docker
Install the package.
# pacman -Syu docker
# systemctl enable docker
# systemctl restart docker
Make sure the installation is complete and the docker daemon is running.
# docker info
Hello World
Run a container for the first time. If you get the following output, the installation works.
# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:fc6a51919cfeb2e6763f62b6d9e8815acbf7cd2e476ea353743570610737b752
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
To make docker available to remote hosts, specify a port and expose the Remote API. By convention, the port for unencrypted communication is 2375.
# systemctl edit docker
config:/lib/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
# systemctl daemon-reload
# systemctl restart docker
Set the following environment variables.
% export DOCKER_HOST=a300:2375
With this set, docker commands run on the client are always executed on the server.
% docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:22:34 2019
OS/Arch: darwin/amd64
Experimental: false
Server:
Engine:
Version: 19.03.6-ce
API version: 1.40 (minimum version 1.12)
Go version: go1.13.7
Git commit: 369ce74a3c
Built: Thu Feb 13 18:14:54 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.3.3.m
GitCommit: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
A certificate is required to encrypt communications with TLS. This walkthrough assumes that a self-signed certificate will be created.
First, generate the certificate authority (CA) private key and public certificate.
# mkdir /etc/docker/certs.d
# cd /etc/docker/certs.d
# openssl genrsa -out ca-key.pem 4096
# openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:a300
Email Address []:
Create a server private key and a Certificate Signing Request (CSR).
# openssl genrsa -out server-key.pem 4096
# sudo openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Generate a server certificate. Here, the subjectAltName is set so that the server can be reached by host name or by IP address.
config:/etc/docker/certs.d/extfile.cnf
subjectAltName = DNS:a300,IP:192.168.0.16,IP:127.0.0.1
extendedKeyUsage = serverAuth
# openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
# rm server.csr extfile.cnf
Set permissions so that anyone can read the certificates but only root (Docker) can read the private keys.
# chmod -v 0400 ca-key.pem server-key.pem
# chmod -v 0444 ca.pem server-cert.pem
Create a client private key and a Certificate Signing Request (CSR).
# openssl genrsa -out key.pem 4096
# sudo openssl req -subj '/CN=mbp2015' -new -key key.pem -out client.csr
Generate a client certificate.
config:/etc/docker/certs.d/extfile-client.cnf
extendedKeyUsage = clientAuth
# openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
# rm client.csr extfile-client.cnf
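A check to run on the generated files before distributing them, as an added example that is not part of the original page: it confirms that a certificate chains to the CA, carries the extendedKeyUsage for its role, and matches its private key. The function names, the demo-* names and the throwaway 2048-bit keys are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. check_cert CA CERT KEY PURPOSE [HOST]
# PURPOSE is sslserver or sslclient; returns 0 only if every check passes.
check_cert() {
    cc_ca=$1 cc_cert=$2 cc_key=$3 cc_purpose=$4 cc_host=${5:-}
    # 1. Chains to the CA and extendedKeyUsage permits the intended role.
    openssl verify -CAfile "$cc_ca" -purpose "$cc_purpose" "$cc_cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cc_cert: chain or key usage ($cc_purpose)"; return 1; }
    # 2. The private key belongs to this certificate (public keys are equal).
    cc_a=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null)
    cc_b=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null)
    [ -n "$cc_a" ] && [ "$cc_a" = "$cc_b" ] ||
        { echo "FAIL: $cc_key does not match $cc_cert"; return 1; }
    # 3. Optional: the host name clients will use is in subjectAltName.
    if [ -n "$cc_host" ]; then
        openssl x509 -in "$cc_cert" -noout -checkhost "$cc_host" 2>/dev/null |
            grep -q 'does match' ||
            { echo "FAIL: $cc_cert is not valid for $cc_host"; return 1; }
    fi
    echo "OK: $cc_cert ($cc_purpose)"
}

# make_demo_pki DIR: throwaway CA, server and client certificates made with the
# page's openssl steps. Key size 2048, 1-day validity and the demo-* names are
# constructed values for this demonstration only.
make_demo_pki() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    printf 'subjectAltName = DNS:demo-host\nextendedKeyUsage = serverAuth\n' > server.cnf
    printf 'extendedKeyUsage = clientAuth\n' > client.cnf
    openssl genrsa -out ca-key.pem 2048 &&
    openssl req -new -x509 -days 1 -key ca-key.pem -sha256 -subj /CN=demo-ca -out ca.pem || exit 1
    for role in server client; do
        openssl genrsa -out "$role-key.pem" 2048 &&
        openssl req -new -subj "/CN=demo-$role" -key "$role-key.pem" -out "$role.csr" &&
        openssl x509 -req -days 1 -sha256 -in "$role.csr" -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -out "$role-cert.pem" -extfile "$role.cnf" || exit 1
    done
)

d=$(mktemp -d) && make_demo_pki "$d" && {
    check_cert "$d/ca.pem" "$d/server-cert.pem" "$d/server-key.pem" sslserver demo-host
    # A server certificate must not pass as a client certificate (wrong EKU).
    check_cert "$d/ca.pem" "$d/server-cert.pem" "$d/server-key.pem" sslclient ||
        echo "=> rejected as expected"
}
rm -rf "$d"
```

On the files from this page the equivalent calls are check_cert ca.pem server-cert.pem server-key.pem sslserver a300 and check_cert ca.pem cert.pem key.pem sslclient.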
If you cannot log in to the server over ssh with root privileges, move the client certificate and private key to your home directory and change their owner so that you can fetch them with scp.
# mv key.pem ~
# mv cert.pem ~
# cp ca.pem ~
# chown $USER ~/key.pem ~/cert.pem ~/ca.pem
% mkdir -p ~/.docker/certs.d
% scp a300:~/key.pem ~/.docker/certs.d
% scp a300:~/cert.pem ~/.docker/certs.d
% scp a300:~/ca.pem ~/.docker/certs.d
% chmod 400 ~/.docker/certs.d/key.pem
% chmod 444 ~/.docker/certs.d/cert.pem ~/.docker/certs.d/ca.pem
Be sure to delete the client private key from the server. Anyone who holds this private key can run docker without sudo, which is the same as giving that user root privileges.
# rm ~/key.pem ~/cert.pem ~/ca.pem
To make docker available to remote hosts, specify a port and expose the Remote API. By convention, the port for encrypted communication is 2376.
# systemctl edit docker
config:/lib/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs.d/ca.pem --tlscert=/etc/docker/certs.d/server-cert.pem --tlskey=/etc/docker/certs.d/server-key.pem -H fd:// -H tcp://0.0.0.0:2376
# systemctl daemon-reload
# systemctl restart docker
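The difference between the plain and the TLS ExecStart settings, as an added example that is not part of the original page: a small audit that reads a dockerd command line and reports every TCP listener that is reachable without --tlsverify. The function name and the /path/to/... certificate paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a dockerd command line
# for TCP listeners that are exposed without mutual TLS.
# audit_dockerd_exec "CMDLINE" prints findings and returns 1 if any TCP
# listener accepts unauthenticated connections, otherwise 0.
audit_dockerd_exec() {
    ad_verify=0 ad_paths=0 ad_tcp="" ad_prev="" ad_rc=0
    set -f                                  # word-split without globbing
    for ad_arg in $1; do
        case "$ad_prev" in                  # join "flag value" into "flag=value"
            -H|--host|--tlscacert|--tlscert|--tlskey) ad_arg="$ad_prev=$ad_arg" ;;
        esac
        case "$ad_arg" in
            --tlsverify|--tlsverify=true) ad_verify=1 ;;
            --tlscacert=?*|--tlscert=?*|--tlskey=?*) ad_paths=$((ad_paths + 1)) ;;
            -H=tcp://*|--host=tcp://*) ad_tcp="$ad_tcp ${ad_arg#*=tcp://}" ;;
        esac
        ad_prev=$ad_arg
    done
    set +f
    [ -n "$ad_tcp" ] || { echo "OK: no TCP listener"; return 0; }
    for ad_addr in $ad_tcp; do
        if [ "$ad_verify" -eq 0 ]; then
            echo "FAIL: tcp://$ad_addr has no --tlsverify: any host that can connect controls the daemon"
            ad_rc=1
        elif [ "$ad_paths" -lt 3 ]; then
            echo "WARN: tcp://$ad_addr uses --tlsverify but --tlscacert/--tlscert/--tlskey are not all set explicitly"
        else
            echo "OK: tcp://$ad_addr requires a client certificate signed by the CA"
        fi
        case "$ad_addr" in
            0.0.0.0:*|:*) echo "NOTE: tcp://$ad_addr listens on every interface" ;;
        esac
    done
    return $ad_rc
}

# Modelled on the two ExecStart values on this page; paths are placeholders.
WEAK='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
STRONG='/usr/bin/dockerd --tlsverify --tlscacert=/path/to/ca.pem --tlscert=/path/to/server-cert.pem --tlskey=/path/to/server-key.pem -H fd:// -H tcp://0.0.0.0:2376'
audit_dockerd_exec "$WEAK" || echo "=> plain TCP listener rejected"
audit_dockerd_exec "$STRONG"
```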
Set the following environment variables.
% export DOCKER_CERT_PATH=~/.docker/certs.d
% export DOCKER_HOST=a300:2376
% export DOCKER_TLS_VERIFY=1
With these set, docker commands run on the client are always executed on the server.
% docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:22:34 2019
OS/Arch: darwin/amd64
Experimental: false
Server:
Engine:
Version: 19.03.6-ce
API version: 1.40 (minimum version 1.12)
Go version: go1.13.7
Git commit: 369ce74a3c
Built: Thu Feb 13 18:14:54 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.3.3.m
GitCommit: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
zsh
In .zshrc, add the directory that will hold the completion definition files to fpath.
fpath=($ZDOTDIR/completion $fpath)
autoload -Uz compinit
compinit -i -d "$ZCACHEDIR/.zcompdump"
Download the docker and docker-compose completion definition files and restart the shell.
mkdir $ZDOTDIR/completion
curl -L https://raw.githubusercontent.com/docker/cli/master/contrib/completion/zsh/_docker > $ZDOTDIR/completion/_docker
curl -L https://raw.githubusercontent.com/docker/compose/master/contrib/completion/zsh/_docker-compose > $ZDOTDIR/completion/_docker-compose
exec $SHELL -l