Docker-Compose

このページは Docker および Docker Compose を使って、コンテナによるサーバアプリケーションの構築手順についてまとめたものである。内容としては docker-compose.yml ファイルの記述をメインにしているため、細かい設定の説明などは端折っています。

docker コマンドを一般ユーザで実行可能にする

docker コマンドはデフォルトだと root ユーザでしか実行できません。そのため、一般ユーザでも実行できるように設定する必要があります。

docker グループに起動ユーザを追加

例えば、起動ユーザが qurataro で、/home/qurataro に環境を構築すると仮定した場合、 /etc/group に qurataro を追加します。

docker:x:117:qurataro

Confluence

docker-compose.yml

version: '2'
services:
  confluence:
    build: .
    container_name: confluence
    hostname: confluence
    restart: always
    volumes:
      - ./confluence_home:/var/atlassian/confluence
      - ./index_home/index:/var/atlassian/confluence/index
      - /tmp:/tmp
    ports:
      - 8090:8090
      - 8091:8091
    environment:
      - ENABLE_CROWD=0
      - JVM_MAXIMUM_MEMORY=8g
      - APPLICATION_NAME=confluence
      - APPLICATION_PASSWORD=confluence
      - APPLICATION_LOGIN_URL=https://wiki.example.com/confluence/
#      - CROWD_SERVER_URL=https://wiki.happyelements.mydns.jp/crowd/services/
#      - CROWD_BASE_URL=https://wiki.happyelements.mydns.jp/crowd/
      - X_PROXY_NAME=wiki.example.com
      - X_PROXY_PORT=443
      - X_PROXY_SCHEME=https
      - X_PATH=/confluence
      - CATALINA_OPTS=-Dsynchrony.proxy.enabled=true
      - LD_LIBRARY_PATH=/lib64
    external_links:
      - mysql
    networks:
      - default
      - mysql_default
#      - crowd_default
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
​
volumes:
  tmp:
  confluence_data:
​
networks:
  mysql_default:
    external: true
#  crowd_default:
#    external: true

JIRA

JIRA

docker-compose.yml

version: '2'
services:
  jira:
    image: cptactionhank/atlassian-jira
    container_name: jira
    hostname: jira
    restart: always
    volumes:
      - ./jira_home:/var/atlassian/jira
    ports:
      - 1080:8080
    environment:
​
#      - JVM_MAXIMUM_MEMORY=2g
​
      - X_PROXY_NAME=example.com
      - X_PROXY_PORT=80
      - X_PROXY_SCHEME=http
      - X_PATH=/
​
#      - LD_LIBRARY_PATH=/lib64
​
    external_links:
      - mysql
    networks:
      - default
      - mysql_default
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
​
volumes:
  jira_data:
​
networks:
  mysql_default:
    external: true
​
​
MySQL
​
do
​
version: '3.1'
​
services:
  mysql:
    image: mysql:5.7
    restart: always
    tty: true
    environment:
      MYSQL_ROOT_PASSWORD: example
    volumes:
​
   - ./mysql:/var/lib/mysql
     ./docker.cnf:/etc/mysql/conf.d/docker.cnf
        - ./backup:/backup
          gging:
                driver: "json-file"
                options:
          max-size: "1m"
          max-file: "1"

docker.cnf

[mysqld]
character-set-server=utf8
collation-server=utf8_bin
default-storage-engine=INNODB
max_allowed_packet=1GB
innodb_log_file_size=2GB
transaction-isolation=READ-COMMITTED
binlog_format=row
​
skip-host-cache
skip-name-resolve
​
# innodb_force_recovery=1

nginx

docker-compose.yml

version: '2'
​
services:
  nginx:
    image: nginx
    restart: always
​
#    container_name: nginx
​
    privileged: true
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./ssl.d:/etc/nginx/ssl.d
      - ./.htpasswd:/var/www/.htpasswd
    network_mode: host
​
#    networks:
#      - default
#      - crowi_default
#      - gitlab_default
#      - jenkins_default
​
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
​
​

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
​
events {
        worker_connections 768;
        # multi_accept on;
}
​
http {
​
        ##
        # Basic Settings
        ##
    
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
    
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
    
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
    
        ##
        # SSL Settings
        ##
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
    
        ##
        # Logging Settings
        ##
    
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
    
        ##
        # Gzip Settings
        ##
    
        gzip on;
        gzip_disable "msie6";
    
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    
        ##
        # Virtual Host Configs
        ##
    
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
​
}
​
​

conf.d/server.conf

xxxxxxxxxx
server {
    listen 80;
    server_name jira.example.com;
​
    location / {
        proxy_pass http://127.0.0.1:1080;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10M;
    }
​
}

