install single-node k3s cluster instead of containerd

I can install with these commands on debian buster arm64 though can not on bullseye.

at first intall docker

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo docker run hello-world

then install k3

curl -sfL https://get.k3s.io | sh -s - --docker
systemctl status k3s

uninstall

/usr/local/bin/k3s-uninstall.sh

create deployment

create yaml file

cat <<EOF > nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx-test
        image: nginx-test:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 80
EOF

create and confirm the deployment

sudo kubectl create -f nginx-deployment.yaml
sudo kubectl get deploy
sudo kubectl get pod
sudo kubectl exec -it <pod name> -- curl localhost

create service

create yaml file

cat <<EOF > nginx-service.yaml
kind: Service
apiVersion: v1
metadata:
  name: my-service
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - protocol: TCP
    targetPort: 80
    port: 80

create and confirm the service

sudo kubectl create -f nginx-service.yaml
sudo kubectl get svc
curl x.x.x.x

modify service

sudo kubectl apply -f nginx-deployment.yaml
sudo kubectl get svc

delete srvice

sudo kubectl delete svc <service name>

delete deployment

sudo kubectl delete -f ./nginx-deployment.yaml

On debian if you want to analyze or cache the content of the ssl traffic with squid, you have to buid your own squid. This is a sample to build squid using apt source package.

build a docker container

make a dockerfile

FROM debian:buster-slim

WORKDIR /tmp/buildwork
RUN echo 'deb-src http://deb.debian.org/debian buster main' >> /etc/apt/sources.list \
&& apt-get update \
&& apt install --no-install-recommends -y dpkg-dev devscripts build-essential fakeroot libssl-dev libldap2-dev libpam0g-dev libdb-dev cdbs libsasl2-dev debhelper libcppunit-dev libkrb5-dev comerr-dev libcap2-dev libecap3-dev libexpat1-dev libxml2-dev pkg-config libnetfilter-conntrack-dev nettle-dev libgnutls28-dev dh-apparmor ed libdbi-perl libltdl-dev lsb-release libpopt0 logrotate squid-langpack \
&& apt source squid \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*

RUN sed -i.bak -e '/--with-gnutls$/ s/$/ --with-openssl --enable-ssl --enable-ssl-crtd/' squid-4.6/debian/rules \
&& squid-4.6/configure \
&& cd squid-4.6 \
&& debuild -us -uc -b \
&& dpkg -i ../squid_*.deb ../squid-common_*.deb \
&& mkdir -p /var/spool/squid /etc/squid/ssl_cert && chown proxy:proxy /var/spool/squid \
&& cd /tmp && rm -rf /tmp/buildwork

VOLUME ["/var/spool/squid"]
EXPOSE 3128

WORKDIR /var/spool/squid
COPY squid.conf /etc/squid/squid.conf
COPY server.crt /etc/squid/ssl_cert/server.crt
COPY server.key /etc/squid/ssl_cert/server.key

CMD chmod 600 /etc/squid/ssl_cert/server.key \
&& if [ ! -f /var/spool/squid/swap.state ]; then squid -z ; fi \
&& if [ ! -d /var/spool/squid/ssl_db ]; then /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 20MB ; chown -R proxy. /var/spool/squid/ssl_db ; fi \
&& squid -N

sample configure file

acl localnet src 192.168.xxx.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/server.crt key=/etc/squid/ssl_cert/server.key
ssl_bump stare all
sslproxy_cert_error allow all
sslcrtd_children 3 startup=1 idle=1
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern .               129600  33%     525600
dns_nameservers 192.168.xxx.xxx 192.168.xxx.xxx

If you don't have a CA file and private key for it, you need create them. When you already have them, I think you can use intermediate CA signed by your own CA.

$ openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=192.168.xxx.xxx" -days 3650

build an image

$ docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t squid:test .

