Thank you for contacting us. We will get back to you shortly.
February 19, 2015 - by Casey Bisson
As a developer, Dockerizing an app is a convenient way of ensuring the software runs the same way everywhere it's used. People who are already using Docker need no introduction, but for those not familiar with Docker, let me say that it's a great way to run software without worrying about the complexity of installing it or the frustrations of how it works in different environments. It's especially convenient on a laptop with Boot2docker.
Our customers have been running Docker containers on VMs in the Joyent cloud since Docker's earliest days, but to make it even easier we launched our turnkey Docker container service in late 2014. To experience the ease and power of running Docker containers on the Joyent cloud, simply follow the steps below.
Update: we introduced the Triton Elastic Container Service, our high-performance, container-native Docker offering in March. This post is specific to our first-generation offering and there are a number of differences between the two.
Docker hosts launched in the Joyent cloud are preconfigured for secure remote access to the Docker API. If you haven't already created a Docker host, please do so, as the following all assume you've got one or more.
dockercommand in client mode to connect to the remote docker host.
Joyent generates the keys and securely stores them in Manta, the Joyent object store. I'm showing three different ways to get the keys to demonstrate different ways of using the Manta CLI tools:
mget -O ~~/stor/.joyent/docker/ca.pem mget -O ~~/stor/.joyent/docker/cert.pem mget -O ~~/stor/.joyent/docker/key.pem
*.pemkeys at once
mfind -t o -n '.pem$' ~~/stor/.joyent/docker | xargs -L 1 mget -O
The problem with this method is that it downloads three keys we need and three keys we don't.
mfind -t o -n '^(ca|cert|key)\.pem$' ~~/stor/.joyent/docker | xargs -L 1 mget -O
The Manta CLI utilities reference is the place to look for more background of the
mfind commands used above.
export DOCKER_CERT_PATH=. unset DOCKER_TLS_VERIFY
Those variables will temporarily replace any existing environment variables set by
boot2docker or in your
Again, there are a few ways of doing this. The following three introduce both the portal GUI and the API CLI tools.
The public IP for each Docker host is shown in the Joyent client portal.
sdc-listmachines -u https://us-east-1.api.joyentcloud.com --tag JPC_tag=DockerHost
-u https://us-east-1.api.joyentcloud.com with the URL to the (datacenter|availability zone) with one or more Docker hosts.
sdc-listmachines's output to
json will give us just the information we need in a more human-readable form.
sdc-listmachines -u https://us-east-1.api.joyentcloud.com --tag JPC_tag=DockerHost | json -a id name primaryIp
The CloudAPI docs explain the whole range of API methods available.
Let's test what we've got so far.
docker -H tcp://220.127.116.11:4243 --tls info docker -H tcp://18.104.22.168:4243 --tls ps -a
Replace the IP number in
-H tcp://22.214.171.124:4243 with the IP of your Docker host. Joyent runs the daemon on port
docker -H tcp://126.96.36.199:4243 --tls run busybox echo "Ahoy Matey"
If you get the following error when trying to connect to the Docker daemon, you'll need to upgrade the Docker host.
FATA Error response from daemon: client and server don't have same version (client : 1.16, server: 1.15)
You can destroy the Docker host and create a new one, or upgrade using the following commands.
First, ssh into the Docker host
Once logged in, let's upgrade:
sudo apt-get install lxc-docker-1.4.1
With that done you can carry on with the tests outlined above.
Docker containers aren't all test and no production. One of my favorites is OpenVPN, containerized and originally documented by Docker's own Jérôme Petazzoni.
OpenVPN is a good solution for securely tunneling communications through unknown and possibly insecure networks. Take a look at the Wikipedia entry for more details about the software and JÃ©rÃ´me's for more details of how he containerized it.
The following command will start the container and set the container ID in a variable.
DCID=$(docker -H tcp://188.8.131.52:4243 --tls run -d --privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
Eagle-eyed readers will spot the
$DCID var in the next command.
Rather than document how to construct a client configuration file, the container includes a feature to generate the file. Use the following
docker run command as the first step:
CCID=$(docker -H tcp://184.108.40.206:4243 --tls run -p 8080:8080 --volumes-from $DCID jpetazzo/openvpn serveconfig)
The above command will echo out a URL. Visit that URL in a web browser or use
curl to download the configuration, then use that with client app to improve network security when surfing from coffee shops.
Once you've downloaded the client config file, be sure to kill and remove the container you used to generate it:
docker -H tcp://220.127.116.11:4243 --tls rm -f $CCID
If you don't delete that container, others could find the URL, download the config, and use your shiny new VPN or VPN keys. That's probably not the security you're looking for.
The VPN doesn't do much until you connect a client to it. I'm an especially big fan of the iOS app, which I run pretty much constantly as a prophylactic against shady WiFi and snooping by the access provider. The little VPN badge in my phone's status bar makes me happy: