This documentation provides a comprehensive understanding of the project, demonstrating the application of containerization concepts, created by izahr.
"Docker is an open platform for developing, shipping, and running applications, which enables you to separate your applications from your infrastructure so you can deliver software quickly..."¹
Containers are the core aspect of this technology. Rather than using a virtual machine with a complete OS installation (which costs both resources and time), containers share the kernel of the host machine and only need the dependencies and libraries the service requires in order to function.
No more "it works on my machine" problems. Docker containers run consistently across different environments.
- Lower Resource Usage: Containers share the host OS kernel
- Faster Startup: Boot in seconds instead of minutes
- Lightweight: Significantly smaller footprint than VMs
Docker isolates containers from one another even though they all run on the same host kernel. Through kernel namespaces:
"...Namespaces provide the first and most straightforward form of isolation. Processes running within a container cannot see, and even less affect, processes running in another container, or in the host system..."²
Perfect for microservices architecture, where a failing service doesn't compromise the entire application.
"...A Dockerfile is a text file containing instructions for building your source code..."³
It provides automation to create a Docker Image, a layered product designed to set up and ensure the service works correctly within the container.
In simple terms, Docker Compose is responsible for the communication and management of multiple Docker containers. It implements:
- Networking: Creates networks for inter-container communication
- Volumes: Persistent data storage
- Service orchestration: Manages service dependencies and startup order
Docker networks allow containers to communicate. Because each container has its own network namespace, an explicit network is needed for containers to reach one another on defined ports.
- DNS Resolution: Containers can reach each other by name
- Isolation: Separated from default bridge network
- Security: No direct host network access
- Control: Custom subnet and gateway configuration
| Network Mode | Description | Use Case | Isolation |
|---|---|---|---|
| Bridge (default) | Isolated internal network with NAT | Default for containers | Full |
| Host | Shares host's network stack | Performance-critical apps | None |
| Custom Bridge | User-defined isolated network | Multi-container apps | Full |
| None | No networking | Completely isolated tasks | Maximum |
"Volumes are persistent data stores for containers, created and managed by Docker..."⁴
Volumes provide a means to preserve data from being erased, ranging from user uploads to themes and preferences. Multiple implementation options are available for data storage.
| Feature | Docker Volumes | Bind Mounts |
|---|---|---|
| Management | Managed by Docker | Direct host path |
| Location | /var/lib/docker/volumes/ | Anywhere on host |
| Portability | High (Docker handles paths) | Low (hardcoded paths) |
| Performance | Optimized | Depends on host FS |
| Backup | Easy with Docker tools | Manual process |
| Security | Docker-controlled permissions | Host filesystem permissions |
Despite container isolation, there are multiple potential security vulnerabilities, ranging from attacks on plain HTTP traffic to password leakage through environment variables.
Docker addresses the latter with Docker Secrets: each secret is kept in a single file and mounted into the container under the /run/secrets/ directory, instead of sitting in an environment file whose contents are handed to every container.
| Feature | Docker Secrets | Environment Variables |
|---|---|---|
| Security | Encrypted at rest and in transit | Visible in docker inspect |
| Storage | In-memory tmpfs only | Stored in container config |
| Visibility | Only to authorized services | Visible to all processes |
| Best For | Passwords, API keys, certificates | Configuration, non-sensitive data |
| Example | Database passwords | Domain names, ports |
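The Compose-level pieces described in the networking, volumes and secrets sections (a user-defined bridge network with its own subnet, named volumes, and Docker Secrets mounted at /run/secrets instead of environment variables) brought together in one place, as an example added to this page and not the project's own docker-compose.yml. It holds the configuration as Python data, which Compose accepts once dumped as JSON (JSON is valid YAML), and audits it for the weak settings this page warns about. The build paths, secret file names, subnet, the `changeme` placeholder and the audit rules themselves are assumptions of this example.

```python
"""Compose config for the stack as Python data, plus an audit of the settings the page warns about."""
import json
import re

# Environment keys that look like credentials (heuristic of this example).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
# Design of this stack: only NGINX on 443 is reachable from the host.
ALLOWED_HOST_PORTS = {"443"}

# Hardened configuration (build paths, subnet and secret file names are assumed).
HARDENED = {
    "services": {
        "nginx": {
            "build": "./requirements/nginx",
            "ports": ["443:443"],                       # the only published port
            "networks": ["inception-net"],
            "volumes": ["wordpress-data:/var/www/html", "nginx-certs:/etc/nginx/ssl"],
        },
        "wordpress": {
            "build": "./requirements/wordpress",
            "networks": ["inception-net"],
            "volumes": ["wordpress-data:/var/www/html"],
            "secrets": ["db_password"],
            # *_FILE variables name the mounted secret; the value itself never enters the env.
            "environment": {"WORDPRESS_DB_HOST": "mariadb",
                            "WORDPRESS_DB_PASSWORD_FILE": "/run/secrets/db_password"},
        },
        "mariadb": {
            "build": "./requirements/mariadb",
            "networks": ["inception-net"],
            "volumes": ["mariadb-data:/var/lib/mysql"],
            "secrets": ["db_password", "db_root_password"],
            "environment": {"MYSQL_PASSWORD_FILE": "/run/secrets/db_password"},
        },
    },
    # User-defined bridge network: DNS by service name, own subnet and gateway.
    "networks": {"inception-net": {"driver": "bridge",
                 "ipam": {"config": [{"subnet": "172.28.0.0/24", "gateway": "172.28.0.1"}]}}},
    "volumes": {"wordpress-data": {}, "mariadb-data": {}, "nginx-certs": {}},
    # Each secret is one file on the host, mounted into the container at /run/secrets/<name>.
    "secrets": {"db_password": {"file": "./secrets/db_password.txt"},
                "db_root_password": {"file": "./secrets/db_root_password.txt"}},
}

# Weak variant (constructed) for contrast: credential in the environment, host networking,
# a privileged container, the daemon socket mounted and a management UI published to the host.
WEAK = {"services": {
    "wordpress": {"build": "./requirements/wordpress", "network_mode": "host",
                  "environment": ["WORDPRESS_DB_HOST=mariadb", "WORDPRESS_DB_PASSWORD=changeme"]},
    "adminer": {"build": "./requirements/adminer", "privileged": True,
                "volumes": ["/var/run/docker.sock:/var/run/docker.sock"], "ports": ["8080:8080"]},
}}


def _env_items(env):
    """Normalise 'environment' (mapping or list of KEY=VALUE strings) to (key, value) pairs."""
    if isinstance(env, dict):
        return list(env.items())
    return [tuple(entry.partition("=")[::2]) for entry in env or []]


def _host_port(spec):
    """Host side of a port mapping such as '443:443' or '127.0.0.1:8080:80'."""
    parts = str(spec).split(":")
    return parts[-2] if len(parts) >= 2 else "random"   # bare container port: Docker picks a host port


def audit_compose(config):
    """Return (service, finding) pairs for settings that weaken isolation or leak credentials."""
    findings = []
    for name, svc in config.get("services", {}).items():
        for key, _value in _env_items(svc.get("environment")):
            if SECRET_KEY.search(key) and not key.endswith("_FILE"):
                findings.append((name, f"plaintext credential in environment: {key}"))
        if svc.get("network_mode") == "host":
            findings.append((name, "network_mode host: shares the host network stack"))
        if svc.get("privileged"):
            findings.append((name, "privileged: all host capabilities granted"))
        for mount in svc.get("volumes", []):
            if str(mount).startswith("/var/run/docker.sock"):
                findings.append((name, "docker socket mounted: equivalent to root on the host"))
        for spec in svc.get("ports", []):
            port = _host_port(spec)
            if port not in ALLOWED_HOST_PORTS:
                findings.append((name, f"host port {port} published ({spec})"))
    return findings


def to_compose_json(config):
    """Serialise for `docker compose -f compose.json`; JSON is valid YAML, so Compose reads it."""
    return json.dumps(config, indent=2)
```

One caveat worth keeping in mind when reading the table above: with Compose outside Swarm mode, a file-based secret is simply bind-mounted into the container at /run/secrets/<name>, so the "encrypted at rest and in transit" property applies to secrets stored in a Swarm cluster; the gain in a plain Compose stack is that the value stays out of `docker inspect` and out of the process environment.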
NGINX is the web server that handles HTTPS requests. Given the long history of attacks on web traffic, TLS (Transport Layer Security) was developed to secure these communications.
| TLS Version | Year | Status | Key Features | Security | Browser Support | Deprecated |
|---|---|---|---|---|---|---|
| SSL 3.0 | 1996 | DEAD | First widely used, flawed design | Broken | None | YES (2015) |
| TLS 1.0 | 1999 | DEPRECATED | SSL 3.0 upgrade, RC4, MD5 hash | Vulnerable | Disabled by default | YES (2021) |
| TLS 1.1 | 2006 | DEPRECATED | Protection against CBC attacks | | Disabled by default | YES (2021) |
| TLS 1.2 | 2008 | SECURE | AEAD ciphers, SHA-256, GCM mode | Strong | 99.9% | NO |
| TLS 1.3 | 2018 | RECOMMENDED | 0-RTT, modern ciphers only, forward secrecy | Strongest | 98%+ | NO |
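A check for the recommendation in the table, as example code added to this page (not the project's NGINX configuration): it parses the `ssl_protocols` directive out of an NGINX server block and reports any dead or deprecated versions, and builds a Python `SSLContext` that refuses anything below TLS 1.2. The two sample configuration texts are constructed for the example.

```python
"""Audit of the TLS versions an NGINX server block enables, plus a hardened Python SSLContext."""
import re
import ssl

DEAD_OR_DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # per the table above
RECOMMENDED = "TLSv1.3"

# Constructed sample configurations, not the project's files.
SAMPLE_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
SAMPLE_HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def parse_ssl_protocols(config_text):
    """Protocol names from the ssl_protocols directive; [] when the directive is absent."""
    matches = re.findall(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    return matches[-1].split() if matches else []


def audit_nginx_tls(config_text):
    """Findings measured against the table: no dead/deprecated versions, TLS 1.3 enabled."""
    protocols = parse_ssl_protocols(config_text)
    if not protocols:
        # With no directive NGINX uses a build-dependent default, which may include TLS 1.0/1.1.
        return ["ssl_protocols not set: NGINX default applies"]
    findings = [f"{p} enabled" for p in protocols if p in DEAD_OR_DEPRECATED]
    if RECOMMENDED not in protocols:
        findings.append(f"{RECOMMENDED} not enabled")
    return findings


def hardened_client_context():
    """Python-side counterpart: a client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_versions(ctx):
    """Names of the versions a context will negotiate, lowest to highest."""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:      # sentinel values, not real versions
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    ladder = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in ladder if low <= v <= high]
```

Running `audit_nginx_tls` over the NGINX configuration before building the image catches a regression to TLS 1.0/1.1 without needing a live handshake; the `SSLContext` half is what a Python health check or monitoring script inside the stack should use when it talks to NGINX.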
Docker's client/server model on the host system:

- Docker CLI (client): a Go binary. Commands such as `docker run`, `docker ps` and `docker build` are sent to the daemon as JSON over the REST API (IPC or TCP).
- Docker Daemon (server, dockerd): a persistent process that manages containers, images, networks and volumes.
- Communication channel between the two, one of:
  - Option 1: Unix socket at /var/run/docker.sock
  - Option 2: TCP socket on 0.0.0.0:2375
The Docker CLI (Command-Line Interface) is where users interact with Docker using commands to start and stop services, inspect volumes, debug, and more. It communicates with the Docker Daemon using either a UNIX socket or a TCP connection.
Key features:
- Written in Go
- Sends commands via JSON/REST API
- Primary interface for Docker operations
The Docker Daemon (dockerd) is the persistent background service that:
- Listens for Docker API requests
- Manages Docker objects (containers, images, networks, volumes)
- Handles container lifecycle
- Communicates with container runtime (containerd)
Communication methods:
- Unix Socket (/var/run/docker.sock): Default, local-only access
- TCP Socket (port 2375/2376): Remote access (requires proper security)
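The two channels differ greatly in exposure, so it is worth checking how a given daemon is listening. As an added example (not Docker's own tooling), the following rates each dockerd listen address written in the form that daemon.json's `hosts` key and the `-H` flag use, and shows the `GET /version` request the CLI itself makes over the Unix socket. The risk labels, the `LOOPBACK` set and the wording are this example's own; `daemon_version` needs a running daemon, the other functions run offline on constructed input.

```python
"""Rate dockerd listen addresses by exposure, and query the daemon over its Unix socket."""
import http.client
import json
import socket

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def classify_host(entry, tlsverify=False):
    """(risk, reason) for one dockerd listen address, e.g. 'unix:///var/run/docker.sock'."""
    scheme, _, rest = entry.partition("://")
    if scheme == "unix":
        path = rest or "/var/run/docker.sock"
        return ("low", f"unix socket {path}: reachable only by local users with rights on the socket file")
    if scheme == "fd":
        return ("low", "socket inherited from systemd socket activation")
    if scheme == "tcp":
        if rest.startswith("["):                       # bracketed IPv6, e.g. [::]:2375
            host, _, port = rest[1:].partition("]")
            port = port.lstrip(":")
        else:
            host, _, port = rest.rpartition(":")
            if not host:                               # no port given, e.g. tcp://0.0.0.0
                host, port = port, ""
        port = port or ("2376" if tlsverify else "2375")   # dockerd's defaults when omitted
        if host in LOOPBACK:
            return ("medium", f"plaintext API on loopback {host}:{port}: any local process can drive dockerd")
        if tlsverify:
            return ("medium", f"tcp {host}:{port} with --tlsverify: client certificates required, "
                              "but the API is still network-exposed")
        return ("critical", f"unauthenticated API on {host}:{port}: full control of dockerd "
                            "(root on the host) for anyone who can connect")
    return ("unknown", f"unrecognised listen address {entry}")


def audit_daemon_config(daemon_json):
    """Rate every listen address in a parsed daemon.json dict (no 'hosts' key = unix socket only)."""
    hosts = daemon_json.get("hosts") or ["unix:///var/run/docker.sock"]
    tlsverify = bool(daemon_json.get("tlsverify", False))
    return [(h, *classify_host(h, tlsverify)) for h in hosts]


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over an AF_UNIX socket: the transport the CLI uses by default."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def daemon_version(path="/var/run/docker.sock"):
    """GET /version, the same Engine API call `docker version` makes; requires a running dockerd."""
    conn = UnixHTTPConnection(path)
    conn.request("GET", "/version")
    return json.loads(conn.getresponse().read())
```

The Unix socket is rated low only because access is governed by the socket file's permissions: anyone in the `docker` group, or any container that has the socket bind-mounted, has the same power over the host as the daemon.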
What happens when a user executes `docker run nginx`:

1. Docker CLI: parses the command and sends an API request to the daemon.
2. Docker Daemon (dockerd): pulls the image if it is not present, creates the container configuration, sets up networking, prepares volumes, then calls containerd.
3. containerd (container supervisor): manages the container lifecycle, handles image transfer from the daemon, supervises runc and manages container snapshots.
4. containerd-shim: keeps the container running if containerd restarts, reports the exit status and manages the STDIO streams.
5. runc (OCI runtime): creates namespaces, sets up cgroups (resource limits), configures the root filesystem (overlay/bind mounts), applies security profiles (AppArmor/SELinux), executes the container process, then exits (the shim takes over).
6. Running container: an isolated process with its own PID namespace, its own network stack, its own filesystem view, resource limits (CPU, memory) and security constraints.
This infrastructure consists of the following services:
- NGINX - Secure web server (HTTPS only, TLSv1.2/1.3)
- WordPress - Content management system with PHP-FPM
- MariaDB - Database server for WordPress data
- Redis - Cache service for improved performance
- FTP Server - File upload/download service
- Adminer - Database management interface
- Static Website - Custom landing page
- cAdvisor - Container performance monitoring
Service topology: INTERNET -> HTTPS (443), TLS 1.2/1.3 -> HOST SYSTEM -> Docker bridge network (inception-net):

- NGINX (reverse proxy): port 443 (HTTPS), SSL/TLS termination, routes requests to the backend services:
  - WordPress (PHP-FPM): port 9000, FastCGI
  - Adminer: port 8080, database manager
  - Static Site: port 80, HTML/CSS/JS
- Backend services behind WordPress and Adminer:
  - Redis (cache): port 6379, object caching and session storage
  - MariaDB (database): port 3306, WordPress data, users and posts
  - FTP Server: ports 21 and 21000, FTPS, upload/download
- cAdvisor (monitoring service): port 8081, monitors all containers, resource usage metrics, performance analytics
- Docker Volumes:
  - wordpress-data -> /var/www/html (WordPress files)
  - mariadb-data -> /var/lib/mysql (database files)
  - nginx-certs -> /etc/nginx/ssl (SSL certificates)
1. https://docs.docker.com/get-started/docker-overview/
2. https://docs.docker.com/engine/security/#kernel-namespaces
3. https://docs.docker.com/build/concepts/dockerfile/
4. https://docs.docker.com/engine/storage/volumes/
- Docker Deep Dive: Zero to Docker in a single book, by Nigel Poulton
- containerd - Container Runtime
- NGINX - Configuring HTTPS Servers
- PHP-FPM Installation Guide
- Redis Developer Tools