run a container

$ sudo docker run --rm squid:test squid --version | awk -F: '$1~/options/{print $2}' | sed -e 's/ /\n/g' | grep ssl
'--with-openssl'
'--enable-ssl'
'--enable-ssl-crtd'
$ docker run --rm -p 3128:3128 -v /mnt/squid:/var/spool/squid -d squid:test

test the address and port

$ curl -D - -s http://192.168.xxx.xxx:3128/ -o /dev/null

connecting to HTTPS server

$ https_proxy=http://192.168.xxx.xxx:3128/ curl -v -k -s https://www.google.com/ -o /dev/null
* Uses proxy env variable https_proxy == 'http://192.168.xxx.xxx:3128/'
*   Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
:
:
:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  start date: May 10 04:04:06 2021 GMT
*  expire date: Aug  2 04:04:05 2021 GMT
*  issuer: CN=192.168.xxx.xxx
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
} [5 bytes data]
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Wed, 09 Jun 2021 00:22:42 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: 1P_JAR=2021-06-09-00; expires=Fri, 09-Jul-2021 00:22:42 GMT; path=/; domain=.google.com; Secure
< Set-Cookie: NID=216=ptf-d_HIPGOAjnEf-gbmRDmIg3JnEfjqRRnQghOkyFHrdLy5fXGOhydj5jBHonqOlP5WCzPIKX3kIkdizOXCQ13t4moqXwr-UoOWiRXgYaAkx6gyqe03hjM_hwfin5plUuG3NClONGvvFJo5Mqvar7GFYrSFYOMVCXMXvTJ0d4M; expires=Thu, 09-Dec-2021 00:22:42 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< Accept-Ranges: none
< Vary: Accept-Encoding
< X-Cache: MISS from bd2e0fa8b95e
< X-Cache-Lookup: MISS from bd2e0fa8b95e:3128
< Transfer-Encoding: chunked
< Via: 1.1 bd2e0fa8b95e (squid/4.6)
< Connection: keep-alive
< 
{ [5 bytes data]
* Connection #0 to host 192.168.xxx.xxx left intact

sample log of other connections

1622798061.167    833 192.168.xxx.xxx NONE/200 0 CONNECT dl.fedoraproject.org:443 - HIER_DIRECT/38.145.60.22 -
1622798061.539    260 192.168.xxx.xxx TCP_MISS/200 16108 GET https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - HIER_DIRECT/38.145.60.22 application/x-rpm

1622798109.029    496 192.168.xxx.xxx NONE/200 0 CONNECT dl.fedoraproject.org:443 - HIER_DIRECT/38.145.60.22 -
1622798109.130      1 192.168.xxx.xxx TCP_MEM_HIT/200 16115 GET https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - HIER_NONE/- application/x-rpm

The squid packages of debian doesn not support sslbump. It only redirects ssl traffic. We can not analyze or cache the content of the ssl traffic.

build a docker container

make a dockerfile

FROM debian:buster-slim

RUN apt-get update \
&& apt install -y squid \
s&& apt clean \
&& rm -rf /var/lib/apt/lists/*

VOLUME ["/var/spool/squid"]
EXPOSE 3128

WORKDIR /var/spool/squid
COPY squid.conf /etc/squid/squid.conf

CMD if [ ! -f /var/spool/squid/swap.state ]; then squid -z ; sleep 2; fi \
&& squid -N

sample configure file

acl localnet src 192.168.xxx.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern .               129600  33%     525600
dns_nameservers 192.168.xxx.xxx 192.168.xxx.xxx

build an image

$ docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t squid:test .

run a container

$ docker run --rm squid:test squid --version | awk -F: '$1~/options/{print $2}' | sed -e 's/ /\n/g' | grep ssl
(result will be nothing)
$ docker run --rm -p 3128:3128 -v /mnt/squid:/var/spool/squid -d squid:test

test the address and port

$ curl -D - -s http://192.168.xxx.xxx:3128/ -o /dev/null

connecting to HTTP server

without proxy

$ curl -v -s http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme -o /dev/null
*   Trying 2001:df0:25e:e100::3...
* TCP_NODELAY set
* Connected to ftp.yz.yamagata-u.ac.jp (2001:df0:25e:e100::3) port 80 (#0)
> GET /pub/linux/centos/5.11/readme HTTP/1.1
> Host: ftp.yz.yamagata-u.ac.jp
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2021 00:59:01 GMT
< Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Mon, 03 Apr 2017 11:34:28 GMT
< ETag: "14b-54c418ac05900"
< Accept-Ranges: bytes
< Content-Length: 331
<
{ [331 bytes data]
* Connection #0 to host ftp.yz.yamagata-u.ac.jp left intact

