Imagine you are heading Project X in your friend's start-up. Your team has 5 people and you sat up yesterday, night to build the application, and it's finally done and running within your docker container. Your teammates come to work today, and you want them to be able to run it too, but they seem to be running into all kinds of dependency problems. You're frustrated because this background work takes too much of your time, and the release is next week. What can you do?

You finally came up with a solution - docker-in-docker!

This is not the only situation where it helps; there are many other situations too, where you might need docker-in-docker; a few are:

• Testing: You can ensure everything works by testing your application and its dependencies within a container. Then, you can save the configuration as an image that can be used by other team members or even deployed to production.
• Running CI/CD tools like Jenkins.

Requirements:

• A running container with docker installed in it (Method-1)
• Access to host docker.sock (Method-2)
  • Attach a volume: /var/run/docker.sock:/var/run/docker.sock

Method-1 (Docker-in-Docker with Docker installed)

Step-1

Run the particular container and make sure it has docker installed. For the sake of simplicity, I am using the official Docker image here.

docker run -it --name build-container docker sh

Here,

• t allocates a tty
• i keeps it interactive

Step-2

Import your code. I am using this sample crypto price monitor react app for this post.

Source Code: https://github.com/thejungwon/docker-reactjs

git clone https://github.com/thejungwon/docker-reactjs
cd docker-reactjs
docker build -t docker-reactjs:latest .

Step-3

Once the image building finishes, you can export it as a tar file.

docker save docker-reactjs:latest > /tmp/docker-reactjs.tar

Step-4

Now exit out of the container and run the docker cp command for copying the tar image file.

exit
docker cp build-container:/tmp/docker-reactjs.tar .

Step-5

Now import the image from the tar file using docker load command.

docker load -i docker-reactjs.tar

After loading the image, you can run the container as usual.

docker run docker-reactjs:latest

Method-2 (Docker-in-Docker using Host's /var/run/docker.sock)

Step-1

Make sure you can make requests to the socket. Run the following command in the host machine to check that.

curl --unix-socket /var/run/docker.sock http://localhost/version

Here, --unix-socket helps you connect through the Unix domain socket (HTTP).

Step-2

To run docker inside docker attach the socket as a volume to the container.  For example:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
    -ti docker

Here,

• -v represents volume
• t allocates a tty
• i keeps it interactive

Now you can run docker commands inside the container which will run on the host machine.

Step-3

After running the previous command, you should be inside the container. Once inside, you can run docker commands which run on host machine.

docker run hello-world

Let's try it out with a custom image. Create a Dockerfile with the following content in it.

FROM node:20-slim

LABEL maintainer="AmreshSinha <AmreshSinha@users.noreply.github.com>"

WORKDIR /usr/node
WORKDIR app

RUN pwd

# command executable and version
ENTRYPOINT ["node"]

Now build the app.

docker build -t test-image .

Conclusion

There are many more ways to go the docker-in-docker road other than the methods we discussed above. For example, dind or using another runtime like sysbox runtime for better security, etc.

We will discuss them in future posts. Till then... 👋

Ghost is a very popular open-source CMS. It is a great alternative to WordPress and Substack because its easy-to-use and also has several membership options. One can easily start a blog or a membership-based newsletter with a few clicks from the Ghost admin dashboard.

There are many managed Ghost hosting providers out there which manage the hosting, backup, SMTP and other backend stuff for you. But it may not be very budget-friendly for everyone.

In this small post, we are going to self-host our Ghost blog with Mysql in Docker and reverse proxy it using Traefik.

Prerequisites

• A domain name for your blog. Try to go with .com and make sure it's professional and suits your needs.
• (Optional) An SMTP service for setting up email and newsletter. You can try Mailgun as recommended by Ghost (Not free).
• A server with Docker and Traefik installed.

Simplify your deployment with Traefik - A comprehensive walk-through

Deploying docker containers, managing routes, generating TLS certificates, and load balancing can be a hassle sometimes. It may become more difficult to manage all the stuff if you want to run multiple docker containers on the same host!

