Docker - Apache, PHP and MySQL setup

Here we will be doing an installation of the development/production environment of PHP and MySQL using Docker under Ubuntu. Here is a full video on the subject:

For more information, you can check the Docker for web developers course.

First, we will install docker and docker-compose:  

sudo apt install docker docker-compose

Then we will create docker group and place our user inside(to be able to use the docker command without sudo): 

sudo groupadd docker && sudo usermod -aG docker $USER

 
Now we either exit and re-run the terminal or type: 

newgrp docker

to switch our group.

Let's check the current images we are having: from docker image ls. We can test if docker's installation is successful with: 

docker run hello-world

 
Keep in mind that we can check what images we have in our system via:  

docker image ls

and our containers via 

docker container ls

With docker 

rmi hello-world: latest

we will remove the just installed image, but only if it is empty.
 

Let's check once again  

docker container ls -a

which will list all the images: running or not. We see our image is placed inside a container.

As a rule: if we want to remove an image, first we have to remove its container.
So we look up the container name. It is usually assigned by docker and in our case is: relaxed_cray and then we type 

docker container rm relaxed_cray

Now we can remove the image with 

docker rmi hello-world:latest

Setting up the PHP development environment
We will make a directory web_dev : 

mkdir web_dev

and will go inside:  

cd web_dev

Then we will create docker-compose file with: 

nano docker-compose.yml

Inside we will place the following config:
Keep in mind that for the indentations we are using 2 spaces! 

services:
  web:
       image: php:8.1-apache
        container_name: php81
        volumes:
           - ./php:/var/www/html/
        ports:
          - 8008:80

Short explanation: under volumes: we are specifying which local directory will be connected with the container directory. So whenever we are changing something local, the container will reflect and display the changes. For the ports: when we open/browse local port 8008 (127.0.0.1:8008) docker will redirect us to the 80 port of the docker container (achieved via port forwarding).
For the PHP image, you can choose whatever image you prefer from hub.docker.com
Next run: docker-compose up. This will read the docker-compose file and create a container by loading up different parts/layers of the packages, later will create a default network for our container and will load up the already provided PHP image.
The installation is ready, but if you want to display practical information, you have to create index.php file inside the newly created local PHP directory (storing our PHP files)
First, it is good to change the ownership of the directory with:

sudo chown your_user:your_user php/ -R

Then with

sudo nano index.php

we can type inside:

<?php 

echo "Hello from docker";

?> 

Then again run docker-compose up. Also, try changing the .php file again and refresh the browser pointing to 127.0.0.0:8008

MYSQL support
let's create a new file Dockerfile, inside the PHP directory. Place inside:

FROM php:8.1-apache

RUN apt-get update && apt-get upgrade -y RUN docker-php-ext-install mysqli

EXPOSE 80

This will base our MySQL on the PHP image, that we already have, update the container system, run  specific docker extensions supporting MySQL from within PHP and expose 80-port

Next, we will customize the docker-compose.yml :
We will replace the line: image: PHP
with

buid:

  context: ./php

  dockerfile: Dockerfile 

This will read the docker file which we have set previously and create web service out of it.

Now we will be building the MySQL service:

db:

  container_name: mysql8

  image: mysql:latest

  command: --default-authentication-plugin=mysql_native_password

  restart: always

  environment:

    MYSQL_ROOT_PASSWORD: root

    MYSQL_DATABASE: test_db

    MYSQL_USER: devuser

    MYSQL_PASSWORD: devpass

   ports:

       - 6033:3306

Notes: We are using default authentication for MySQL in order to be able to login to the MySQL database, then docker is hardcoding mysql_user, mysql_password and mysql_database with: deuser, devpass, and test_db, and is exposing externally port 6033 for the MySQL service.

One last change: we would like first start the MySQL then the DB service, so we will add to the web service config:

depends_on:

  - db

To test the PHP-MySQL connection inside of our index.php file we can specify:

$host = 'db';  //the name of the mysql service inside the docker file.

$user = 'devuser';

$password = 'devpass';

$db = 'test_db';

$conn = new mysqli($host,$user,$password,$db){

 if($conn->connect_error){

  echo 'connection failed'. $conn->connect_error;

}

echo 'successfully connected to MYSQL';

}

If you experiencing problems you can remove the several images already created:

docker image ls -a 

docker rmi image ...fill here image names...

then run again docker-compose up and browse: 127.0.0.1:8008

Cheers and enjoy learning further.