with proxy

$ http_proxy=http://192.168.xxx.xxx:3128/ curl -v -s http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme -o /dev/null
* Uses proxy env variable http_proxy == 'http://192.168.xxx.xxx:3128/'
*   Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 3128 (#0)
> GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme HTTP/1.1
> Host: ftp.yz.yamagata-u.ac.jp
> User-Agent: curl/7.64.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2021 00:58:26 GMT
< Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k
< Last-Modified: Mon, 03 Apr 2017 11:34:28 GMT
< ETag: "14b-54c418ac05900"
< Accept-Ranges: bytes
< Content-Length: 331
< X-Cache: MISS from e3b21f81fdd2
< X-Cache-Lookup: MISS from e3b21f81fdd2:3128
< Via: 1.1 e3b21f81fdd2 (squid/4.6)
< Connection: keep-alive
<
{ [331 bytes data]
* Connection #0 to host 192.168.xxx.xxx left intact

when cache hit

< Age: 358
< X-Cache: HIT from e3b21f81fdd2
< X-Cache-Lookup: HIT from e3b21f81fdd2:3128

squid log

$ docker exec xxxxxxxxxxxx tail /var/log/squid/access.log
:
1623026732.001    265 192.168.xxx.xxx TCP_MISS/200 685 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_DIRECT/133.24.248.17 -
1623027089.025      0 192.168.xxx.xxx TCP_MEM_HIT/200 693 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_NONE/- -

connecting to HTTPS server

without proxy

$ curl -v -k -s https://www.google.com/ -o /dev/null 
*   Trying 142.250.196.132...
* TCP_NODELAY set
* Connected to www.google.com (142.250.196.132) port 443 (#0)
:

with proxy

$ https_proxy=http://192.168.xxx.xxx:3128/ curl -v -k -s https://www.google.com/ -o /dev/null 
* Uses proxy env variable https_proxy == 'http://192.168.xxx.xxx:3128/'
*   Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port xxxxx (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
:

squid log. The ssl connection is just tunneled.

$ sudo docker exec xxxxxxxxxxxx tail /var/log/squid/access.log
:
1622950724.481    170 192.168.xxx.xxx TCP_TUNNEL/200 18439 CONNECT www.google.com:443 - HIER_DIRECT/172.217.175.4 -

devpi-server is a server for private package indexes and PyPI caching.

build a docker container

make a dockerfile

FROM debian:buster-slim

ENV DEBIAN_FRONTEND noninteractive
RUN apt update && \
    apt install --no-install-recommends -y \
    python3-pip python3-pip python3-setuptools python3-dev build-essential libffi-dev && \
    pip3 install devpi-server

EXPOSE 3141
VOLUME ["/var/cache/devpi"]

CMD chmod 777 /var/cache/devpi && \
    devpi-server \
        --serverdir /var/cache/devpi \
        --host 0.0.0.0 --port 3141

build an image

$ sudo docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t devpi-server:buster-slim .
$ sudo docker tag devpi-server:buster-slim devpi-server:latest

run a container

$ sudo docker run --rm -d -p 3141:3141 -v /mnt/devpi:/var/cache/devpi devpi-server:latest

test the address and port

$ curl http://192.168.xxx.xxx:3141/

how to use devpi-server

specify it in a command line

$ pip3 install --trusted-host 192.168.xxx.xxx --index-url http://192.168.xxx.xxx:3141/root/pypi matplotlib

or

$ PIP_TRUSTED_HOST=192.168.xxx.xxx PIP_INDEX_URL=http://192.168.xxx.xxx:3141/root/pypi pip3 install matplotlib

for docker build, write below in a Dockerfile

ARG PIP_TRUSTED_HOST
ARG PIP_INDEX_URL

then specify devpi-server at build-arg parameter in docker run command line.

$ docker build --build-arg PIP_TRUSTED_HOST=192.168.xxx.xxx --build-arg PIP_INDEX_URL=http://192.168.xxx.xxx:3141/root/pypi -t imagename .

Install docker on Raspberry Pi OS (64bit) beta test version We can download the iso images from https://downloads.raspberrypi.org/raspios_arm64/images/

Also we can use torrent to download them

make a script to stop transmission when download finished (in this case, the script name is stop_torrent.sh)

sleep 10
kill $(ps -ef | grep transmission | grep -v grep | awk '{print $2}')

then start download

transmissIon-cli --download-dir (fullpath) --uplimit (kbps) --downlimit (kbps) --encryption-required --finish (fullpath)/stop_torrent.sh https://(fqdn)/(path)/(filename).torrent

How to install

$ curl -fsSL https://get.docker.com -o get-docker.sh
$ sudo sh get-docker.sh --dry-run
$ sudo sh get-docker.sh
$ systemctl is-active docker
$ systemctl is-enabled docker
$ sudo docker version

change the docker root directory where we store the images and containers.