FossianAmresh Sinha

Step 1: Creating Config files for Ghost

Create a directory for storing our docker-compose.yml file and create a sub-directory blog for storing Ghost configuration file as well as a directory content under blog for storing images and logging info.

mkdir -p ghost-blog/blog/content && \
  cd ghost-blog && \
  touch ./blog/config.production.json && \
  nano ./docker-compose.yml

This should be the final tree:

├── ghost-blog
│   ├── docker-compose.yml
│   └── blog
│       ├── config.production.json
│       └── content
 

version: '3.7'

services:
  ghost:
    image: ghost:5.2.3
    restart: always
    depends_on:
      - db
    environment:
      NODE_ENV: production
    networks:
      - default
      - web
    volumes:
      - ./blog/content:/var/lib/ghost/content
      - ./blog/config.production.json:/var/lib/ghost/config.production.json
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.http.routers.ghost-secure.entrypoints=websecure"
      - "traefik.http.routers.ghost-secure.rule=Host(`fossian.com`)"
      - "traefik.http.routers.ghost-secure.service=ghost-service"
      - "traefik.http.services.ghost-service.loadbalancer.server.port=2368"

  db:
    image: mysql:oracle
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: your_mysql_root_password
      MYSQL_USER: ghost
      MYSQL_PASSWORD: ghostdbpass
      MYSQL_DATABASE: ghostdb
    networks:
      - default
    volumes:
      - ./data:/var/lib/mysql
      
networks:
  web:
    external: true

Don't forget to change fossian.com to your domain on line 21. Also, change the database user and passwords under db service (line 29 - 32).

Now edit the main Ghost configuration file config.production.json.

nano ./blog/config.production.json

 {
  "url": "https://fossian.com",
  "server": {
    "port": 2368,
    "host": "0.0.0.0"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "db",
      "port": 3306,
      "user": "ghost",
      "password": "ghostdbpass",
      "database": "ghostdb"
    }
  },
  "mail": {
    "transport": "SMTP",
    "options": {
      "service": "Mailgun",
      "auth": {
      	"user": "postmaster@example.mailgun.org",
      	"pass": "1234567890"
      }
    }
  },
  "logging": {
    "path": "/var/lib/ghost/content/logs/",
    "level": "info",
    "rotation": {
      "enabled": true,
      "count": 15,
      "period": "1d"
    },
    "transports": ["stdout", "file"]
  },
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  }
}

• Change the URL on line 2 to your Ghost blog URL.
• Change the database credentials according to what you filled in docker-compose.yml (line 12 - 14).
• If you want to enable Membership and Newsletter functionality then make sure you have an SMTP server. I recommend using mailgun as it supports the bulk transfer feature. Change the SMTP credentials on lines 18 to 25 to yours.
  If you don't want to enable it then simply change it as shown below.

"mail": {
    "transport": "Direct",
},

You can check out Ghost's official Configuration page for more info.

Step 2: Deploying

After setting up everything, simply use docker-compose  to deploy your Ghost blog.

docker-compose up -d

That's it! You have a fully functional Ghost blog running in Docker and proxying with Traefik. Make sure to log in to your admin dashboard at https://yourdomain.tld/ghost.

Feel free to comment below if you have any issues regarding the installation!

Deploying docker containers, managing routes, generating TLS certificates, and load balancing can be a hassle sometimes. It may become more difficult to manage all of this if you want to run multiple docker containers on the same host!

Solution? For running multiple services on the same host you can use a reverse proxy. A reverse proxy is a service running on your host machine which maps each public request to its corresponding backend service running on the same host. There are many reverse proxies out there. One of which is Traefik!

Traefik

Traefik is an open-source router which takes care of reverse proxying requests, load balancing, TLS certificate generation (let's encrypt), etc. It supports HTTP, HTTP/2, TCP, UDP, Websockets, and gRPC protocols. It also has a clean and modern dashboard for monitoring. And adding to all these, it is way easier to use as compared to Nginx!