Install Docker on Ubuntu 19.04 and 19.10

Here is how you can install Docker on Ubuntu 19.04

(part of the Docker course)


Video of the installation:

Steps:
1. Update the latest version of your repository and install additional packages for the secure transport of apt

sudo apt update && sudo apt install \ apt-transport-https \ ca-certificates \ curl \ gnupg-agent \ software-properties-common

2. Fetch and add docker's gpg key

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

3. Add the docker's repository (specific for our Ubuntu version) to our local repository

sudo add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable"

Note: if you are running an unsupported Ubuntu release you can replace the string: $(lsb_release -cs) with the supported versions such as: disco


4. update again the local repository and install the latest docker version (community edition)

sudo apt update  && sudo apt install docker-ce docker-ce-cli containerd.io

5. Test the installation by fetching and running test image:

sudo docker run hello-world

For more information, you can visit: https://docs.docker.com/install/linux/docker-ce/ubuntu/

Notes:
1. when having problems with the socket docker binds on you can allow your user to be owner of the socket: sudo chown $USER:docker /var/run/docker.sock

2. If you want to run docker without sudo, just add docker group to the users with: usermod -aG docker $USER

and change the current running group with: newgrp docker
or su ${USER}

3. If you get: ERROR: Couldn't connect to Docker daemon at http+docker://localhost - is it running?
check out the docker service status: sudo systemctl status docker
if it is stopped and masked: Loaded: masked (Reason: Unit docker.service is masked.) then you need to unmask the service: sudo systemctl unmask docker
then again start the docker service: sudo systemctl start docker 
until you see sudo systemctl status docker: Active: active (running)

Congratulations, and you can further explore the Docker for web developers course.

Ubuntu 19.04 & 19.10 firewall examples

In order to offer more than one service from a single IP address, Linux uses the notion of PORTS. For example, 80 is the common name of port for HTTP, 21 - FTP, 443 - ssh. Users can connect to services by typing the service IP address and its specific port number. Firewalls help us to open and close ports for specific IP addresses or whole network subnets. This is suitable when we want certain IP addresses to have access to our server while its default access to stay restricted.
For video information on firewalls, you can check this course.

In ubuntu, the firewall wrapper is named uncomplicated firewall or in short "ufw". It is installed in Ubuntu by default but is not active. We can check the status of ufw with: "status". If we want to completely isolate access to our machine we could use: "default deny incoming", while: "default allow outgoing" will allow packets to exit our machine. Keep in mind that in order for them to work, we have to activate those rules by typing: "enable". Next, we can explicitly: "reject out ssh" and then "delete reject out ssh".
Hint: If we are unsure of our actions we can always type: "reset" to empty the firewall rules. To deactivate the firewall please use "disable".

Since we are already connected with SSH, if we enable the firewall we will lose our connection so let's allow the forwarded port 22/tcp by typing: sudo ufw allow 22/tcp and run: sudo ufw enable.
We can actually show rules with numbers: status numbered, and to delete a rule we use: "delete rule_number". In order to insert a rule at a particular place, we use: "insert 1 your_rule".

Here are some commonly used service names: secure shell: ssh, mail: smtp, web server: http, https, SAMBA/File sharing: 139/tcp, 445/tcp. Not common service names are hard to remember, so here is a trick: ufw reads from /etc/services. When certain service is installed in order to communicate with the outside word it could modify the firewall rules by adding its own rules. In such cases with "app list" we can see all the installed service /application profiles and "app info 'SSH'" will dig us deeper into what ports certain application profile allows.

Lets' see the following examples on practical usage of the firewall:

//deny all incoming connections from 10.0.0.1 to interface eth0
deny in on eth0 from 10.0.0.1

// limit ssh access of specific IP address
deny proto tcp from 10.0.0.1 to any port 22

// limit a whole subnet
allow from 10.0.0.0/24 to any port 22

// allow ssh access only to IP: 10.0.0.1
allow proto tcp from any to 10.0.0.1 port 22

// deny outgoing SMTP traffic
deny out 25

// allow connections on eth1 interface to MySQL
allow in on eth1 to any port 3306

If we want to use filtering my mac address we can add: -A ufw-before-input -m mac –mac-source 00:00:00:00:00:AA -j DROP in /etc/ufw/before.rules
(these are rules who are read and act before the firewall rules)

To monitor the usage of the firewall we can use: sudo tail -f /var/log/ufw.log, but just if the "ufw logging" is enabled.
While experimenting with the firewall you can use an external network scanner such as Nmap (sudo apt install nmap) to check which ports are open on the machine.

More useful examples you can find with: man ufw
as well as on the ubuntu firewall page: https://help.ubuntu.com/lts/serverguide/firewall.html More information, you can find in this course.