$ sudo docker info | grep Root
$ sudo systemctl stop docker
$ sudo mv /var/lib/docker /path/to/
$ sudo ln -s /path/to/docker /var/lib/docker
$ sudo systemctl start docker
$ sudo docker run --rm hello-world

confirm the result

$ sudo docker run --rm -it alpine
/ #
/ # uptime
 03:17:44 up 1 day,  2:47,  load average: 0.02, 0.05, 0.01
/ #
/ # uname -a
Linux 4db177a44a14 5.4.42-v8+ #1319 SMP PREEMPT Wed May 20 14:18:56 BST 2020 aarch64 Linux
/ #
/ # free -m
              total        used        free      shared  buff/cache   available
Mem:           7816         315        6339           2        1161        7460
Swap:          8191           0        8191

install docker-compose

$ http_proxy=http://192.168.xxx.xxx:3142/ sudo -E apt install libffi-dev libssl-dev
$ sudo pip3 install docker-compose
$ pip3 show docker-compose
$ docker-compose version

commands of docker-compose

config # Validate and view the Compose file
ps # List containers
images # List images
build # (Re)Build services
create # Create services
up # Create and start containers
start # Start services
stop # Stop services
rm -f # Remove stopped containers
down # Stop and remove containers
version # Show version information
help # Show help messages

When update docker-compose.yml, no need to rebuild the image.

docker-compose up -d

When update Dockerfile or edit any source codes, need to rebuild the image.

docker-compose build
docker-compose up -d

Dockerfile

From centos:centos8

ARG VERSION=0.12.25
RUN yum install -y unzip python2-pip openssh-clients && \
    yum clean all && \
    curl -s https://releases.hashicorp.com/terraform/${VERSION}/terraform_${VERSION}_linux_amd64.zip -o terraform.zip && \
    unzip terraform.zip && \
    rm terraform.zip && \
    mv terraform /usr/local/bin && \
    pip2 install ansible boto boto3 awscli && \
    ln -s /usr/bin/python2.7 /usr/bin/python && \
    mkdir /tmp/terraform && \
    useradd -m docker

VOLUME ["/tmp/terraform"]
USER "docker"
WORKDIR "/tmp/terraform"
CMD ["/bin/bash"]

build an image

$ sudo docker build --build-arg VERSION=0.12.25 -t terraform:0.12.25 .
$ sudo docker tag terraform:0.12.25 terraform:latest

test the image

$ sudo docker run -v /mylocal/terraform:/tmp/terraform --rm -it terraform:latest terraform --version
$ sudo docker run -v /mylocal/terraform:/tmp/terraform --rm -it terraform:latest ansible --version
$ sudo docker run -v /mylocal/terraform:/tmp/terraform --rm -it terraform:latest bash

create variable file /mydir/credentials

AWS_ACCESS_KEY_ID=xxxx
AWS_SECRET_ACCESS_KEY=xxxx
AWS_DEFAULT_REGION=xxxx

create wrapper script infradeploy.sh

docker run -v /mylocal/terraform:/tmp/terraform --env-file /mydir/credentials --rm -it terraform:latest $*

test terraform and ansible work

$ sudo sh infradeploy.sh terraform show
$ sudo sh infradeploy.sh ./ec2.py --list
$ sudo sh infradeploy.sh ansible -i ec2.py -u admin ec2 -m ping --private-key id_rsa.mykey
$ sudo sh infradeploy.sh ansible-playbook --check -e @extravars.json playbook.yml

As described at this site we can use ec2.py and ec2.ini(optional) for dynamic inventory When I ran ec2.py I got ImportError: No module named ansible.module_utils in the case I installed ansible from ubuntu repository. It seems ansible should be installed with pip if you want to use ec2.py

playbook sample

- name: test playbook
  hosts: tag_Name_tagname
  remote_user: admin
  become: yes
  vars:
    ansible_ssh_private_key_file: "./id_rsa.mykey"
  tasks:
    - name: install some packages
      apt:
        name: ['make','screen']
        state: present
        install_recommends: no
      when: ansible_pkg_mgr == 'apt'
      tags: packages

    - name: create a directory
      file:
        path: /my/direcoty
        state: directory
        owner: admin
        mode: '0755'