For more details: https://traefik.io/traefik/

In this post, I will guide you through setting up Traefik 2 and running a simple example Node.js app.

Prerequisites

For the sake of this post, I am going to use a VM instance from Oracle Cloud free tier (2 vCPU arm64, 8GB ram, Ubuntu 22.04). You are free to use whatever host you want.

Requirements:

• A Linux server with Docker installed. Having at least 2 GB of RAM will be better for running multiple containers. Though you can run it on an even smaller server.
• docker-compose should also be installed.
• A domain name with a wildcard record pointing towards your server IP
  Here is a sample DNS record which you can use to set up for your domain.

This will make *.example.com available for Traefik. This means you can route your apps and services with names like blog.example.com, forum.example.com, dashboard.example.com, etc.

If you don't want to make a wildcard record for the main domain name but instead for a subdomain then you can change the value under Name to *.subdomain . This will result in names like xyz.subdomain.example.com, dashboard.subdomain.example.com, etc.

Step-1

Before going any further we need to update our system.

sudo apt-get update

Now, you can install docker and docker-compose.

sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release && \
    sudo mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    sudo apt-get update && \
    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-compose && \
    sudo groupadd docker || sudo usermod -aG docker $USER && \
    newgrp docker && \
    sudo systemctl enable docker.service && sudo systemctl enable containerd.service

(I have munched up all the commands in one single just to save some time. It even includes some post-installation steps)

Verify your docker installation by running the famous hello-world image

docker run hello-world

Step-2

Let's start with Traefik. Create a data folder for storing Traefik configuration file traefik.yml, acme.json for storing certificates and a configurations folder for storing dynamic configurations file dynamic.yml.

mkdir -p data/configurations && \
  touch data/traefik.yml && \
  touch data/acme.json && \
  touch data/configurations/dynamic.yml && \
  chmod 600 data/acme.json

Now create a docker-compose.yml for Traefik.

nano docker-compose.yml

and add the following lines to docker-compose.yml

Replace traefik.yourdomain on line 25 with your dashboard URL.
Example: traefik.fossian.com or dash.fossian.com

version: '3.7'

services:
  traefik:
    image: traefik:v2.7
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/configurations:/configurations
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  web:
    external: true

There's a lot of stuff going on here so let's understand some part of it.

We have passed no-new-privileges as true to avoid container processes from gaining additional privileges.

We have added docker.sock file in volumes so that Traefik can listen to all the changes happening to the containers. We have also added our configuration file traefik.yml and acme.json. We also added the path to our dynamic configuration file.

We have also set the network to web.

Then comes the labels. We have defined traefik.docker.network to web. We have defined entrypoint to websecure which listens on port 443. Then we have defined a rule for our Traefik dashboard.

Now let's edit Traefik configuration file traefik.yml.

nano ./data/traefik.yml

and add the following to it

Replace admin@yourdomain on lines 34 and 42 with your personal or website email. It will be used by Let's Encrypt to notify you regarding the expiration of TLS certificates. Nonetheless, you don't have to worry about regenerating certificates as Traefik will do it for you automatically.

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
        - nofloc@file
      tls:
        certResolver: letsencrypt

pilot:
  dashboard: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web

  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: web

Now edit dynamic.yml

nano ./data/configurations/dynamic.yml

and add the following to it

http:
  middlewares:
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: "interest-cohort=()"
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000   
        
    # Generate yours using htpasswd
    # UserName : admin
    # Password : fossian    
    user-auth:
      basicAuth:
        users:
          # Generate using "htpasswd -nb admin secure_password"
          - "admin:$apr1$B5scLRiX$ivpndRS3XuqZ05oaDgHql0"

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

To change the password install htpasswd which is a part of apache2-utils package.

sudo apt-get install apache2-utils

Then run this (make sure you replace secure_password with your password)

htpasswd -nb admin secure_password

This will return you something like this: admin:$apr1$L0VB4It1$Yx4tfFO26W68ikz/6VZOG1

You can now replace the old one (line 22) with your newly generated one.