Jenkins

jenkins

docker-compose.yml

version: "2"
services:
  master:
    container_name: master
    image: jenkins/jenkins:2.186
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - ./jenkins_home:/var/jenkins_home

nginx

docker-compose.yml

version: '3'
​
services:
  nginx:
    image: nginx
    restart: always
    privileged: true
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./ssl.d:/etc/nginx/ssl.d
      - ./.htpasswd:/var/www/.htpasswd
    network_mode: host
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
​
events {
        worker_connections 768;
        # multi_accept on;
}
​
http {
​
        ##
        # Basic Settings
        ##
​
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
​
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
​
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
​
        ##
        # SSL Settings
        ##
​
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
​
        ##
        # Logging Settings
        ##
​
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
​
        ##
        # Gzip Settings
        ##
​
        gzip on;
        gzip_disable "msie6";
​
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
​
        ##
        # Virtual Host Configs
        ##
​
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

conf.d/server.conf

xxxxxxxxxx
server {
    listen 80;
    server_name jenkins.example.com;
​
    location / {
      proxy_set_header        Host $host:$server_port;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
​
      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://jenkins.example.com:8080;
      #proxy_pass          http://127.0.0.1:8080;
      proxy_read_timeout  90;
​
      #proxy_redirect      http://127.0.0.1:8080 https://jenkins.example.com;
​
      # Required for new HTTP-based CLI
      proxy_http_version 1.1;
      proxy_request_buffering off;
      # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
      add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
    }
}
​
server {
    listen 443 ssl http2;
    server_name jenkins.example.com;
​
    ssl_certificate /etc/nginx/ssl.d/server.pem;
    ssl_certificate_key /etc/nginx/ssl.d/private.key;
​
    return 301 http://$host$request_uri;
}

