Recently, I’ve been trying out Let’s Encrypt which is a great new service offering SSL certificates and some automated tools to get them for free! I wanted to see how easy it would be to get going with Let’s Encrypt for a dockerized web application. However, to try that out I realised I’d need a Docker host – with a DNS name that I control – running somewhere. So I’ve written the following guide and some scripts to get that setup. Stay tuned for the next post in which I’ll tell you how to get up and running with Let’s Encrypt.
Docker machine basics
Docker machine is awesomesauce for getting a docker instance running out on the internet. The included driver amazonec2 allows you to create a docker daemon with one command:
docker-machine create --driver amazonec2 --amazonec2-region "$AWS_REGION" --amazonec2-instance-type "t2.micro" --amazonec2-access-key "$AWS_ACCESS_KEY_ID" --amazonec2-secret-key "$AWS_SECRET_ACCESS_KEY" --amazonec2-vpc-id "$AWS_VPC_ID" --amazonec2-zone c my-lovely-docker-server
Docker machine is installed along with the docker toolbox.
The docker client works just the same as when it’s connected to your local daemon. To view your running docker daemons, type:
$ docker-machine ls
NAME                      ACTIVE   DRIVER       STATE     URL                          SWARM
default                   -        virtualbox   Saved
my-lovely-docker-server   -        amazonec2    Stopped   tcp://22.214.171.124:2376
The output of that command shows that default is the name of my local docker daemon, running on virtualbox, and that my-lovely-docker-server is the one running on aws.
To switch your client between docker servers, eval the output from
docker-machine env <machine name>
# e.g.
eval "$(docker-machine env my-lovely-docker-server)"
# or
eval "$(docker-machine env default)"
Automatic DNS entry with Elastic IP and Route53
If you want other humans or robots to easily use the services you run on your aws docker machine, you’ll need a static IP and DNS entry.
Prerequisites – Amazon
Before running the script you’ll need to set up three things:
- An AWS user with the correct rights (incl. its secret key and access key id);
- A VPC with a public subnet;
- A Route53 hosted zone.
Set up a new user in AWS. Save the secret key and access key, and attach the AmazonEC2FullAccess and AmazonRoute53FullAccess policies to the new user.
If you don’t already have a VPC to use, go to the VPC wizard and select the option for ‘VPC with a single public subnet’.
Name your VPC and leave the rest of the options as they are.
Register a domain and set up a hosted zone for it on Route53.
Prerequisites – Your machine
You need to have these three pieces of software installed on your machine for the script to work:
- docker-machine: https://www.docker.com/docker-toolbox
- aws cli: https://aws.amazon.com/cli/
- jq: https://stedolan.github.io/jq/
Now that you’ve done the hard part, you can run the following to get started.
git clone email@example.com:automationlogic/docker-machine-on-aws.git
cd docker-machine-on-aws
export AWS_SECRET_ACCESS_KEY=your-secret-access-key
export AWS_ACCESS_KEY_ID=your-access-key-id
export AWS_REGION=your-region-id   # I use eu-west-1
export AWS_DEFAULT_REGION=$AWS_REGION
export AWS_VPC_ID=your-vpc-id
./createDockerInstance.sh www yourdomain.com
You’ll notice in your aws console:
- A new instance gets created by docker-machine
- A new elastic IP
- Ports 80 and 443 will be added to the docker-machine security group
- A resource record for www will be created in the hosted zone yourdomain.com
If you docker run a dockerised web app now, it will be available at www.yourdomain.com.
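To make the four steps above concrete, here is an added example script (my own sketch, not the repository’s createDockerInstance.sh) that performs them with docker-machine, the aws cli and jq. It assumes the AWS credentials, AWS_REGION and AWS_VPC_ID are exported as shown earlier, that docker-machine tags the instance with its machine name and uses its default security group named docker-machine, and that the change-batch JSON shape and the regenerate-certs step are my additions.

```shell
#!/bin/sh
# Added example, not the repository's createDockerInstance.sh. Assumes AWS credentials,
# AWS_REGION and AWS_VPC_ID are exported and aws, jq and docker-machine are on PATH.
set -eu
# Route53 UPSERT change batch for <host>.<zone> -> <ip>. Pure string building, no AWS call.
route53_change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.%s.","Type":"A","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2" "$3"
}
# Hosted zone id for a domain; the cli returns "/hostedzone/ID", so strip the prefix.
hosted_zone_id() {
  aws route53 list-hosted-zones-by-name --dns-name "$1" --max-items 1 \
    | jq -r --arg z "$1." '.HostedZones[] | select(.Name == $z) | .Id' | sed 's|/hostedzone/||'
}
# Step 1: docker-machine creates the EC2 host (credentials come from the environment).
create_instance() {
  docker-machine create --driver amazonec2 --amazonec2-region "$AWS_REGION" \
    --amazonec2-instance-type t2.micro --amazonec2-vpc-id "$AWS_VPC_ID" --amazonec2-zone c "$1"
}
# Step 2: allocate an Elastic IP, attach it to the instance tagged with our machine name, print it.
attach_elastic_ip() {
  instance_id=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$1" \
    Name=instance-state-name,Values=running | jq -r '.Reservations[0].Instances[0].InstanceId')
  alloc=$(aws ec2 allocate-address --domain vpc | jq -r '.AllocationId')
  aws ec2 associate-address --instance-id "$instance_id" --allocation-id "$alloc" >/dev/null
  aws ec2 describe-addresses --allocation-ids "$alloc" | jq -r '.Addresses[0].PublicIp'
}
# Step 3: open only 80 and 443 on the security group docker-machine created (assumed name).
open_web_ports() {
  sg=$(aws ec2 describe-security-groups --filters Name=group-name,Values=docker-machine \
    "Name=vpc-id,Values=$AWS_VPC_ID" | jq -r '.SecurityGroups[0].GroupId')
  for port in 80 443; do
    aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port "$port" --cidr 0.0.0.0/0
  done
}
# Step 4: point <host>.<zone> at the Elastic IP, then refresh the TLS certs docker-machine
# issued for the old public IP so the client can still reach the daemon on 2376.
main() {
  create_instance "$1"
  ip=$(attach_elastic_ip "$1")
  open_web_ports
  aws route53 change-resource-record-sets --hosted-zone-id "$(hosted_zone_id "$2")" \
    --change-batch "$(route53_change_batch "$1" "$2" "$ip")"
  docker-machine regenerate-certs -f "$1"
}
if [ $# -eq 2 ]; then main "$@"; fi   # usage: ./script.sh www yourdomain.com
```

The security-group step opens the web ports to the world, which is what the post describes; the daemon port stays reachable only with the client certificates docker-machine generated.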