Let's get started
So why do I want to create my website completely based on Docker containers? Well, that's pretty easy: a) Docker is cool and b) Docker allows me to move my containers to new providers quickly.
Let's imagine that a new cheap & fast cloud service comes along, or my hosting provider gives me the chance to move to newer/faster hardware. Then it would be cool to quickly move my whole page (including all databases, apps and other services that might be running on my "old" machine) to the new appliance.
That's exactly what I need Docker for, because then my "dockerized" apps are completely portable and can run everywhere - in a cloud, on a virtual machine or on my local computer - Linux is pretty much mandatory, though.
If you still don't know what Docker is or what it does, just read the official "What is Docker" document!
Setting up Ubuntu for production use
The big advantage of using Docker is that we don't have to spend that much time creating a production-ready server. This machine will basically only act as a platform for all my containers (from now on called the "Docker host") and therefore only needs a minimal security configuration. Later, inside the Docker containers, you still have to take care of application security of course - but we'll get to that later.
Although Docker is supported on Ubuntu from 13.10 up, I'm using the latest and greatest Ubuntu release: Ubuntu 15.04 (Vivid Vervet). It comes with a recent kernel and is therefore well prepared for my Docker installation (remember that Docker requires a 64-bit installation regardless of your Ubuntu version, and your kernel must be at least 3.10).
I'm going to install everything on this (small) machine to test its performance and have the opportunity to move to a faster one once everything has been set up: Hetzner vServer VX11 (Dual Core, 2GB of RAM). Let's see how this small machine performs in the real world, running nginx, nodejs and mongodb containers.
Let's start setting up the Ubuntu machine - our new Docker host.
Add a new user to the system
# adduser johndoe
This command will ask you some questions (including the new user's password) and will then create the user for you.
Since you want to be able to use sudo later, you need to give that user root privileges.
Just type the following command and an editor will appear that allows you to add the user to the sudoers file:
root ALL=(ALL:ALL) ALL
johndoe ALL=(ALL:ALL) ALL
Before you exit, you should also change the root password - just to make sure that no one else knows it. Just enter the following command and type your new password twice:
Secure your SSH access correctly
On a Unix-based machine (e.g. Linux or OS X), you would connect via SSH like this:
# ssh firstname.lastname@example.org
Now that we're logged in as johndoe, we will secure our SSH access. Type the following command to open the SSH daemon configuration - I will be using vi from now on, but you can also use nano as your editor:
# sudo vi /etc/ssh/sshd_config
Now we will change the standard SSH port so that port sniffers will have a hard time guessing your port - for that, change the following line (in vi, press "i" to switch to insert mode):
# What ports, IPs and protocols we listen for
Port 2233
We've now changed the port from 22 to 2233. Please write down the port number and don't forget the value you have specified here - otherwise you won't be able to log in via SSH anymore! This will not prevent hackers from port scanning your server, but it will stop scripts that try to access your machine on the standard SSH port.
Now we'll tell SSH not to allow the root user to log in - so we change the value of PermitRootLogin to "no"!
# Authentication:
LoginGraceTime 120
PermitRootLogin no
If you're the only one accessing this machine you can also add the following line to the end of the file:
AllowUsers johndoe
Having changed that, only johndoe can access this machine via SSH now.
Now just hit ESC and enter ":wq" to write the changes to the file, then restart the SSH daemon:
# sudo service sshd restart
Ok... let's test our new secured SSH service. Just exit from the machine and log in via SSH again, but this time you'll have to specify the port:
# ssh email@example.com -p 2233
You can also try to log in as the root user, but that should not work, as we've told the daemon not to allow root logins:
# ssh firstname.lastname@example.org -p 2233
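Before restarting the daemon it is worth checking that the file really ends up with the settings described above, because a typo here is what locks you out. The script below is an added example and not part of the original post: it reads an sshd_config the way sshd does (keywords are case-insensitive, "#" starts a comment, the first occurrence of a keyword wins, and nothing after a Match line counts as global) and reports whether the three changes from this section - a non-default Port, PermitRootLogin no and an AllowUsers list - are in effect. The function names and the two sample configs are constructed for this example; on the host you would pass /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the three
# hardening changes made above - a non-default Port, PermitRootLogin no and an
# AllowUsers list. The sample configs below are constructed for this example.

# Print the effective value of one sshd_config keyword.
# sshd semantics: keywords are case-insensitive, '#' starts a comment, the FIRST
# occurrence of a keyword wins, and anything after the first "Match" line is
# conditional, so we stop reading there.
sshd_effective() {
    # $1 = config file, $2 = keyword; prints nothing if the keyword is unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                          # strip comments
        tolower($1) == "match" { exit }             # end of the global section
        NF >= 2 && tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit  # value = rest of the line
        }
    ' "$1"
}

# Return 0 if all three hardening checks pass, otherwise report each failure and return 1.
check_sshd_config() {
    cfg="$1"; rc=0
    port=$(sshd_effective "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is ${port:-22 (default)}"; rc=1
    fi
    prl=$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is ${prl:-unset (sshd default applies)}"; rc=1
    fi
    if [ -z "$(sshd_effective "$cfg" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is not set (any local user may log in)"; rc=1
    fi
    return $rc
}

# Write a constructed sample config ("default" or "hardened") to a temp file and print its path.
make_sample() {
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        cat >"$f" <<'EOF'
# What ports, IPs and protocols we listen for
Port 2233
# Authentication:
LoginGraceTime 120
PermitRootLogin no
AllowUsers johndoe
Match User johndoe
    X11Forwarding no
EOF
    else
        cat >"$f" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
EOF
    fi
    echo "$f"
}

# Stand-alone demo: the stock config fails all three checks, the hardened one passes.
for kind in default hardened; do
    f=$(make_sample "$kind")
    if check_sshd_config "$f"; then echo "$kind: OK"; else echo "$kind: NOT hardened"; fi
    rm -f "$f"
done
```

Run it with `sh` to see both samples, or call check_sshd_config on /etc/ssh/sshd_config before the restart. It complements `sudo sshd -t`, which only validates syntax, and both together cover the two ways this step goes wrong; keeping the current session open while you test the new login from a second terminal covers the third.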
Install & enable the Ubuntu firewall
# sudo apt-get install ufw
Once the firewall is installed, check its status:
# sudo ufw status
It will probably tell you that it's not enabled - that's ok for now. So we'll tell it to allow incoming requests to our new SSH port:
# sudo ufw allow 2233/tcp
And we'll also tell it to deny all incoming and allow all outgoing requests by default:
# sudo ufw default deny incoming
# sudo ufw default allow outgoing
Now let's enable the firewall and check its status again:
# sudo ufw enable
# sudo ufw status
To                         Action      From
--                         ------      ----
2233/tcp                   ALLOW       Anywhere
Ok... let's test our now more secure SSH service. Just exit from the machine and log in via SSH again - again, you'll have to specify the new port:
# ssh email@example.com -p 2233
Now you should be logged in and ready to install Docker (next part of the series)!