$ sudo sh infradeploy.sh ansible-playbook --check --diff -i ec2.py playbook.yml
$ sudo sh infradeploy.sh ansible-playbook --diff -i ec2.py playbook.yml

make a dockerfile

$ cat Dockerfile
FROM debian:buster

RUN apt-get update \
&& apt-get install -y --no-install-recommends apt-cacher-ng \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

VOLUME ["/var/cache/apt-cacher-ng"]
EXPOSE 3142

CMD chmod 777 /var/cache/apt-cacher-ng \
&& /etc/init.d/apt-cacher-ng start \
&& tail -f /var/log/apt-cacher-ng/*

build an image

$ sudo docker build -t apt-cacher-ng:buster . | tee build.log
$ sudo docker tag apt-cacher-ng:buster apt-cacher-ng:latest

run a container

$ sudo docker run --rm -d -p 3142:3142 -v /mnt/apt-cacher-ng:/var/cache/apt-cacher-ng apt-cacher-ng:latest

test the address and port

$ curl 192.168.xxx.xxx:3142

how to use the cache server

specify it in a config file

$ cat << END | sudo tee /etc/apt/apt.conf.d/01proxy
> Acquire::http::Proxy "http://192.168.xxx.xxx:3142/";
> END

specify it in command line

$ http_proxy=http://192.168.xxx.xxx:3142/ sudo -E apt-get install xxxx

or

$ sudo su -
# http_proxy=http://192.168.xxx.xxx:3142/ apt-get install xxxx

for docker build

$ sudo docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t imagename:tagname . | tee build.log

ライフサイクルをざっと。

dockerデーモンの起動と動作確認。ubuntuの場合。

$ sudo service docker status
$ sudo service docker start
$ sudo docker run --rm hello-world

リポジトリに登録されているイメージを取得する。

$ sudo docker pull debian:latest
Pulling repository debian
6845b83c79fb: Download complete
575489a51992: Download complete
Status: Downloaded newer image for debian:latest
$ 
$ sudo docker images debian
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
debian              latest              6845b83c79fb        13 days ago         125.1 MB
$

コンテナを作成して実行。コンソール接続してbashを実行する例。

$ sudo docker run -it debian:latest /bin/bash
root@06e1a850e923:/# 
root@06e1a850e923:/# w
 22:20:47 up 29 days, 14:32,  0 users,  load average: 0.36, 0.29, 0.24
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root@06e1a850e923:/#
root@06e1a850e923:/# uname -a
Linux 06e1a850e923 3.13.0-63-generic #103-Ubuntu SMP Fri Aug 14 21:42:59 UTC 2015 x86_64 GNU/Linux
root@06e1a850e923:/#
root@06e1a850e923:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="https://bugs.debian.org/"
root@06e1a850e923:/#

コンソール接続したコンテナから一旦切断する例。

root@xxxxxxxxxxxx:/# [Ctl+p]-[Ctl+q]
$ 
$ sudo docker ps | grep debian
xxxxxxxxxxxx        debian:latest       "/bin/bash"         About a minute ago   Up About a minute                       berserk_mayer
$

再接続する例。

$ sudo docker attach xxxxxxxxxxxx
root@xxxxxxxxxxxx:/#

コンテナを終了する例。

root@06e1a850e923:/# exit
exit
$

終了したコンテナを再起動する例。

$ sudo docker ps -a | grep debian
xxxxxxxxxxxx        debian:latest            "/bin/bash"            13 minutes ago      Exited (0) 13 seconds ago                                          berserk_mayer
$
$ sudo docker start -i xxxxxxxxxxxx
root@xxxxxxxxxxxx:/# 
root@xxxxxxxxxxxx:/# exit
exit
$

コンテナの状態確認。

$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
$ 
$ sudo docker ps -a | grep debian
06e1a850e923        debian:latest            "/bin/bash"            2 minutes ago       Exited (0) 47 seconds ago                                      evil_kowalevski

$

copy file from/to docker container

$ sudo docker cp xxxxxxxxxxxx:/dirname/filename destination
$ sudo docker cp source xxxxxxxxxxxx:/dirname/filename

コンテナの削除。

$ sudo docker rm 06e1a850e923
06e1a850e923
$ 
$ sudo docker ps -a | grep debian
$

