---
title: "Docker"
menu:
  main:
    parent: Container
---

# deploy docker container

## systemd service file

Generic systemd service file that starts a docker container using `docker compose`.

```
[Unit]
Description=%N service with docker compose
Requires=docker.service
After=docker.service

[Service]
Restart=always
TimeoutStartSec=1200

WorkingDirectory=/etc/docker-compose/%N

# Remove old containers and volumes, then pull current images
ExecStartPre=/usr/bin/docker compose down -v
ExecStartPre=/usr/bin/docker compose rm -fv
ExecStartPre=/usr/bin/docker compose pull

# Compose up
ExecStart=/usr/bin/docker compose up

# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker compose down -v

[Install]
WantedBy=multi-user.target
```

Create a folder /etc/docker-compose/*service-name* and place your `docker-compose.yml` there. Then symlink or copy the systemd service file to /etc/systemd/system/*service-name*.service.

You can start the container using

```
systemctl start <service-name>
```

To start the container automatically when your server boots, enable the systemd service like any other service on your machine:

```
systemctl enable <service-name>
```

## docker-compose examples

### portainer

[Portainer](https://portainer.io) is a nice-looking, easy-to-use web-based frontend for managing all your docker containers.

```
version: '3'
services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
    ports:
      - 9000:9000
```

### watchtower

[Watchtower](https://containrrr.dev/watchtower/) keeps all your docker containers up to date. The following compose file uses `WATCHTOWER_SCHEDULE` to configure when the updates run.

```
version: '3'
services:
  watchtower:
    image: containrrr/watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_RESTARTING=true
      - WATCHTOWER_SCHEDULE=0 0 23 * * *
    ports:
      - 8002:8080
```

### monit

["Your faithful employee, Monit"](https://mmonit.com/monit/) ;-) A simple and easy-to-use monitoring solution for all of your services.

```
version: '3'
services:
  monit:
    image: maltyxx/monit:latest
    container_name: monit
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/monit/etc:/etc/monit
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 2812:2812
    environment:
      - "MONIT_USERNAME=admin"
      - "MONIT_PASSWORD=someSecretPassword"
```

### smokeping

[Smokeping](https://oss.oetiker.ch/smokeping/) is a great way to blame your ISP. "My services die when my roundtrip time to exceeds 20ms". And best of all, it is written in Perl.

```
version: '3'
services:
  smokeping:
    image: linuxserver/smokeping:latest
    container_name: smokeping
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/smokeping/config:/config
      - /opt/docker/smokeping/data:/data
    ports:
      - 8001:80
```

### ipv6nat

A little tweak for Docker's "great" IPv6 support :-/

```
version: '3'
services:
  ipv6nat:
    image: robbertkl/ipv6nat:latest
    container_name: ipv6nat
    restart: always
    # Note: privileged mode grants every capability, so the cap_drop/cap_add
    # lists below have no effect while it is set
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /usr/lib/modules:/lib/modules:ro
    cap_drop:
      - ALL
    cap_add:
      - NET_RAW
      - NET_ADMIN
      - SYS_MODULE
    network_mode: "host"
```

### atlas-probe

A software probe for the [RIPE ATLAS](https://atlas.ripe.net/) project.

One of the more advanced examples I use. The file creates a new network with IPv6 ULA addresses. Yes, I know ... but docker seems to lack such bleeding-edge technology (aka proper IPv6 support). It also limits the resource usage (CPU, RAM) of the docker container.

```
version: '3'
services:
  atlas-probe:
    image: jamesits/ripe-atlas:latest
    container_name: atlas-probe
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/atlas-probe/etc:/var/atlas-probe/etc
      - /opt/docker/atlas-probe/status:/var/atlas-probe/status
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
      - NET_RAW
    environment:
      - RXTXRPT=yes
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: "64M"
        reservations:
          memory: "64M"
    networks:
      - ripe-atlas-network

networks:
  ripe-atlas-network:
    name: ripe-atlas-network
    enable_ipv6: true
    ipam:
      config:
        - subnet: fd00:a1a3::/48
```
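
Several compose files on this page mount the Docker socket, publish ports without a host address, run privileged, use floating image tags, or carry a password inline. The Python script below is an added example, not part of the original page: it scans compose text for those patterns and reports them per service. The rule names, `audit`, and the `monit-tightened` service with its `<digest>` placeholder are made up for illustration, and the scanner assumes block-style YAML with list-form entries as used on this page.

```python
import re

# Constructed sample: the monit service as written on this page, then a
# tightened variant (digest placeholder, loopback-only port, secret from env).
SAMPLE = """\
services:
  monit:
    image: maltyxx/monit:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 2812:2812
    environment:
      - "MONIT_PASSWORD=someSecretPassword"
  monit-tightened:
    image: maltyxx/monit@sha256:<digest>
    ports:
      - 127.0.0.1:2812:2812
    environment:
      - "MONIT_PASSWORD=${MONIT_PASSWORD}"
"""

RULES = [
    ("privileged", re.compile(r"^\s*privileged:\s*true\b")),
    # any socket mount exposes the Docker API; ':ro' does not limit API calls
    ("docker-socket", re.compile(r"^\s*-\s*['\"]?[^\s:]*docker\.sock:")),
    # HOST:CONTAINER without a host IP publishes on all interfaces
    ("port-all-interfaces", re.compile(r"^\s*-\s*['\"]?\d+:\d+(/\w+)?['\"]?\s*$")),
    # literal credential in the file (a ${VAR} reference is not flagged)
    ("inline-secret", re.compile(r"^\s*-\s*['\"]?\w*(PASSWORD|SECRET|TOKEN)\w*=(?!\$)[^\s'\"]")),
    # ':latest' or no tag: the image content can change between pulls
    ("floating-tag", re.compile(r"^\s*image:\s*(\S+:latest|[^\s:@]+)\s*$")),
]

def audit(text):
    """Return (service, line_number, rule) for each flagged line under services:."""
    findings, section, service, indent = [], None, None, None
    for no, line in enumerate(text.splitlines(), 1):
        top = re.match(r"^([\w.-]+):", line)
        if top:  # a top-level key starts a new section
            section, service, indent = top.group(1), None, None
            continue
        key = re.match(r"^( +)([\w.-]+):\s*$", line)
        if section == "services" and key and indent in (None, len(key.group(1))):
            indent, service = len(key.group(1)), key.group(2)  # service name line
            continue
        if section == "services":
            findings += [(service, no, name) for name, rx in RULES if rx.search(line)]
    return findings
```

Calling `audit(SAMPLE)` flags four lines in the `monit` service and none in `monit-tightened`; pass the contents of a real `docker-compose.yml` to check your own files.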