Step-3

Now all the things are set. Just one more thing to do before running your shiny Traefik container, i.e., Creating the docker network web which we provided in the docker-compose.yml.

First, check if the network web is there or not.

docker network ls

If there is a network named web then you can skip the below command otherwise run it to make one.

docker network create web

When we will run other containers we can add them to this network so that Traefik can proxy them.

Now everything is set.

Run the Traefik container using docker-compose

docker-compose up -d

If everything goes well you can access your Traefik dashboard at traefik.yourdomain or the URL which you added in place of that.

There you have your own reverse proxy setup and running.

After setting Traefik, adding new docker containers is easy. You just have to define some labels and you are good to go.

Step-4: Hosting a node.js express webapp

We are going to deploy a simple node.js express web app.
Github: https://github.com/fossian-com/sample-webapp-nodejs

First, clone it to your server.

git clone https://github.com/fossian-com/sample-webapp-nodejs

Now, cd into the directory sample-webapp-nodejs and create a docker-compose.yml file.

cd sample-webapp-nodejs && nano docker-compose.yml

and add the following

Make sure you replace nodeapp.yourdomain at line 21 with the URL you want.
Example: nodeapp.fossian.com or express.fossian.com

version: '3'

services:
  nodejsapp:
    # image: image-name:tag
    build: .
    container_name: sample-webapp-nodejs
    environment:
      PORT: 8080
    networks:
      - web
    restart: always
    labels:
      # Allow Traefik to access the container
      - "traefik.enable=true"
      # Tells Traefik to look in web to find the internal IP of the container
      - "traefik.docker.network=web"
      # Entrypoints to websecure i.e., port 443
      - "traefik.http.routers.ghost-secure.entrypoints=websecure"
      # Rule for the url for webapp container
      - "traefik.http.routers.ghost-secure.rule=Host(`nodeapp.yourdomain`)"

networks:
  web:
    external: true

Now simply run

docker-compose up -d

and after successful deployment access your app at nodeapp.yourdomain or the URL which you provided.

You can also see on your Traefik dashboard that a new route has been added.

If you plan to run a full-fledge Nodejs app with database support then make sure you add a db service in docker-compose under the same network with the Nodejs app.

For example:

version: '3'

services:
  db:
    image: mariadb
    container_name: webapp-db
    volumes:
      - db-data:/var/lib/mysql
    networks:
      # For accepting communication from the webapp
      - default
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: db
      MYSQL_USER: dbuser
      MYSQL_PASSWORD: dbpassword

  nodejsapp:
    depends_on:
      - db
    # image: image-name:tag
    build: .
    container_name: sample-webapp-nodejs
    environment:
      PORT: 8080
      DB_HOST: db:3306
      DB_NAME: db
      DB_USER: dbuser
      DB_PASSWORD: dbpassword
    networks:
      # For communicating with the db
      - default
      - web
    restart: always
    labels:
      # Allow Traefik to access the container
      - "traefik.enable=true"
      # Tells Traefik to look in web to find the internal IP of the container
      - "traefik.docker.network=web"
      # Entrypoints to websecure i.e., port 443
      - "traefik.http.routers.ghost-secure.entrypoints=websecure"
      # Rule for the url for webapp container
      - "traefik.http.routers.ghost-secure.rule=Host(`nodeapp.yourdomain`)"

volumes:
  db-data:
    # Naming the database volume
    name: nodejs-webapp-db-data
networks:
  web:
    external: true

Conclusion

In this tutorial, we installed Traefik, ran a simple web app container and learnt how to reverse proxy it with Traefik using a few lines of code.

You could have done the same with Nginx but it wouldn't be this easy! Traefik handles everything on its own and you don't have to restart it every time you deploy or make any changes to any running container. With just a few lines in docker-compose.yml, we were able to reverse proxy the web app and even secure it with a TLS certificate.

You can learn more about Traefik here: Traefik Proxy Documentation.