イメージの削除。

$ sudo docker rmi debian:latest
Untagged: debian:latest
Deleted: 6845b83c79fb642ed6af06cceaca042e155717ca8eb0b5cffa9c43f1f7f70348
Deleted: 575489a51992d5d30976ff5ba7f7eabdc134acfb51c79ff48883089009594e64
$
$ sudo docker images debian
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
$

dockerイメージの作成

$ mkdir project && cd project
$ 
$ vi Dockerfile
$ 
$ sudo docker build -t imagename:tagname . | tee build.log
$ 
$ sudo docker images imagename
$

When you want to use proxy, use --build-arg option like bellow

$ sudo docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t imagename:tagname . | tee build.log

When new image name is , then rename it as below

$ sudo docker tag xxxxxxxxxxxx imagename:tagname
$ 
$ sudo docker images imagename

不要なイメージの一括削除

sudo docker images | awk '$1~/<none>/ {print}'
sudo docker images | awk '$1~/<none>/ {print $3}' | xargs sudo docker rmi

使用するdockerfileの簡単な例。

From debian:latest
RUN apt-get update && apt-get install -y \
    screen \
    openssl \
    vim \
   make \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

2019/10追記

2020/1/31でのサービス終了が発表されました。すでに新規アカウントの申し込みは終了しています。 無料で使える範囲での活用方法を自分の中で見いだしたところでしたので、とても残念です。 大手サービスプロバイダなのに、2018/03 から始まったサービスが 2020/01 で終了してしまうというのは、あまりに早すぎると感じます。利用者が相当少なかったのでしょうか。

2018/04追記

2018/03下旬からサービスインとなっています。βテストの時との違いや気づいた点を記載します。

• 利用するには、アカウント作成(招待制)とクレジット情報の登録が必要です。 (無料のプランしか使う予定が無くてもクレジット情報が必要なようです。)
• 転送量は無料。当初の予告どおり、無料で使えるFreeプランもあります。 (Freeプランでは0.1vcpu、メインメモリ128MB、同時に作成しておけるコンテナは一つだけ、実行できるのも一つだけ。)
• ドメイン名にtokyoと入っていますが、自分が試したときはIPアドレスは大阪方面のものと判定されました。 (βを使い始めた頃は東京方面のアドレスと判定されましたが、以後どうなったのか確認してません)
• コントロールパネルのコンテナ作成画面は、利用するプランの選択肢がある以外は、βの時と同じに見えます。

自分にとって「東京(のアドレス)で(無料で)使えるサーバ」というのが、非常に価値が大きかったので、ちょっと残念な感じもあります。 いずれにせよ無料で使えるプランがあるのはありがたいですので、 いろいろ制限がある中、どんなことがどこまでできるのか、試してみたいと思ってます。

2017/08追記

2017/07末をもってβテストが終わりました。そのまま正式サービスに移行するのではなく、一旦サービスを止めたようです。 正式サービスの開始時期は今のところ未定とのことです。

追記ここまで。

arukasは、コンテナ技術のdockerを利用したホスティングサービスです。

逆から読むと、sakura。さくらのVPSでおなじみの、さくらインターネットのサービスです。 無料で利用することができるオープンβテストが4月末ごろから9月末までの予定で行われており、間もなく正式リリースとなるものと思われます。 正式リリースした後も無料で利用できるプランが設定されるようです。

arukasでは、Docker Hubのパブリックレポジトリにアップロードされたコンテナを登録して、起動することができます。 Docker Hubには沢山のレポジトリが登録されていますが、自分で作成・登録することもできます。 無いものは自分で作ってしまえばいいので、実際には、どんなコンテナでも動かすことができます。

dockerの利点は、コンテナの作成・起動・終了・削除が迅速にできることで、これはそのままarukasにも当てはまります。 ベータテストのためなのか、以下の制限があります。

• データ永続化の仕組みがないので、再起動するとデータが消える。
• 定期的(週に一度くらい?)に再起動される。

そのため永続的に使いたいデータは、外部に置く必要があります。 正式リリース後には変更される可能性もあるかもしれません。

URLとポートを指定すれば、起動したコンテナに外部から接続することができます。この場合は通信プロトコルはhttp(s)に限りません。

同じ内容のものを複数のコンテナで動かすことができますが、この場合、エンドポイントという与えられたurlにhttps接続することで、各コンテナにロードバランスして接続させることができます。(バランスさせるアルゴリズムなどは公開されていないようです。) この時、tlsにより通信内容は暗号化されます。自分で証明書を準備する必要がありません。ただし、プロトコルはhttpに限られます。