Using Docker Compose with MySQL/ WordPress

The following Docker Compose file can be used to create persistent MySQL and WordPress instances. Save the compose file in its own directory on your Docker host and start the project using the command:

docker-compose up -d

The WordPress environment will be available on http://<IP address of Docker Host>:8082 – the published port can be changed by modifying the compose file.

Compose file – note you will need to provide secure MySQL and WordPress DB passwords:

version: '2'

services:
  wp-mysql:
    image: mysql:latest
    volumes:
      - wp_mysql:/var/lib/mysql
    ports:
      # Publishes MySQL on the Docker host's interfaces. WordPress reaches the
      # database over the compose network, so this mapping is only needed if an
      # external client must connect to MySQL directly.
      - "3306:3306"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "<mysql_root_password>"
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: "<wordpressdb_password>"

  wp-wordpress:
    depends_on:
      - wp-mysql
    image: wordpress:latest
    volumes:
      - wp_data:/var/www/html/wp-content
    ports:
      - "8082:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: wp-mysql:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: "<wordpressdb_password_as_above>"

volumes:
  wp_mysql:
  wp_data:

To stop the containers brought up by compose relating to this project:

docker-compose down

To stop the containers and clean up their volumes (losing the data contained within them):

docker-compose down --volumes

Installing Docker CE on Ubuntu 16.04.3 LTS / 17.10

Use the commands below to install Docker CE and enable “br_netfilter” (the bridge netfilter module) so that ICC (inter-container communication) filtering functions as expected on Ubuntu 16.04.3 LTS and 17.10:

# Install and configure Docker CE
sudo apt-get update
sudo apt-get install \
 linux-image-extra-$(uname -r) \
 linux-image-extra-virtual

sudo apt-get install \
 apt-transport-https \
 ca-certificates \
 curl \
 software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository \
 "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
 $(lsb_release -cs) \
 stable"

sudo apt-get update
sudo apt-get install docker-ce
sudo systemctl enable docker


# Enable br_netfilter/ iptables filtering on Docker bridge interfaces

# Load the module on every boot (/etc/modules-load.d/bridge.conf)
echo "br_netfilter" | sudo tee /etc/modules-load.d/bridge.conf

# Load it now: the net.bridge.* sysctl keys below only exist once the module is loaded
sudo modprobe br_netfilter

# Persist the bridge netfilter settings (/etc/sysctl.d/bridge.conf)
sudo tee /etc/sysctl.d/bridge.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
EOF

# Apply the settings to the running kernel
sudo sysctl net.bridge.bridge-nf-call-iptables=1
sudo sysctl net.bridge.bridge-nf-call-ip6tables=1
sudo sysctl net.bridge.bridge-nf-call-arptables=1

sudo systemctl restart docker
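An added check, not from the original post, that audits the br_netfilter setup configured above on both the running kernel and the files that make it survive a reboot. The optional root-prefix argument is an assumption of this script so it can be pointed at a constructed directory tree; with no argument it inspects the live host.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that br_netfilter is
# loaded, that bridge-nf-call-* filtering is enabled, and that both settings
# are persisted. The optional argument is a root prefix (an assumption of this
# script) so the check can run against a constructed tree instead of the host.

check_bridge_nf() {
  root="${1:-}"    # empty = the live host
  rc=0
  # 1. Runtime state: these keys only exist once br_netfilter is loaded, so a
  #    missing file means the module is not loaded (sysctl would fail as well).
  for key in iptables ip6tables arptables; do
    f="$root/proc/sys/net/bridge/bridge-nf-call-$key"
    if [ ! -r "$f" ]; then
      echo "MISSING        $f (br_netfilter not loaded?)"
      rc=1
    elif [ "$(cat "$f")" != "1" ]; then
      echo "DISABLED       bridge-nf-call-$key is $(cat "$f"), expected 1"
      rc=1
    fi
  done
  # 2. Module persistence: br_netfilter must be listed in /etc/modules-load.d
  if ! grep -qs '^br_netfilter[[:space:]]*$' "$root"/etc/modules-load.d/*.conf; then
    echo "NOT PERSISTED  br_netfilter not listed in /etc/modules-load.d"
    rc=1
  fi
  # 3. Sysctl persistence: each key must be set to 1 in /etc/sysctl.d
  for key in iptables ip6tables arptables; do
    if ! grep -qsE "^net\.bridge\.bridge-nf-call-$key *= *1[[:space:]]*$" \
         "$root"/etc/sysctl.d/*.conf; then
      echo "NOT PERSISTED  net.bridge.bridge-nf-call-$key not set in /etc/sysctl.d"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK             br_netfilter loaded, enabled and persisted"
  return $rc
}
```

Run `check_bridge_nf` with no argument on the Docker host after the steps above; a non-zero exit status means at least one item is missing or disabled.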

Docker Container Network Isolation

TL;DR: when testing Docker with “--icc=false” on Ubuntu Server 16.04.3 I found that br_netfilter was required but not configured by default. Even when enabled, I found that the Docker Host physical network was not protected against container breakout. Testing with IP Masquerade disabled addressed Docker Host physical network security, however, with ICC and IP Masquerade disabled it was just as “easy” to manage the environment with “--iptables=false” and a firewall script.

I recently ran through an exercise where I was testing Docker Container Network Isolation in a lab environment – this involved reviewing the impact of disabling ICC, IP Masquerade and Docker’s interaction with iptables itself. The scenarios I was trying to provide isolation for are as follows:

  • Docker Container access to Docker Containers within the same Docker network
  • Docker Container access to other Docker Containers in different Docker network
  • Docker Container access to Docker host
  • Docker Container access to Docker host physical network/ other hosts