Gitlab

gitlab

docker-compose.yml

xxxxxxxxxx
version: '3'
​
services:
  redis:
    restart: always
    image: sameersbn/redis:4.0.9-2
    command: --loglevel warning
    volumes:
      - redis-data:/var/lib/redis:Z
    privileged: true
​
  postgresql:
    restart: always
    image: sameersbn/postgresql:10-2
    volumes:
      - postgresql-data:/var/lib/postgresql:Z
    privileged: true
    environment:
      TZ: Asia/Tokyo
      DB_USER: gitlab
      DB_PASS: gitlab
      DB_NAME: gitlabhq_production
      DB_EXTENSION: pg_trgm
​
  gitlab:
      restart: always
      #image: sameersbn/gitlab:12.5.2
      image: sameersbn/gitlab:12.9.2
      depends_on:
        - redis
        - postgresql
      ports:
        - "80:80"
        - "443:443"
        - "2224:22"
      external_links:
        - "registry:heapregistry.example.com"
      volumes:
        #- /srv/docker/gitlab/gitlab:/home/git/data
        - /datadrive/gitlab:/home/git/data:Z
        - ./certs:/certs
        - ./crt:/crt
      privileged: true
      environment:
        VIRTUAL_HOST: gitlab.example.com
​
        DEBUG: 'false'
​
        DB_ADAPTER: postgresql
        DB_HOST: postgresql
        DB_PORT: 5432
        DB_USER: gitlab
        DB_PASS: gitlab
        DB_NAME: gitlabhq_production
​
        REDIS_HOST: redis
        REDIS_PORT: 6379
​
        TZ: Asia/Tokyo
        GITLAB_TIMEZONE: Tokyo
​
        GITLAB_HTTPS: 'true'
        SSL_SELF_SIGNED: 'true'
​
        GITLAB_HOST: gitlab.example.com
        GITLAB_PORT: 443
        GITLAB_SSH_PORT: 2224
        GITLAB_RELATIVE_URL_ROOT:
        GITLAB_SECRETS_DB_KEY_BASE: gitlab
        GITLAB_SECRETS_SECRET_KEY_BASE: gitlab
        GITLAB_SECRETS_OTP_KEY_BASE: gitlab
​
        GITLAB_REGISTRY_ENABLED: 'true'
        GITLAB_REGISTRY_HOST: heapregistry.example.com
        #GITLAB_REGISTRY_PORT: 5000
        GITLAB_REGISTRY_PORT: 5000
        GITLAB_REGISTRY_API_URL: https://heapregistry.example.com:5000
        #GITLAB_REGISTRY_ISSUER: gitlab-issuer
        #SSL_REGISTRY_KEY_PATH: /crt/gitlab.example.com.key
        #SSL_REGISTRY_CERT_PATH: /crt/gitlab.example.com.crt
        GITLAB_REGISTRY_CERT_PATH: /certs/registry.crt
        GITLAB_REGISTRY_KEY_PATH: /certs/registry.key
        #GITLAB_REGISTRY_CERT_PATH: /crt/gitilab.example.com.crt
​
        #GITLAB_REGISTRY_KEY_PATH: /crt/gitlab.example.com.key
​
        GITLAB_ROOT_PASSWORD:
        GITLAB_ROOT_EMAIL:
​
        GITLAB_NOTIFY_ON_BROKEN_BUILDS: 'true'
        GITLAB_NOTIFY_PUSHER: 'false'
​
        GITLAB_EMAIL: gitlab.example.smtp@gmail.com
        GITLAB_EMAIL_REPLY_TO: gitlab.example.smtp@gmail.com
        GITLAB_INCOMING_EMAIL_ADDRESS: gitlab.example.smtp@gmail.com
​
        GITLAB_BACKUP_SCHEDULE: daily
        GITLAB_BACKUP_EXPIRY: 604800
        GITLAB_BACKUP_TIME: 01:00
​
        SMTP_ENABLED: 'true'
        SMTP_DOMAIN: www.gmail.com
        SMTP_HOST: smtp.gmail.com
        SMTP_PORT: 587
        SMTP_USER: gitlab.example.smtp@gmail.com
        SMTP_PASS: bEQXQ}z*r1DI<#08+UH9
        SMTP_STARTTLS: 'true'
        SMTP_AUTHENTICATION: plain
​
        IMAP_ENABLED: 'false'
        IMAP_HOST: imap.gmail.com
        IMAP_PORT: 993
        IMAP_USER: mailer@example.com
        IMAP_PASS: password
        IMAP_SSL: 'true'
        IMAP_STARTTLS: 'false'
​
        OAUTH_ENABLED: 'false'
        OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:
        OAUTH_ALLOW_SSO:
        OAUTH_BLOCK_AUTO_CREATED_USERS: 'true'
        OAUTH_AUTO_LINK_LDAP_USER: 'false'
        OAUTH_AUTO_LINK_SAML_USER: 'false'
        OAUTH_EXTERNAL_PROVIDERS:
​
        OAUTH_CAS3_LABEL: cas3
        OAUTH_CAS3_SERVER:
        OAUTH_CAS3_DISABLE_SSL_VERIFICATION: 'false'
        OAUTH_CAS3_LOGIN_URL: /cas/login
        OAUTH_CAS3_VALIDATE_URL: /cas/p3/serviceValidate
        OAUTH_CAS3_LOGOUT_URL: /cas/logout
​
        OAUTH_GOOGLE_API_KEY:
        OAUTH_GOOGLE_APP_SECRET:
        OAUTH_GOOGLE_RESTRICT_DOMAIN:
​
        OAUTH_FACEBOOK_API_KEY:
        OAUTH_FACEBOOK_APP_SECRET:
​
        OAUTH_TWITTER_API_KEY:
        OAUTH_TWITTER_APP_SECRET:
​
        OAUTH_GITHUB_API_KEY:
        OAUTH_GITHUB_APP_SECRET:
        OAUTH_GITHUB_URL:
        OAUTH_GITHUB_VERIFY_SSL:
​
        OAUTH_GITLAB_API_KEY:
        OAUTH_GITLAB_APP_SECRET:
​
        OAUTH_BITBUCKET_API_KEY:
        OAUTH_BITBUCKET_APP_SECRET:
​
        OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:
        OAUTH_SAML_IDP_CERT_FINGERPRINT:
        OAUTH_SAML_IDP_SSO_TARGET_URL:
        OAUTH_SAML_ISSUER:
        OAUTH_SAML_LABEL: "Our SAML Provider"
        OAUTH_SAML_NAME_IDENTIFIER_FORMAT: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        OAUTH_SAML_GROUPS_ATTRIBUTE:
        OAUTH_SAML_EXTERNAL_GROUPS:
        OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:
        OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:
        OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME:
        OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:
        OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:
​
        OAUTH_CROWD_SERVER_URL:
        OAUTH_CROWD_APP_NAME:
        OAUTH_CROWD_APP_PASSWORD:
​
        OAUTH_AUTH0_CLIENT_ID:
        OAUTH_AUTH0_CLIENT_SECRET:
        OAUTH_AUTH0_DOMAIN:
        OAUTH_AUTH0_SCOPE:
​
        OAUTH_AZURE_API_KEY:
        OAUTH_AZURE_API_SECRET:
        OAUTH_AZURE_TENANT_ID:
​
  gitlab-runner:
    image: gitlab/gitlab-runner:v12.9.0
    volumes:
     - '/var/run/docker.sock:/var/run/docker.sock'
     - './crt:/etc/gitlab-runner/certs'
    privileged: true
    tty: true
    stdin_open: true
    restart: always
    depends_on:
      - gitlab
​
  registry:
    #image: registry:2.7.1
    image: registry:2.7.1
    ports:
      - "5000:5000"
    volumes:
      - registry-data:/var/lib/registry
      - ./certs:/certs
      - ./crt:/crt
    external_links:
      - "gitlab:gitlab.example.com"
    privileged: true
    environment:
      REGISTRY_LOG_LEVEL: info
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      REGISTRY_AUTH_TOKEN_REALM: https://gitlab.example.com/jwt/auth
      REGISTRY_AUTH_TOKEN_SERVICE: container_registry
      REGISTRY_AUTH_TOKEN_ISSUER: gitlab-issuer
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
      #REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /crt/gitlab.example.com.crt
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
      #REGISTRY_HTTP_TLS_CERTIFICATE: /crt/gitlab.example.com.crt
      REGISTRY_HTTP_TLS_KEY: /certs/registry.key
      #REGISTRY_HTTP_TLS_KEY: /crt/gitlab.example.com.key
      REGISTRY_HTTP_SECRET: secret
    restart: always
​
volumes:
  redis-data:
  postgresql-data:
  gitlab-data:
  registry-data:
​
networks:
  default:
    external:
      name: ssl_proxy