Chapter 11: Using Docker Containers on the Pi
“Containerization” is a big trend in the software development world right now. A container in this context is a sort of halfway point between a traditional application and a virtual machine. Like a virtual machine, it has many OS-like features, including a separate file system. Unlike a virtual machine, a container uses the same kernel resources as the host machine, creating much less overhead and allowing for easier communication between a host and container, and between containers, so long as they are properly networked. That networking is under your control far more than with traditional applications. As a result, although it adds to the complexity of our setup, it benefits overall security.
The main benefit of a container, from a software development standpoint, is that it makes software extremely portable. Rather than worry about the particulars of an infinite variety of computer builds and configurations, a developer can create a container with all software and OS dependencies built in as part of the application.
For a Raspberry Pi user, this can be very good indeed. Although Raspberry Pi OS is Linux-based and runs on ARM infrastructure, the Pi is still a single-board computer that is not generally at the top of the list for most developers when ensuring compatibility. Some software, like Pi Hole and PiVPN, is written specifically for a Raspberry Pi, but most software is not. Through a container, we can take an application written for a more general specification and run it on our Pi with no concerns for compatibility. When grabbing containers though, make sure they're compiled for ARM architecture or they won't work.
Docker didn't invent containerization, but it popularized the concept to the point where the name has become almost synonymous with it. In the same way you might ask for a Kleenex or to use a Xerox, you might say “a Docker” to refer to a software container even if that's not technically correct usage.
Step 1: Installing Docker
- Run the following command:
curl -sSL https://get.docker.com | bash
- As part of the script, Docker created a system user account and group called docker. Only users that are part of the docker group can interact with Docker. This means by default, you'll have to run all Docker commands as root with sudo. Run the following command to change this:
sudo usermod -aG docker <username>
- Here's the breakdown of that command:
  - usermod modifies the user's group affiliation.
  - -aG appends the user to a group, rather than overwriting all existing members.
  - docker in this case refers to the user group created by the installation script.
  - <username> is replaced by your username, or the $USER variable for the current logged in account, and adds that user to the docker group.
- Reboot the Pi to ensure the changes took effect.
sudo reboot now
- Once booted back up and logged in, test the docker installation and file permissions. You should not need to run the below as root.
docker run hello-world
- If you get a friendly message from Docker, your installation is correct.
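Membership in the docker group is effectively root access to the Pi, because the Docker daemon runs as root and acts on behalf of any member, so it is worth checking who holds it after the usermod step. The script below is an added example, not part of the original guide; its function names, the allowlist argument and the sample group/passwd lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts can reach the Docker daemon.
# Function names, the allowlist and the sample files are assumptions.

# docker_members GROUP_FILE PASSWD_FILE
# Prints one user per line: supplementary members of "docker" (4th field
# of its group entry) plus users whose primary GID is the docker GID.
docker_members() {
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$1")
    [ -n "$gid" ] || return 0    # no docker group, nothing to report
    {
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# unexpected_docker_members GROUP_FILE PASSWD_FILE ALLOWED_USER...
# Prints members missing from the allowlist; returns 1 if there are any.
unexpected_docker_members() {
    gf=$1; pf=$2; shift 2
    extra=$(docker_members "$gf" "$pf" | while read -r u; do
        ok=0
        for a in "$@"; do
            if [ "$u" = "$a" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || echo "$u"
    done)
    if [ -z "$extra" ]; then return 0; fi
    echo "$extra"
    return 1
}

# Constructed sample files (not taken from a real system).
sample=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'docker:x:995:pi,backup' 'pi:x:1000:' \
    > "$sample/group"
printf '%s\n' 'pi:x:1000:1000::/home/pi:/bin/bash' \
    'svc:x:1001:995::/home/svc:/bin/sh' \
    'backup:x:1002:1002::/home/backup:/bin/sh' > "$sample/passwd"

echo "docker members:"; docker_members "$sample/group" "$sample/passwd"
unexpected_docker_members "$sample/group" "$sample/passwd" pi \
    || echo "^ not on the allowlist, review these accounts"
```

On the Pi itself, pass /etc/group and /etc/passwd followed by the usernames you intended to add; an empty result means nobody else holds the group.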
Docker itself is useless without containers. Installing containers can be done multiple ways. Here are three to consider.
Method 1: Command Line
The included docker run command can be used by itself to fully build and run a container. All container parameters are included in the run command as options and arguments. As a result, you can wind up with some very long and verbose commands. This is a completely viable option if you're comfortable with this approach, but it is not the method that will be employed by this guide.
Method 2: docker-compose
docker-compose up -d to build the container. This is the method we will be using as it introduces only a small additional factor to our use of Docker while allowing for more granular and easily organized configurations.
Method 3: GUI
Step 2: Installing docker-compose
- You can try just:
sudo apt install docker-compose
- If it doesn't work, try running:
sudo apt --fix-broken install
- If that doesn't work, we need to deal with some dependencies. The docker-compose application is run as a Python script and installed using the Python pip package installer. Run the following commands to ensure that Python and pip are present on your Pi:
sudo apt-get install libffi-dev libssl-dev
sudo apt install python3-dev
sudo apt-get install -y python3 python3-pip
- With pip installed, now we can download docker-compose.
sudo pip3 install docker-compose
- We'll want docker-compose to run as a service at startup. This means as soon as the Pi gets booted up, docker-compose will launch containers with a specified relaunch parameter in the docker-compose.yml file. Run the following command:
sudo systemctl enable docker
With Docker and docker-compose installed, we're now ready to install our first container, in this case a password manager called Vaultwarden. Once we install Vaultwarden, we're going to put it behind a reverse proxy and ensure that only HTTPS connections are allowed.
