0 +1,203 @@
+---
+title: "Docker"
+date: 2021-11-13
+---
+
+# deploy docker container
+
+## systemd service file
+Generic systemd service file starting docker container using `docker compose`
+```
+[Unit]
+Description=%N service with docker compose
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/etc/docker-compose/%N
+
+# Remove old containers, images and volumes and update it
+ExecStartPre=/usr/bin/docker compose down -v
+ExecStartPre=/usr/bin/docker compose rm -fv
+ExecStartPre=/usr/bin/docker compose pull
+
+# Compose up
+ExecStart=/usr/bin/docker compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker compose down -v
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Create a folder /etc/docker-compose/<service-name> and place your docker-compose.yml there.
+Then symlink or copy the systemd service file to /etc/systemd/system/<service-name>.service.
+
+You can start the container using
+```
+systemctl start <service-name>
+```
+
+To automatically start the container when your server is booting enable the systemd service like any other service on your machine
+```
+systemctl enable <service-name>
+```
+
+## docker-compose examples
+### portainer
+[Portainer](https://portainer.io) is a nice looking and easy to use web based frontend for managing all your docker containers.
+```
+version: '3'
+
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    container_name: portainer
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/portainer:/data
+    ports:
+      - 9000:9000
+```
+
+### watchtower
+[Watchtower](https://containrrr.dev/watchtower/) keeps all your docker container up to date.
+The following compose file uses `WATCHTOWER_SCHEDULE` to configure execution time of the updates.
+```
+version: '3'
+
+services:
+  watchtower:
+    image: containrrr/watchtower
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+    - WATCHTOWER_CLEANUP=true
+    - WATCHTOWER_INCLUDE_RESTARTING=true
+    - WATCHTOWER_SCHEDULE=0 0 23 * * *
+    ports:
+      - 8002:8080
+```
+
+### monit
+["Your faithful employee, Monit"](https://mmonit.com/monit/) ;-)
+A simple and easy to use monitoring solution for all of your services.
+```
+version: '3'
+
+services:
+  monit:
+    image: maltyxx/monit:latest
+    container_name: monit
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/monit/etc:/etc/monit
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - 2812:2812
+    environment:
+      - "MONIT_USERNAME=admin"
+      - "MONIT_PASSWORD=someSecretPassword"
+```
+
+### smokeping
+[Smokeping](https://oss.oetiker.ch/smokeping/) is a great way to blame your ISP. 
+"My services die when my roundtrip time to <random target server on the other side end of the world> exceeds 20ms".
+And best of all, it is written in perl.
+```
+version: '3'
+
+services:
+  smokeping:
+    image: linuxserver/smokeping:latest
+    container_name: smokeping
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/smokeping/config:/config
+      - /opt/docker/smokeping/data:/data
+    ports:
+      - 8001:80
+```
+
+### ipv6nat
+A little tweak for dockers "great" IPv6 support :-/
+```
+version: '3'
+
+services:
+  ipv6nat:
+    image: robbertkl/ipv6nat:latest
+    container_name: ipv6nat
+    restart: always
+    privileged: true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /usr/lib/modules:/lib/modules:ro
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: "host"
+```
+
+### atlas-probe
+A software probe for the [RIPE ATLAS](https://atlas.ripe.net/) project. 
+One of the more advanced examples I use.
+
+The file creates a new network with IPv6 ULA addresses. 
+Yes I know ... but docker seem to lack such bleeding edge technology (aka prober IPv6 support).
+It limits resource usage (CPU, RAM) of the docker container as well. 
+```
+version: '3'
+
+services:
+  atlas-probe:
+    image: jamesits/ripe-atlas:latest
+    container_name: atlas-probe
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/atlas-probe/etc:/var/atlas-probe/etc
+      - /opt/docker/atlas-probe/status:/var/atlas-probe/status
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
+      - NET_RAW
+    environment:
+      - RXTXRPT=yes
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: "64M"
+        reservations:
+          memory: "64M"
+    networks:
+      - ripe-atlas-network
+networks:
+  ripe-atlas-network:
+    name: ripe-atlas-network
+    enable_ipv6: true
+    ipam:
+      config:
+        - subnet: fd00:a1a3::/48
+```