Docker

deploy docker container

systemd service file

Generic systemd service file that starts a Docker container using docker compose:

[Unit]
Description=%N service with docker compose
Requires=docker.service
After=docker.service

[Service]
Restart=always
TimeoutStartSec=1200

WorkingDirectory=/etc/docker-compose/%N

# Remove old containers and volumes, then pull updated images
# (-v also deletes named volumes declared in the compose file)
ExecStartPre=/usr/bin/docker compose down -v
ExecStartPre=/usr/bin/docker compose rm -fv
ExecStartPre=/usr/bin/docker compose pull

# Compose up
ExecStart=/usr/bin/docker compose up

# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker compose down -v

[Install]
WantedBy=multi-user.target

Create a folder /etc/docker-compose/service-name and place your docker-compose.yml there. Then symlink or copy the systemd service file to /etc/systemd/system/service-name.service.

You can start the container using

systemctl start <service-name>

To start the container automatically when your server boots, enable the systemd service like any other service on your machine:

systemctl enable <service-name>

docker-compose examples

portainer

Portainer is a nice-looking, easy-to-use, web-based frontend for managing all your Docker containers.

version: '3'

services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
    ports:
      - 9000:9000

watchtower

Watchtower keeps all your Docker containers up to date. The following compose file uses WATCHTOWER_SCHEDULE to configure when the updates run.

version: '3'

services:
  watchtower:
    image: containrrr/watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_RESTARTING=true
      - WATCHTOWER_SCHEDULE=0 0 23 * * *
    ports:
      - 8002:8080

monit

“Your faithful employee, Monit” ;-) A simple and easy to use monitoring solution for all of your services.

version: '3'

services:
  monit:
    image: maltyxx/monit:latest
    container_name: monit
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/monit/etc:/etc/monit
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 2812:2812
    environment:
      - "MONIT_USERNAME=admin"
      - "MONIT_PASSWORD=someSecretPassword"

smokeping

Smokeping is a great way to blame your ISP. “My services die when my roundtrip time to exceeds 20ms”. And best of all, it is written in Perl.

version: '3'

services:
  smokeping:
    image: linuxserver/smokeping:latest
    container_name: smokeping
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/smokeping/config:/config
      - /opt/docker/smokeping/data:/data
    ports:
      - 8001:80

ipv6nat

A little tweak for Docker's “great” IPv6 support :-/

version: '3'

services:
  ipv6nat:
    image: robbertkl/ipv6nat:latest
    container_name: ipv6nat
    restart: always
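    # privileged: true grants every capability, so cap_drop/cap_add below have no effect while it is set
    privileged: true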
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /usr/lib/modules:/lib/modules:ro
    cap_drop:
      - ALL
    cap_add:
      - NET_RAW
      - NET_ADMIN
      - SYS_MODULE
    network_mode: "host"

atlas-probe

A software probe for the RIPE ATLAS project. One of the more advanced examples I use.

The file creates a new network with IPv6 ULA addresses. Yes, I know … but Docker seems to lack such bleeding-edge technology (aka proper IPv6 support). It also limits the resource usage (CPU, RAM) of the container.

version: '3'

services:
  atlas-probe:
    image: jamesits/ripe-atlas:latest
    container_name: atlas-probe
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/atlas-probe/etc:/var/atlas-probe/etc
      - /opt/docker/atlas-probe/status:/var/atlas-probe/status
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
      - NET_RAW
    environment:
      - RXTXRPT=yes
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: "64M"
        reservations:
          memory: "64M"
    networks:
      - ripe-atlas-network
networks:
  ripe-atlas-network:
    name: ripe-atlas-network
    enable_ipv6: true
    ipam:
      config:
        - subnet: fd00:a1a3::/48
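
Several of the compose files above share settings worth reviewing before deployment: a Docker socket mount (with or without :ro, the container can still talk to the daemon API), privileged: true next to cap_drop, ports published on all interfaces, a password set in the file, and floating image tags. The following Python check is an added example, not part of the original page; the finding labels, the SAMPLE text and the function names are assumptions made for illustration, and the line-based parsing assumes the two-space indentation used here rather than full YAML.

```python
import re

# Constructed sample that reuses settings from the ipv6nat and monit files above.
SAMPLE = """\
services:
  ipv6nat:
    image: robbertkl/ipv6nat:latest
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    cap_drop:
      - ALL
  monit:
    ports:
      - 2812:2812
    environment:
      - "MONIT_PASSWORD=someSecretPassword"
"""

CHECKS = [  # (label, regex); the labels are names chosen for this example
    ("docker-socket", r"/var/run/docker\.sock:"),          # daemon access = root on host
    ("privileged", r"^\s*privileged:\s*true"),
    ("port-all-interfaces", r'^\s*-\s*"?\d+:\d+"?\s*$'),   # no host IP given
    ("secret-in-env", r"(?i)(PASSWORD|SECRET|TOKEN)\w*=\S"),
    ("floating-tag", r"^\s*image:\s*(?:[^\s:]+|\S+:latest)\s*$"),
]

def split_services(text):
    """Map service name -> its body text, assuming this page's 2-space indent."""
    services, name, in_services = {}, None, False
    for line in text.splitlines():
        if re.match(r"\S", line):                  # a top-level key starts a new section
            in_services, name = line.startswith("services:"), None
        elif in_services and (m := re.match(r"  ([\w.-]+):\s*$", line)):
            name = m.group(1)
            services[name] = []
        elif name:
            services[name].append(line)
    return {k: "\n".join(v) for k, v in services.items()}

def audit(text):
    """Return sorted (service, finding) tuples for a compose file given as text."""
    findings = set()
    for svc, block in split_services(text).items():
        findings |= {(svc, label) for label, rx in CHECKS if re.search(rx, block, re.M)}
        # Privileged containers receive every capability, so cap_drop has no effect.
        if (svc, "privileged") in findings and re.search(r"^\s*cap_drop:", block, re.M):
            findings.add((svc, "cap_drop-ignored"))
    return sorted(findings)
```

Calling audit() on the text of a file under /etc/docker-compose/ returns the findings per service; publishing a port as 127.0.0.1:2812:2812 clears the port finding.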